As a basic premise, any successful cooperative global arrangement can only succeed through the responsible actions of the parties involved.
Responsibility in a global information infrastructure depends on the ability to track actions to those responsible for them. But for freedom and integrity to flourish, there are also times when anonymity and/or pseudonymity are vital.
In this paper, we consider the issue of responsibility with anonymity/pseudonymity and propose a solution for the global information infrastructure.
As a basic premise, a cooperative global arrangement can only succeed through the responsible actions of the parties involved. A small amount of irresponsibility may be tolerated without a harsh response and internal irresponsibility within a sovereign nation may be left unchallenged by other nations, but eventually, irresponsibility leads to the erosion of trust and the destruction of the cooperative arrangement. Any global infrastructure that doesn't provide a means for assuring responsibility is destined to failure.
This statement may seem to fly directly in the face of the recent history of the Internet. In fact, it does not. The Internet thrived throughout most of its history because it was used and operated by very responsible individuals. But as increasing numbers of people with less than stellar behavior have gained access to the Internet, large portions of the Internet's membership have moved away from the system of trust, providing firewalls, going to private intranets, and building alternative network infrastructures.
Responsibility in a global information infrastructure depends on the ability to track actions to those responsible for them. But for freedom to flourish, there are also times when anonymity and/or pseudonymity are vital. The classic dilemma comes when we consider that, without anonymity, oppressive governments may track down the sources of all dissident speech in the electronic venue; while anonymity without risk leads to irresponsible fabrications and attacks, as are common in the Internet today. (1) The lack of responsibility in the current Internet commonly results in spamming of individuals by signing them up to hundreds of mailing lists, getting thousands of people to try to access a site for services it does not provide, (2) and getting other sites falsely accused of launching attacks they had nothing to do with. And yet, the Internet is also used to publish information that is otherwise suppressed by oppressive governments. Without anonymity or pseudonymity these efforts to provide for the free and open exchange of information would likely result in the death of the authors.
To claim that one of these results is better than the other is naive. We need both responsibility and anonymity in order to achieve open exchange of reliable information.
In this paper, we suggest one possible way to meet this challenge. Our technique uses audit trails to associate responsibility for actions while providing anonymity and pseudonymity via responsible intermediaries.
The basis of our solution is to provide audit trails as a matter of course with every packet transmitted through the global information infrastructure. In cases where anonymity is desired, a responsible party provides it.
When we say responsible in this context we mean to say that the party providing anonymity assumes responsibility for the party they provide anonymity to. In the case of criminal prosecution, they risk being treated as an accomplice, while in a civil suit, they may be held liable just as a publisher may be held liable for publishing a book with instructions on how to commit murder. Anonymity is provided in much the same way as a newspaper reporter provides anonymity. The reporter cites unnamed sources. The courts may hold the reporter responsible for the content, but the anonymity of the source is essentially guaranteed so long as the person providing anonymity refuses to provide the necessary information to track the source.
Just as in the case of a newspaper reporter, the person who provides anonymity may be subject to civil and criminal penalties. Unlike most newspaper reporters, since an anonymity server may be set up to prevent tracing harmful acts (not just words), the party taking responsibility may also be charged with crimes related to the results of the actions they anonymize.
The audit mechanism is simple and basic. Every node appends to each packet the address of the node it got the packet from. As a result, the complete path between the original source and the current node is available to each node in the packet's path. This requires little overhead or added circuitry and requires no other changes to the operation of most existing network protocols.
If a node's owner wishes to provide anonymity, all they have to do is cause their node to remove the previous audit trail, making their node into the apparent source of the packet. The rest of the infrastructure will then provide the necessary audit records to assure that the packet can be traced back step-by-step to the party that chose to take responsibility for it. Note that anonymity implies the ability to track the packet back to the service that provides the anonymity, called the responsible party. Let's look at some examples:
The issue of responsibility does not end with computers. In order for responsibility to work, it is also necessary for individuals (whether corporate or human) to be associated with nodes. In the case of corporate responsibility, current human contact information is necessary in order for responsibility to work. If the human being responsible for a packet cannot be contacted, the network as a whole must have a way to sever the information sources associated with that node. Otherwise, as is sometimes the case today, those who are administratively responsible simply ignore complaints.
We will use IPv6 (4) as an example of how audit trails could be added to an information infrastructure to provide for responsibility and anonymity.
The current IPv6 proposal lays out a packet that looks like this:
Item | bits | default |
Version | 4 | 0110 |
Priority | 4 | 0000 |
Flow Label | 24 | n/a |
Payload Length | 16 | n/a |
Next Header | 8 | n/a |
Hop Limit | 8 | 32 |
Source Address | 128 | n/a |
Destination Address | 128 | n/a |
Option 1 | n1 * 64 | empty |
Option ... | n ... * 64 | empty |
Payload | Payload Length * 64 | n/a |
Delivery is on a best effort basis with all nodes attempting to deliver all packets to the destination address. Since there is no requirement to examine the source address or any other packet component in the routing process (with the exception of the rarely-used and optional source routing protocol) the routers designed for IPv6, just as those already in place for IPv4, are almost certain to provide little or inadequate support for making routing decisions based on source address or other packet fields.
To add responsibility audit trails to this protocol requires only incrementing Payload Length by 2 and appending a 64-bit address field to each packet at each intervening node. Including the normal reduction of Hop Limit by one for each hop, here is the new packet generated by each intervening node:
Item | bits | default |
Version | 4 | 0110 |
Priority | 4 | 0000 |
Flow Label | 24 | n/a |
Payload Length | 16 (add 2) | n/a |
Next Header | 8 | n/a |
Hop Limit | 8 (subtract 1) | 32 |
Source Address | 128 | n/a |
Destination Address | 128 | n/a |
Option 1 | n1 * 64 | empty |
Option ... | n ... * 64 | empty |
Prior Payload | Payload Length * 64 | n/a |
From Address | 128 (added) | n/a |
The overhead for network routers is very small. Incrementing the Payload Length field by two is easily done in hardware just as the reduction of Hop Limit is currently done. Adding the From Address of the packet source is also simple to do, especially for most network routers which have static connections to one other router for each hardware interface.
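The following simulation is an added example, not code from the paper. It models the per-hop mechanism described above on packets laid out like the table (Payload Length counted in 64-bit words, a 128-bit From Address appended per hop), together with a responsible party that strips the trail and an organisation firewall that rewrites internal records into its own name space. Node names and the pseudonym mapping are constructed stand-ins for real addresses.

```python
from copy import deepcopy

ADDRESS_WORDS = 2  # one 128-bit From Address is two 64-bit words

def make_packet(src, dst, payload_words):
    """Packet as emitted by the original source: no audit records yet.
    Payload Length is counted in 64-bit words, as in the table above."""
    return {"hop_limit": 32, "src": src, "dst": dst,
            "payload_len": payload_words, "trail": []}

def forward(packet, prev_hop):
    """Ordinary node: append the address it got the packet from,
    add 2 to Payload Length and subtract 1 from Hop Limit."""
    if packet["hop_limit"] == 0:
        raise ValueError("hop limit exhausted; packet dropped")
    pkt = deepcopy(packet)
    pkt["hop_limit"] -= 1
    pkt["payload_len"] += ADDRESS_WORDS
    pkt["trail"].append(prev_hop)
    return pkt

def anonymize(packet, responsible_party):
    """Responsible party: discard the trail so that it becomes the
    apparent source. Downstream nodes record it as the From Address."""
    pkt = deepcopy(packet)
    pkt["hop_limit"] -= 1
    pkt["payload_len"] -= ADDRESS_WORDS * len(pkt["trail"])
    pkt["trail"] = []
    pkt["src"] = responsible_party
    return pkt

def pseudonymize(packet, prev_hop, pseudonyms):
    """Organisation firewall: record the internal hop like any node, then
    rewrite internal addresses into the organisation's own name space
    (pseudonyms is a constructed private mapping the firewall keeps)."""
    pkt = forward(packet, prev_hop)
    pkt["trail"] = [pseudonyms.get(a, a) for a in pkt["trail"]]
    pkt["src"] = pseudonyms.get(pkt["src"], pkt["src"])
    return pkt

def trace(packet, receiver):
    """Path as seen by the receiving node: trail entries run from the
    apparent source to the last hop; the receiver completes the path."""
    return packet["trail"] + [receiver]

def run_paths():
    """Three constructed paths; node names stand in for IPv6 addresses."""
    plain = forward(forward(forward(make_packet("S", "D", 1), "S"), "R1"), "R2")
    anon = make_packet("S", "D", 1)
    anon = forward(anon, "S")                 # arrives at R1
    anon = anonymize(anon, "A")               # A takes responsibility
    anon = forward(forward(anon, "A"), "R2")  # R2, then D
    pseud = pseudonymize(make_packet("H", "D", 1), "H", {"H": "org-user-17"})
    pseud = forward(forward(pseud, "FW"), "R")  # R, then D
    return {"plain": trace(plain, "D"), "plain_len": plain["payload_len"],
            "anon": trace(anon, "D"), "anon_len": anon["payload_len"],
            "pseud": trace(pseud, "D")}
```

The anonymised packet can be traced only as far back as A, and the organisation's packet only to the pseudonym the firewall took responsibility for.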
The increased packet size will have some bandwidth impact. For example, it is common in today's Internet to have 10 to 12 intermediate nodes in a global communications link. To keep this in perspective, an empty packet could easily have its size increased by a factor of two by this mechanism. But we must also consider the changing nature of communication in considering the impact of such a mechanism on a global information infrastructure:
Using a two-part protocol based on wire numbers instead of IP addresses we can attain a further improvement in bandwidth. In this scheme, we append just enough bits to the end of each packet at each router to indicate which wire the information came from. In most routers, this adds only two or three bits of information to the packet. A counter must also be used in the appended bytes to keep track of where the end of the list of bit codes is. The second part of the protocol in this case is a protocol that translates a wire-number sequence into a list of IP addresses. This protocol reduces the overhead of adding audit information by about a factor of 8 and provides a way to verify that each packet has taken an identical route without carrying the IP address details in band. The tracing protocol can then be provided as a network service providing any desired visibility into a network based on the anonymity functions described earlier. For example, an Internet Service Provider might provide a single number indicating the location of the other end of the provider's infrastructure rather than providing complete routing details of their network. Turning off the pseudonymity function on a case-by-case basis can provide additional detail for customers requiring the added service.
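As an added illustration (not the paper's code) of the two-part wire-number protocol: each router appends only the number of the interface the packet arrived on, using as many bits as its own interface count requires, plus a running entry count; the translation step then walks the trail backwards, consulting each router's own interface table in turn. The topology, wire numbers and node names are constructed.

```python
# Constructed topology: router -> {wire number: neighbour on that wire}.
TOPOLOGY = {
    "R1": {0: "X", 1: "Y", 2: "S"},
    "R2": {0: "Z", 1: "R1", 2: "R3"},
    "R3": {0: "W", 1: "V", 2: "U", 3: "R2", 4: "D"},
    "D": {0: "LAN", 1: "R3"},
}

def width(router):
    """Bits a router needs to name one of its wires (1, 2 or 3 here)."""
    return max(1, (len(TOPOLOGY[router]) - 1).bit_length())

def wire_of(router, neighbour):
    """Interface number on which `router` is attached to `neighbour`."""
    for wire, node in TOPOLOGY[router].items():
        if node == neighbour:
            return wire
    raise KeyError(f"{neighbour} is not attached to {router}")

def append_wire(trail, router, prev_hop):
    """Receiving router appends the number of the wire the packet came in
    on. The trail is (bit string, entry count); the count is needed
    because routers use different widths, so the end of the list is
    not otherwise recoverable."""
    bits, count = trail
    code = format(wire_of(router, prev_hop), f"0{width(router)}b")
    return bits + code, count + 1

def audit_path(path):
    """Send a packet along `path`; every node after the source records."""
    trail = ("", 0)
    for prev_hop, node in zip(path, path[1:]):
        trail = append_wire(trail, node, prev_hop)
    return trail

def resolve(trail, receiver):
    """Translation protocol: walk the trail backwards from the receiver.
    Each step asks the current router which neighbour sits on that wire,
    so only that router's own table is consulted, never a global one."""
    bits, count = trail
    node, path = receiver, [receiver]
    for _ in range(count):
        k = width(node)
        if len(bits) < k:
            raise ValueError("trail shorter than its entry count")
        bits, wire = bits[:-k], int(bits[-k:], 2)
        node = TOPOLOGY[node][wire]
        path.append(node)
    return path[::-1]

def overhead_bits(trail, address_bits=128):
    """Bits carried by the wire-number trail versus full addresses."""
    bits, count = trail
    return len(bits), count * address_bits
```

The four-hop path costs eight bits of trail (plus the counter) instead of four 128-bit addresses, and resolving it requires each router to reveal only its own wire-to-neighbour mapping.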
It is important to note that protocols such as IPv6 have some significant built-in protection features. Both authentication and encryption are mandatory elements of an IPv6 implementation. Each of these mechanisms provides the means to detect and prevent both intentional and accidental corruption or leakage of information passing between communicating parties. In contrast, the audit mechanism described here does not, in itself, prevent or detect anything. This contrast is very important, for while the current protection mechanisms are very effective in preventing certain classes of attacks, the audit mechanism is very effective in tracking attacks to their source and providing evidence in support of subsequent action.
It is often said that the best deterrence is rapid and certain punishment. Although encryption and authentication provide the means to defend against many attacks, they are imperfect defenses, they don't provide defense against host-based attacks, and they don't provide any means for tracking down attackers. With only these defenses in place, attackers can try to attack systems any number of times with relative impunity. Given enough tries and an imperfect defense, it may only be a matter of time before attacks succeed. With an audit mechanism such as the one proposed here, detected attacks can be tracked to their sources and the responsible parties can be held responsible for those attacks.
Another substantial limitation of encryption and authentication is that they are only effective as defenses against malicious attacks if a prior arrangement exists either between the parties to the transaction or between those parties and trusted other parties. In a global information infrastructure such as the Internet, it is vital that legitimate communications be permitted between arbitrary sets of parties without prior arrangements. Anything less is counter to the goal of such an infrastructure.
With content-based vulnerabilities in open access systems (5) the only method available today that can reliably be used to track down attackers is auditing. Since it takes a considerable amount of time to update millions of systems that may have a newly discovered vulnerability, we can only prevent further attacks by tracking down and stopping attackers. If we do not, they exploit system after system as long as the vulnerability persists, share their knowledge with other attackers, and expand the attack. (2)
This audit-based solution is similar to standard practice in process tracking and control systems and is essentially the same as the audit processes that occur within most timesharing systems and workstations. It is only new in the sense that it adds audit trails to the network rather than only applying them end-to-end or process-to-process.
This solution only works if anonymity is the exception rather than the rule. If every site provides anonymity (as they do today), the concept of common carrier will be used (as it is today) to exempt every node from responsibility. We will have anonymity, but no way to assure responsibility. By making responsibility the default, we can still provide anonymity when it is important, but by making anonymity the default, we make assured responsibility at the infrastructure level very difficult.
In today's Internet, service providers commonly use reverse DNS lookup to detect IP address forgery before servicing each TCP request. (7) Similarly, the process of tracing an attack to its source often involves the use of traceroute, a process that uses the Hop Limit or similar field to create a sequence of error returns in order to try to trace a packet to its source. (8) With the new audit mechanism in place, these and other similar traceback functions are no longer necessary.
Without some sort of built-in and widely used responsibility mechanism, we cannot differentiate between trusted and untrusted sources, nor can we reliably refuse to deal with parties unwilling to take personal responsibility. There are many schemes for assuring that only trusted parties can communicate, but these schemes seem to leave out a fundamental goal of a global information infrastructure: the ability for anyone to communicate with anyone else without any prior arrangement.
To claim that it is enough to make such mechanisms available on an as-needed or ad hoc basis for those who wish to exercise them is naive. Such mechanisms are available today in the Internet and they are not effective precisely because they are not universally used. Indeed, the routers that comprise the backbone of the Internet are not even designed to eliminate packets that are explicitly forbidden in the IPv4 protocol.
Furthermore, the social environment resulting from the design of the IPv4 protocol and the RFCs that define it, is one in which anonymity is essentially guaranteed and responsibility is easily avoided. Those who are irresponsible commonly hide behind the RFCs, asserting (in essence) that the Internet was designed to allow people to be irresponsible.
In today's Internet, special network protocols are used to update network routing tables to reflect routes from place to place. This takes time and effort and is susceptible to IP address forgery and similar attacks. The responsibility technique described here provides information that could be used for normal routing table updates in each network packet. By using the audit trail to update routing tables and to verify the source of routing update information, the entire infrastructure becomes less susceptible to attack, and attacks can be rapidly and automatically tracked to their source.
There is also a legitimate need for firewalls that protect individuals and organizations from each other to provide pseudonymity or anonymity for traffic passing through them. This responsibility method can be used to create pseudonyms by having the firewall replace audit records with pseudonymous records within the organization's name space. In this case, the organization takes responsibility for the actions and information that it passes.
This audit mechanism is also very useful in eliminating and tracing indirect attacks and attacks involving break-ins. For example, in the Internet today, an attempt to trace a forged packet would require cooperation between all of the possible intervening nodes. Each would have to have audit records of all packets and these audit records would have to be cross-matched in order to determine an actual source. In practice, this is infeasible. To trace an attack exploiting weaknesses in intermediate nodes requires cooperation of intermediaries that grows exponentially with the number of steps in the attack. This has been done for high-intensity DCAs, but it involves contacting several thousand intermediaries for each step in the traceback and produces an exponential growth in the number of contacts as the degree of indirection increases. Again, this process would be far easier and faster if adequate audit trails were available.
This change from the normal course of business today can only be successful if it is incorporated in a widespread way into the future information infrastructure. This would normally be an almost impossible task. The only time a change of this sort can be made is when the infrastructure is changing in a dramatic way. This is the case with the pending introduction of IPv6, and thus this is an ideal time for the introduction of such a mechanism.
In American courts (as well as many courts around the world), there are rules against the admission of hearsay evidence. One example of hearsay evidence is any written or computerized record. In many systems of jurisprudence, including the US system, there is an exception to the hearsay rule for normal business records. This exception says, in essence, that records kept in the normal course of business are admissible as evidence when supported by the testimony of an expert witness as to their applicability and validity. The judge or jury then weighs them as evidence relative to other factors in making their judgments. In the case of audit trails such as those specified here, they are almost certain to be admissible as evidence simply because they are normal business records kept by the devices that operate the network. This may eliminate a lot of legal impediments to prosecution of cases, even across international jurisdictions.
At the application layer, lower-level audit trails can be added to higher-level protocols. For example, a TCP protocol could include audit records indicating the path between the original information source and the site creating the TCP session. In this way, audit trails could be used to track attacks even through intermediaries. If an attacker broke into an intermediary and launched TCP-based attacks from there, the TCP packets would include the tracking information necessary to directly indicate the source of the packets. By providing this function at the TCP level, it is possible to implement this sort of auditing without the application layer being altered at all.
The addition of audit records to networks has other advantages that are worthy of consideration. Some examples of uses of these audit trails include:
The general technique of providing audit trails in networks can be used in any sort of network. In an Ethernet environment, the Ethernet card address can be used to provide an audit trail to the board generating a message. In a telephone network, caller number ID information can be placed in an audit record to track connections through infrastructure components. The combination of these and other similar audit trails can ultimately be used to create a detailed physical path associated with information, and in some circumstances to track information to a physical source. If tracked and analyzed in real-time, such audit trails could potentially be used to locate the individual responsible for content.
This potential underscores the need for and legitimacy of anonymity in a global information infrastructure. For example, even at the height of the Cold War, nation-states were able to selectively kill defectors and other select individuals when they could locate them. The ability to physically locate those in vocal opposition to the goals of the state leads to a staggering potential for abuse. The ability to automate the process in the global information infrastructure raises very serious legal and ethical issues.
We have provided a basis for studying, understanding, and experimenting with network-level audit trails, but the real work lies ahead.