http://www.tech-faq.com/osi-model.html

A lot to digest there, Ed. I was trying to figure out what is upside down.

I don't view the Internet as being fundamentally different from other common carriers, in the matter of trust. For example, the trust question applies equally to the telephone network of the past century and more, and to the public roads. In this regard, the network is required to protect itself from the users, and the users are required to manage their own trust. That's why I don't see what is upside down. No entity implicitly trusts the other.

In the Internet example, infrastructure routers are expected to be secured, by the service provider, so that users cannot willingly or inadvertently compromise the correct operation of that infrastructure. Similarly, the addresses (or address prefixes at least) supplied to the client devices are typically under the control of the infrastructure. Attempting to use incorrect addresses will fail, because the network will reject those packets.

At the same time, the users are not obliged to trust the network. Users establish their own end to end trust, either as peers, or in sessions with servers on the web. There are various ways of achieving this, with symmetric or asymmetric key algorithms. A most simplistic example being, two users wanting to communicate with only one another can share a secret key, without which their communications are unintelligible. That secret key can be exhanged out of band, perhaps by physically going to the other user's location. The result being, even if the network infrastructure does not route the messages properly, the communication will not be compromised. Same thing if someone in the middle intercepts the messages. They won't be able to decipher the packets.

You mention use of certificate autorities. So, ASSUMING you are using an asymmetric key algorithm, which does involve CAs, then there is no requirement to trust all such CAs. In fact, that is not usually the case. Only those CAs that have trustworthy policies need to be trusted, let's say by any group of entities that want to intercommunicate securely. The group would establish which CAs they will accept. And again, asymmetric key is not the only solution here. Not every security solution involves this third party CA. I'd say, most secure communications over the Internet do not involve a CA.

An example of a commercial use of the Internet, where trust is essential, might be dealing with your bank. When you set up the web account with your bank, trust goes no further than between you and the bank. The service providers in the middle are never trusted. So, when you authenticate yourself as a user, on that bank's web site, the bank knows it's you they are commincating with, and you know it is your bank and your bank account, WITHOUT having to involve the trust of any other aspect of that communications link. Much the same is true with the telephone. The only way to communicate securely over the telephone is for the two parties to encrypt their ends of the link, and not to trust the security of the telephone companies involved. Much the same with the Brinks vans that haul money between banks. There is no trust of the public roads. The only trust involved is between the bank and that courier company - users of the public roads. The public road network does have to protect itself, though, e.g. with appropriate signage to keep traffic flowing smoothly, proper lighting at night, and so on, showing that it does not implicitly trust the users of the roads. Nor do the users place their trust implicitly on the road network.

In short, the network protects itself from the users, and the users are responsible for establishing their own end to end security solution. There is no "In God we trust" going on here that I can tell, nor is there any "this side up," when it comes to trust over the Internet, the telephone, or public roads. I'm having a tough time seeing what could be upside down.

Dear Himadri,

Thank you for your citation. That paper does not cite trust and OSI does not provide an environment where trust can be communicated. As said before [1], "OSI is a Beautiful Dream, and TCP/IP is Living It.” We use TCP/IP, and we made changes to OSI long ago.

In addition, the OSI model can be seen as too restrictive for efficiency and security, requiring layers that actually have not been used, attractive as the may look to theoretical approaches, and layers that have to be mixed to work.

Especially, in cybernetic terms, the OSI model maps poorly to computers viewed as communication devices, compared to human functions, to functions that include explicit trust, and the existence of necessary, distributed redundancy and diversity to combat noise.

Cheers, Ed Gerck

[1] Einar Stefferud, http://nma.com/papers/InternetParadigm.pdf

Dear Albert,

Thank you for your extensive comments. However, the Internet is fundamentally different from other common carriers. This is the topological difference that invites new solutions and prohibits others. Here, topology sets the stage that communication follows, not the other way around. The same happens in Physics, even in quantum mechanics.

An internet is a network of networks. The Internet is just a case of it. As a network of networks, an internet has no center and is mathematically open To any point, even "at the edge", you can define an open neighborhood, with any number of other open points.

An iternet, because it has no center, also does not make sense of talks of an "edge" or a "far way" point. We all share the Internet, friends and foes alike. The Internet is not a "cyberspace " but a point -- we all share the same point. To think one has a key to "close" the internet is a key to the midway, a wrong assumption that can give people a false sense of security, a firewall that would work for any threat.

The real-world we live in is much more complex than a common carrier; you often visit your bank online that, however, is in entirely in your local disk cache. Or, as net neutraility defenders want it, in a a cache at your ISP.

Imagine, how do you trust that the site you see is the current, actual site, unless you have --at your free choosing -- diversity and redundancy? The Tenth Theorem by Shannon guarantees you cannot.

