Re: [ga] Net security's a losing battle

[Jefsey Morfin <jefsey@wanadoo.fr>]

Dear Roberto,
I agree that we now have to think seriously to a name space management
strategy (you may remember I have been quite rebuked when I proposed
again and again to consider the matter globally and not only through what
no one really knows what the others call an "alt root").

The whole security strategy stays the same question over techniques and
centuries. Is concentration better to resist and get protected together
at the risk of losing everything in case of short defeat, or is
dispersion the only way to minimize the global casualty toll, offer the
best resilience and never be fully defeated. Cornwallis vs. Insurgents.
British vs. IRA. John vs. Robin Hood. Chinese last Emperor vs. Mao. US
vs. Viet-Cong. etc... I will not dispute that.

But everyone agree that the topography of the battle field is of the
essence.

So the first thing is to make sure we do not use wide continuous plains
strategy while the Internet topography is far more than distributed (like
hills and valleys) and is a myriad of interconnects (like islands). I are
to be more Mc Arthur than  Eisenhower. I priority is to keep our
lines open and avoid contamination. More British a strategy than
French.

Bind and co make a good system. But the way we use it is costly and non
protected. To keep with the WWII image, improving the DNS protection is
good, but it like adding new destroyers to convoys: this actually
enlarges the target. What is better is to improve the strategy to
increase the defence capacity of the islands while reducing the number
and the dependance from the convoys.  

We use the DNS today as if we were calling the operator every time we
want to place a phone call: like 70 years ago. So part of a response can
be to concentrate all the operators in a strong hold (but what if they
blow the strong hold?) Another way is to give everyone a phone book.

Do you know how many times a year (or a decade) the root changes? 
And how many times it changes enough for calls not to get through? Look
at the IANA/DoC procedure and the delay to get an IP address updated (ask
Pitcairn). Nearly one year to get .info and .biz. .pro and other are
still pending. 

I do hope you update your anti-virus files more often than they update
the root! 

The root is available on line via
ftp://rs.internic.net/domain/root.zone.gz
It is a 14,655 Bytes file today. To manage the Internet
Michelle from the IANA is enough, and she may even take vacations. The
rest is pure job/fee protection.

Our true protection is to get a root copy an to use it with our local
resolver. Bill Gates thinks that the Microsoft strategy is not there? OK,
until Windows gets shareware alternative resolvers good souls will keep
helping in providing root mirrors. ccTLDs will eventually agree root
delivery is part of their duties to their ISP and good business
protection. I suppose the GAC will require them soon, probably in MdR. In
the meanwhile you can use my root servers..

Obviously this shows that the main security battle is against ICANN and
Microsoft. Let help them correct that and let have an ICANN sponsored
"alternative authoritative root servers systems", to use the
ICANN awful slang. And then a Windows resolver using the root
authoritatively loaded and checked by the machine owner.

You may have noted that I only considered the ICANN root. 
Jefsey


On 18:28 28/09/01, Roberto Gaetano said:
> Hi.
> I concur with Sandy's post, but would also add a comment.
>
> The most spectacular effect that the terrorist attack has created is the
> collapse of the Twin Towers, and the most sad effect are the thousands of
> casualties, but there is another effect that has not to be
> underestimated: the critical situation in which the western economy has
> been put. I speak about the impact on airline industry, the burden on
> insurance companies, the drop in the stock market, and other things that
> will impact us for the years to come (higher insurance premia, higher
> cost of travel, longer boarding times, etc.).
>
> The terrorists of the new millennium might well concentrate on these kind
> of damages, that are less likely to create horror for their acts, and
> therefore less likely to create a consensus front against them.
> Our Net has been built and is being operated in a way that will survive
> well nuclear attacks, but less well electronic sabotage.
> Somebody has asked in this forum what would have happened if a root
> server would have been located in lower Manhattan (or, for this purpose,
> even in the Twin Towers). The answer is, IMHO, "Nothing, the other
> 12 would have been more than sufficient". In fact, the Net would
> have suffered under (physical) attack to half a dozen of roots at the
> same time much less than what it suffered under Kashpureff's electronic
> attack few years ago.
>
> I do believe that it is a responsible answer from ICANN to address these
> issues before the terrorists find out how they can attack the DNS and
> jeopardize its functioning, creating billions of damage to the western
> economy. The big problem is, IMHO, that a lot of people see the DNS as a
> milk cow, and are very little motivated to deploy secure procedures (more
> costly and requiring higher expertise) if they see this as a risk for
> their profits. Therefore the only way to progress on this is to include
> security requirements in the contracts ICANN has with the different
> parties (Registries and accredited Registrars).
>
> I am saddened by the delay that this may have on other issues, on which I
> am contributing and I would see progressing (like the AtLarge), but I am
> also looking forward to see an open debate on security, as a vital
> subject for the survival of the Net as we know it today.
>
> Regards
> Roberto
> (Sandy's excellent post cut for bandwidth)
>
>
>
> _________________________________________________________________
> Get your FREE download of MSN Explorer at
> http://explorer.msn.com/intl.asp
>
> --
> This message was passed to you via the ga@dnso.org list.
> Send mail to majordomo@dnso.org to unsubscribe
> ("unsubscribe ga" in the body of the message).
> Archives at
> http://www.dnso.org/archives.html