[LACNIC/Seguridad] Fwd: Re: Montevideo statement

Fernando Gont fernando en gont.com.ar
Mar Oct 8 12:10:47 BRT 2013 

FYI


-------- Original Message --------
Subject: 	Re: Montevideo statement
Date: 	Tue, 8 Oct 2013 09:19:35 -0400
From: 	Phillip Hallam-Baker <hallam en gmail.com>
To: 	manning bill <bmanning en isi.edu>
CC: 	IETF Discussion Mailing List <ietf en ietf.org>






On Tue, Oct 8, 2013 at 8:53 AM, manning bill <bmanning en isi.edu
<mailto:bmanning en isi.edu>> wrote:

    >
    >
    > I think the US executive branch would be better rid of the control
    before the vandals work out how to use it for mischief. But better
    would be to ensure that no such leverage exists. There is no reason
    for the apex of the DNS to be a single root, it could be signed by a
    quorum of signers (in addition to the key splitting which I am fully
    familiar with). And every government should be assigned a sovereign
    reserve of IPv6 addresses to prevent a scarcity being used as leverage.
    >
    > --
    > Website: http://hallambaker.com/

            Quorum signing with split keys  was already built and tested
    in a root server operator testbed (the OTDR testbed) from 1998-2005.
     It was considered more fragile than the current system.


Considered more fragile by whom?

By the members of the $250m/yr NSA mole program?


Very few people in DNS land recognize the class of attack as being
realistic. Even when they have prime ministers and members of the GRU
visiting them to tell them how important the issue is to their country.

We already have one example of lobbyists attempting this type of attack
(see Martin's post). So it is far from unrealistic. 


At present ICANN's power over the DNS is entirely discretionary.
Attempting to drop Palestine out of the routing tables would simply be
the end of the ICANN root zone. ICANN could continue to manage .com but
their influence over the rest of the system would end completely.

But DNSSEC changes the balance of power. With the root signed and
embedded infrastructure verifying DNSSEC trust chains, the cost of a
switchover rises remarkably. And when I tried to mention the fact I
tended to get nasty threats.

The third question of power is 'how do we get rid of you'. The answer in
the case of DNSSEC is that you can't. 


Fortunately the issue is quite easily fixed, just as the problem of
using IPv6 or BGP allocations for leverage is fixable. Governments don't
need to wait on ICANN or the IETF to develop a quorum signing model for
the DNS apex, they could and should institute one themselves and tell
their infrastructure providers to chain to the quorum roots rather than
the monolithic apex root.


-- 
Website: http://hallambaker.com/



-- 
Fernando Gont
e-mail: fernando en gont.com.ar || fgont en si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1



------------ próxima parte ------------
Se ha borrado un adjunto en formato HTML...
URL: <https://mail.lacnic.net/pipermail/seguridad/attachments/20131008/898ce118/attachment.html>

Más información sobre la lista de distribución Seguridad