insight 

There was a lot happening in the DNSSEC world at this ICANN, far more than any other forum and far more than previous ICANN meetings.

Signing .org

Public Internet Registry (PIR) announced their intention to sign .org, with the help of their registry partner, Afilias. This will be the first big Top Level Domain (TLD) to sign. The best bit is the reasons they give for doing are exactly the right reasons - they want to make the Internet a safer place by doing the right thing and signing .org.

Implementation is a while off but all the pre-work has been done and the ICANN board voted to give PIR the go-ahead. This is a brave step forward from the progressive CEO of PIR, Alexa Raad, and we wish them all the best.

IANA preparations and the new TAR

IANA announced their plans for a Trust Anchor Repository (TAR) as an interim measure until the root is signed. This will be a web site that us TLDs can populate through our normal processes with our keys. Anyone ISP or business who wants to use DNSSEC on the nameservers now has only the one place to visit to get keys rather than going to lots of different places.

This will certainly make life easier but it is still a poor second to signing the root. That unfortunately is out of IANA’s hands otherwise they would have done it by now, they have a well designed and well built (we’ve audited it) infrastructure in place to do it when they get the go ahead.

One thing IANA have been clear about is that they do not want any API access to the TAR. They are clear that this will develop into a competing technology to signing the root and almost everyone knows that is the best way forward.

US Government internal mandate

I haven’t checked this independently but I’ve been told that some departments of the US Government are going to mandate the use of DNSSEC internally. I’ve no idea how this will work but it shows a genuine recognition of the value of DNSSEC that I hope manufacturers take note of.

Resistance is fading

As knowledge and understanding of DNSSEC and the benefits it brings are spreading, the resistance amongst it from registries is fading. There are two public refuseniks but even then the picture is different depending on which part of the organisation you talk two.

The first is DENIC (.de) who are in the unenviable position of having a zone with more than just nameservers in it, they also have direct customer data of the type normally only seen on registrar nameservers. This means that DENIC have no choice but to sign their whole zone and cannot take advantage of the latest revision to DNSSEC that allows the rest of us to only sign those domains that are actually using DNSSEC. For us that means a gradual and low impact implementation of DNSSEC, but for DENIC it means the kind of big bang implementation us larger TLDs have all been frightened of.

The second, and most recent dissident, is apparently Verisign. Their CTO Ken Silva has been quoted in the media as saying that the urgency for DNSSEC is not there any more. I’ve no idea what is driving that, but I suspect it is the cost and complexity of adding DNSSEC support to their proprietary nameserver cluster. There is no doubt that bandwidth costs will increase for TLDs because the size of the response we are giving is increasing dramatically. But then with the likely gradual increase in DNSSEC takeup I expect this to be naturally absorbed in our rolling upgrade programme.

What this statement does do though is throw the spotlight on their contract with the US Department of Commerce (USDoC) to be the Root Zone Maintainer (RZM). It sits a bit uneasily when the rest of us are all pushing for the root to be signed, IANA are prepared and yet Verisign is going soft on the whole idea.

The exit plan

It might be more accurate to describe this as a lack of an exit plan. It is becoming clear that there is no way currently for a zone to signal that it intends to stop signing itself. If it just does so without such a mechanism then any validators operating in strict DNSSEC mode (nobody would do this just yet) would decide that all replies from that zone were bogus, effectively losing contact with it. Thankfully this is just a theoretical risk for now and our DNSSEC expert, Roy Arends, already has a solution so this should not take long to spread amongst implementors.

So, overall a lot is happening in the push for a secure DNS. All we need now is the root signed!

I wrote previously about the discussions starting on establishing trading markets as a way of dealing with the impending exhaustion of IPv4 addresses.  Well things have now moved on a bit and we have a policy proposal being discussed (proposal 2008-07) at RIPE that is the first key step to enabling a market in the RIPE region to form.  It doesn’t mention money but it does allow for simple address transfer between registered holders of IP addresses.

To save you having to look it up, this the key text being added:

Any LIR is allowed to re-allocate complete or partial blocks of IPv4 address space that were previously allocated to them by either the RIPE NCC or the IANA. Such address space must not contain any block that is assigned to an End User.

