Disappearing Act

Sun Engineer Radia Perlman Makes Technologies Transparent

By Al Riske, 8.Feb.05

Radia Perlman is intent on replacing one of the most widely used technologies on the Internet, even though it's something she invented. Known as the spanning-tree algorithm, the technology is an integral part of the bridges and switches that route network traffic from point A to point B. It caught on, Perlman says, because the algorithm is exceedingly simple and easy to use. "You don't have to think about anything, which is how networking ought to be." So why replace it?
Despite the obvious strength of its simplicity, the algorithm also has a serious shortcoming -- a shortcoming that may not be obvious to others but is obvious to Perlman, who first developed the algorithm in the early 1980s. "I thought at the time that it was a temporary kind of thing," she says, "but it hasn't died out the way I expected it to. It's actually getting more and more popular." And Perlman -- named "Inventor of the Year" by the Silicon Valley Intellectual Property Law Association in 2004 -- is just contrarian enough to want to change that. The shortcoming of the spanning-tree algorithm is that it establishes a single path between points, switch by switch, but doesn't have the ability to determine the optimal path. It's also fragile, in that a temporary loop can be so devastating that the network might never recover. "It's time to redo it in a way that is more robust and gives more efficient paths," Perlman says. "I know how to do it technically. Then the question is whether politically it can happen. And I think so. It seems to me like it should be an easy sell. The new technology is backward compatible. You can just, one by one, change your bridges into these things and get better paths and more stability."
Perlman, a Distinguished Engineer who specializes in n-party protocols and network security (more on that later), doesn't like how networking is taught in universities. "It's taught as if you're in a trade school," she says. "Instead of teaching you to think critically and really understand it, they just teach you how to use what is deployed. They say, 'This is what is, and this is how to write your programs to interface with it.' The assumption is that everything about it is perfect." But networking is not perfect, and Perlman wants to make that perfectly clear. So she wrote two books -- Interconnections: Bridges, Routers, Switches, and Internetworking Protocols and Network Security: Private Communication in a Public World (with coauthor Charlie Kaufman) -- both of which promote conceptual understanding and critical thinking. In fact, in trying to explain an Internet security protocol called IPsec, Perlman and Kaufman discovered ways to simplify it. "We came out with a much cleaner protocol that had all the functionality that the working group seemed to want and, after only a few years of typically ugly politics, that has become adopted," Perlman says. In addition to writing textbooks, Perlman also speaks frequently at universities and industry gatherings. "One of the themes when I give a keynote is: Here's a bunch of things you know, but that aren't true," she says. For example? "One is that Ethernet is successful," she says.
"The thing people got so excited about when they were designing Ethernet, was this technology known as CSMA/CD, carrier sense multiple access with collision detect. The basic idea is contention. It's kind of like being in a room and speaking -- everybody else hears you. The problem is you may start speaking at the same time somebody else does, and then you will collide with each other, so you have to choose another random time at which to talk and hope that you don't collide with somebody else," she says. "But it turns out that, actually, what Ethernet is today is bridges with the spanning-tree algorithm. There is no contention. Each of the links has just two parties on it. It's a point-to-point link, and there's none of this CSMA/CD. It's just still called Ethernet. But the underlying technology that is taught as Ethernet is not what's deployed today."

It's scary to Perlman that any statement, if repeated often enough, can become accepted as true. One example is the statement that "security is built into IPv6, but it's just an add-on to IPv4." The germ of truth behind the statement is that a particular security protocol known as IPsec is specified as "mandatory to implement" in IPv6, but optional in IPv4. But IPsec works just as well with IPv4 as with IPv6, and "mandatory" is just a word in a specification. There are actually more implementations of IPv6 that don't include IPsec than implementations that do, Perlman points out. In fact, there are more implementations of IPsec for IPv4 than for IPv6. "On top of that, IPsec is not equivalent to security," she says. "It doesn't automatically give you security, and it's not necessary for security -- there are many other ways you could do it."

Another statement that Perlman hears all the time and fears may become self-fulfilling is that "PKI [public key infrastructure] is dead." "You just say the term to some people and they say, 'Oh, this uses PKI? Well, PKI is dead.' It's not clear what people mean by that, because we use PKI all the time. When you're using https, you're using SSL." "Perhaps what people mean when they say 'PKI is dead' is that, as currently deployed, it is mostly used to authenticate servers rather than users. It convinces you that you're talking to the right web site, but it doesn't tell the web site who you are," she says. "So that's another thing that I've been working on -- making PKI useable for actually authenticating users. And designing it to avoid building monopolies, so there is not one organization that everyone has to pay for the right to create certificates."
Perlman works out of a cluttered office in her home near Seattle, Washington. Paradoxically, she hates computers. They're too complex and too fragile, she says. So she strives to make everything she designs completely transparent to the user. Which may explain why so much of her work has been widely deployed.
Things she's working on now include innovative ways to combat denial of service attacks and making data disappear. "A lot of people worry about how to make data reliably available, with backups and all that; I'm trying to work on making data reliably go away," Perlman says. "Suppose you have a policy where certain types of personal records, like health records, have to be destroyed after a year. It's very difficult to just delete something, because it may be on backup tapes." Incidentally, she adds, "It should be a law that with any vendor you could say, 'Do not keep a permanent copy of my information in your database. Delete it after one month.' I don't want that stored -- my name and address and credit card number -- because it can be broken into."

Perlman's solution, in a nutshell: Encrypt the data, then, when you no longer want it around, throw away the key. "The problem is it's hard enough for a user to keep track of one key, but to keep track of a lot of keys -- because you'd need a different key for every expiration date -- would be too hard," she says. "So I've designed it so you can concentrate all of the expense and expertise of managing keys in one place. If you have data you want to expire on January 23, you find the public key that will expire on January 23 and you encrypt the data with that key." The cost of creating and managing the key is then amortized over many users and many messages -- and Perlman adds a slick cryptographic trick, "so it's not insecure that you and I both have our data encrypted with the same key."

At the center of her scheme is what she calls the ephemerizer, because it makes things ephemeral. "You don't need the ephemerizer to be owned by your organization. It could be some web site in, say, Switzerland," Perlman says. "All you do is hand in a pile of encrypted bits and say, 'Please apply your private key.' The ephemerizer does not need to be very trusted. And the ephemerizer does not need to know who its clients are. You could submit your bits anonymously." And nobody -- not even you -- will be able to read data after the expiration date. "It's very secure," Perlman says, "and very simple."
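The ephemerizer scheme described above, as an added worked example that is not code from the article or from Perlman's own design. The article does not say what the "slick cryptographic trick" is; this toy uses RSA blinding, which is one standard way to let many clients share one expiration key while the ephemerizer never sees anyone's actual data key. Everything here is a constructed assumption: the class and function names, the toy-size RSA primes (real deployments use keys of at least 2048 bits), the SHA-256 keystream standing in for a real cipher, the expiration date and the sample record.

```python
"""Toy model of an 'ephemerizer': one key pair per expiration date, destroyed on that date.

Constructed example with toy-size RSA parameters and a hash-based stream cipher.
Not for production use; it only demonstrates the shape of the scheme.
"""
import hashlib
import math
import secrets
from datetime import date

# Constructed toy RSA modulus from two Mersenne primes (about 92 bits in total).
_P = 2**31 - 1
_Q = 2**61 - 1
_E = 65537


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Encrypt/decrypt by XOR with SHA-256(key || block counter); same call both ways."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


class Ephemerizer:
    """Holds an RSA key pair per expiration date and forgets the private half at expiry.

    It only ever sees blinded values, so it learns no data keys and needs
    no knowledge of who its clients are.
    """

    def __init__(self):
        self._private = {}  # expiration date -> (n, d); deleted by run_expiry
        self._public = {}   # expiration date -> (n, e); safe to publish
        self.seen = []      # every value submitted to apply_private_key (for the demo)

    def public_key(self, expires: date):
        """Return (n, e) for the key that dies on `expires`, creating the pair if needed."""
        if expires not in self._public:
            n, phi = _P * _Q, (_P - 1) * (_Q - 1)
            self._public[expires] = (n, _E)
            self._private[expires] = (n, pow(_E, -1, phi))
        return self._public[expires]

    def apply_private_key(self, expires: date, value: int) -> int:
        """'Please apply your private key': raw RSA private operation on a (blinded) integer."""
        if expires not in self._private:
            raise KeyError(f"private key for {expires} has been destroyed")
        n, d = self._private[expires]
        self.seen.append(value)
        return pow(value, d, n)

    def run_expiry(self, today: date) -> None:
        """Throw away every private key whose expiration date has arrived."""
        for expires in list(self._private):
            if expires <= today:
                del self._private[expires]


def encrypt_with_expiry(eph: Ephemerizer, expires: date, plaintext: bytes) -> dict:
    """Client side: fresh per-record data key, wrapped under the public key for `expires`."""
    n, e = eph.public_key(expires)
    data_key = secrets.randbelow((1 << 64) - 1) + 1     # 64-bit, nonzero, and < n
    return {
        "expires": expires,
        "wrapped_key": pow(data_key, e, n),               # only the data key is RSA-encrypted
        "body": _keystream_xor(data_key.to_bytes(8, "big"), plaintext),
    }


def decrypt_with_expiry(eph: Ephemerizer, blob: dict) -> bytes:
    """Client side: unwrap the data key through a blinded request, then decrypt locally."""
    n, e = eph.public_key(blob["expires"])
    while True:
        r = secrets.randbelow(n - 2) + 2                  # random blinding factor coprime to n
        if math.gcd(r, n) == 1:
            break
    blinded = (blob["wrapped_key"] * pow(r, e, n)) % n    # ephemerizer sees (key * r)^e, not key^e
    data_key = (eph.apply_private_key(blob["expires"], blinded) * pow(r, -1, n)) % n
    return _keystream_xor(data_key.to_bytes(8, "big"), blob["body"])


def demo(today: date):
    """Encrypt a constructed record for expiry on 2005-01-23, then try to read it before/after."""
    eph = Ephemerizer()
    blob = encrypt_with_expiry(eph, date(2005, 1, 23), b"patient record: constructed sample")
    before = decrypt_with_expiry(eph, blob)
    eph.run_expiry(today)
    try:
        after = decrypt_with_expiry(eph, blob)
    except KeyError:
        after = None                                      # nobody, not even the owner, can read it
    leaked = blob["wrapped_key"] in eph.seen              # did the ephemerizer ever see the raw wrap?
    return before, after, leaked


if __name__ == "__main__":
    print(demo(date(2005, 1, 22)))
    print(demo(date(2005, 1, 23)))
```

The expense is concentrated exactly as the article describes: the ephemerizer creates one key pair per expiration date, publishes the public half once, and every client encrypts under it. Because each client blinds its request with a fresh random factor, the ephemerizer returns a value that is useless to anyone but the requester, so sharing the date's key across clients costs nothing in confidentiality; and once `run_expiry` has deleted the private half, the wrapped data keys on every backup tape are permanently unreadable.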