Re: [NA-Discuss] [At-Large] Re-engineering the Internet
Patrick and all,

Largely I agree with your sentiments below. But try to remember ICANN doesn't lead in any real sense, especially not in a technology sense. Nor should it at this time, due to its poor-performing leadership. We have called time and time again for ICANN and the IETF to get away from the hierarchical DNS we know oh too well today and move towards a relational DNS. Those calls fell, and still fall, on deaf ears. Private industry will either lead this migration out of advantage or necessity, and maybe even both.

The IETF's and the IANA's strong, if not stubborn, support of IPv6, a largely failed or failing protocol due to security and privacy considerations as well as application migration reasons, was doomed nearly from its earliest beginnings nearly 10 years ago. But forward-thinking business and technical folks that knew this then were shouted or "hummed" down, and so we have the promotion of IPv6 such as it is and has been, yet still failing to be very attractive even on the eve of the running out of IPv4 address space. But yet others are quietly moving forward with IPv8, and perhaps IPv9 and Dynamic DNS.

Yet as you rightly indicate, the "Cash Cow" of the legacy Internet becoming more and more a "Scam Cow" remains preferred. Yet I, amongst others, remain undaunted and reticent that the Legacy Internet we use today is wilting on the vine as more and more governments are becoming more and more involved and willing to impose regulation that seeks to make the Legacy Internet "Safe", yet also further hampers its appeal. Small wonder really, given Phishing, Spam, and other forms of miscreant behavior becoming nearly insurmountable as ICANN dragged its feet for years to address these problems for too long in favor of "Cultural" issues.

-----Original Message-----
From: Patrick Vande Walle <patrick@vande-walle.eu>
Sent: Aug 27, 2008 12:27 AM
To: At-Large Worldwide <at-large@atlarge-lists.icann.org>
Subject: Re: [At-Large] Re-engineering the Internet
Khaled,
This is indeed an interesting debate to have. As we know, most of the technology we use today was developed 25 years ago. Since then, there has been no change to the fundamentals, but rather patches designed from the start with backward compatibility.
I think most people will agree that the DNS is broken beyond repair. The changes we have seen over the years were all enhancements to the previous standards. DNSSEC and IDNs come to mind. Both were designed to prevent incompatibilities with older software. Punycode is ugly. We would need an 8-bit clean naming system. DNSSEC keys make zone files unreadable by a normal human being.
Note also that, over the last 15 years, most of the new developments in Internet standards were developed by the industry, and not by government-funded academic research. The goal of the industry is to make profits. Hence, technical choices are mostly short or medium term and tend to perpetuate existing economic models. The DNS hierarchical model has been generating an interesting cash flow for the registries and registrars (and ICANN, BTW). See for example the fact that domain names have largely prevented Verisign from going bankrupt. (http://www.domainpulse.com/2008/08/08/verisign-reports-68-million-loss-873-m... )
The net result is that there is no real work done to change the fundamental design to address new concerns. IDN ugliness and security are issues, but so is the "one TLD, one registry" model, which prevents real competition in the TLD space. More distributed models for naming systems, like CoDoNS (http://www.cs.cornell.edu/people/egs/beehive/codons.php ) remain purely academic, as there is no willingness from the industry to kill the cash cow.
I focused here on the DNS, but similar considerations could apply to other parts of the Internet infrastructure, like traffic routing.
This is where I think ICANN could and should be more active in fostering and sponsoring new research aimed at designing a new Internet, targeting the general public good, with no short term economic considerations. Granted, I do not expect ICANN to do the work of the IETF. However, I think it is not necessarily a good thing to let the engineers be in charge of everything, from the general vision to specifications and implementation. There needs to be a top level vision, a master plan of what we want the Internet to be in 10 years time. From there, we could articulate work packages and deliverables.
This discussion is very relevant to the ALAC also. While it is good that the ALAC provides comments on ICANN processes, it also needs to know where it wants the Internet to go, especially in the naming and numbering area, and articulate its positions according to its own vision.
Patrick Vande Walle
On Wed, 27 Aug 2008 07:35:52 +0200, Khaled KOUBAA <khaled.koubaa@gmail.com> wrote:
Re-engineering the Internet
Source : http://iftf.org/node/2275
During a workshop at IFTF this week, I offered a forecast that there is at least a 50% probability of a fundamental re-engineering of the internet. Here's a bit of detail on this forecast and why I think this last week has been a critical turning point.
Domain Name Services, DNS, like most of the Gen One Internet, is a system built on cooperation. DNS servers have a narrow function: to accurately translate domain names like ABC.com into numerical IP addresses, using an up-to-date directory from other -trusted- DNS servers. The problem, in simple terms, is that the length of the encryption key used by DNS servers to authenticate each other is short enough that, using modern high-performance CPUs, it's possible to calculate a key to enable access to "poison" the DNS database on the server with fraudulent routing information to misdirect any query for ABC.com to XXX.com. Dan Kaminsky, a 'white hat' hacker/security expert, has been telling Internet engineering leadership about this exploit for at least four years, and talking publicly, without revealing details (I heard him talk about this three years ago), trying to provoke action. Finally, this last month Dan forced the issue by releasing the details into the wild along with a short-term patch using a longer encrypted number requiring a lot more computing power to decrypt. The global Internet engineering, security and operations communities scrambled frantically, and deployed his patch in about three days, remaining open and vulnerable until then. Here's a video of the patch being deployed over several days; red are vulnerable domains, green are protected: http://www.youtube.com/watch?v=Ff5WBDOwueI
As we know, we are entering an era where supercomputing power will be trivially available on local multi-core processors, and on scalable platforms in the cloud. So it is inevitable that the current DNS patch will fall to superior decryption computation. So in the meantime limited software patches will forestall the inevitable crisis, which will occur when the black hat hackers have adequate computing cycles to break the encryption. This week most Internet routing experts agreed that we need a fundamentally more secure DNS system that will withstand a massive assault. A totally new, more powerful generation of software, computers, servers, routers and switches may be necessary, along with new operations regimens, and training and education for IT personnel.
_______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org
http://atlarge-lists.icann.org/mailman/listinfo/at-large_atlarge-lists.icann...
At-Large Official Site: http://atlarge.icann.org
Regards,

Jeffrey A. Williams
Spokesman for INEGroup LLA. - (Over 281k members/stakeholders strong!)
"Obedience of the law is the greatest freedom" - Abraham Lincoln
"Credit should go with the performance of duty and not with what is very often the accident of glory" - Theodore Roosevelt
"If the probability be called P; the injury, L; and the burden, B; liability depends upon whether B is less than L multiplied by P: i.e., whether B is less than PL." United States v. Carroll Towing (159 F.2d 169 [2d Cir. 1947])
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS. div. of Information Network Eng. INEG. INC.
ABA member in good standing, member ID 01257402
E-Mail: jwkckid1@ix.netcom.com
My Phone: 214-244-4827