Address space may only be re-allocated to another LIR that is also a member of the RIPE NCC. The block that is to be re-allocated must not be smaller than the minimum allocation block size at the time of re-allocation. Demonstration of need for the address space by the receiving LIR to the RIPE NCC is not required during transfers.

Re-allocation must be reflected in the RIPE Database. This re-allocation may be on either a permanent or non-permanent basis.

LIRs that receive a re-allocation from another LIR cannot re-allocate complete or partial blocks of the same address space to another LIR within 24 months of receiving the re-allocation.

The re-allocation will be notified to the RIPE NCC, who will record the change of allocation. Please note that the LIR always remains responsible for the entire allocation it receives from the RIPE NCC until the re-allocation is transferred to another LIR or returned. The LIR must ensure that all policies are applied.

Re-allocated blocks will be signed to establish the current allocation owner.

Re-allocated blocks are no different from the allocations made directly by the RIPE NCC and so they must be used by the receiving LIR according to the policies described in this document.

A number of people have expressed support for the proposal but not ETNO, the influential voice of the European Telecoms industry.  We are another refusenik, for similar reasons.  Rather then go through them again, here is the text of the objection I wrote to the working group:

I do not support this proposal for the following reasons:

* It breaks the policy of providing addresses to those who need them in a
fair and non-discriminatory fashion because it allows LIRs to choose who
gets spare addresses for arbitrary and secret reasons rather than through
the open and transparent process of the RIR.

* It is discriminatory to those LIRs in developing countries (within this
RIR region) who have fewer IPv4 addresses than other countries for
historic reasons and will now have to pay considerably more for addresses
by buying them from other LIRs.  This will only exacerbate an already
difficult global position where some countries are pushing for a change in
the global management of the Internet driven by a perception of exclusion.

* It is only a partial solution to the problem.  Many LIRs believe that
much more can be achieved by a determined and well implemented policy on
reclaim/reuse.  However this policy only addresses the potential transfer
solution to the problem, not the potential reclaim/reuse solution.
Furthermore, it is likely that this policy, if implemented before a proper
reclaim/reuse policy will render such a policy unachievable and
unworkable.

* It will create a landrush of false or exaggerated allocation requests
from people who wish to profit by arbitrage, leading to far faster
exhaustion of IPv4 addresses.  In other words there will now be a
significant difference in the price that IP addresses can be ‘bought’ from
RIPE NCC compared to that at which they can be sold on the open market.
This difference in price, the arbitrage opportunity, will lead to an
influx of speculators who will work out how to play the system and so lead
to many more addresses being allocated than otherwise.

* It takes RIPE NCC into the business of a regulator of a secondary
market, which is something it has no expertise in and brings considerable
risk.  RIPE NCC has to develop into this role because the nature of the
proposal requires policing to check transfers have happened within the
rules.  However, with the potential for transfers to have commercial and
financial implications there is far greater possibility of costly and
complex challenges to RIPE NCCs decisions.  This in turns brings with it
the risks of scrutiny from competition authorities.

* It will lead to rapid degradation of the IPv4 LIR database and loss of
control for RIPE NCC in the registration of IPv4 addresses.  If LIR A
sells a block of IPv4 addresses to LIR B then the legal ownership is
adequately covered by the contract that exists between the two and so
there is no incentive to register the transfer with RIPE NCC other than
when peering with people that make strict use the LIR database.  Rival
databases, based around IPv4 trading exchanges, will spring up.

There is still until 9th July left to comment on this proposal and given just how important it is then if you have strong views one way or the other then now is that time to let the working group know.

You may have seen already our post on Domain Name Front Running (DNFR) since when things have got much more interesting.

Our original post explained our position that we have seen no evidence of DNFR and regard it as an inevitable consequence of a global market.  Network Solutions actually commented on that post saying they thought it did exist and needed to be tackled urgently as consumer confidence was being eroded.

Their response, which you probably have heard about, was to change their domain lookup tools so that any non-existent domain looked up through their site was automatically locked by them for four days so that nobody else could register it.  You as the customer who found it could register it, but only through Network Solutions and they are clear they will not be monetising the domain before then.

