ICANN Email List Archives

[gnso-ff-pdp-may08]



RE: [gnso-ff-pdp-may08] Accommodating Ran Atkinson's comments

  • To: "'Dave Piscitello'" <dave.piscitello@xxxxxxxxx>, "'Fast Flux Workgroup'" <gnso-ff-pdp-May08@xxxxxxxxx>
  • Subject: RE: [gnso-ff-pdp-may08] Accommodating Ran Atkinson's comments
  • From: "Greg Aaron" <gaaron@xxxxxxxxxxxx>
  • Date: Tue, 28 Apr 2009 10:36:59 -0400

Thanks, Dave; this is helpful info.

If you like, feel free to work in or adapt any of this material about
volatility and short TTLs, which I wrote in the RyC input statement, at
lines 2151 ff in the current FFWG report.  I don't know if all such domains
are considered "volatile networks."  RFC 1035 refers to sites with "volatile
data." (Webster says "Volatile: characterized by or subject to rapid or
unexpected change.")

"Any entity that operates a Web site or other Internet service has
legitimate reasons for using short TTLs, at least for finite periods of
time.  Such uses are written into relevant RFCs, including the domain name
RFCs 1034 and 1035. Internet services that are subject to a high change
frequency legitimately use low TTLs, and even TTLs of zero. Uses of
zero-length TTLs are mentioned in relevant RFCs, including RFC 1035.
Imposing minimum lengths for TTLs is therefore contrary to standard
engineering practices, will interfere with the operation of existing sites
and services, may stifle the development of innovative services, and will
impose costs on site operators and their service providers. Even if such
limits were desired, there is presently no practical way that any entity
could impose minimum TTLs on those parties responsible for setting them
authoritatively."

I bet that over time, the use of short TTLs has become more common.
Certainly in mobile applications, where the user's location is dynamic.  And
I see short TTLs used by blogging sites, since those sites are updated
frequently.  Those have "volatile data" I guess.

I wonder what Twitter's TTL is?

All best,
--Greg


-----Original Message-----
From: Dave Piscitello [mailto:dave.piscitello@xxxxxxxxx] 
Sent: Tuesday, April 28, 2009 8:51 AM
To: Fast Flux Workgroup
Subject: [gnso-ff-pdp-may08] Accommodating Ran Atkinson's comments


Hello FF WG,

As you know, Ran Atkinson had several major comments:

1) expand on the positive applications of fast flux techniques
2) make the distinction between positive and malicious uses of fast flux
clearer
3) invite comment from the IETF

I've sent a separate email to handle (3).

For (1) and (2) I think we need to begin by adjusting the executive summary
to acknowledge that the WG dissected the concept "fast flux" into two
distinct classes, then carry these changes through the main body of the
report. I walked through the newly posted draft final report and I think the
following sections and pages are affected (I may have missed some but
hopefully not many).

Again, I used the draft final report that Marika posted early today at
https://st.icann.org/data/workspaces/pdp-wg-ff/attachments/fast_flux_pdp_wg:20090428080103-0-28575/original/Draft%20Fast%20Flux%20Final%20Report%20-%2027%20April%202009.pdf
 

Executive Summary, PAGE 4, line 97

In the Executive Summary, we can do this by adding the following at the very
beginning of Section 1.3:

"After considerable deliberation, the working group was able to identify
positive applications of certain characteristics generally associated with
the term fast flux. These characteristics, including short TTLs and frequent
update of DNS records, are present in production networking environments
that are high profile, support mobility, or are likely targets of attackers,
or networks that must be adaptive and resilient. Such self-beneficial or
positive applications are described in the literature as <I>volatile
networking</I>. Generally, additional, sufficiently different and suspicious
characteristics are present in malicious networking applications to
distinguish positive, volatile networks from <I>fast flux attack
networks</I>."

The current text of Section 1.3, line 98, follows the above paragraph.

PAGE 6, line 143

It would be helpful to clarify that the WG elected to include the questions
posed by the GNSO "as is" rather than rephrase them and risk
misrepresentation or create confusion.

Under the bullet item "Charter Questions", following line 143, I suggest we
add:

"Note: The FF WG introduced the distinguishing terms volatile networks and
fast flux attack networks in section 1.3. The questions put before the WG by
the GNSO are reproduced throughout this report in their original
formulation. The WG elected to include the questions 'as posed' to avoid
confusion or misrepresentation."

Under "Who benefits from fast flux?" (line 147) add a bullet item "mobility
network providers", preferably between lines 148 and 149

Page 7, line 188

Under "Who benefits from the use of fast flux techniques?" add "mobility
network users and operators who offer services to mobile users", preferably
after line 190.

Page 16, line 426+

Under "How fast flux attacks work", edit the text to consistently refer to
fast flux attacks rather than the generic term "fast flux" - this is
probably a comment that must be applied throughout the report. An editing
team can do this more effectively than I can in a single email. In the Note,
add that the content only discusses fast flux attacks and that positive
applications are considered later.

Page 17, line 481: 

Perhaps the title here should be "Positive Applications of fast flux
techniques (Volatile Networking)"? In this section, we should add a summary
of Ran's description of mobility networking and how TTLs are used. I will
write this if the WG concurs.

Page 18, line 505:

Perhaps the title should change to "Illicit Uses: Fast Flux attack
networks"? Also, should we jettison "fast flux service networks" and align
on "fast flux attack networks"? Also, should we use Illicit uses or
Malicious uses throughout, or does it not matter?

Page 22, Section 5, line 565

I suggest that the WG begin this section with either the text I proposed in
the Executive Summary, or an expanded form. If members of the WG prefer an
expansion, please list the issues or observations you wish to make and I'll
take on the writing assignment.

Page 23, line 620: 

Under "Charter Questions", again, we may wish to make clear that the
questions are phrased as originally formulated by the GNSO.

Page 24, line 665: 

Before "3. Free speech / advocacy groups", insert "3. Mobility Support",
incorporate Ran's discussion of mobility support, and include the citations
he lists. Make "Free speech / advocacy groups" clause 4. Again, I will
compose the exact text if the WG agrees that the set of changes I'm
proposing are appropriate.

Page 27, line 749:

Replace the sentence following "The parties who benefit from the cessation
of the practice of fast flux attacks are the same
parties who are harmed when fast flux is used in support of attack
networks." with

"Again, the WG calls the readers' attention to the distinction we make
between volatile networking and fast flux attacks; here, we focus attention
on identifying the harms inflicted on victims of fast flux attacks:"

Page 32, line 908: 

Suggest we re-word "The Working Group has previously explained that the use
of short TTLs is insufficient to characterize a network as a fast flux
network, and insufficient to characterize that fast flux
network as an attack or production network." as follows:

"The WG has previously explained that positive and malicious applications of
adaptive networking exist today. In particular, the use of short TTLs is
insufficient to distinguish a positive application of volatile networking
from a fast flux attack. The ... benefit from volatile network techniques,
including short TTLs, includes:"

<Keep the positive applications 1-3 and add mobility networks as 3, move
free speech to be item 4>

Then insert before the current item 4, and incorporate 4 as follows:

 "Short TTLs are one of several indicators of fast flux attacks. Criminals,
terrorists, and generally, any organization that operates a fast flux attack
network frequently benefit from the use of short TTLs along with other
volatile networking techniques, but at public expense, harm or detriment."

Here, again, edit text to use fast flux attack networks, not simply fast
flux.

----- Summary -----

Other sections may require some additional editing and minor corrections to
align correctly with the proposed changes. I realize there is more to do
here, but I want to be certain the WG agrees in principle with these
changes; if so, Marika and I can jointly edit a new draft.









