The Physical World and the Real World
Most of us rely on the Internet for news,
entertainment, research, communication
with our families, friends, and colleagues, and myriad other purposes.
What if it went away?
Precisely that happened to many people in early
February, in the wake of the failure of several
undersea cables. According to some reports, more
than 80 million users were affected by the outages.
Both the initial failure and the subsequent recovery
have lessons to teach us.
The first lesson, of course, is that failures happen. In fact, multiple failures can happen. Simply
having some redundancy may not be sufficient;
one needs to have enough redundancy, and of the
right types. In this case, geography and politics
made life more difficult.
The geographical issue is obvious when viewing
the region on a map: there aren’t many good
choices for an all-water route between Europe and
the Persian Gulf or India. And despite this series
of events, cables are generally thought to be safer
on the seabed than on land. (There is a standing
joke in the network operator community, the
essence of which is that you should bring a length
of fiber-optic cable with you when going hiking in
the wilderness. If you get lost, throw it on the
ground. A backhoe will soon show up to sever it;
ask the driver how to get home.)
The obvious answer is to run some backup
cables on land, bypassing the chokepoint of the
Red Sea. Again, a glance at the map shows how
few choices there are. Bypassing the Red Sea on the
west would require routing through very unstable
countries. An eastern bypass would require cooperation from mutually hostile countries. Neither
choice is attractive.
From this perspective, it doesn’t matter much
just why the cables failed. Cables can be cut by ship
anchors, fishing trawlers, earthquakes, hostile
action, even shark bites. Regardless of the cause,
when so many cables are in such a small area, the
failure modes are no longer independent.
PAUL WATSON
For this problem, there are no good solutions.
Anyone whose business depends on Internet connectivity through this region must take this into
account.
The dangers aren’t only physical, as several
recent incidents will attest. The last few months
have also shown that a 1999 National Research
Council report was quite correct when it warned of
the fragility of the routing system and the domain
name system used for the Internet.
In one highly publicized incident, a routing
mistake by a Pakistani Internet service provider
knocked YouTube off the air. There was a lot of
speculation that this was deliberate—the government of Pakistan had ordered You Tube banned
within the country; might someone have tried to
“ban” it globally?—although later analysis
strongly suggests that it was an innocent mistake. An outage affecting such a popular site is
very noticeable; there was a great deal of press
coverage. By contrast, when a Kenyan network
was inadvertently hijacked by an American
Internet service provider, there was virtually no
notice. Quieter, deliberate misrouting—say, to
eavesdrop on traffic to or from a small site—
might go completely unnoticed.
The DNS-related incidents are scarier because
they do reflect deliberate actions, with the force of
the U.S. legal system behind them. In one case,
the Wikileaks.org Web site was briefly deleted
from the DNS by court order, because a bank
claimed the site contained stolen documents. (The
site owners had apparently foreseen something like
that, and had registered other names for the site in
other countries: the .org registry is located in the
U.S.) In a second incident, a U.S. government
agency ordered the names of some non-U.S. sites
removed from .com (again, located in the U.S.)
because they violated the embargo against Cuba.
What can we learn from these incidents? The
moral is simple: the Internet is a lot more fragile
than it appears. Most of the time, it works—and
works very well—without government interference,
routing mistakes, or outages due to occasional
fiber cuts. Sometimes, though, things go badly
wrong. Prudence dictates that we plan for such
instances. c
STEVEN M. BELLOVIN ( smb@cs.columbia.edu) is a professor of
computer science at Columbia University.