50 Shades of Needless Complexity: Avoiding Policy-Induced Outages
The Internet broke Monday morning. Not for everybody, of course: the outages hit only people who get their Internet service from ISPs that use Level 3 for backbone service and who live in Mountain View, Denver, Portland, Chicago, Seattle, New York, San Francisco, Houston, Minneapolis, and Boston.
Unbeknownst to the ISPs, Level 3 (now owned by CenturyLink) was routing user transmissions into a black hole thanks to a “route leak”. Level 3 didn’t mean to do this, but it happened for reasons we don’t precisely understand.
Route leaks happen dozens of times a year in various locations. The most infamous example came in 2008, when Pakistan Telecom tried to block YouTube inside Pakistan. It leaked a bogus, more-specific route for YouTube's address block to the wider Internet, and much of the world's YouTube traffic converged on a network that couldn't handle it. Internet routing depends on a protocol called BGP, and BGP isn't very robust.
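The mechanics of the 2008 incident come down to longest-prefix matching: a router prefers the most specific route it hears, so a leaked /24 beats a legitimate /22. A minimal Python sketch (the prefixes mirror the ones reported in that incident; the routing table itself is invented):

```python
import ipaddress

def best_route(routing_table, destination):
    """Pick the route whose prefix most specifically covers the destination.

    Routers prefer the longest (most specific) matching prefix, which is
    why a leaked /24 wins against a legitimate /22 covering the same space.
    """
    dest = ipaddress.ip_address(destination)
    matches = [(net, nexthop) for net, nexthop in routing_table.items()
               if dest in net]
    # Longest prefix (largest prefixlen) wins.
    return max(matches, key=lambda m: m[0].prefixlen)[1]

# YouTube's legitimate 2008 announcement covered 208.65.152.0/22.
table = {ipaddress.ip_network("208.65.152.0/22"): "YouTube (AS36561)"}
print(best_route(table, "208.65.153.238"))  # -> YouTube (AS36561)

# Pakistan Telecom leaked a more specific /24 inside that block.
table[ipaddress.ip_network("208.65.153.0/24")] = "Pakistan Telecom (AS17557)"
print(best_route(table, "208.65.153.238"))  # -> Pakistan Telecom (AS17557)
```

Nothing in the protocol asks whether the /24 announcer actually holds that address space; the more specific route simply wins.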
Routing is Complicated
BGP (Border Gateway Protocol) took on its current role when the NSF backbone that connected the non-commercial Internet was decommissioned in the mid-'90s. At the time, the community needed a means to select from a number of backbone routing companies, and the backbones needed a means of providing service to customers while denying it to others.
BGP also needed to conform routing to national laws that forbade certain classes of data from traversing particular countries. While routing decisions are generally made on the basis of commercial agreements and efficiency, some data requires special treatment. One example is data with national security implications.
Other data needs to be routed in sub-optimal fashion because of data localization rules and other national policies. So BGP is more complicated than technical considerations warrant. As with all technical systems, the more complicated the Internet’s routing map gets, the harder it becomes to optimize it.
Complicated Systems Tend to be Unreliable
Because routing is complicated, ISPs and other networks trust their partners to configure their BGP information correctly. It’s hard to check in any case, so there’s very little choice. If Level 3 says it can route from Denver to the Daily Beast in an optimal manner, Denver ISPs believe it unless and until this assumption is proved wrong.
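It's worth sketching what "checking" would even look like. RPKI-style origin validation (RFC 6811) compares each announcement against published Route Origin Authorizations; the ROA entries below are invented for illustration, and the logic is greatly simplified:

```python
import ipaddress

# Toy Route Origin Authorizations (ROAs). Real tables come from the RPKI;
# these entries are illustrative, not actual published ROAs.
ROAS = [
    # (authorized prefix, authorized origin AS, max announced prefix length)
    (ipaddress.ip_network("208.65.152.0/22"), 36561, 24),
]

def validate(prefix, origin_as):
    """RFC 6811-style origin validation, greatly simplified."""
    prefix = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, roa_as, max_len in ROAS:
        if prefix.subnet_of(roa_prefix):
            covered = True
            if origin_as == roa_as and prefix.prefixlen <= max_len:
                return "valid"
    return "invalid" if covered else "unknown"

print(validate("208.65.153.0/24", 36561))  # -> valid
print(validate("208.65.153.0/24", 17557))  # -> invalid (wrong origin AS)
print(validate("10.0.0.0/8", 64512))       # -> unknown (no covering ROA)
```

Even this check only catches wrong-origin announcements; it says nothing about whether the announcer can actually deliver the traffic, which is the failure mode described next.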
This is what happened Monday. The best guess is that CenturyLink and its newly acquired subsidiary, Level 3, made a mistake while optimizing routes as a result of the merger.
Looking into the mess on Monday, I saw packets going from Comcast into an intermediary called scnet.net and never emerging at the desired destination. This probably happened because Level 3 broadcast route announcements claiming that scnet.net could take users to CDNs in Chicago that it couldn't actually reach.
So clicking a link to some websites led to an endless wait for a page to load. This didn’t affect all sites, but enough to be troublesome.
Let’s make routing more complicated!
Nobody wants convoluted routing, and BGP is complicated enough already. Data localization policies are bad because they undermine the Internet's reliability, efficiency, and economics. Internet services like to store data in a limited number of locations with good connectivity to ISPs and rely on internal controls to deal with national differences such as content restrictions, currencies, and tax rates.
It’s certainly possible for retailers to charge and pay local authorities the appropriate sales tax rates, but that’s also complicated. Sales tax for some goods has to take national, state, county, and city rates into account and once collected it has to be disbursed correctly.
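The layered arithmetic is simple in isolation; the hard part is maintaining thousands of jurisdiction tables and disbursing the proceeds correctly. A toy sketch with made-up rates:

```python
# Hypothetical rates for one delivery address; a real system maintains
# thousands of these tables and tracks per-product exemptions.
RATES = {
    "state":  0.0625,
    "county": 0.0125,
    "city":   0.0125,
}

def sales_tax(price, rates):
    """Tax owed per jurisdiction, kept separate so each layer
    can be disbursed to the right authority."""
    return {juris: round(price * rate, 2) for juris, rate in rates.items()}

breakdown = sales_tax(100.00, RATES)
print(breakdown)               # -> {'state': 6.25, 'county': 1.25, 'city': 1.25}
print(sum(breakdown.values())) # -> 8.75
```

Keeping the per-jurisdiction breakdown, rather than a single blended rate, is what makes correct disbursement possible.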
For a very long time, Internet sales were exempt from sales tax in the US simply because it was too hard to handle. And now that it's a fact of life, the burden of collecting it impacts small companies more than large ones. Internet sales tax even created a niche for services that handle the problem for small retailers.
As far as I am aware, there is no corresponding service for routing. Assuring compliance with national laws is partly a backbone service but mainly a service provider headache.
50 Shades of Needless Complexity
US-based Internet companies that do business in Europe, Russia, and China had to adapt their services to local laws. While this is a nuisance, it's not the major issue with localization: language and culture issues are also part of the bargain. And this kind of adaptation is not nearly as bad as it could be, because some 30 European nations follow a common set of EU rules.
Doing business across the US requires partnerships with backbones and a number of data centers. This is purely a technical arrangement that companies can easily adjust as their needs and scale change.
But what would happen if each of the 50 states and 16 territories had its own regulations on privacy, security, and net neutrality? We would effectively return to the scenarios that prevailed in Europe before the formation of the common market or the US before the Constitution was ratified.
That’s not exactly chaos, but it’s a lot of needless red tape, barriers to commerce, favors for local employers and meddling by public utility commissioners. Rather than the federalist utopia of 50 laboratories of democracy, we would simply have a less reliable national Internet.
This could easily impair the ability of US companies to compete on the global scale. The effort to accommodate 50 state laws would be greater than the effort to conduct business worldwide today. I wonder how many startups have the stomach for all of that.
The Internet of Outages
Adapting services to state laws isn't unheard of. Medicaid is a state-level program administered by claims processors who've made a business out of portable accounting systems with policy modules easily adapted to specific state regulations.
If we apply Medicaid-style design to the Internet, we can envision policy modules responsive to state laws on:
- Tracking opt-ins
- Data retention
- Data volume metering
- Site blocking criteria
- De-prioritization of data under various conditions
- Routes between users and services
- Data compression for video streams
- Cookie permissions
- Warnings about data thresholds
- Switching between cellular and Wi-Fi and LAA under various scenarios
- Roaming onto other networks
- Myriad regulations on backhaul networks for small cells
That’s just off the top of my head, but it’s already about ten times more code than the entire Medicaid system. Whereas Medicaid is constrained by federal law with respect to the features it can customize, turning the states loose on Internet regulation without any limits would be a much more creative exercise.
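If the Medicaid pattern were applied literally, every request would dispatch through a per-state policy module. A hypothetical sketch (the states, fields, and rules are all invented for illustration):

```python
from dataclasses import dataclass

@dataclass
class Policy:
    """One state's rules; a real system would need a field
    for every item in the list above, times 50-plus states."""
    tracking_opt_in_required: bool
    retention_days: int
    blocked_categories: tuple

# Hypothetical per-state modules, not actual state law.
POLICIES = {
    "CA": Policy(tracking_opt_in_required=True,  retention_days=90,
                 blocked_categories=()),
    "TX": Policy(tracking_opt_in_required=False, retention_days=365,
                 blocked_categories=("gambling",)),
}
DEFAULT = Policy(tracking_opt_in_required=False, retention_days=180,
                 blocked_categories=())

def policy_for(state):
    """Select the module governing this subscriber's traffic."""
    return POLICIES.get(state, DEFAULT)

print(policy_for("CA").retention_days)  # -> 90
```

Every divergence between two states' modules is another code path to test, and another way for traffic handling to break.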
As Internet services grow more complex, they become less reliable. While we can all appreciate the abstract benefits of a fair, free, and open Internet, I suspect the average consumer is more interested in a reliable Facebook experience.
In any field of interstate commerce, there will be some policy questions best suited to national consistency and others where variety is beneficial. The trick is to find the boundary between the two.
The wisdom of publicly funded networks is hotly debated, so it makes sense for each state to enact its own framework on that question. The financing of a network has no effect on its interconnection policies, so the Internet as a whole doesn't care who foots the bill.
But opt-in vs. opt-out for Internet advertisers is a question with direct bearing on interstate commerce. And the question of applying opt-in to one segment of the Internet and opt-out to another raises additional legal and ethical considerations.
It would seem reasonable for the drafters of the FCC's Restoring Internet Freedom order to articulate principles identifying the instances in which experimentation at the state level is appropriate and helpful. The Commission is not all-knowing and all-seeing, so there's nothing wrong with asking for help where it's needed.
But I don’t expect there are going to be many places beyond fees, rates, and permissions where state level variation is going to be beneficial. Consistency is a virtue in its own right.