So, if you have not spotted it, they appear to be front running to protect end users from front running.

The second irony is slightly more oblique.  .com suffers dreadfully from the actions of domain tasters, who register huge volumes of domains and then cancel them before the grace period.  The mechanisms for deciding what domains to process in this way are largely algorithmic - how long was it registered for, when was it cancelled, how many clicks did it get in the tasting period.

Once a domain has entered the domain tasting merry-go-round it can be difficult for it to get off.  As soon as one taster lets it go another one picks it up because it meets the criteria for automatic registration.

So there is a possibility that the Network Solutions action could lead to a domain being picked up by tasters once Network Solutions drop the domain.  In that case the consumer who wanted it but decided they did not want to get it from Network Solutions would effectively lose it forever as it would now be on the taster radar.

There are discussions starting within the Regional Internet Registries (RIRs) about the creation of trading market in IPv4 addresses as we approach the inevitable exhaustion of unallocated addresses.  The view being put forward is basically “this is likely to happen anyway and by discussing it now, we can ensure it happens in an orderly way”.

When I first heard this idea I was a bit surprised.  The RIRs are policy based bodies and so a shift to a trading market appears to be an abandonment of that policy base.  However I have been partly corrected on that.  The discussions within RIPE (I’ve no idea about the other RIRs policy process) are for a policy based allocation policy to stay in place, but the outcome of that is to be a ‘right to buy’ rather than an allocation as now.

Of course this hybrid trading market still only enables policy control of the buying of domains, not the selling of domains, which is where some of the real disagreements start to surface.

The international view

The view taken by some countries is that the global allocation of IPv4 address space is unbalanced in favour of the early adopters, namely US-based organisations.  The introduction of the RIRs has meant ‘fair’ allocation since then but the historical imbalance goes uncorrected.  So if a trading mechanism were established now, the countries that were not early adopters are going to have to pay possibly very large sums for things that others got for free.

The view from some of the RIR people is that the crunch is coming soon anyway and there is no point trying to correct that balance, it will take too much effort to do and not buy us much time anyway.  They also believe that the trading mechanism will lead to many of those early adopters selling on large parts of their allocations thereby introducing more addresses than would be available otherwise.  I’ll come back to both of those points later.

What about IPv6

Of course the looming exhaustion of IPv4 addresses is nothing new.  IPv6 was designed to get around the limitations of IPv4 and IPv6 addresses are available easily and in vast numbers, so why can’t we just use that?

The simple answer is that IPv6 devices cannot talk to IPv4 devices and only a small fraction of the Internet runs IPv6.  So if I have only IPv6 on my desktop, I will not be able to contact web sites such as the BBC News, Google, The Register or even our web site.

Therefore, for the foreseeable future, both IPv4 and IPv6 addresses are going to be needed.  If you have a closed network, such as an internal management system, then you can use IPv6 alone, but not otherwise.

Certified allocations

There has been talk of moving to a secure routing system for some years now where address allocations are issued certificates and those are then used by Internet routers to determine if someone is entitled to route the addresses they are advertising.

The RIRs have started the process of issuing certificates for allocated addresses, but the technology has not been finalised or deployed to see these being used automatically.  In the interim some RIRs hope they will be used manually (i.e. before we interconnect you show me yours and I’ll show you mine).

Now we have the really interesting position.  How do those with pre-RIR allocations get certificates?  Should they have to go through an allocation policy process before they can get a certificate?

Alternatively, what if the price of the certificate reflects the size of the addresses?   Say a /19 cost roughly €50,000.  That makes roughly €100,000,000 for a /8.   In a trading market this may well be the figure a /8 fetches when sold to the highest bidder.

Timescales and investment

Exhaustion of unallocated IPv4 addresses is unavoidable and we have to migrate to IPv6.  Everyone knows that even we don’t all act accordingly as uptake and use of IPv6 address space is very low.

