ICANN/DNSO
DNSO Mailing lists archives

[ga-full]



Re: [ga] Net security's a losing battle


Dear Roberto,
I agree that we now have to think seriously about a name space management strategy (you may remember I was quite rebuked when I proposed again and again to consider the matter globally, and not only through what no one really knows, what the others call an "alt root").

The whole of security strategy comes down to the same question, across techniques and centuries. Is concentration better, to resist and get protected together at the risk of losing everything in case of a short defeat, or is dispersion the only way to minimize the global casualty toll, offer the best resilience and never be fully defeated? Cornwallis vs. Insurgents. British vs. IRA. John vs. Robin Hood. The last Chinese Emperor vs. Mao. US vs. Viet-Cong. etc... I will not dispute that.

But everyone agrees that the topography of the battlefield is of the essence.

So the first thing is to make sure we do not use a wide-continuous-plains strategy while the Internet topography is far more than distributed (like hills and valleys) and is a myriad of interconnects (like islands). We are to be more MacArthur than Eisenhower. Our priority is to keep our lines open and avoid contamination. More a British strategy than a French one.

BIND and co. make a good system. But the way we use it is costly and unprotected. To keep with the WWII image, improving DNS protection is good, but it is like adding new destroyers to convoys: this actually enlarges the target. What is better is to improve the strategy to increase the defence capacity of the islands while reducing the number of, and the dependence on, the convoys.

We use the DNS today as if we were calling the operator every time we want to place a phone call: like 70 years ago. So part of a response can be to concentrate all the operators in a stronghold (but what if they blow up the stronghold?). Another way is to give everyone a phone book.

Do you know how many times a year (or a decade) the root changes? And how many times it changes enough for calls not to get through? Look at the IANA/DoC procedure and the delay to get an IP address updated (ask Pitcairn). Nearly one year to get .info and .biz. .pro and others are still pending.

I do hope you update your anti-virus files more often than they update the root!

The root is available online via ftp://rs.internic.net/domain/root.zone.gz
It is a 14,655-byte file today. To manage the Internet, Michelle from the IANA is enough, and she may even take vacations. The rest is pure job/fee protection.

Our true protection is to get a root copy and to use it with our local resolver. Bill Gates thinks that the Microsoft strategy is not there? OK, until Windows gets shareware alternative resolvers, good souls will keep helping by providing root mirrors. ccTLDs will eventually agree that root delivery is part of their duties to their ISPs and good business protection. I suppose the GAC will require it of them soon, probably in MdR. In the meantime you can use my root servers.

Obviously this shows that the main security battle is against ICANN and Microsoft. Let us help them correct that and let us have an ICANN-sponsored "alternative authoritative root servers systems", to use ICANN's awful slang. And then a Windows resolver using the root, authoritatively loaded and checked by the machine owner.

You may have noted that I only considered the ICANN root.
Jefsey
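As an added example (not from Jefsey's message or any DNSO code), a small Python script doing the check the message gestures at: take two snapshots of a root zone file in root.zone's presentation format and report the delegation changes that would actually stop queries from resolving, plus whether the SOA serial moved forward. The zone excerpts, the .example server names and the addresses are all constructed.

```python
# Added example (not part of the original message): diff two snapshots of a
# root-zone file in root.zone's presentation format and report only what decides
# whether a query "gets through": NS delegations, A/AAAA glue, DS, SOA serial.
DELEGATION_TYPES = {"NS", "A", "AAAA", "DS"}
# Constructed excerpts using documentation addresses, not real root data.
OLD_ZONE = """\
. 86400 IN SOA a.root-servers.example. hostmaster.example. 2001092800 1800 900 604800 86400
. 518400 IN NS b.root-servers.example.
b.root-servers.example. 3600000 IN A 192.0.2.2   ; constructed glue
tld. 172800 IN NS ns1.tld.
"""
NEW_ZONE = """\
. 86400 IN SOA a.root-servers.example. hostmaster.example. 2001100100 1800 900 604800 86400
. 518400 IN NS b.root-servers.example.
b.root-servers.example. 3600000 IN A 192.0.2.22  ; b renumbered (constructed)
b.root-servers.example. 3600000 IN AAAA 2001:db8::2
tld. 172800 IN NS ns1.tld.
"""

def parse_zone(text):
    """Map (owner, rrtype) -> set of rdata; ';' comments dropped, $ directives and TTLs ignored."""
    records = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        fields = line.split()  # root.zone layout: owner TTL IN TYPE RDATA...
        if len(fields) < 5 or fields[2].upper() != "IN":
            raise ValueError(f"unexpected record layout: {raw!r}")
        key = (fields[0].lower(), fields[3].upper())
        records.setdefault(key, set()).add(" ".join(fields[4:]).lower())
    return records

def soa_serial(records):
    """The serial is the third SOA rdata field (MNAME RNAME SERIAL ...)."""
    (soa,) = records[(".", "SOA")]
    return int(soa.split()[2])

def compare_roots(old_text, new_text):
    old, new = parse_zone(old_text), parse_zone(new_text)
    result = {"added": [], "removed": []}
    for key in sorted(set(old) | set(new)):
        if key[1] in DELEGATION_TYPES:
            before, after = old.get(key, set()), new.get(key, set())
            result["added"] += [(*key, r) for r in sorted(after - before)]
            result["removed"] += [(*key, r) for r in sorted(before - after)]
    old_serial, new_serial = soa_serial(old), soa_serial(new)
    result["serial"] = (old_serial, new_serial)
    # RFC 1982 serial arithmetic: a genuinely newer zone moves the serial forward
    result["serial_advanced"] = 0 < (new_serial - old_serial) % 2**32 < 2**31
    return result
```

Run against a real root.zone pair, the same function tells you whether a cached copy has gone stale in a way that matters, as opposed to a serial bump with no delegation change.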


On 18:28 28/09/01, Roberto Gaetano said:
Hi.
I concur with Sandy's post, but would also add a comment.

The most spectacular effect that the terrorist attack has created is the collapse of the Twin Towers, and the saddest effect is the thousands of casualties, but there is another effect that must not be underestimated: the critical situation in which the western economy has been put. I speak about the impact on the airline industry, the burden on insurance companies, the drop in the stock market, and other things that will impact us for the years to come (higher insurance premia, higher cost of travel, longer boarding times, etc.).

The terrorists of the new millennium might well concentrate on this kind of damage, which is less likely to create horror at their acts, and therefore less likely to create a consensus front against them.
Our Net has been built and is being operated in a way that will survive nuclear attacks well, but electronic sabotage less well.
Somebody has asked in this forum what would have happened if a root server had been located in lower Manhattan (or, for this purpose, even in the Twin Towers). The answer is, IMHO, "Nothing, the other 12 would have been more than sufficient". In fact, the Net would have suffered under a (physical) attack on half a dozen roots at the same time much less than it suffered under Kashpureff's electronic attack a few years ago.

I do believe that it is a responsible answer from ICANN to address these issues before the terrorists find out how they can attack the DNS and jeopardize its functioning, creating billions in damage to the western economy. The big problem is, IMHO, that a lot of people see the DNS as a milk cow, and are very little motivated to deploy secure procedures (more costly and requiring higher expertise) if they see this as a risk to their profits. Therefore the only way to progress on this is to include security requirements in the contracts ICANN has with the different parties (Registries and accredited Registrars).

I am saddened by the delay that this may cause on other issues, to which I am contributing and which I would like to see progressing (like the AtLarge), but I am also looking forward to seeing an open debate on security, as a vital subject for the survival of the Net as we know it today.

Regards
Roberto
(Sandy's excellent post cut for bandwidth)




--
This message was passed to you via the ga@dnso.org list.
Send mail to majordomo@dnso.org to unsubscribe
("unsubscribe ga" in the body of the message).
Archives at http://www.dnso.org/archives.html

