ICANN/GNSO GNSO Email List Archives

[ga]



[ga] Re: [At-Large] Re-engineering the Internet

  • To: ALAC NA Discuss <na-discuss@xxxxxxxxxxxxxxxxxxxxxxx>
  • Subject: [ga] Re: [At-Large] Re-engineering the Internet
  • From: "Jeffrey A. Williams" <jwkckid1@xxxxxxxxxxxxx>
  • Date: Tue, 26 Aug 2008 04:22:25 -0700

Patrick and all,

  Largely I agree with your sentiments below.  But
try to remember ICANN doesn't lead in any real sense,
especially not in a technology sense.  Nor should it
at this time due to its poor performing leadership.

  We have called time and time again for ICANN and
the IETF to get away from the hierarchical DNS we know
oh too well today and move towards a relational DNS.
Those calls fell, and still fall, on deaf ears.  Private
industry will either lead this migration out of advantage
or necessity, and maybe even both.

  The IETF's and the IANA's strong, if not stubborn, support
of IPv6, a largely failed or failing protocol due to security
and privacy considerations as well as application migration
reasons, was doomed nearly from its earliest beginnings
nearly 10 years ago.  But forward thinking business and
technical folks that knew this then were shouted or
"Hummed" down, and so we have the promotion of IPv6 such
as it is and has been.  Yet it is still failing to be very
attractive even on the eve of the running out of IPv4
address space.  But yet others are quietly moving forward
with IPv8, and perhaps IPv9 and Dynamic DNS.  Yet as you
rightly indicate the "Cash Cow" of the legacy Internet
becoming more and more a "Scam Cow" remains preferred.

  Yet I amongst others remain undaunted and reticent
that the Legacy Internet we use today is wilting on the
vine as more and more governments are becoming more and
more involved and willing to impose regulation that seeks
to make the Legacy Internet "Safe", yet also further hampers
its appeal.  Small wonder really given Phishing, Spam, and
other forms of miscreant behavior becoming nearly insurmountable
as ICANN dragged its feet for years to address these problems
for too long in favor of "Cultural" issues.


-----Original Message-----
>From: Patrick Vande Walle <patrick@xxxxxxxxxxxxxx>
>Sent: Aug 27, 2008 12:27 AM
>To: At-Large Worldwide <at-large@xxxxxxxxxxxxxxxxxxxxxxx>
>Subject: Re: [At-Large] Re-engineering the Internet
>
>
>Khaled,
>
>This is indeed an interesting debate to have. As we know, most of the
>technology we use today was developed 25 years ago. Since then, there has
>been no change to the fundamentals, but rather patches designed from the
>start with backward compatibility.
>
>I think most people will agree that the DNS is broken beyond repair. The
>changes we have seen over the years were all enhancements to the previous
>standards. DNSSEC and IDNs come to mind. Both were designed to prevent
>incompatibilities with older software. Punycode is ugly. We would need an
>8-bit clean naming system. DNSSEC keys make zone files unreadable by a
>normal human being.
>
>Note also that, over the last 15 years, most of the new developments in
>Internet standards were developed by the industry, and not by government
>funded academic research. The goal of the industry is to make profits. Hence,
>technical choices are mostly short or medium term and tend to perpetuate
>existing economic models.
>The DNS hierarchical model has been generating an interesting cash flow for
>the registries and registrars (and ICANN, BTW). See for example the fact
>that domain names have largely prevented Verisign from going bankrupt.
>(http://www.domainpulse.com/2008/08/08/verisign-reports-68-million-loss-873-million-comnet-domains/)
>
>The net result is that there is no real work done to change the fundamental
>design to address new concerns. IDN ugliness and security are issues, but
>so is the "one TLD, one registry" model, which prevents real competition in
>the TLD space. More distributed models for naming systems, like CoDoNS
>(http://www.cs.cornell.edu/people/egs/beehive/codons.php ) remain purely
>academic, as there is no willingness from the industry to kill the cash
>cow.
>
>I focused here on the DNS, but similar considerations could apply to other
>parts of the Internet infrastructure, like traffic routing.
>
>This is where I think ICANN could and should be more active in fostering
>and sponsoring new research aimed at designing a new Internet, targeting
>the general public good, with no short term economic considerations.
>Granted, I do not expect ICANN to do the work of the IETF. However, I think
>it is not necessarily a good thing to let the engineers be in charge of
>everything, from the general vision to specifications and implementation.
>There needs to be a top level vision, a master plan of what we want the
>Internet to be in 10 years time. From there, we could articulate work
>packages and deliverables.
>
>This discussion is very relevant to the ALAC also. While it is good that
>the ALAC provides comments on ICANN processes, it also needs to know where
>it wants the Internet to go, especially in the naming and numbering area,
>and articulate its positions according to its own vision.
>
>Patrick Vande Walle
>
>On Wed, 27 Aug 2008 07:35:52 +0200, Khaled KOUBAA <khaled.koubaa@xxxxxxxxx>
>wrote:
>>
>>   Re-engineering the Internet
>>
>> Source : http://iftf.org/node/2275
>>
>> During a workshop at IFTF this week,  I offered a forecast  that there
>> is at least a 50% probability of a fundamental re-engineering of the
>> internet. Here's a bit of detail on this forecast and why I think this
>> last week has been a critical turning point.
>>
>> Domain Name Services, DNS, like most of the Gen One Internet, is a
>> system built on cooperation. DNS servers have a narrow function: to
>> accurately translate domain names like ABC.com into numerical IP
>> addresses, using an up-to-date directory from other -trusted- DNS
>> servers. The problem, in simple terms, is that the length of the encryption
>> key used by DNS servers to authenticate each other is short enough
>> that, using modern high performance CPUs, it's possible to calculate a
>> key to enable access to "poison" the DNS database on the
>> server with fraudulent routing information to misdirect any query for
>> ABC.com to XXX.com. Dan Kaminsky, a 'white hat' hacker/security
>> expert, has been telling Internet engineering leadership about this
>> exploit for at least four years, and talking publicly, without revealing
>> details (I heard him talk about this three years ago), trying to
>> provoke action. Finally, this last month Dan forced the issue by
>> releasing the details into the wild along with a short term patch using a
>> longer encrypted number requiring a lot more computing power to decrypt.
>> The Global Internet Engineering Security and Operations communities
>> scrambled frantically, and deployed his patch in about three days,
>> remaining open and vulnerable until then. Here's a video of the patch being
>> deployed over several days. Red are vulnerable domains, green are
>> protected: http://www.youtube.com/watch?v=Ff5WBDOwueI
>>
>> As we know, we are entering an era where super computing power will be
>> trivially available on local multi-core processors, and on scalable
>> platforms in the cloud. So it is inevitable that the current DNS patch
>> will fall to superior decryption computation. So in the meantime limited
>> software patches will forestall the inevitable crisis that will occur
>> when the black hat hackers have adequate computing cycles to break the
>> encryption. This week most Internet routing experts agreed that we need
>> a fundamentally more Secure DNS system that will withstand a massive
>> assault. We may need a totally new, more powerful generation of
>> software, computers, servers, routers and switches, along with
>> new operations regimens, and training and education for IT
>> personnel.
>>
>> _______________________________________________
>> At-Large mailing list
>> At-Large@xxxxxxxxxxxxxxxxxxxxxxx
>> http://atlarge-lists.icann.org/mailman/listinfo/at-large_atlarge-lists.icann.org
>>
>> At-Large Official Site: http://atlarge.icann.org
>
>
>_______________________________________________
>At-Large mailing list
>At-Large@xxxxxxxxxxxxxxxxxxxxxxx
>http://atlarge-lists.icann.org/mailman/listinfo/at-large_atlarge-lists.icann.org
>
>At-Large Official Site: http://atlarge.icann.org

Regards,

Spokesman for INEGroup LLA. - (Over 281k members/stakeholders strong!)
"Obedience of the law is the greatest freedom" -
   Abraham Lincoln

"Credit should go with the performance of duty and not with what is
very often the accident of glory" - Theodore Roosevelt

"If the probability be called P; the injury, L; and the burden, B;
liability depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing  (159 F.2d 169 [2d Cir. 1947]
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS.
div. of Information Network Eng.  INEG. INC.
ABA member in good standing member ID 01257402 E-Mail
jwkckid1@xxxxxxxxxxxxx
My Phone: 214-244-4827
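Editor's added example, not part of this thread and not any poster's words or code. The IFTF post quoted above describes the 2008 Kaminsky cache-poisoning issue in terms of a short "encryption key"; what an off-path forger actually has to match is the resolver's 16-bit DNS transaction ID and, after the 2008 patch, a randomized UDP source port as well. Because the attacker triggers queries for fresh random subnames of the target zone, a lost race is not cached and can be retried at once. The model below shows how much each identifier buys. It assumes a single fixed pre-patch source port (53 here), an ephemeral port range of 1024-65535 for a patched resolver, and a burst of 65,536 forgeries per race; all three are constructed assumptions, no packets are sent, and the names `Resolver`, `blind_race` and `races_until_poisoned` are mine.

```python
"""Blind DNS cache-poisoning race, before and after source-port randomization.

Added example for this thread, not code from any poster.  Models only the
identifiers an off-path forger must guess; packet timing, the additional
section carrying the poisoned record, and TTLs are out of scope.  The fixed
port and ephemeral range are assumptions, not measurements.
"""
import random

TXID_SPACE = 1 << 16                    # DNS message ID is 16 bits
FIXED_PORT = 53                         # assumed: one fixed source port pre-patch
EPHEMERAL_PORTS = range(1024, 65536)    # assumed: ports a patched resolver draws from


def guess_space(randomize_port: bool) -> int:
    """Distinct (txid, port) pairs the attacker may have to try for one query."""
    return TXID_SPACE * (len(EPHEMERAL_PORTS) if randomize_port else 1)


def success_probability(forgeries: int, randomize_port: bool) -> float:
    """Chance that one burst of `forgeries` distinct guesses matches the query."""
    n = guess_space(randomize_port)
    return min(forgeries, n) / n


def expected_forgeries(randomize_port: bool) -> float:
    """Mean number of distinct guesses before the first hit on a uniform target."""
    n = guess_space(randomize_port)
    return (n + 1) / 2


class Resolver:
    """Minimal model: remembers only the identifiers of its outstanding query."""

    def __init__(self, randomize_port: bool, rng: random.Random):
        self.randomize_port = randomize_port
        self.rng = rng
        self.outstanding = None

    def send_query(self, qname: str):
        txid = self.rng.randrange(TXID_SPACE)
        port = self.rng.choice(EPHEMERAL_PORTS) if self.randomize_port else FIXED_PORT
        self.outstanding = (qname, txid, port)
        return self.outstanding

    def accept(self, qname: str, txid: int, port: int) -> bool:
        """A reply is cached only if name, ID and destination port all match."""
        return self.outstanding == (qname, txid, port)


def forgery_order(randomize_port: bool):
    """Attacker's guess sequence: every txid at one port, then the next port."""
    ports = EPHEMERAL_PORTS if randomize_port else [FIXED_PORT]
    for port in ports:
        for txid in range(TXID_SPACE):
            yield txid, port


def blind_race(randomize_port: bool, burst: int, seed: int = 0,
               qname: str = "a1b2c3.example.com") -> bool:
    """One race: the resolver asks for a subname the attacker triggered and the
    attacker answers with `burst` forgeries before the real server can."""
    resolver = Resolver(randomize_port, random.Random(seed))
    resolver.send_query(qname)
    for sent, (txid, port) in enumerate(forgery_order(randomize_port)):
        if sent >= burst:
            return False
        if resolver.accept(qname, txid, port):
            return True
    return False


def races_until_poisoned(randomize_port: bool, burst: int, max_races: int,
                         seed: int = 0):
    """Kaminsky's retry trick: each race uses a fresh random subname, so a miss
    is never cached and the next attempt starts immediately.  Returns the race
    number that succeeded, or None if all `max_races` were lost."""
    rng = random.Random(seed)
    for attempt in range(1, max_races + 1):
        qname = f"{rng.randrange(1 << 32):08x}.example.com"   # constructed subname
        if blind_race(randomize_port, burst, seed=rng.randrange(1 << 30), qname=qname):
            return attempt
    return None


if __name__ == "__main__":
    for rp in (False, True):
        print(f"randomize_port={rp}: space={guess_space(rp)}, "
              f"p(hit | 65536 forgeries)={success_probability(65536, rp):.2e}, "
              f"expected forgeries={expected_forgeries(rp):.0f}")
    print("pre-patch, one full burst:", races_until_poisoned(False, 65536, 1))
    print("post-patch, 20 bursts of 65536:", races_until_poisoned(True, 65536, 20))
```

With the fixed port, a burst of 65,536 forgeries covers the whole ID space and the first race always wins; with the port randomized, the same burst wins one race in roughly 64,512, so the attacker needs on the order of 2^31 forgeries rather than 2^15. That is why the 2008 patch was a mitigation that raised the attacker's cost, not a cryptographic fix; the cryptographic answer the thread itself names is DNSSEC, which lets a resolver reject a forged answer regardless of how the identifiers were guessed.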
