Re: [ga] Net security's a losing battle
Dear Roberto,

I agree that we now have to think seriously about a name space management strategy (you may remember I have been quite rebuked when I proposed again and again to consider the matter globally and not only through what no one really knows what the others call an "alt root").

The whole security strategy stays the same question over techniques and centuries. Is concentration better to resist and get protected together at the risk of losing everything in case of short defeat, or is dispersion the only way to minimize the global casualty toll, offer the best resilience and never be fully defeated? Cornwallis vs. Insurgents. British vs. IRA. John vs. Robin Hood. Chinese last Emperor vs. Mao. US vs. Viet-Cong. etc... I will not dispute that. But everyone agrees that the topography of the battle field is of the essence.

So the first thing is to make sure we do not use wide continuous plains strategy while the Internet topography is far more than distributed (like hills and valleys) and is a myriad of interconnects (like islands). We are to be more MacArthur than Eisenhower. Our priority is to keep our lines open and avoid contamination. More British a strategy than French.

Bind and co make a good system. But the way we use it is costly and non protected. To keep with the WWII image, improving the DNS protection is good, but it is like adding new destroyers to convoys: this actually enlarges the target. What is better is to improve the strategy to increase the defence capacity of the islands while reducing the number of and the dependence on the convoys.

We use the DNS today as if we were calling the operator every time we want to place a phone call: like 70 years ago. So part of a response can be to concentrate all the operators in a stronghold (but what if they blow the stronghold?). Another way is to give everyone a phone book.

Do you know how many times a year (or a decade) the root changes? And how many times it changes enough for calls not to get through? Look at the IANA/DoC procedure and the delay to get an IP address updated (ask Pitcairn). Nearly one year to get .info and .biz. .pro and others are still pending. I do hope you update your anti-virus files more often than they update the root!

The root is available on line via ftp://rs.internic.net/domain/root.zone.gz
It is a 14,655 Bytes file today. To manage the Internet Michelle from the IANA is enough, and she may even take vacations. The rest is pure job/fee protection.

Our true protection is to get a root copy and to use it with our local resolver. Bill Gates thinks that the Microsoft strategy is not there? OK, until Windows gets shareware alternative resolvers good souls will keep helping in providing root mirrors. ccTLDs will eventually agree root delivery is part of their duties to their ISP and good business protection. I suppose the GAC will require them soon, probably in MdR. In the meanwhile you can use my root servers.

Obviously this shows that the main security battle is against ICANN and Microsoft. Let us help them correct that and let us have an ICANN sponsored "alternative authoritative root servers systems", to use the ICANN awful slang. And then a Windows resolver using the root authoritatively loaded and checked by the machine owner.

You may have noted that I only considered the ICANN root.

Jefsey

On 18:28 28/09/01, Roberto Gaetano said:

Hi.