"Rethinking the design of the Internet: The end to end arguments vs. the brave new world"

Marjory S. Blumenthal
Computer Science & Telecommunications Board, NRC
mblument@nas.edu

David D. Clark
M.I.T. Lab for Computer Science
ddc@lcs.mit.edu

A version of this paper to appear in the ACM Transactions on Internet Technology

A version also to appear in Communications Policy in Transition: The Internet and Beyond, edited by Benjamin Compaine and Shane Greenstein, MIT Press, Sept. 2001

Abstract

This paper looks at the Internet and the changing set of requirements for the Internet that are emerging as it becomes more commercial, more oriented towards the consumer, and used for a wider set of purposes. We discuss a set of principles that have guided the design of the Internet, called the end to end arguments, and we conclude that there is a risk that the range of new requirements now emerging could have the consequence of compromising the Internet's original design principles. Were this to happen, the Internet might lose some of its key features, in particular its ability to support new and unanticipated applications. We link this possible outcome to a number of trends: the rise of new stakeholders in the Internet, in particular Internet Service Providers; new government interests; the changing motivations of the growing user base; and the tension between the demand for trustworthy overall operation and the inability to trust the behavior of individual users.

Introduction

The end to end arguments are a set of design principles that characterize (among other things) how the Internet has been designed. These principles were first articulated in the early 1980s, and they have served as an architectural model in countless design debates for almost 20 years.

The end to end arguments concern how application requirements should be met in a system.
When a general purpose system (for example, a network or an operating system) is built, and specific applications are then built using this system (for example, e-mail or the World Wide Web over the Internet), there is a question of how these specific applications and their required supporting services should be designed. The end to end arguments suggest that specific application-level functions usually cannot, and preferably should not, be built into the lower levels of the system -- the core of the network. The reason why was stated as follows in the original paper:

"The function in question can completely and correctly be implemented only with the knowledge and help of the application standing at the endpoints of the communications system. Therefore, providing that questioned function as a feature of the communications systems itself is not possible."

In the original paper, the primary example of this end to end reasoning about application functions is the assurance of accurate and reliable transfer of information across the network. Even if any one lower level subsystem, such as a network, tries hard to ensure reliability, data can be lost or corrupted after it leaves that subsystem. The ultimate check of correct execution has to be at the application level, at the endpoints of the transfer. There are many examples of this observation in practice.

Even if parts of an application-level function can potentially be implemented in the core of the network, the end to end arguments state that one should resist this approach if possible. There are a number of advantages of moving application-specific functions up out of the core of the network and providing only general-purpose system services there.

o The complexity of the core network is reduced, which reduces costs and facilitates future upgrades to the network.
o Generality in the network increases the chances that a new application can be added without having to change the core of the network.
o Applications do not have to depend on the successful implementation and operation of application-specific services in the network, which may increase their reliability.

Of course, the end to end arguments are not offered as an absolute. There are functions that can only be implemented in the core of the network, and issues of efficiency and performance may motivate core-located features. Features that enhance popular applications can be added to the core of the network in such a way that they do not prevent other applications from functioning. But the bias toward movement of function "up" from the core and "out" to the edge node has served very well as a central Internet design principle.

As a consequence of the end to end arguments, the Internet has evolved to have certain characteristics. The functions implemented "in" the Internet -- by the routers that forward packets -- have remained rather simple and general. The bulk of the functions that implement specific applications, such as e-mail, the World Wide Web, multi-player games, and so on, have been implemented in software on the computers attached to the "edge" of the Net. The edge-orientation for applications and comparative simplicity within the Internet together have facilitated the creation of new applications, and they are part of the context for innovation on the Internet.

Moving away from end to end

For its first 20 years, much of the Internet's design has been shaped by the end to end arguments. To a large extent, the core of the network provides a very general data transfer service, which is used by all the different applications running over it. The individual applications have been designed in different ways, but mostly in ways that are sensitive to the advantages of the end to end design approach. However, over the last few years, a number of new requirements have emerged for the Internet and its applications.
To certain stakeholders, these various new requirements might best be met through the addition of new mechanism in the core of the network. This perspective has, in turn, raised concerns among those who wish to preserve the benefits of the original Internet design.

[One particularly civil liberty oriented excerpt--]

The rise of third-party involvement: An increasingly visible issue is the demand by third parties to interpose themselves between communicating end-points, irrespective of the desires of the ends. Third parties may include officials of organizations (e.g., corporate network or ISP administrators implementing organizational policies or other oversight) or officials of governments, whose interests may range from taxation to law enforcement and public safety. When end-points want to communicate, but some third party demands to interpose itself into the path without their agreement, the end to end arguments do not provide an obvious framework to reason about this situation. We must abandon the end to end arguments, reject the demand of a third party because it does not "fit" our technical design principles, or find another design approach that preserves the power of the end to end arguments as much as possible.

Continued at: http://www.ana.lcs.mit.edu/anaweb/PDF/Rethinking_2001.pdf
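
The reliability argument from the Introduction (each lower-level subsystem can check its own hop, yet data can still be corrupted after it leaves that subsystem), shown as an added example that is not part of the paper. It models a constructed path with three relays where every per-link CRC passes while one relay's buffer damages the data, and only the digest comparison at the endpoints notices; all function names and the sample data are hypothetical.

```python
import hashlib
import zlib


def link_send(payload: bytes) -> tuple:
    """Frame a payload for one link: the data plus a CRC32 covering this hop only."""
    return payload, zlib.crc32(payload)


def link_receive(frame: tuple) -> bytes:
    """Verify the per-link CRC; raises if the link itself damaged the frame."""
    payload, crc = frame
    if zlib.crc32(payload) != crc:
        raise ValueError("link CRC mismatch")
    return payload


def faulty_buffer(payload: bytes) -> bytes:
    """Constructed fault: one bit flips while the data sits in relay memory,
    after the inbound CRC was verified and before the outbound CRC is computed."""
    damaged = bytearray(payload)
    damaged[0] ^= 0x01
    return bytes(damaged)


def transfer(data: bytes, relays) -> tuple:
    """Carry data over len(relays) + 1 links; return (received, link_checks_passed)."""
    checks_passed = 0
    frame = link_send(data)
    for relay_buffer in relays:
        payload = link_receive(frame)             # hop-level check succeeds
        checks_passed += 1
        frame = link_send(relay_buffer(payload))  # new CRC covers whatever is in memory
    received = link_receive(frame)
    checks_passed += 1
    return received, checks_passed


def end_to_end_ok(sent: bytes, received: bytes) -> bool:
    """Application-level check: the endpoints compare digests of the whole object.
    Assumes the sender's digest reaches the receiver intact."""
    return hashlib.sha256(sent).digest() == hashlib.sha256(received).digest()


if __name__ == "__main__":
    original = b"constructed sample file contents"
    healthy = lambda p: p
    got, passed = transfer(original, [healthy, faulty_buffer, healthy])
    print(f"link checks passed: {passed}, end-to-end intact: {end_to_end_ok(original, got)}")
```

An unkeyed digest like this detects accidental corruption only; it does not authenticate the sender or resist a party that can rewrite both data and digest.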