ICANN Email List Archives

[gnso-ff-pdp-may08]



Re: [gnso-ff-pdp-may08] Accommodating Ran Atkinson's comments

  • To: Greg Aaron <gaaron@xxxxxxxxxxxx>, Fast Flux Workgroup <gnso-ff-pdp-May08@xxxxxxxxx>
  • Subject: Re: [gnso-ff-pdp-may08] Accommodating Ran Atkinson's comments
  • From: Dave Piscitello <dave.piscitello@xxxxxxxxx>
  • Date: Tue, 28 Apr 2009 07:57:06 -0700

Yes, the quote you provide works nicely, perhaps in the main body rather
than the exec summary.

Lixia Zhang (UCLA) presented results from a study on infrastructure TTLs to
the DNSOps WG in 2007 and noted that ~10% of RRs had TTLs < 1 hour.  That's
a pretty intriguing number. I will see if she has any further insight to
share.


On 4/28/09 10:36 AM  Apr 28, 2009, "Greg Aaron" <gaaron@xxxxxxxxxxxx> wrote:

> Thanks, Dave; this is helpful info.
> 
> If you like, feel free to work in or adapt any of this material about
> volatility and short TTLs, which I wrote in the RyC input statement, at
> lines 2151 ff in the current FFWG report.  I don't know if all such domains
> are considered "volatile networks."  RFC 1035 refers to sites with "volatile
> data." (Webster says "Volatile: characterized by or subject to rapid or
> unexpected change.")
> 
> "Any entity that operates a Web site or other Internet service has
> legitimate reasons for using short TTLs, at least for finite periods of
> time.  Such uses are written into relevant RFCs, including the domain name
> RFCs 1034 and 1035. Internet services that are subject to a high change
> frequency legitimately use low TTLs, and even TTLs of zero. Uses of
> zero-length TTLs are mentioned in relevant RFCs, including RFC 1035.
> Imposing minimum lengths for TTLs is therefore contrary to standard
> engineering practices, will interfere with the operation of existing sites
> and services, may stifle the development of innovative services, and will
> impose costs on site operators and their service providers. Even if such
> limits were desired, there is presently no practical way that any entity
> could impose minimum TTLs on those parties responsible for setting them
> authoritatively."
> 
> I bet that over time, the use of short TTLs has become more common.
> Certainly in mobile applications, where the user's location is dynamic.  And
> I see short TTLs used by blogging sites, since those sites are updated
> frequently.  Those have "volatile data" I guess.
> 
> I wonder what Twitter's TTL is?
> 
> All best,
> --Greg
> 
> 
> -----Original Message-----
> From: Dave Piscitello [mailto:dave.piscitello@xxxxxxxxx]
> Sent: Tuesday, April 28, 2009 8:51 AM
> To: Fast Flux Workgroup
> Subject: [gnso-ff-pdp-may08] Accommodating Ran Atkinson's comments
> 
> 
> Hello FF WG,
> 
> As you know, Ran Atkinson had several major comments:
> 
> 1) expand on the positive applications of fast flux techniques
> 2) make the distinction between positive and malicious uses of fast flux
> clearer
> 3) invite comment from the IETF
> 
> I've sent a separate email to handle (3).
> 
> For (1) and (2) I think we need to begin by adjusting the executive summary
> to acknowledge that the WG dissected the concept "fast flux" into two
> distinct classes, then carry these changes through the main body of the
> report. I walked through the newly posted draft final report and I think the
> following sections and pages are affected (I may have missed some but
> hopefully not many)
> 
> Again, I used the draft final report that Marika posted early today at
> https://st.icann.org/data/workspaces/pdp-wg-ff/attachments/fast_flux_pdp_wg:
> 20090428080103-0-28575/original/Draft%20Fast%20Flux%20Final%20Report%20-%202
> 7%20April%202009.pdf
> 
> 
> Executive Summary, PAGE 4, line 97
> 
> In the Executive Summary, we can do this by adding the following at the very
> beginning of Section 1.3:
> 
> "After considerable deliberation, the working group was able to identify
> positive applications of certain characteristics generally associated with
> the term fast flux. These characteristics, including short TTLs and frequent
> update of DNS records, are present in production networking environments
> that are high profile, support mobility, or are likely targets of attackers,
> or networks that must be adaptive and resilient. Such self-beneficial or
> positive applications are described in the literature as <I>volatile
> networking</I>. Generally, additional, sufficiently different and suspicious
> characteristics are present in malicious networking applications to
> distinguish positive, volatile networks from <I>fast flux attack
> networks</I>."
> 
> The current text of Section 1.3, line 98, follows the above paragraph.
> 
> PAGE 6, line 143
> 
> It would be helpful to clarify that the WG elected to include the questions
