2010/3/31 Lutz Donnerhacke <lutz@iks-jena.de>
* Joe Baptista wrote:
The point of my letter is very clear. What happened? Who was affected? And what are the security repercussions for users worldwide? So far ICANN has remained silent.
I should have specified that the questions I'm asking are to ICANN. And the answers I want can only come from ICANN. That's why I find the silence from ICANN unacceptable .. I will address this further below.
The problem is discussed in detail on dns-operators:
https://lists.dns-oarc.net/pipermail/dns-operations/2010-March/thread.html#5...
To summarize: a) A network (connected to the Internet) installed a blocking technology by intercepting DNS queries. The technical method used is local route injection. b) Due to an operational error, the injected route leaked to the Internet and caused parts of the Internet to be redirected into the blocking project.
OK so basically my letter to the president concerning the event is correct when I speculate the problem originated from a faulty gateway. But from what I can see of the conversations we don't have any official statement from ICANN to confirm or deny your conclusions or mine. This is all guesswork and we need less guessing and more facts. That's why I keep asking ICANN to make a statement that is long overdue.
Let's focus on ICANNs part and PLEASE move to technical-issues-WG. -> technical-issues@atlarge-lists.icann.org
My understanding is that a) is not within ICANN's remit because it's internal to the participating autonomous systems. Autonomous systems occur as plain points (without any internal structure) in the visible Internet.
I completely agree but respectfully point out that claiming ICANN has no accountability or responsibility for this incident is disingenuous. ICANN is responsible on behalf of the U.S. Government for the operational stability and security of the DNS. Just because they were not in control of the event does not excuse them from the hot seat on this. Anyone who understands the significance of what happened must be very concerned. As I explained to President Obama, what happened with the i-root is a national security concern. People - let's not forget what happened here. For a period of time user traffic in Chile and the United States was hijacked. So for ICANN to remain silent and point the finger of responsibility at some unknown third party is not acceptable practice here. What happened here is significant. I'm surprised this story has not been front page news. ICANN is very lucky very few people understand the technology. Ignorance has been ICANN's best friend in this incident.
OTOH b) is a well known problem. Hijacking foreign IP space is unfortunately common and causes heavy headaches for all involved operators. The SIDR-WG at IETF is working on a solution to prevent the negative impact of such operational errors.
I know. How long will it take to find a solution? 5 years .. 15 .. more? Now that a new attack vector is known to the script kiddies, criminals and governments how long will it be before it happens again?
Hijacking of foreign resources is clearly a topic on ICANN's agenda. So please come to the technical-issues-WG.
There is only one solution to permanently solve this root issue. Run your own root. And if you're a country ... simply pass legislation to nationalize the IANA root IP blocks and use the same routing technology to put all IANA servers under your government's control and make those servers available to your national infrastructure. That's the most economical way to take control of your national infrastructure - you don't even need to tell your ISPs to change their root pointers.

I developed the above methodology when we got a lot of opposition to the Turkish root. First all the ISPs had to be contacted to make the changes. This involved an economic cost on behalf of the ISPs. I felt there was a better way by just using the routing system. You simply nationalize the IANA root infrastructure and start answering on those numbers. Simple and easy solution.

Much thanks for the pointers above Lutz.

regards
joe baptista
BTW: I'm biased on SIDR: My personal impression is that their solution is much too complex and can hardly be handled by current routers. So I put my own proposal into this group (which was immediately ignored).
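The interception described in a) above (a network answering DNS queries in place of a root server it has routed to itself) has a simple user-side symptom: the reply carries an answer record for a name no root server owns, where a genuine root would return only a referral to the TLD servers. The following is an added example, not code from this thread or from any of the parties in it. It builds two constructed response packets (documentation names under example.com and example.net and the documentation address 192.0.2.1 are assumptions), parses them from wire format, and classifies each; the probe() helper for sending the same check to a live server address is likewise an assumption and is not exercised offline.

```python
import socket
import struct

# Minimal DNS wire-format builder and parser, written for this example to tell a
# genuine root-server referral apart from an answer injected by an intercepting network.

def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(qname, txid=0x1234):
    """Iterative A query (no RD), the kind a resolver sends to a root server."""
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", 1, 1)

def build_response(qname, answers=(), authority=(), txid=0x1234, aa=False):
    """Response with one question; answers/authority are (name, rtype, rdata) tuples, class IN."""
    flags = 0x8000 | (0x0400 if aa else 0)  # QR, optionally AA
    pkt = struct.pack("!HHHHHH", txid, flags, 1, len(answers), len(authority), 0)
    pkt += encode_name(qname) + struct.pack("!HH", 1, 1)
    for name, rtype, rdata in list(answers) + list(authority):
        pkt += encode_name(name) + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata
    return pkt

def decode_name(pkt, offset):
    """Decode a name at offset, following compression pointers; returns (name, end offset)."""
    labels, end = [], None
    while True:
        length = pkt[offset]
        if length & 0xC0 == 0xC0:              # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = offset + 2
            offset = ((length & 0x3F) << 8) | pkt[offset + 1]
            continue
        offset += 1
        if length == 0:
            break
        labels.append(pkt[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (offset if end is None else end)

def parse_response(pkt):
    """Parse header, question and the three RR sections of a response packet."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off, questions = 12, []
    for _ in range(qd):
        name, off = decode_name(pkt, off)
        qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
        off += 4
        questions.append((name, qtype))
    sections = {"answer": [], "authority": [], "additional": []}
    for sec, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(pkt, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
            off += 10
            sections[sec].append((name, rtype, pkt[off:off + rdlen]))
            off += rdlen
    return {"id": txid, "aa": bool(flags & 0x0400), "question": questions, **sections}

def classify_root_response(pkt):
    """'referral' for a genuine root reply to a name below a TLD; 'forged_answer' when the
    reply carries answer records for such a name, which no root server is authoritative for."""
    r = parse_response(pkt)
    qname = r["question"][0][0]
    if len([l for l in qname.split(".") if l]) < 2:
        return "in_zone_query"   # root-zone or TLD name: a root server may legitimately answer
    if r["answer"]:
        return "forged_answer"
    if any(rtype == 2 for _, rtype, _ in r["authority"]):   # NS records = delegation
        return "referral"
    return "unexpected"

def probe(server_ip, qname="www.example.com.", timeout=3.0):
    """Send one UDP query to server_ip:53 and classify the reply (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname), (server_ip, 53))
        data, _ = s.recvfrom(4096)
    return classify_root_response(data)

# Constructed sample packets (not captured traffic): what a genuine root returns for a name
# under .com, and what an intercepting box that answers in the root's place returns.
GENUINE_REFERRAL = build_response("www.example.com.",
                                  authority=[("com.", 2, encode_name("ns.example.net."))])
FORGED_ANSWER = build_response("www.example.com.",
                               answers=[("www.example.com.", 1, bytes([192, 0, 2, 1]))], aa=True)

if __name__ == "__main__":
    for label, pkt in (("genuine referral", GENUINE_REFERRAL), ("injected answer", FORGED_ANSWER)):
        print(f"{label}: {classify_root_response(pkt)}")
```

To use it against the incident class in a), run probe() with a name at least two labels deep against each root server address your resolver reaches; any result other than "referral" means something on the path is answering in the root's place. The check only catches injected answers: an intercepting network that returned a forged referral (NS records pointing at its own servers) would pass it, so the NS names in a referral should additionally be compared with the known delegation for that TLD.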
_______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org
http://atlarge-lists.icann.org/mailman/listinfo/at-large_atlarge-lists.icann...
At-Large Official Site: http://atlarge.icann.org