Cheers, Ed Gerck

Dear Albert and all,

RG is experimenting again in imposing a no "edit" option in science postings, just "delete". Therefore, I am using this space to edit my last post to Albert, which also shows how persistent posters have to become even more persisting in RG. Of course, this could be easily changed back by RG to allow "edit", which shows the point.

When you read, in my last post, "Or, as net neutraility defenders want it, in a a cache at your ISP.", which has a double-meaning, you should understand it as saying, "Or, as net neutrality defenders insist on warning against, your bank could just live in you ISP cache."

This correction tell us why NOT having net neutrality can not only be bad, can be undetectably bad. Provably, not a good idea. It is not a matter of opinion, nor a choice available. That is one of the reasons the Internet model has to change, to conform better to the real-world, to model fair business interactions, to consider the threats, and the trust that makes it all work.

.

Cheers, Ed Gerck

Ed, I'm really not following some of what you write. I do not see why you say that the Internet is different from many other common carriers, which also have no center. Take the telephone or the road networks, which also have no "center," and which have edges, just as the Internet does. Topologically, these are very similar to the Internet and the ISP networks that tie in.

The concept "network of networks" is described pretty well in RFC 1180, old but it explains the topology, and it explains what "networks" are being tied together. I've attached it here.

Certainly there are edges. The edges are where your computer connects, where web site servers connect, where your business's enterprise network connects. Any time you see a device connected to an ISP network, through which packets do not flow, you are at an edge device. Just as businesses and homes connect to the edges of the road network. Roads don't go through your home, right? The home connects to the road from a driveway, or a front door. It doesn't mean there has to be a "center." "Far away" simply means topologically distant, if not necessarily geographically distant. For example, how many routers have to be traversed, to go from point A to point B. It's not a problem. Roads work the same way.

And I do not believe that net neutrality defenders want your bank's servers to be cached in a mirrorored server in your ISP, NECESSARILY. Net neutrality defenders simply want, as I do, that the ISP does not determine what packets I can send, to what destination, across the Internet. If I want to reach the bank of my own choice, and that bank has no mirrored server in my ISP's network, who cares? The ISP network simply forwards the packets across its border router(s), possibly through an interexchange carrier network, and then into the ISP network to which the bank's servers connect. Net neutrality, just like telephone system neutrality which has been guaranteed in the US, beginning in 1906, means that the network infrastructure must be transparent. It's that simple. Telephone companies have to interconnect with all other telephone companies, and they must allow people to call anyone else, either within your own telephone company or on other networks. That same concept applies to Internet service providers.

Not having net neutrality is likely to change the nature of your Internet service into something more similar to a cable TV system. Your ISP would determine which web sites you can browse to, it would entirely block some, it could charge different amounts for access to different web sites, the ISP can offer fast service for some sites that it prefers, and very poor service for sites it does not prefer, it could even totally isolate your ISP network from other ISP networks. Just like cable TV companies do not tie into each other. Not having a net neutrality guarantee might change nothing at all, or it could change everything. That's entirely up to your ISP. Only the ISPs stand to benefit, from no net neutrality guarantees. Certainly not users, certainly not Internet businesses either.

And as to trust, there are very many options for implementing security, at any of the OSI layers. I don't think you can make the case that there is only one model, and that this one model is flawed. There are just too many options!

Hello Albert,

Let me go by parts, and answer first you first paragraph. After my answer, you hopefully can answer yourself your other questions.

Einar "Stef" Stefferud was an early visionary of the Internet. I will quote him not because he was a dear friend, but mainly because he was active in ARPA/NSF/IETF DARPA Internet research and development since 1975! He was involved in pre-standards work for X.400/X.500 in the International Federation for Information Processing (IFIP) WG 6.5, and post-standards profiling in the National Institute of Standards and Technology OIW. He was involved in the US ANSI OSI Registration Authority; the US National Mail Transfer Service Interest Group (USMTS) and the IETF (Internet Engineering Task Force) where he has been involved with email standards development (e.g. MIME, SMTP Extensions and MHTML). He was Chair of IFIP Working Group 6.5 on Upper Layer Protocols, Architectures and Applications (ULPAA) from 1990 to 1996. He served as Chair of the 1988, 1990, 1992, 1994 IFIP WG 6.5 ULPAA Conferences. [1]

Stef wrote earlier what will become my reply to you, so I just have to quote him:

So I now see that all my previous talk about the Net being edge controlled needs to be revised in some new framework. In short, the Internet does not really have a center or edges. It only has connection points, each of which can be connected to any other such connection point for the purpose of packet exchange. One reason that the Internet does not have an edge (as I just realized) is that at any termination connector, it is possible to extend the Net beyond that point by relaying packets, or by relaying messages, via dial-up modem, FAX or printer, or word of mouth, for that matter. So we suddenly discover that we cannot define any edge of the Internet. [2].