> posed by the GNSO "as is" rather than rephrase them and risk
> misrepresentation or create confusion.
> 
> Under the bullet item "Charter Questions", following line 143, I suggest we
> add:
> 
> "Note: The FF WG introduced the distinguishing terms volatile networks and
> fast flux attack networks in section 1.3. The questions put before the WG by
> the GNSO are reproduced throughout this report in their original
> formulation. The WG elected to include the questions 'as posed' to avoid
> confusion or misrepresentation."
> 
> Under "Who benefits from fast flux?" (line 147) add a bullet item "mobility
> network providers", preferably between lines 148 and 149
> 
> Page 7, line 188
> 
> Under " Who benefits from the use of fast flux techniques?" add "mobility
> network users and operators who offer services to mobile users", preferably
> after line 190.
> 
> Page 16, line 426+
> 
> Under "How fast flux attacks work", edit the text to consistently refer to
> fast flux attacks rather than the generic term "fast flux" - this is
> probably a comment that must be applied throughout the report. An editing
> team can do this more effectively than I can in a single email. In the Note,
> add that the content only discusses fast flux attacks and that positive
> applications are considered later.
> 
> Page 17, line 481:
> 
> Perhaps the title here should be "Positive Applications of fast flux
> techniques (Volatile Networking)"? In this section, we should add a summary
> of Ran's description of mobility networking and how TTLs are used. I will
> write this if the WG concurs.
> 
> Page 18, line 505:
> 
> Perhaps the title should change to "Illicit Uses: Fast Flux attack
> networks"? Also, should we jettison "fast flux service networks" and align
> on "fast flux attack networks"? Also, should we use Illicit uses or
> Malicious uses throughout, or does it not matter?
> 
> Page 22, Section 5, line 565
> 
> I suggest that the WG begin this section with either the text I proposed in
> the Executive Summary, or an expanded form. If members of the WG prefer an
> expansion, please list the issues or observations you wish to make and I'll
> take on the writing assignment.
> 
> Page 23, line 620:
> 
> Under "Charter Questions", again, we may wish to make clear that the
> questions are phrased as originally formulated by the GNSO.
> 
> Page 24, line 665:
> 
> Before "3. Free speech / advocacy groups", insert "3. Mobility Support",
> incorporate Ran's discussion of mobility support, and include the citations
> he lists. Make "Free speech / advocacy groups" clause 4. Again, I will
> compose the exact text if the WG agrees that the set of changes I'm
> proposing are appropriate.
> 
> Page 27, line 749:
> 
> Replace the sentence following "The parties who benefit from the cessation
> of the practice of fast flux attacks are the same
> parties who are harmed when fast flux is used in support of attack
> networks." with
> 
> "Again, the WG calls the readers' attention to the distinction we make
> between volatile networking and fast flux attacks; here, we focus attention
> on identifying the harms inflicted on victims of fast flux attacks:"
> 
> Page 32, line 908:
> 
> Suggest we re-word " The Working Group has previously explained that the use
> of short TTLs is insufficient to characterize a network as a fast flux
> network, and insufficient to characterize that fast flux
> network as an attack or production network." As follows:
> 
> "The WG has previously explained that positive and malicious applications of
> adaptive networking exist today. In particular, the use of short TTLs is
> insufficient to distinguish a positive application of volatile networking
> from a fast flux attack. The ... benefit from volatile network techniques,
> including short TTLs, includes:"
> 
> <Keep the positive applications 1-3 and add mobility networks as 3, move
> free speech to be item 4>
> 
> Then insert before the current item 4, and incorporate 4 as follows:
> 
>  "Short TTLs are one of several indicators of fast flux attacks. Criminals,
> terrorists, and generally, any organization that operates a fast flux attack
> network frequently benefit from the use of short TTLs along with other
> volatile networking techniques, but at public expense, harm or detriment."
> 
> Here, again, edit text to use fast flux attack networks, not simply fast
> flux.
> 
> ----- Summary -----
> 
> Other sections may require some additional editing and minor corrections to
> align correctly with the proposed changes. I realize there is more to do
> here, but I want to be certain the WG agrees in principle with these
> changes; if so, Marika and I can jointly edit a new draft.
> 
> 
> 
> 
> 
> 
> 




