{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T04:46:04Z","timestamp":1750308364256,"version":"3.41.0"},"reference-count":28,"publisher":"Association for Computing Machinery (ACM)","issue":"1","license":[{"start":{"date-parts":[[2003,1,1]],"date-time":"2003-01-01T00:00:00Z","timestamp":1041379200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["SIGCOMM Comput. Commun. Rev."],"published-print":{"date-parts":[[2003,1]]},"abstract":"<jats:p>Robustness has long been a central design goal of the Internet. Much of the initial effort towards robustness focused on the \"fail-stop\" model, where node failures are complete and easily detectable by other nodes. The Internet is quite robust against such failures, routinely surviving various catastrophes with only limited outages. This robustness is largely due to the widespread belief in a set of guidelines for critical design decisions such as where to initiate recovery and how to maintain state. However, the Internet remains extremely vulnerable to more arbitrary failures where, through either error or malice, a node issues syntactically correct responses that are not semantically correct. Such failures, some as simple as misconfigured routing state, can seriously undermine the functioning of the Internet. With the Internet playing such a central role in the global telecommunications infrastructure, this level of vulnerability is no longer acceptable. In this paper we argue that to make the Internet more robust to these kinds of arbitrary failures, we need to change the way we design network protocols. To this end, we propose a set of six design guidelines for improving the network protocol design. 
These guidelines emerged from a study of past examples of failures, and determining what could have been done to prevent the problem from occurring in the first place. The unifying theme behind the various guidelines is that we need to design protocols more defensively, expecting malicious attack, misimplementation, and misconfiguration at every turn.<\/jats:p>","DOI":"10.1145\/774763.774783","type":"journal-article","created":{"date-parts":[[2004,10,12]],"date-time":"2004-10-12T13:44:32Z","timestamp":1097588672000},"page":"125-130","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":11,"title":["Design guidelines for robust Internet protocols"],"prefix":"10.1145","volume":"33","author":[{"given":"Tom","family":"Anderson","sequence":"first","affiliation":[{"name":"University of Washington"}]},{"given":"Scott","family":"Shenker","sequence":"additional","affiliation":[{"name":"ICSI Center for Internet Research"}]},{"given":"Ion","family":"Stoica","sequence":"additional","affiliation":[{"name":"University of California, Berkeley"}]},{"given":"David","family":"Wetherall","sequence":"additional","affiliation":[{"name":"University of Washington"}]}],"member":"320","published-online":{"date-parts":[[2003,1]]},"reference":[{"key":"e_1_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.1109\/32.481513"},{"key":"e_1_2_1_2_1","volume-title":"IETF","author":"Bates T.","year":"2000","unstructured":"T. Bates , R. Chandra , and E. Chen . BGP route reflection - an alternative to full mesh IBGP. RFC 2796 , IETF , Apr. 2000 .]] T. Bates, R. Chandra, and E. Chen. BGP route reflection - an alternative to full mesh IBGP. RFC 2796, IETF, Apr. 2000.]]"},{"key":"e_1_2_1_3_1","unstructured":"D. J. Bernstein. SYN cookies. http:\/\/cr.yp.to\/syncookies.html 1996.]]  D. J. Bernstein. SYN cookies. http:\/\/cr.yp.to\/syncookies.html 1996.]]"},{"key":"e_1_2_1_4_1","volume-title":"IETF","author":"Braden R.","year":"1989","unstructured":"R. 
Braden . Requirements for Internet hosts -- communication layers. RFC 1122 , IETF , Oct. 1989 .]] R. Braden. Requirements for Internet hosts -- communication layers. RFC 1122, IETF, Oct. 1989.]]"},{"key":"e_1_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1145\/77648.77649"},{"key":"e_1_2_1_6_1","volume-title":"Operating Systems Design and Implementation (OSDI)","author":"Castro Miguel","year":"1999","unstructured":"Miguel Castro and Barbara Liskov . Practical Byzantine fault tolerance . In Operating Systems Design and Implementation (OSDI) , 1999 .]] Miguel Castro and Barbara Liskov. Practical Byzantine fault tolerance. In Operating Systems Design and Implementation (OSDI), 1999.]]"},{"key":"e_1_2_1_7_1","volume-title":"Sep.","author":"CERT","year":"1996","unstructured":"CERT advisory ca-1996-21 TCP SYN flooding and IP spoofing attacks. http:\/\/www.cert.org\/advisories\/CA-1996-21.html , Sep. 1996 .]] CERT advisory ca-1996-21 TCP SYN flooding and IP spoofing attacks. http:\/\/www.cert.org\/advisories\/CA-1996-21.html, Sep. 1996.]]"},{"key":"e_1_2_1_8_1","unstructured":"Cisco security advisory: Cisco ISO BGP attribute corruption vulnerability. http:\/\/www.cisco.com\/warp\/public\/707\/ios-bgp-attr-corruption-pub.shtml May 2001.]]  Cisco security advisory: Cisco ISO BGP attribute corruption vulnerability. http:\/\/www.cisco.com\/warp\/public\/707\/ios-bgp-attr-corruption-pub.shtml May 2001.]]"},{"key":"e_1_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1145\/52324.52336"},{"key":"e_1_2_1_10_1","unstructured":"Jim Cowie Andy Ogielski BJ Premore and Yougu Yuan. Global routing instabilities during Code Red II and Nimda worm propagation. http:\/\/www.renesys.com\/projects\/bgp_instability Oct. 2001.]]  Jim Cowie Andy Ogielski BJ Premore and Yougu Yuan. Global routing instabilities during Code Red II and Nimda worm propagation. http:\/\/www.renesys.com\/projects\/bgp_instability Oct. 
