[dns-wg] Re: ORSN-SERVERS.NET
JFC (Jefsey) Morfin
jefsey at jefsey.com
Thu Oct 28 14:21:23 CEST 2004
At 21:57 24/10/2004, Jay Daley wrote:
>Markus
>Markus wrote on 22/10/2004 12:26:13 pm:
>
> > We are only the
> > european (independent) copy of the stable ICANN root server system :-))
>
>I really do not understand this. How are you in any way more independent
>than k-root or i-root?

Jay,
I will try to review this key point for the internet development.

What ORSN does is risk containment. Suppose the ICANN/NTIA root is hacked. The ORSN file is not affected. This provides a protection. Now, obviously, if the delay in updating the ORSN file is too long it is going to pollute the namespace with old data. This is why troubleshooting calls for a report on possible differences. Such a report must be taken both ways:
- a way to know that ORSN is outdated
- an alarm that the ICANN/NTIA root may be hacked.

This kind of issue has been identified by the dot-root project of a DNS test bed we carried last years. This has led us to work on local roots concepts and eventually on the authoritative root matrix (which is not documented, but implemented in reality through the additional name servers entered in the top level through ccTLD db.files for example). This also led to the AFRAC project (http://afrac.org) to unlock root files (like the ICANN/NTIA root file) as this is true for any other application root file, through contextual root files for what we named "externets" (i.e. an external global view of the internet). For example, a Japanese externet can be all the users and hosts which freely chose to belong to it. End to end relations may then be limited to these externet members (only people able to read Japanese). You can belong to many externets.

In the case of a nation, we identified that a national externet is a regalian duty. What does that mean? It means that many things may happen which affect your sure national use of the DNS. In 99.99% of cases, that you use a US, a French, a European or an East-Timor root server is the same. But in critical occasions you will want to use a nameserver which will follow the rules which protect your skin.

We developed this kind of thinking in parallel to the White House - we proposed ICANN to work on an "ICP-4" document on netsecurity in December 2001 at the DNSO/BC with a few large operators and corporations. We then introduced the dot-root project to work on this along the lines of the ICP-3 document which investigates the possible end of an authoritative file and defines the conditions for test bedding we stick to [we added a few]. The White House (Dick Clarke) worked along the same lines after 9/11 and came up with a very powerful evaluation showing that the internet represented a nuclear equivalent risk to the USA through the vulnerability of critical infrastructures and the impact on the US economy and way of life of a major dysfunction. We could measure it through the impact of the East Coast Black Out - should it have happened in Feb blizzard, the impact would have been devastating. This eventually led to the http://whitehouse.gov/pcipb national strategy, the first visible impact we all know is the DoD IPv6 commitment.

Let us imagine that a terrorist atomic bomb blows Washington-West (the top worldwide target and a US working hypothesis). The propagation through the internet would be times more devastating than the bomb itself on the USA. Regalian US duty will be to reserve most of the remaining internet bandwidth to civil security information and economy protection. P2P, adult, etc. traffic will not be a priority. The DNS is the control tool. We do not want to suffer from that in Europe or in the rest of the world, because there is no reason and because it would propagate the terror (and make the attempt more attractive and therefore more likely). So a European regalian duty is DNS risk containment, to protect us from the results of an attack of the US and to protect the US from being attacked. This is a very common strategy in network security.

This means that every Gov has a regalian duty, not to load the ICANN/NTIA file, but to copy it like ORSN does. This copying must be carried with a take-over procedure to cope with a special national situation. A critical problem may be local. Or there may be an external attack. Let us for example consider the Iraq invasion and the ".iq" management. The USA attacked ".iq" through spam DoS and led Iraq to stop all their servers. An Iraqi externet would have made the Iraqi machine switch to the Iraqi root they could have built the way they wanted (this same externet reasoning applies to IPv6 addresses and national numbering zones we have supported and documented for years and the ITU now openly investigates - please remember that ITU is not an "internet opponent" but the Rep of regalian concerns).

A very common hypothesis is a "Chernobyl" like incident. TV waves pollution will make ADSL screens the best way to inform and calm the people through stable screams, with a major user demand peak. The control of the DNS would be vital.

Another interesting point is that published reports are that only 2.5% of the root calls are legitimate, addressing based externets are a way to protect users at peak critical times. Their support in IPv6 numbering plan is a regalian demand that we should see develop in the coming months. It is also a network security issue to avoid pollution of the DNS in such cases.

Obviously these are not the only resulting user architectural changes implied by the ICANN ICP-3 and WSIS real world consequences, as some mails documented it about DNS database usages.

jfc morfin
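
Added example, not part of the original message or of any ORSN tooling: one way to produce the two-way difference report the message asks for, comparing a mirrored root zone against the reference copy. The zone snippets, names under .example, serial numbers and the classification rule (older mirror serial means the mirror is behind; differing data at the same or a newer serial raises an alarm) are assumptions constructed for illustration.

```python
# Added example (not from the original message): two-way difference report
# between a reference root zone and a mirrored copy.
# All zone data below is constructed; names under .example are placeholders.
from collections import defaultdict

REFERENCE = """\
. 86400 IN SOA ns.example. hostmaster.example. 2004102801 1800 900 604800 86400
de. 172800 IN NS ns1.de-registry.example.
de. 172800 IN NS ns2.de-registry.example.
iq. 172800 IN NS ns1.iq-registry.example.
"""
# Mirror with an older serial that has not yet picked up the iq. delegation.
MIRROR_BEHIND = """\
. 86400 IN SOA ns.example. hostmaster.example. 2004102701 1800 900 604800 86400
de. 172800 IN NS ns1.de-registry.example.
de. 172800 IN NS ns2.de-registry.example.
"""
# Same serial as the reference, but one delegation points somewhere else.
MIRROR_MISMATCH = REFERENCE.replace("ns2.de-registry.example.", "ns9.other.example.")

def parse_zone(text):
    """Return (SOA serial, {owner: set of NS targets}) for master-file lines."""
    serial, delegations = None, defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[2].upper() != "IN":
            continue
        owner, rtype = fields[0].lower(), fields[3].upper()
        if rtype == "SOA" and owner == "." and len(fields) >= 7:
            serial = int(fields[6])
        elif rtype == "NS":
            delegations[owner].add(fields[4].lower())
    if serial is None:
        raise ValueError("zone has no root SOA record")
    return serial, dict(delegations)

def diff_report(reference, mirror):
    """Compare delegations and classify the result (rule is an assumption)."""
    ref_serial, ref = parse_zone(reference)
    mir_serial, mir = parse_zone(mirror)
    changed = sorted(o for o in set(ref) | set(mir) if ref.get(o) != mir.get(o))
    if not changed:
        verdict = "in-sync"
    elif mir_serial < ref_serial:     # plain integer compare, no RFC 1982 wraparound
        verdict = "mirror-behind"     # mirror is probably just outdated
    else:
        verdict = "content-mismatch"  # same or newer serial, different data: alarm
    return {"verdict": verdict, "changed": changed,
            "ref_serial": ref_serial, "mirror_serial": mir_serial}
```

A "content-mismatch" verdict does not say which side is wrong; it only marks the owners in "changed" for manual review against both copies.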