Options for Schengen Net architectures

Rainer Hörbe assumed roles as security and identity architect in large identity-related projects like the Austrian eGovernment federation and European projects (epSOS, ATTPS, GÉANT). He is chair of the eGov WG at Kantara Initiative and an active contributor to standardization activities in ISO SC27 and OASIS.

There was an interesting panel on “Alternative routes protecting human rights on the Internet” at the IGF 2014. Olexandr Pastukhov, Bogdan Manolea and Patrick Curry presented their views on creating a safe zone in the Internet by segregating a part of it, also dubbed Schengen Net and parallel universe. One of the viewpoints claims that a Schengen Net can be envisioned as a protected corporate intranet. In this article I argue, as an information security engineer, that protection at the network layer is infeasible and that alternatives at other layers promise more effectiveness.
The benefits of a Schengen Net can be easily explained by the analogy of a developed country with human rights, legal security and law enforcement. However, extending this analogy so that physical border control translates to firewalling or non-routing protocols is controversial.

The Schengen Net behind a firewall

What would a Schengen Net look like? It is reasonable to assume that it must have some level of compatibility with the current Internet technology stack defined by IEEE, IETF, W3C and OASIS, possibly with mild enhancements. Otherwise adoption would not happen and the effort would be doomed. This firewalled subnet would most likely be built as an up-scaled intranet with the following properties: (1) No routing to the current ICANN Internet; (2) Internal routing would be between loosely coupled autonomous systems (AS) as in the Internet scheme, where different networks peer in a decentralized way; (3) The Schengen Net would offer some controlled access to and from the Internet; (4) Clients would have two options for access, (a) direct connection to the Schengen Net via their ISP/mobile operator, or (b) a virtual connection from an Internet account (like a VPN).

Such a schema is similar to a large intranet using non-routable [RFC 1918] addresses, protected by firewalls. The related problem is that the effectiveness of firewalls has been deteriorating significantly since the end of the 1990s. Adversaries are now using content as an attack vector much more than protocols, adding a level of complexity to defense that is no longer manageable at the network layer, even in a mere enterprise context. The key parameter for protection at the network level is the size of the perimeter. Large perimeters offer little security. In a network at the Schengen zone scale, protection against botnets, fake servers, malware and falsified identities is not feasible using firewalling, not to speak of simple routing restrictions.
Let us look at two use cases from a consumer point of view.

  • E-commerce. A segregated network could mandate vendors to register in a Schengen member state to make them trustworthy for consumers. Attack vectors would then move to luring a consumer into a fake shop, or abusing letter-box companies. However, the same set of controls that would mitigate fake shops would help to make those shops trustworthy within a single Internet.
  • Web surfing. End-user devices have become a key attack target. Web surfing bears the risk of drive-by downloads, and trust decisions with respect to web sites are difficult. Nothing in a firewalled Schengen Net protects a user against infected web sites that are inside the Schengen Net. Limiting routing cannot help here at all.

The interconnection between the parallel universes is not only about blocking, but also about allowing external traffic. If end-user devices started connecting to other networks as well, the protection provided by firewalling would be diminished. Thus end-user devices would require physical or virtual separation, causing significant cost, inconvenience and enforcement problems. For traffic control with the outer world, a more or less centralized system of gateways needs to be established. However, it is not trivial to define by what criteria gateways would decide whether traffic and contents are denied. Considering that malware defenders do not detect the larger part of newer attacks, nobody will want to take liability for either false negatives or false positives.
As a consequence, segregated Internets would impede the honest user but would be ineffective in protecting even against adversaries of low capacity. The downsides of network separation, like increased cost, abuse by state actors for censorship, and killing network neutrality through the backdoor, can hardly be justified for the little potential gain.

Alternative Schengen Net architectures

Almost all security was taken out of the Internet architecture compared to the SNA and OSI protocol stacks competing at that time. The Internet has been relying on good behavior, loose coupling of decentralized entities and lightweight governance for a minimum of centralized functions such as standardization and namespaces. This mix has enabled the huge scalability, although with the known deficiencies in trustworthiness, privacy and security.

The good news is that security in the Internet is a function of many layers, and the lack of network security can be compensated elsewhere. Viable alternatives should add security at layers other than IP/routing.
One class of options is overlay networks, such as GNUnet, Freenet and Perfect Dark. These models focus on specific anonymization and anti-censorship properties. However, they are limited by undesirable effects with respect to routing, and guaranteed anonymity is not helpful for building trust. Hence I am excluding overlay networks from the further discussion.
The classic toolkit to improve confidentiality, integrity and authenticity requires the establishment of technical and legal or social trust between communication partners, to answer “Whom am I dealing with?” and “What kind of protection does the communication channel offer?”.
The vast majority of trust relationships in the Internet are established in three ways: (1) Out-of-band, like the exchange of secrets (passwords) or fingerprints of key material; (2) Bootstrapping trust, like the password setup using e-mail; or (3) Trust on first use (TOFU), where it is assumed that no attacker is manipulating the trust establishment upfront and there is the (usually false) hope that users would notice misbehavior in their device or system. There are few mechanisms in the Internet to establish trust otherwise. One used to be trust in carriers (that lines would be confidential), which is gone with the feasibility of large-scale wiretapping. The remaining main mechanism is PKI, mostly used in TLS. On the downside, the PKI supplied by browser and OS vendors provides only low security because scalability and compatibility seem to overrule security.
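The difference between trust on first use and out-of-band fingerprint exchange, as an added example that is not part of the original article: the peer name shop.example, the byte strings standing in for public keys and the TrustStore class are constructed for illustration.

```python
import hashlib
import hmac

def fingerprint(public_key: bytes) -> str:
    """SHA-256 fingerprint of a peer's public key bytes, hex encoded."""
    return hashlib.sha256(public_key).hexdigest()

class TrustStore:
    """Maps a peer name to the key fingerprint we have decided to trust."""

    def __init__(self):
        self.pins = {}

    def pin_out_of_band(self, peer, fp):
        # Fingerprint obtained over a separate channel (phone, paper, in person).
        self.pins[peer] = fp

    def check_tofu(self, peer, presented_key):
        """Trust on first use: pin whatever key is seen first, then compare."""
        fp = fingerprint(presented_key)
        if peer not in self.pins:
            self.pins[peer] = fp  # nothing to compare against yet
            return "pinned-on-first-use"
        return "match" if hmac.compare_digest(self.pins[peer], fp) else "MISMATCH"

    def check_pinned_only(self, peer, presented_key):
        """Out-of-band model: an unknown peer is rejected, never auto-pinned."""
        if peer not in self.pins:
            return "rejected-unknown-peer"
        fp = fingerprint(presented_key)
        return "match" if hmac.compare_digest(self.pins[peer], fp) else "MISMATCH"

# Constructed sample data: opaque byte strings stand in for real public keys.
GENUINE_KEY = b"constructed-sample-key-of-shop.example"
ATTACKER_KEY = b"constructed-sample-key-of-interceptor"

def scenario_tofu_intercepted_first():
    store = TrustStore()
    first = store.check_tofu("shop.example", ATTACKER_KEY)  # interceptor present at first contact
    later = store.check_tofu("shop.example", GENUINE_KEY)   # genuine server seen afterwards
    return first, later

def scenario_out_of_band():
    store = TrustStore()
    store.pin_out_of_band("shop.example", fingerprint(GENUINE_KEY))
    return (store.check_pinned_only("shop.example", ATTACKER_KEY),
            store.check_pinned_only("shop.example", GENUINE_KEY))
```

With TOFU the wrong key is pinned silently and the genuine server is the one later flagged as a mismatch; with the out-of-band pin the substituted key is refused at first contact.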
Cryptography has been widely adopted in certain areas such as the GSM system. While GSM is technically weak for a number of reasons, it proved that private keys – the foundation of scalable cryptography – can be deployed with users on a large scale. The adoption of end-to-end security with strong mutual authentication between reliably registered parties is therefore technically feasible, and would effectively divide the Internet into trusted and untrusted domains. While not able to address all threats, like malware attacks, it can reduce the attack surface significantly. It has not been done yet because of cost, convenience and lack of collaboration between major stakeholders.
To have trust in cryptography, scalable key management and a trusted platform are required. Payment service providers are – driven by anti-money-laundering regulation – already identifying organizations and individuals in a reliable way on a global scope, and frequently linking this with strong electronic authentication. Trusted platforms are difficult to provide, but having more European control would decrease risk significantly.


With a realistic assessment it becomes clear that neither Europe, the US nor China will be able to control the complete technology stack required to run the Internet. The provenance of equipment is complex: designed by Apple, manufactured by Foxconn, shipped by a European company, with apps from all over the world.

The viable path is focusing on the most important areas relevant to trust and privacy. A Schengen Net relying on improved security of key components and availability of identity services would have a significantly better cost/benefit ratio compared to network routing control. Sample components and services would be:

  • Multiple alternative crypto libraries, both open source and commercial. OpenSSL, the dominant crypto library for servers, is in a desperate state of maintenance and in urgent need of a plug-in replacement. There are open and closed source projects from viable European vendors that can offer more secure and controlled code.
  • Alternative web browsers that comply with EU-defined security and privacy features.
  • Alternative identity management schemes that are oriented towards consumers and industry – current efforts are driven by government requirements and the public sector has most of the say. Promote web-of-trust schemes in addition to hierarchical trust, to bring trust from the physical context into cyberspace.
  • Promote secured mobile operating systems (there are already some derived from Android) and related app stores.