Cheers, Ed Gerck

[1] https://en.m.wikipedia.org/wiki/Einar_Stefferud

[2] https://www.researchgate.net/publication/286459650_Trust_as_Qualified_Reliance_on_Information_Part_I

Parenthetically, as long as we're dropping names, Vinton Cerf, one of the true, undeniable "fathers of the Internet," strongly favors net neutrality.

Ed, just in the matter of topology and edges, never mind trust for now, just because topology can change, by adding links, does not mean that edges don't exist. In this regard, the Internet (an interlinking of any number and types of local networks) is truly no different from the road network.

Take for example a neighborhood of residences. Sometimes, the neighborhood ties into the municipal roads through only one interface. This is especially obvious in "gated communities," where access is through a single, guarded gate.

That gated community is at the edge of the municipal road network. Municipal traffic does not flow through the gated community, by design! Now, let's add a second and third gate into the neighborhood. As long as through-traffic is still forbidden, for security reasons in this case, this neighborhood remains at the edge of the municipal road network. It becomes a multiple access edge system, in the municipal road network. (There are exact analogies here to computer networks, where the municipal road network in the example might be analogous to an ISP network. In turn, this municipal road network ties into the state roads and interstate freeways, to allow traffic between cities. This combination can be thought of as equivalent to the Internet.)

Now, sure, the gates to this gated community can be removed. The roads within that previously-gated community will no longer all be at the edge. Through-traffic will be possible now. And yet still, individual homes or apartment buildings will be at the edges, because presumably, municipal road traffic will not flow through the parking lot or garage, of each house or apartment building.

That's exactly how the Internet, and access networks into it, are architected. Virtually ALL home networks, and also corporate enterprise networks, are at the edges of ISP nets and of the Internet. They are analogous to the gated communities in the road network. By design. Sure, topolgies can change, but edges typically remain. They may not HAVE to remain, in the sense that every single computer that ties into an ISP network could, in theory, be configured as a router, connected to two different ISP networks, and Internet traffic could in theory be allowed to flow through each user's computer. But that is by no means the general case. It is not how ISP networks and the Internet are architected.

Yes, there are special types of networks, like MANETs (mobile ad-hoc networks), where this sort of concept applies, but in localized areas only. The MANET itself would usually be at the edge of the Internet or ISP network, not routing Internet traffic through potentially every host.

In ISP networks, the routing protocols which build the routing tables are generally known as "interior gateway protocols," or IGP (e.g. OSPF, ISIS, RIP). ISP networks in turn connect to the Internet through edge routers, which use "border gateway protocols," or BGP. Emphatically a hierarchical structure, in other words. This concept of edges also applies to LANs themselves. That's why individual ports of Ethernet switches may be "edge ports" or "trunk ports." Just as OSPF, ISIS, or RIP, determine whether a router is at the edge or in the network core, the Spanning Tree Protocol or Rapid Spanning Tree Protocol determine, in that particular LAN topology, whether a switch port is an edge port or not. Edge ports are those switch ports THROUGH which traffic does not flow. Not unless you deliberately change the topology, by adding links.

This discussion of architecture is essential, to understand net neutrality. The whole discussion of net neutrality would make no sense without an understanding of the topologies involved. Net neutrality forbids ISP networks from becoming "gated communities," allowing through only the traffic that they prefer. Net neutrality mandates that ISPs treat all Internet traffic equally. If a particular user of an ISP wants to establish a session with some server on a different ISP network, or wants to send an e-mail to some user on another ISP network, perhaps even in a different country, net neutrality mandates that user's ISP to carry the traffic, unimpeded! No blocking, no throttling, no special tarrifs.

Hello Albert,

I also favor net neutrality, so I liked you favor it too. We agree on this part.

But that calls for stronger controls at the user level, as I am suggesting, not by some mythical "fair" agent or ISP. At the end, we here think that the Internet cannot be controlled-- exactly by the topological reasons I mentioned. It seems you need to follow this subject ontologically, not hierarchically. The Internet is not hierarchical, although it may look so. Let's have others chime in, as they may want, in this discussion.

But net neutrality calls for more user controls, so the next days should also bring more arguments on this side of net neutrality. Price may be one of them, but people should eventually abandon more restrictive networks, for example, by encryption, and embrace net neutrality.

Cheers, Ed Gerck

Yes, I completely agree with you that the Internet needs "strong controls at the user level," for example, to establish trust. It has always been the case. See for example, RFC 4301, which describes the "security architecture" for IPsec, a network layer security protocol (layer 3). You do not rely on the ISP network for trust. At the same time, the ISP network also does not rely on the users, for its own well-being. It must protect itself from the users.