2001.]]"},{"key":"e_1_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1145\/102792.102801"},{"key":"e_1_2_1_12_1","volume-title":"IETF","author":"Curtis Villamizar Ramesh Govindan","year":"1998","unstructured":"Ramesh Govindan Curtis Villamizar , Ravi Chandra . BGP route flap damping. RFC 2439 , IETF , Nov. 1998 .]] Ramesh Govindan Curtis Villamizar, Ravi Chandra. BGP route flap damping. RFC 2439, IETF, Nov. 1998.]]"},{"key":"e_1_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.5555\/876907.881572"},{"key":"e_1_2_1_14_1","volume-title":"Apr.","author":"Farrar Jim","year":"2001","unstructured":"Jim Farrar . C& W routing instability. NANOG mail archives , Apr. 2001 . http:\/\/www.merit.edu\/mail.archives\/nanog\/2001-04\/msg00209.html.]] Jim Farrar. C&W routing instability. NANOG mail archives, Apr. 2001. http:\/\/www.merit.edu\/mail.archives\/nanog\/2001-04\/msg00209.html.]]"},{"key":"e_1_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1109\/32.588521"},{"key":"e_1_2_1_16_1","volume-title":"IETF","author":"Karn Phil","year":"1999","unstructured":"Phil Karn and William Allen Simpson . Photuris : Session-key management protocol. RFC 2522 , IETF , March 1999 .]] Phil Karn and William Allen Simpson. Photuris: Session-key management protocol. RFC 2522, IETF, March 1999.]]"},{"key":"e_1_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1145\/357172.357176"},{"key":"e_1_2_1_18_1","volume-title":"Oct.","author":"Levine Matt","year":"2001","unstructured":"Matt Levine . BGP noise tonight? NANOG mail archives , Oct. 2001 . http:\/\/www.merit.edu\/mail.archives\/nanog\/2001-10\/msg00221.html.]] Matt Levine. BGP noise tonight? NANOG mail archives, Oct. 2001. http:\/\/www.merit.edu\/mail.archives\/nanog\/2001-10\/msg00221.html.]]"},{"key":"e_1_2_1_19_1","volume-title":"Writing Solid Code: Microsoft's Techniques for Developing Bug-Free C Programs","author":"Maguire Steve","year":"1993","unstructured":"Steve Maguire . 
Writing Solid Code: Microsoft's Techniques for Developing Bug-Free C Programs . Microsoft Press , 1993 .]] Steve Maguire. Writing Solid Code: Microsoft's Techniques for Developing Bug-Free C Programs. Microsoft Press, 1993.]]"},{"key":"e_1_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1145\/633025.633027"},{"key":"e_1_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.17487\/RFC2018"},{"key":"e_1_2_1_22_1","volume-title":"IETF","author":"McPherson Danny","year":"2001","unstructured":"Danny McPherson , Vijay Gill , Daniel Walton , and Alvaro Retana . BGP persistent route oscillation condition. Internet Draft draft-mcpherson-bgp-route-oscillation-01.txt , IETF , March 2001 .]] Danny McPherson, Vijay Gill, Daniel Walton, and Alvaro Retana. BGP persistent route oscillation condition. Internet Draft draft-mcpherson-bgp-route-oscillation-01.txt, IETF, March 2001.]]"},{"key":"e_1_2_1_23_1","unstructured":"Stephen A Misel. Wow AS7007! NANOG mail archives Apr. 1997. http:\/\/www.merit.edu\/mail.archives\/nanog\/1997-04\/msg00340.html.]]  Stephen A Misel. Wow AS7007! NANOG mail archives Apr. 1997. http:\/\/www.merit.edu\/mail.archives\/nanog\/1997-04\/msg00340.html.]]"},{"key":"e_1_2_1_24_1","doi-asserted-by":"crossref","unstructured":"J. Postel. Internet Protocol (IP). RFC 791 IETF Sept. 1981.]]  J. Postel. Internet Protocol (IP). RFC 791 IETF Sept. 1981.]]","DOI":"10.17487\/rfc0791"},{"key":"e_1_2_1_25_1","volume-title":"IETF","author":"Ramakrishnan K.","year":"2001","unstructured":"K. Ramakrishnan , Sally Floyd , and D. Black . The addition of explicit congestion notification (ECN) to IP. RFC 3168 , IETF , Sep. 2001 .]] K. Ramakrishnan, Sally Floyd, and D. Black. The addition of explicit congestion notification (ECN) to IP. RFC 3168, IETF, Sep. 2001.]]"},{"key":"e_1_2_1_26_1","volume-title":"The Internet under stress. Talk at NANOG","author":"Salus Peter","year":"2001","unstructured":"Peter Salus . The Internet under stress. Talk at NANOG 23, Oct. 2001 .]] Peter Salus. 
The Internet under stress. Talk at NANOG 23, Oct. 2001.]]"},{"key":"e_1_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1145\/505696.505704"},{"key":"e_1_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1145\/347059.347561"}],"container-title":["ACM SIGCOMM Computer Communication Review"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/774763.774783","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/774763.774783","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T17:43:51Z","timestamp":1750268631000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/774763.774783"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2003,1]]},"references-count":28,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2003,1]]}},"alternative-id":["10.1145\/774763.774783"],"URL":"https:\/\/doi.org\/10.1145\/774763.774783","relation":{},"ISSN":["0146-4833"],"issn-type":[{"type":"print","value":"0146-4833"}],"subject":[],"published":{"date-parts":[[2003,1]]},"assertion":[{"value":"2003-01-01","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}