RE: On-going Internet Emergency and Domain Names
"william(at)elan.net" <william@elan.net> wrote:
On Sat, 31 Mar 2007, Fergie wrote:
Amen.
The Registry policies, as they stand today, enable criminals.
Registry or Registrar?
Good question. It is my understanding that the various domain registries answer to ICANN policy -- if ICANN policy allows them to operate in a manner which is conducive to allowing criminals to manipulate the system, then the buck stops with ICANN, and ICANN needs to rectify the problems in the policy framework.
- ferg
-- "Fergie", a.k.a. Paul Ferguson, Engineering Architecture for the Internet, fergdawg(at)netzero.net, ferg's tech blog: http://fergdawg.blogspot.com/
On Sat, 31 Mar 2007, Fergie wrote:
Amen.
The Registry policies, as they stand today, enable criminals.
Registry or Registrar?
Good question.
It is my understanding that the various domain registries answer to ICANN policy -- if ICANN policy allows them to operate in a manner which is conducive to allowing criminals to manipulate the system, then the buck stops with ICANN, and ICANN needs to rectify the problems in the policy framework.
Yes, that's correct. Policies are only administered by registries and registrars; they are not made by them, and registrars are supposed to be ultimately accountable to ICANN for adhering to them. If they are not doing something and there is nothing that says they should, we do have a process to go through, but it's not an easy and fast one, and this process really does not go through NANOG. But those are policy process issues and this is an operations mail list. The original question raised is who is ultimately better at acting on DNS operational issues? Do you want all issues going through 100s of different registrars, with some as "responsible" as RegisterFly?
-- William Leibzon, Elan Networks, william@elan.net
On Sat, 2007-03-31 at 15:02 -0800, william(at)elan.net wrote:
On Sat, 31 Mar 2007, Fergie wrote:
It is my understanding that the various domain registries answer to ICANN policy -- if ICANN policy allows them to operate in a manner which is conducive to allowing criminals to manipulate the system, then the buck stops with ICANN, and ICANN needs to rectify the problems in the policy framework.
Yes, that's correct. Policies are only administered by registries and registrars; they are not made by them, and registrars are supposed to be ultimately accountable to ICANN for adhering to them. If they are not doing something and there is nothing that says they should, we do have a process to go through, but it's not an easy and fast one, and this process really does not go through NANOG.
But those are policy process issues and this is an operations mail list. The original question raised is who is ultimately better at acting on DNS operational issues? Do you want all issues going through 100s of different registrars, with some as "responsible" as RegisterFly?
Changing the registry process to enable a preview of the zone files was suggested. Additional requirements imposed upon registrars could curb the overall volume, but that also involves dealing with fraudulent methods of payment, profit motives, privacy concerns, etcetera. A process change at the registry can provide an immediate means of enforcement. This approach should avoid upsetting registrars or incurring even more extended debates. -Doug
It is my understanding that the various domain registries answer to ICANN policy
_Some_ registries answer to ICANN policy, those that have entered into contracts with ICANN. Others, e.g., all the country code TLD registries, don't. However, even in those cases in which there are contractual agreements, ICANN's role is typically quite limited (by design: ICANN isn't the Internet's mommy).
if ICANN policy allows them to operate in a manner which is conducive to allowing criminals to manipulate the system, then the buck stops with ICANN, and ICANN needs to rectify the problems in the policy framework.
Sorry, I still haven't figured out what the problem is you're trying to lay at ICANN's door... Rgds, -drc
On Sun, 2007-04-01 at 08:41 -0700, David Conrad wrote:
It is my understanding that the various domain registries answer to ICANN policy
_Some_ registries answer to ICANN policy, those that have entered into contracts with ICANN. Others, e.g., all the country code TLD registries, don't. However, even in those cases in which there are contractual agreements, ICANN's role is typically quite limited (by design: ICANN isn't the Internet's mommy).
if ICANN policy allows them to operate in a manner which is conducive to allowing criminals to manipulate the system, then the buck stops with ICANN, and ICANN needs to rectify the problems in the policy framework.
Sorry, I still haven't figured out what the problem is you're trying to lay at ICANN's door...
When providers daily accept payment for thousands of accounts with unique, valid, albeit stolen credit card numbers, preventing abuse remains difficult without using time as a remedy. No doubt, domain tasting represents a retreat from dealing with fallout created by such fraud. In addition, several security strategies could become more comprehensive and rely less upon specific OS threat recognitions. Instituting notification of domain name additions before publishing would enable several preemptive defenses not otherwise possible. A notice of change does not alter the core, but instead enables defensive strategies at the edge. These strategies are not limited to white-outs, but might be in the form of alerts or warnings. It takes time to push defensive information to the edge. A notification of change before it occurs reduces the significant advantage now afforded bad actors who are heavily exploiting DNS. -Doug
On Apr 1, 2007, at 11:51 AM, Douglas Otis wrote:
Instituting notification of domain name additions before publishing would enable several preemptive defenses not otherwise possible.
How does this help? Are you saying that new domains are somehow to be judged based upon someone's interpretation as to whether or not the domain 'reads' well, or some other factor? Who makes that determination, and by what criteria? Or are you saying that notification of someone whose credit card has been stolen would somehow help? How would the registrar know whether or not an email address given at the time of registration is valid for the purported registree? If there's some kind of 'click-to-validate' system put into place, the miscreants will simply automate the acceptance process (there's been a lot of work done on defeating CAPTCHAs, for example; even if they do it by hand, that would work. And services like Mailinator can make it even easier for the miscreants due to their FIFO nature - no forensics possible). Several registrars offer private domain registration as an option, as well. How does this affect the notification model? I generally agree with you that when possible, time for analysis can be useful (though I'm unsure how that helps in this scenario, see above). But one of the ways registrars compete is on timeliness; last night, for example, I registered a few domains on a whim. If the registrar I chose to use had told me there was some delay in the process for vetting, I would've cancelled the order and gone somewhere else, because I wanted those domains -right then-, before someone else registered them. This is all probably way off-topic for NANOG, anyways.
-- Roland Dobbins <rdobbins@cisco.com> // 408.527.6376 voice
"Words that come from a machine have no soul." -- Duong Van Ngo
On Sun, 2007-04-01 at 12:29 -0700, Roland Dobbins wrote:
On Apr 1, 2007, at 11:51 AM, Douglas Otis wrote:
Instituting notification of domain name additions before publishing would enable several preemptive defenses not otherwise possible.
How does this help?
Information collected by the registrar must be assumed to be untrustworthy, save the functional elements to be published.
Several registrars offer private domain registration as an option, as well. How does this affect the notification model?
By ensuring data published by registries can be previewed, all registrars would be affected equally.
I generally agree with you that when possible, time for analysis can be useful (though I'm unsure how that helps in this scenario, see above).
When functional information is not valid, such as incorrect name servers or IP addresses, this would not impose an immediate threat. However, basic functional information will trace to the controlling entity. Only by being able to preview this information, would comprehensive preemptive efforts be able to prove fully effective.
But one of the ways registrars compete is on timeliness;
All registrars would be subject to the same delay. The previewing process would be a function of the registry. -Doug
On Apr 1, 2007, at 3:36 PM, Douglas Otis wrote:
By ensuring data published by registries can be previewed, all registrars would be affected equally.
But what is the probative value of the 'preview'? By what criteria is the reputational quality of the domain assessed, and by whom? It almost seems as if the base problem has to do with credit-card transaction validation and fraud reporting, rather than anything to do with the actual domain registration process?
-- Roland Dobbins <rdobbins@cisco.com> // 408.527.6376 voice
"Words that come from a machine have no soul." -- Duong Van Ngo
On Sun, 2007-04-01 at 16:42 -0700, Roland Dobbins wrote:
On Apr 1, 2007, at 3:36 PM, Douglas Otis wrote:
By ensuring data published by registries can be previewed, all registrars would be affected equally.
But what is the probative value of the 'preview'? By what criteria is the reputational quality of the domain assessed, and by whom?
A preview affords time for correlating and pushing protective information to the edge. Some reviewing previews may specialize in look-alike fraud. Others may specialize in net nanny services. Not all exploits will be initially recognized, where a defense in depth should include examining the infrastructure. A preview is required before this infrastructural information can offer the greatest level of protection. Reacting to new domains after the fact is often too late.
It almost seems as if the base problem has to do with credit-card transaction validation and fraud reporting, rather than anything to do with the actual domain registration process?
Until Internet commerce requires some physical proof of identity, fraud will continue. A zone preview approach can reduce related exploits and associated crime, and the amount of information pushed to the edge. -Doug
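As an added example of the correlation a zone preview would allow (this is not code from the thread; the zone snippets, the brand names bigbank and acmemail, and the cheaphost.example name servers are all constructed), the script below diffs today's zone against a preview of tomorrow's and flags new delegations that resemble watch-listed names, the kind of look-alike check a preview reviewer could push to the edge before the names go live:

```python
# Added example, not code from the NANOG thread: a small "zone preview" triage
# tool of the kind Doug Otis's proposal would let defenders run. It diffs today's
# zone against the registry's preview of tomorrow's zone and flags newly delegated
# names resembling protected names. Zone data, brands and hosts are constructed.

# Characters commonly substituted in look-alike names; multi-character pairs first.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"),
               ("5", "s"), ("7", "t"), ("$", "s"), ("@", "a")]

CURRENT_ZONE = """
; constructed snapshot of today's published zone (NS delegations only)
bigbank.com.       172800 IN NS ns1.bigbank.com.
acmemail.net.      172800 IN NS ns1.acmemail.net.
oldshop.net.       172800 IN NS ns.oldshop.net.
"""

PREVIEW_ZONE = CURRENT_ZONE + """
; constructed preview of tomorrow's zone: four additions, three suspicious
acmemai1.com.      172800 IN NS ns1.cheaphost.example.
bigbank-login.com. 172800 IN NS ns1.cheaphost.example.
bigbnak.com.       172800 IN NS ns2.cheaphost.example.
flowershop.org.    172800 IN NS ns1.flowershop.org.
"""

WATCHLIST = ["bigbank", "acmemail"]  # protected second-level labels (constructed)

def parse_zone(text):
    """Return the set of delegated names (lower-case, no trailing dot)."""
    names = set()
    for line in text.splitlines():
        fields = line.split(";")[0].split()  # drop comments, tokenize
        # owner TTL class type rdata: a delegation carries NS in the type slot
        if len(fields) >= 5 and fields[-2].upper() == "NS":
            names.add(fields[0].lower().rstrip("."))
    return names

def new_delegations(current, preview):
    """Names present in the preview but absent from today's zone."""
    return sorted(preview - current)

def normalize(label):
    """Fold confusable characters: acmemai1 -> acmemail, acrnemail -> acmemail."""
    label = label.lower()
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label

def osa_distance(a, b):
    """Optimal string alignment distance: insert/delete/substitute plus one
    adjacent transposition, so a swapped pair (bigbnak) costs a single edit."""
    d = [[i] + [0] * len(b) for i in range(len(a) + 1)]
    d[0] = list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def lookalike_reason(domain, brand):
    """Why `domain` resembles `brand`, or None if it does not."""
    label = normalize(domain.split(".")[0])
    if label == brand:
        return "exact-or-homoglyph"
    if len(brand) >= 5 and osa_distance(label, brand) <= 1:
        return "typo"
    if brand in label.replace("-", ""):
        return "contains"
    return None

def triage(current_text, preview_text, watchlist):
    """(domain, brand, reason) for each new delegation resembling a watch-listed name."""
    alerts = []
    new = new_delegations(parse_zone(current_text), parse_zone(preview_text))
    for domain in new:
        for brand in watchlist:
            reason = lookalike_reason(domain, brand)
            if reason:
                alerts.append((domain, brand, reason))
                break  # one alert per new name is enough to hold it for review
    return alerts
```

Calling `triage(CURRENT_ZONE, PREVIEW_ZONE, WATCHLIST)` on the constructed data yields three alerts (homoglyph, contains, typo) and leaves the benign flowershop.org addition untouched.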
On Sun, 1 Apr 2007, Douglas Otis wrote:
Until Internet commerce requires some physical proof of identity, fraud will continue. A zone preview approach can reduce related exploits and associated crime, and the amount of information pushed to the edge.
What on earth makes you think that physical proof of identity would be any sort of deterrent to fraud? Fraud existed long before the Internet, and in absolutely physical forms.
cheers!
"A cat spends her life conflicted between a deep, passionate and profound desire for fish and an equally deep, passionate and profound desire to avoid getting wet. This is the defining metaphor of my life right now."
On Sun, 1 Apr 2007, Cat Okita wrote:
On Sun, 1 Apr 2007, Douglas Otis wrote:
Until Internet commerce requires some physical proof of identity, fraud will continue. A zone preview approach can reduce related exploits and associated crime, and the amount of information pushed to the edge.
What on earth makes you think that physical proof of identity would be any sort of deterrent to fraud? Fraud existed long before the Internet, and in absolutely physical forms.
And as long as proof of identity, physical or otherwise, is transferred virtually via the compromised channel or platform, we solve nothing. The whole idea of the web channel is the low cost. :) But that is off topic to NANOG and this thread.
On Apr 1, 2007, at 6:16 PM, Douglas Otis wrote:
Reacting to new domains after the fact is often too late.
What happens when they're wrong? And who's 'they', btw? What qualifications must 'they' have? And what happens if a registrar disagrees with 'them'? Or when 'they' are instructed by their governments to object to a domain because of its perceived lack of redeeming social value, or somesuch? It seems to me as if we've just talked through the institutionalization of the Department of Domain Pre-Crime, with all that entails. It could be argued that the proposed solution might be worse than the problem it's purporting to solve.
-- Roland Dobbins <rdobbins@cisco.com> // 408.527.6376 voice
"Words that come from a machine have no soul." -- Duong Van Ngo
On Sun, 1 Apr 2007, Roland Dobbins wrote:
On Apr 1, 2007, at 6:16 PM, Douglas Otis wrote:
Reacting to new domains after the fact is often too late.
What happens when they're wrong?
And who's 'they', btw? What qualifications must 'they' have? And what happens if a registrar disagrees with 'them'? Or when 'they' are instructed by their governments to object to a domain because of its perceived lack of redeeming social value, or somesuch?
What are 'they' going to cost, and who's going to pay for 'them' at a $6/yr domain registration fee?
On Apr 1, 2007, at 8:15 PM, Roland Dobbins wrote:
On Apr 1, 2007, at 6:16 PM, Douglas Otis wrote:
Reacting to new domains after the fact is often too late.
What happens when they're wrong?
Most assessments are fairly straightforward. As with any form of protection, there may be false positives. More attractive and successful services would reduce the level of false positives while still retaining a reasonable level of protection.
And who's 'they', btw? What qualifications must 'they' have? And what happens if a registrar disagrees with 'them'? Or when 'they' are instructed by their governments to object to a domain because of its perceived lack of redeeming social value, or somesuch?
Market forces would determine these questions. The service must be independent of registrars. One might expect law enforcement to become involved in look-alike domains when notified by affected third parties. As a result of legal actions, there should be some agency (or geographically specific courts for ccTLDs) to resolve conflicts. This seems like a worthwhile investment, as reducing Internet crime in this manner should save much more than it costs.
It seems to me as if we've just talked through the institutionalization of the Department of Domain Pre-Crime, with all that entails. It could be argued that the proposed solution might be worse than the problem it's purporting to solve.
This is about recognizing the weapon being used. In the case of a zone file preview, it is recognizing that the same weapon is about to be used again. Zone previews enable another defensive layer to be provided by the marketplace. It requires little from the registries and nothing from the registrars, although the registrar may have their deposit held when a law enforcement agency requests a domain be held pending resolution.
-Doug
On Apr 1, 2007, at 6:16 PM, Douglas Otis wrote:
Until Internet commerce requires some physical proof of identity, fraud will continue.
As has already been stated, this is hardly a guarantee. It seems to me that we're in danger of straying into déformation professionnelle.
-- Roland Dobbins <rdobbins@cisco.com> // 408.527.6376 voice
"Words that come from a machine have no soul." -- Duong Van Ngo
On Apr 2, 2007, at 11:07 AM, Roland Dobbins wrote:
On Apr 1, 2007, at 6:16 PM, Douglas Otis wrote:
Until Internet commerce requires some physical proof of identity, fraud will continue.
As has already been stated, this is hardly a guarantee.
It seems to me that we're in danger of straying into déformation professionnelle.
Agreed, and my apologies for not being clear. Registrars are unable to curtail current levels of fraud without significant changes in how domains are acquired. Consider registrar related fraud as a separate and perhaps even fruitless topic. The recommendation was for registries to provide a preview of the next day's zone. A preview can reduce the amount of protective data required, and increase the timeframe allotted to push correlated threat information to the edge. This correlated threat information can act in a preemptive fashion to provide a significant improvement in security. This added level of protection can help defeat expected and even unexpected threats that are becoming far too common as well.
-Doug
On Apr 2, 2007, at 4:56 PM, Douglas Otis wrote:
The recommendation was for registries to provide a preview of the next day's zone. A preview can reduce the amount of protective data required, and increase the timeframe allotted to push correlated threat information to the edge. This correlated threat information can act in a preemptive fashion to provide a significant improvement in security. This added level of protection can help defeat expected and even unexpected threats that are becoming far too common as well.
OK, I understand this, but the previously-expressed comments about unintentional/undesirable consequences and not addressing the actual cause of the problem (inadequate and/or inefficient credit card processing and inefficient business processes), as well as the comments regarding practicalities and so forth, haven't really been addressed (pardon the pun), IMHO.
-- Roland Dobbins <rdobbins@cisco.com> // 408.527.6376 voice
"Words that come from a machine have no soul." -- Duong Van Ngo
On Apr 2, 2007, at 4:56 PM, Douglas Otis wrote:
The recommendation was for registries to provide a preview of the next day's zone.
I think this might be a bit in conflict with efforts registries have to reduce the turnaround in zone modification to the order of tens of minutes. Rgds, -drc
On Mon, Apr 02, 2007 at 05:33:08PM -0700, David Conrad wrote:
On Apr 2, 2007, at 4:56 PM, Douglas Otis wrote:
The recommendation was for registries to provide a preview of the next day's zone.
I think this might be a bit in conflict with efforts registries have to reduce the turnaround in zone modification to the order of tens of minutes.
Why is this necessary? Other than the cool factor. -- Joe Yao Analex Contractor
On Apr 2, 2007, at 7:12 PM, Joseph S D Yao wrote:
On Mon, Apr 02, 2007 at 05:33:08PM -0700, David Conrad wrote:
I think this might be a bit in conflict with efforts registries have to reduce the turnaround in zone modification to the order of tens of minutes.
Why is this necessary? Other than the cool factor.
I think the question is "why should the Internet be constrained to engineering decisions made in 1992?" Rgds, -drc
On Mon, 2 Apr 2007, David Conrad wrote:
On Apr 2, 2007, at 7:12 PM, Joseph S D Yao wrote:
On Mon, Apr 02, 2007 at 05:33:08PM -0700, David Conrad wrote:
I think this might be a bit in conflict with efforts registries have to reduce the turnaround in zone modification to the order of tens of minutes.
Why is this necessary? Other than the cool factor.
I think the question is "why should the Internet be constrained to engineering decisions made in 1992?"
or victims of policy of that same 'vintage'... doing things faster isn't bad; doing it with fewer checks and balances and more people willing to abuse the lack of checks/balances seems like a bad idea. If you can get a domain added to the system fresh in 5 min or less, why does it take 90+ days to get it removed when all data about the domain is patently false and the CC used to purchase the domain was reported stolen 2+ years ago? I don't mean to pick on anyone in particular, but wow, to me this seems like just a policy update requirement.
On Mon, 2 Apr 2007, David Conrad wrote:
On Apr 2, 2007, at 7:12 PM, Joseph S D Yao wrote:
On Mon, Apr 02, 2007 at 05:33:08PM -0700, David Conrad wrote:
I think this might be a bit in conflict with efforts registries have to reduce the turnaround in zone modification to the order of tens of minutes.
Why is this necessary? Other than the cool factor.
I think the question is "why should the Internet be constrained to engineering decisions made in 1992?"
Amen to that. That said, you know better than me that even if not constrained, it still needs legacy support as well as small steps. Unless, of course, the changes are not in engineering decisions.
I think this might be a bit in conflict with efforts registries have to reduce the turnaround in zone modification to the order of tens of minutes.
Why is this necessary? Other than the cool factor.
I think the question is "why should the Internet be constrained to engineering decisions made in 1992?"
Well, I think the question is, why do new domain additions have to be lumped in with all other zone changes and updated within minutes? Why can't new domain additions be treated specially and be held back for a day or two in order to prevent tasters from abusing the network? Note that this would not prevent tasting from happening; it would only hurt those tasters who are doing this to hide the source of network abuse.
--Michael Dillon
On Tue, 2007-04-03 at 12:43 +0100, michael.dillon@bt.com wrote:
Well, I think the question is, why do new domain additions have to be lumped in with all other zone changes and updated within minutes? Why can't new domain additions be treated specially and be held back for a day or two in order to prevent tasters from abusing the network?
Because legit mom & pop shops want to sign up and build a website in the same way they throw a brochure together down at Kinkos. Welcome to the "here and now" generation. ;-) I'm not saying that I agree with immediate domain registration, but I understand why it is what it is today. Want to fix it: have ICANN regulate and fine registrars who don't screen their clientele. There are enough spam/virus/bot reports out there to see who is responsible for what.
-Jim P.
On Sun, 1 Apr 2007, Douglas Otis wrote:
When functional information is not valid, such as incorrect name servers or IP addresses, this would not impose an immediate threat. However, basic functional information will trace to the controlling entity. Only by being able to preview this information, would comprehensive preemptive efforts be able to prove fully effective.
So assuming you get rid of tasting and reduce the flow of new names to, say, 50,000 per day [1], exactly how are you going to preview these in any meaningful sort of way? Are you going to do the same for every ccTLD as well? What about domains with constantly changing subdomains? Everything hosted in different countries with different languages, policies and privacy laws? Believe it or not, some countries don't even have "states" or 5 digit zip codes. Please detail exactly what you will do if I register "trademe.ir" using a Pakistani registrar, a .ly contact email, a physical address in Nigeria, the name "Tarek Rasshid" [2], $10/year name servers in Cuba, and pay for it using a Visa gift credit card bought in Malaysia.
[1] 20 million new domains each year, just 20% growth on what we have now.
[2] http://www.angelfire.com/tx/afira/arabic1.html
-- Simon J. Lyall | Very Busy | Web: http://www.darkmere.gen.nz/
"To stay awake all night adds a day to your life" - Stilgar | eMT.
On Mon, 2007-04-02 at 12:03 +1200, Simon Lyall wrote:
So assuming you get rid of tasting and reduce the flow of new names to, say, 50,000 per day [1], exactly how are you going to preview these in any meaningful sort of way?
A preview would not directly reduce a churn rate, although it might as a side effect. Computers are able to correlate even with millions of domains per day.
Are you going to do the same for every ccTLD as well?
Consistent rules should be established for ccTLDs as well; however, each ccTLD may wish to limit preview access differently.
What about domains with constantly changing subdomains? Everything hosted in different countries with different languages, policies and privacy laws? Believe it or not, some countries don't even have "states" or 5 digit zip codes.
Information collected can be pushed to the edge to protect against domains controlled by bad actors. A domain should be cautious about delegating to bad actors.
Please detail exactly what you will do if I register "trademe.ir" using a Pakistani registrar, a .ly contact email, a physical address in Nigeria, the name "Tarek Rasshid" [2], $10/year name servers in Cuba, and pay for it using a Visa gift credit card bought in Malaysia.
This is not about modifying the function of registrars or registries, beyond requiring a zone preview from registries. This is about identifying threats, even zero day threats, and offering protection. The protection afforded can be fairly comprehensive, although nothing is 100%. -Doug
participants (12)
- Cat Okita
- Chris L. Morrow
- David Conrad
- Douglas Otis
- Fergie
- Gadi Evron
- Jim Popovitch
- Joseph S D Yao
- michael.dillon@bt.com
- Roland Dobbins
- Simon Lyall
- william(at)elan.net