Hello Patrick,

As you highlighted, most problems come from industry, which makes choices against common interests. I don't understand why there are accusations against engineers, or why they should be excluded from the top-level vision. Many decisions are made by corporations based on profit logic. There are many engineers and scholars at the IETF and IEEE who just want to develop fantastic technologies for the common interest. The problem of the DNS is the same as with any kind of technology: when should we do the big shift and move to a new technology, when nobody is willing to pay for it? There are plenty of technologies dead at birth for this reason. If we check in depth, we can find that the issues are more related to money considerations than technical ones.

Regards,
Rafik

On Wed, Aug 27, 2008 at 9:27 AM, Patrick Vande Walle <patrick@vande-walle.eu> wrote:
Khaled,
This is indeed an interesting debate to have. As we know, most of the technology we use today was developed 25 years ago. Since then, there has been no change to the fundamentals, but rather patches designed from the start with backward compatibility in mind.
I think most people will agree that the DNS is broken beyond repair. The changes we have seen over the years were all enhancements to the previous standards. DNSSEC and IDNs come to mind. Both were designed to prevent incompatibilities with older software. Punycode is ugly. We would need an 8-bit clean naming system. DNSSEC keys make zone files unreadable by a normal human being.
Note also that, over the last 15 years, most of the new developments in Internet standards were developed by the industry, and not by government-funded academic research. The goal of the industry is to make profits. Hence, technical choices are mostly short or medium term and tend to perpetuate existing economic models. The DNS hierarchical model has been generating an interesting cash flow for the registries and registrars (and ICANN, BTW). See for example the fact that domain names have largely prevented Verisign from going bankrupt. (http://www.domainpulse.com/2008/08/08/verisign-reports-68-million-loss-873-m...)
The net result is that there is no real work done to change the fundamental design to address new concerns. IDN ugliness and security are issues, but so is the "one TLD, one registry" model, which prevents real competition in the TLD space. More distributed models for naming systems, like CoDoNS (http://www.cs.cornell.edu/people/egs/beehive/codons.php), remain purely academic, as there is no willingness from the industry to kill the cash cow.
I focused here on the DNS, but similar considerations could apply to other parts of the Internet infrastructure, like traffic routing.
This is where I think ICANN could and should be more active in fostering and sponsoring new research aimed at designing a new Internet, targeting the general public good, with no short-term economic considerations. Granted, I do not expect ICANN to do the work of the IETF. However, I think it is not necessarily a good thing to let the engineers be in charge of everything, from the general vision to specifications and implementation. There needs to be a top-level vision, a master plan of what we want the Internet to be in 10 years' time. From there, we could articulate work packages and deliverables.
This discussion is very relevant to the ALAC also. While it is good that the ALAC provides comments on ICANN processes, it also needs to know where it wants the Internet to go, especially in the naming and numbering area, and articulate its positions according to its own vision.
Patrick Vande Walle
On Wed, 27 Aug 2008 07:35:52 +0200, Khaled KOUBAA <khaled.koubaa@gmail.com> wrote:
Re-engineering the Internet
Source: http://iftf.org/node/2275
During a workshop at IFTF this week, I offered a forecast that there is at least a 50% probability of a fundamental re-engineering of the internet. Here's a bit of detail on this forecast and why I think this last week has been a critical turning point.
Domain Name Services, DNS, like most of the Gen One Internet, is a system built on cooperation. DNS servers have a narrow function: to accurately translate domain names like ABC.com into numerical IP addresses, using an up-to-date directory from other, trusted, DNS servers. The problem in simple terms is that the length of the encryption key used by DNS servers to authenticate each other is short enough that, using modern high-performance CPUs, it's possible to calculate a key to enable access to "poison" the DNS database on the server with fraudulent routing information to misdirect any query for ABC.com to XXX.com. Dan Kaminsky, a 'white hat' hacker/security expert, has been telling Internet engineering leadership about this exploit for at least four years, and talking publicly, without revealing details (I heard him talk about this three years ago), trying to provoke action. Finally, this last month Dan forced the issue by releasing the details into the wild along with a short-term patch using a longer encrypted number requiring a lot more computing power to decrypt. The global Internet engineering, security and operations communities scrambled frantically, and deployed his patch in about three days, remaining open and vulnerable until then. Here's a video of the patch being deployed over several days; red are vulnerable domains, green are protected: http://www.youtube.com/watch?v=Ff5WBDOwueI
As we know, we are entering an era where supercomputing power will be trivially available on local multi-core processors, and on scalable platforms in the cloud. So it is inevitable that the current DNS patch will fall to superior decryption computation. In the meantime, limited software patches will forestall the inevitable crisis that will occur when the black hat hackers have adequate computing cycles to break the encryption. This week most Internet routing experts agreed that we need a fundamentally more secure DNS system that will withstand a massive assault. A totally new, more powerful generation of software, computers, servers, routers and switches may be necessary, along with new operations regimens, and training and education for IT personnel.
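The forwarded text describes the July 2008 patch as a "longer number" that costs more computing power to guess. In the model RFC 5452 uses, what matters is how many unpredictable bits a forged answer must match: the 16-bit transaction ID alone, or that plus a randomized 16-bit UDP source port. This added example, not part of the thread, works that arithmetic through and performs the defender's check the public "is my resolver patched" testers of the time performed, on a constructed sample of resolver source ports.

```python
"""Added example (not from the thread): cost of forging a DNS answer as a
function of the random bits in each query (RFC 5452 model), and a check of
whether a resolver's outgoing source ports actually carry entropy."""
import math
from typing import Sequence

TXID_BITS = 16  # DNS header ID field
PORT_BITS = 16  # approximation: a randomized 1024-65535 port range is just under 16 bits

def match_probability(random_bits: int, forged_answers: int) -> float:
    """Probability that at least one of `forged_answers` spoofed replies
    matches a query carrying `random_bits` of unpredictable state."""
    per_try = 1.0 / (1 << random_bits)
    return 1.0 - (1.0 - per_try) ** forged_answers

def forged_answers_for(random_bits: int, target: float) -> int:
    """Smallest number of forged replies that reaches probability `target`.
    Solves 1 - (1-p)**k >= target for k; log1p keeps precision for tiny p."""
    per_try = 1.0 / (1 << random_bits)
    return math.ceil(math.log(1.0 - target) / math.log1p(-per_try))

def classify_source_ports(ports: Sequence[int]) -> str:
    """Defender's check of a resolver's outgoing ports: a single reused port
    or a simple counter adds no entropy; only a spread of values does."""
    if len(ports) < 2 or len(set(ports)) == 1:
        return "fixed"
    steps = {b - a for a, b in zip(ports, ports[1:])}
    if len(steps) == 1:
        return "sequential"
    return "random"

# Constructed sample: outgoing source ports observed from three resolvers.
SAMPLES = {
    "unpatched":  [53, 53, 53, 53, 53],
    "counter":    [32771, 32772, 32773, 32774, 32775],
    "randomized": [49231, 1883, 60712, 27044, 5122],
}

if __name__ == "__main__":
    for bits in (TXID_BITS, TXID_BITS + PORT_BITS):
        k = forged_answers_for(bits, 0.5)
        print(f"{bits} random bits: ~{k:,} forged answers for a 50% chance")
    for name, ports in SAMPLES.items():
        print(f"{name}: {classify_source_ports(ports)}")
```

Going from 16 to 32 random bits multiplies the forger's expected work by about 65,000, which is the whole effect of the patch the text describes; the port classifier tells you whether your own resolver actually gained those bits.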
_______________________________________________
At-Large mailing list
At-Large@atlarge-lists.icann.org
http://atlarge-lists.icann.org/mailman/listinfo/at-large_atlarge-lists.icann...
At-Large Official Site: http://atlarge.icann.org