This seems to come down to basic economics.  Without a business case for the move to IPv6 only a few are going to make the move.  So the question is whether a trading market aids that move, which to me appears not to be the case:

• Those who already have IPv4 addresses will not have any pressure to move.  Don’t forget, these are the ones running the established services that need to move to IPv6 to be accessible to others.
• Those who need IPv4 addresses may be able to use IPv6 for closed networks, but otherwise are going to have to spend money on IPv4 addresses that might otherwise be used for IPv6 migration

Equipment is generally replaced in cycles, often three to five years, at which point new functionality tends to be introduced by being included in the newer products.  If I ran a large network of cable modems I would have started a couple of years ago to look to the next versions to support IPv6, but I would never consider swapping out perfectly good ones just for that functionality.  It might take several years before they all had IPv6 and I could switch to that for the management network, reducing address allocation.

So going back to the point on the need to reclaim space, maybe there is a valid reason, which is to buy enough time for the ordinary update cycle to enable the functionality without forcing people to make out of the ordinary investment.

There’s more

There is a lot of stuff I haven’t covered here, such as the role of Network Address Translation (NAT), the worry that carperbaggers might try to grab the remaining space in anticipation of a market, the role of RIRs in controlling routeing (correct spelling, trust me) or not and how to get people to really plan for IPv6.

What is clear though is that there is a lot to think about in this one development and it has a heavy impact on a lot of people.  This is one to watch.

The misbehaviour of some users of the Internet has wrought a change that is probably going to end up being far wider than is currently perceived. It is likely to mean the reconsideration of some of the fundamental principles, whether those were defined or just assumed, that are believed to have been key contributors to the success of the Internet to date.

A spectrum of misbehaviour

To understand this we need to begin with a model of the mindset of the misbehaving parties. Rather than give one single model, which would be unrealistic, it is possible to define a spectrum of behaviours into which the majority of these parties fit and from that spectrum to derive a set of common indicators that identify such parties.

• At one end of the spectrum we have those who can be harshly characterised as the ’selfish’. These are the people who use their home connection to the maximum downloading videos over bittorrent, with no regard for the impact on the other users of what is still essentially a shared medium.
• In the middle of the spectrum we have a group that can be less contentiously characterised as the ‘carpetbaggers’. These are those who see the Internet as a source of profit driven by mass action. This is where the business model behind spam originates.
• At the other end of the spectrum we have those who are fairly characterised as ‘crooks’. These are the people who create botnets by taking advantage of the weaknesses in security both technical and social that protect home desktops.

Common mindset

The most obvious common indicator derived from this spectrum, is that these people see the Internet as a natural resource just waiting to be exploited. If we analyse this indicator further we get the following attributes:

• Anything that is not explicitly forbidden (or more accurately - prevented by the technology) is allowed.
• There are things out there on the Internet that are not ‘owned’ by anyone.
• What they want to do is more important that any other considerations.

It is remarkable just how many otherwise sensible parties fall into the trap of believing some of these things. For example the rampant theft of WHOIS data by security companies.

Explicit control

The technical response to this misbehaviour, from which the majority of success in this struggle has originated, has been focused on explicit control that either prevents or permits certain activity. A whole industry has built up around this.

There are varying degrees of success with that approach. For example the response is less than perfect when it is difficult to precisely identify the behaviour to combat, as is the case with spam. Furthermore the exploitative mindset continues to search and probe for new avenues to exploit.

Emerging from this response is the recognition that misbehaviour will only be controlled by securing each and every part of the Internet that can be exploited.

This is not to deny the impact of after-the-fact enforcement and economic mechanisms for controlling behaviour, but prevention is always better than cure.

End-to-end principle

One principle that has defined the Internet until now is the end-to-end principle, which can be summarised as the intelligent choices being made by the end devices with the core of the Internet being relatively simple.

However this principle cannot prevent the exploitation of the core which is just as much a target as anything else. If we try to maintain this principle then it will continue to allow the development of end services that try to grab as much of the core as possible. This is inevitable given the mindset above. Efforts might be made to regularise access to the core at the end devices, but then that is just a semantic trick to make it appear the end-to-end principle is still in place.

The conclusion then is that the only way we can prevent the misbehaviour that impacts the core is to allow the core to defend itself. That means the end-to-end principle has to give. There may well be other principles that have to give before this is all over.