[gnso-ff-pdp-may08] Sunday Benefits

[Eric Brunner-Williams <ebw@xxxxxxxxxxxxxxxxxxxx>]

All,

The question of benefit has two parts. The first one has been mentioned 
during our two calls -- Wendy and I are looking for example(s) of some 
use of the techniques of evasion, preferably one or more that "flux" A 
records and NS records, and do so sufficiently frequently to be "fast". 
The second hasn't been, yet it is more obvious than any example we may 
find (and we may not find any examples of a particular technique of 
evasion, being just two slightly non-random people with small time and 
zero cash budgets to conduct what is in effect an open-ended survey of 
covert activity), or any we may hypothesize.
First, from the about page (http://www.icann.org/en/about/):

       *ICANN doesn’t control content on the Internet. It cannot stop
       spam and it doesn’t deal with access to the Internet.
       *


Now, on to the beneficiaries of "fast flux" ...

A. The Business Constituency benefits from "fast flux". Mike R. brought 
the theory that this is a problem and the venue for some part of the 
solution for this problem is ICANN to the GNSO in February, and in June 
the BC got this WG authorized, with much of Mike's original, and still 
problematic language, intact. There is real growth in the detection of 
"fast flux", however, this is an artifact of improved detection, not a 
corresponding growth in the number of distinct rational economic 
criminal entities exploiting evasion. The problems of spam, porn, 
malware, ... are not in a greater state of crisis in 2008 than they were 
in 2007 or are likely to be in 2009, regardless of any act ICANN may 
take. See above.
Yet here we are.

B. The "security vendors" benefits from "fast flux". The security 
after-market for Microsoft is a direct beneficiary of the vulnerability 
of Microsoft's operating system products, and "fast flux" is a marketing 
tool for some vendors in this market. Some "security vendors" have been 
accredited as Registrars by ICANN. Security vendors have expanded their 
presence in the ICANN multi-stake holder process from minority 
membership in two or more constituencies to having their own 
PDP-in-progress.
C. The "law enforcement agencies benefit from "fast flux". Budget 
justification drives institutional mission, and hoopla created by 
agencies to justify their budgets, from phone phreaking in the '80s to 
the buzz of the moment, which for us is "fast flux", is a fact of life. 
"Law enforcement agencies" have expanded their presence in the ICANN 
multi-stake holder process from no role at all to having their own 
PDP-in-progress.
D. Some registries benefit from "fast flux". In 2004, in response to 
UltraDNS' perceived marketing advantage from rapid updates in .org, 
Verisign started rapid DNS updates in .com and .net. I happen to recall 
this because as a bidder for .net, we (CORE) had to solve the problem of 
matching the update rate of the .net zone, from the starting point of 
being only able to get a .net zone transfer twice a day under the 
then-current ICANN contract. If you were around then, and you read bids, 
recall the care and concern that the ISC/IMC and SWITCH bids showed 
towards the stability and policy of .org.
Just before Paris I happened to notice in a competitor's marketing 
collateral (CORE operates the back ends of two ICANN gTLD registries) 
that the competitor was boasting of 15 second global resolvability, and 
I had to ask, "cui bono?" Not very much of the registrants have a 
mission critical dependency upon changes in records being globally 
resolved at sub-minute granularity. Note, I'm not suggesting that VGRS 
or anyone else who has built-out a very expensive DNS server 
constellation did so to benefit from a criminal use of that capability, 
but they did cost/benefit out the use of the capability, and came to the 
benefit greater than cost conclusion. This is the knob some have 
suggested tweaking.
E. Some registrars too have built out very expensive DNS server 
constellations. The same cost/benefit observations apply, and this too 
is the knob some have sugested tweaking.
To generalize from these last two, the "stupid DNS tricks" that have 
been toyed with since the mid-80s, initially just to make cluster 
computing a happy camper in the DNS, have been done without much thought 
about security. The first "DNS load balancing" RFC -- RFC 1794, written 
in the first half of 1995, but based on work that goes back to the 
mid-80s has this --
       *9. Security Considerations

       Security issues are not discussed in this memo.*

Finally, to the "who benefits" pile there are all the business models 
that are based upon the increase of dynamicism of delegation change and 
domain deletion, which are -- to quote Paul Vixie, "driving a bus 
through a loophole".
F. Akami and all the policy based (directed) load balancing schemes that 
publish different answers in different regions, that deliberately create 
incoherence, are beneficiaries of "fast flux", as the "fast flux" 
problem statement (see Mike R., above) assumes that policy based 
incoherence is not a "stupid DNS trick", and inherently harmful.
A decrease in the time from an add on the provisioning side to the 
change being visible on the publication side (resolution) is different 
from decreases in the times for delegation change and domain deletion.
The "VeriSign's rapid DNS updates in .com/.net " threads in July of 2004 
on the NANOG list could benefit us, and not just because you all would 
get to read vintage "me", but because it wouldn't hurt to read the views 
of the operations community on this very subject as the fundamental 
change occurred which made "fast flux" possible. And don't forget that 
its not just Verisign, and its not all registries, and not all registrars.
And that's my Sunday contribution on benefits.

Again, my goal is to try and get a better understanding, even if just 
for my self, of what the benefits are, and what they are not. I'm not 
trying to change anyone's mind that has already come to some other 
conclusions I haven't learned to share.
Eric