Trust Zones: A Path to a More Secure Internet Infrastructure

We propose a path to measurably improve a particular set of Internet infrastructure security weaknesses. By Internet infrastructure we mean the Internet as a packet transport architecture: the transport/network layer protocols (TCP/IP), the Internet routing protocol (BGP), and the naming protocol (DNS). Higher-layer security threats – such as malware, phishing, ransomware, fake news and trolling – get enormous media attention. But the less publicized security concerns with the Internet as a packet transport layer can, and sometimes do, destabilize the foundation on which all higher-level activities occur, and facilitate execution of higher-layer malicious actions. It is the foundational nature of the packet transport layer that motivates our focus. The insecurity of the Internet infrastructure poses a threat to users, businesses, governments, and society at large. As a further point of concern, many of the known security flaws in these systems have persisted for decades. Insecurity persists for five entangled reasons: lack of agreement on appropriate protective measures; misaligned incentives and negative externalities; inability for relevant actors to coordinate actions—especially across national boundaries; the generality of the Internet as a service platform, which allows malicious actors great fluidity in their attacks; and information asymmetries that leave those who need to act without sufficient knowledge to inform planning and execution. While many of these considerations can apply to security challenges more broadly, the generality of the Internet, the tensions among the different sets of private-sector actors, and the lack of any effective mechanism for high-level direction-setting compound the problem. We do not imagine that we are going to make the Internet “secure”, if by that we mean free of risk. Risk is a part of living, and the Internet experience will be no exception. Our goal should be to reduce the risk to the level that users are not fearful of using the Internet, while preserving the core benefits of the Internet—the freedom from unnecessary constraint. The call for better security is aspirational. Any serious attempt to improve security must begin by defining it operationally: breaking the problem into actionable parts; carefully studying the constraints, capabilities and incentives of the relevant actors; analyzing the merits and practicality of different approaches; and developing a strategy to achieve sufficient consensus to motivate progress. These steps are part of any serious system security analysis; our goal is to apply this line of reasoning to the Internet infrastructure layer.