And individual ISP networks also protect themselves from other ISP networks. This is what I was trying to say before. Every entity has to protect itself, which is why I find it difficult to understand what might be "upside down." There is no "right side up."

Not sure how net neutrality requires more "user controls," unless you mean for such items as establishing "trust." As always, trust for users has to be end to end, as described in RFC 4301. The responsibility for secure communications lies entirely with the user devices. Net neutrality doesn't change that.

But Internet addresses, which reflect topology, are quite definitely hierarchical. They contain prefix bits and interface ID bits. An individual ISP network may be assigned any number of prefixes, from regional registries, which the ISP then subdivides into separate subnetworks, as needed, to connect to all of the subnets the ISP supports. For IP version 6, you might want to refer to RFC 4291, which describes the hierarchy of the address space. For IP version 4, there are fewer address bits (32 bits in IPv4, 128 bits in IPv6), but the hierarchy works the same way. The prefix "length" in effect changes, becomes longer, as your aggregated paths become split, the closer you approach the edge of the ISP network. So, from the perspective of a border gateway, an individual ISP may seem to have n separate prefixes assigned to it. But then inside that ISP network, the n prefixes become subdivided many different ways, as the ISP sees fit. The end users will be given an address prefix which is quite a bit longer than what the border gateway thinks is an address prefix.

The Internet is most definitely not a flat address space, and not a flat architecture. A flat architecture would require each host, or perhaps each router, to list an individual route to every other device on the internet. Does not scale well at all. Individual LANs work that way, with their non-hierarchical 48-bit MAC addresses, but that's NOT how Internet addressing and routing work.

Hello Albert,

You wrote, "Not sure how net neutrality requires more "user controls," unless you mean for such items as establishing 'trust'."

Supporting trust is one reason. But 'net neutrality' has indeed other reasons to require more "user controls".

For example, it has to prevent the injection of false-flag certificates by the US NSA or rogue nations, which act 100% on non-user levels, at a server. Or, prevent false routing of the DNA. I frequently receive emails from myself that I never sent, or see "correct" emails from others that were, nonetheless sent while they were out of the Internet -- which is not naively detectable.

Cheers, Ed Gerck

Ed, I agree that an open and neutral Internet places a greater burden of security on every component part. So yes, greater burden on the network to protect itself, such as routers to protect their routing tables from being hacked, a greater burden on infrastructure servers to proect themselves, and a greater burden also on individual hosts, to protect themselves from dangerous or unwanted messages. For example, virus protection is primarily the responsibility of each user device, as it is also the reponsibility of each individual network router.

As to the e-mails you receive "from yourself," this is the spam problem that has infected the Internet for some time. Your ISP does attempt to filter out much of that nuisance e-mail, and your own e-mail client app should also have spam filters. In the US, there is a similar problem on the voice telephone networks, wired and cellular. Unsolicited advertizing messages pushed to people's e-mail, and unsolicited commercial calls made to people's telephones. Ultimately, it is up to individual users to decide whether they want to accept such unsolicited advertizing. E-mail clients should give the user access to what filters are being applied.

Hello Albert,

Of course, when the spammer matches the user filters to PASS, also in the user device, the user gets the spam! And people may prove to be NOT on the Internet on a machine, and at the same machine can send an email AS on the Internet, which I also described. The Internet is a network of networks, no matter your not acceptance of it. You can study more, may be helpful on your job, or at least for discussions on RG. It is not enough to know the words, but what they mean.

Cheers, Ed Gerck

Hello all,

The Internet, a network of networks that can include every corner of the planet, not just US, seems to offer an optimum rule in its basic protocols -- be generous in what you accept, but strict in what you require.

By allowing, for example, many kinds of email headers, and body, to enter the system, the email protocol then reduces that variety in what it sends, thereby reducing the tax different people impose on the sytem (even if the cost charged is zero) and provides more varieties of successfull access at the same time. In India, for example, this can allow wireless Internet access to a wider population than would be possible with landlines, maybe ever.

The current US regulation against net neutrality seems to be a step in the wrong direction, regarding this Intermet protocol rule, but both reaction and implementation will set in to reduce cost, for example by increasing variety and redundancy. There are lots of entrepreneur opportunities, to combat the new status quo, as well as an example of what does not work.

Cost, in this context, seems to play a similar role as Noise in communication systems. Noise seems inevitable, but can be reduced (Shannon 10th Theorem) to zero as closely as desired, by means of a correction channel. Noise, then, does not interfere with our communications, such as this posting, while noise surely exists here.

Perhaps a similar future can be pursued in Internet protocols mandated by countries, that backwardly try to maime its own citizens. The cost of national loss and lack of competitivity of its citzens, in being against net neutrality or encryption, for example, can become much larger than the gain in a few companies' profitability or government agencies control, as allowed by a new law.

Cheers, Ed Gerck