Re: [gnso-ff-pdp-may08] Comment References, Interim Conclusions and Next Steps

[Rod Rasmussen <rod.rasmussen@xxxxxxxxxxxxxxxxxxxx>]

I think Mike has done a good job of cleaning up some stuff here, but  
may have some more controversial deletes - nothing I see as a show  
stopper, but should be discussed.
I have a couple of thoughts to add in here.

In conclusions, I think we had an important consensus that, "any  
automated technique for detecting fast flux domains requires human  
interpretation of the results and examination of the evidence to  
confirm the presence of malicious or proscribed activities."
I would also add this thought to conclusions - perhaps right after  
Mike's comment about a neutral third party for determination of a  
malicious FFLUX domain:
Such a process could be devised to detect malicious FFLUX domains,  
however, those domains would still require some form of mitigation in  
order to end or prevent the undesired activity.  Depending on the  
nature of the fluxing configuration, many disparate providers could  
potentially be involved, from a domain registry or registrar, to DNS  
or hosting service providers.  The working group reached no consensus  
on which party or parties would be best suited to handle such  
mitigation work, but notes that in practical terms, such mitigations  
are already occurring in practice, but in an uncoordinated, uneven, or  
even arbitrary manner.  Some proposals do exist for creating a  
balanced process across-the-board for handling malicious domain  
registrations in general and merit further consideration for potential  
solutions to this particular issue.  <This last sentence may be better  
in the recommendations section>.
In the recommendations section, I think we should definitely point out  
that some domain name registries and registrars have already  
implemented contractual language that addresses the issue, and that is  
another way to attack the problem.  (no specific text here - just a  
thought extension that we need to cover, and there are a few places  
that could be added).
Also, please excuse the bit of APWG self-serving here, but I would  
point out that a specific mitigation framework has been proposed  
for .ASIA (and now others) in conjunction with the APWG that would  
allow for quick mitigation of malicious FFLUX domains and could be  
looked at as a general model for incident handling.
OK, please don't shoot me for a "new" thought here, but one role that  
ICANN could take on is the "best practices facilitator".  The idea  
being that ICANN (the formal company) keeps a current list of  
consensus-based best practices that could be used by various  
contracted parties, ensures that these are evangelized to those  
parties, and then does audits of if/how they are being used and  
reports findings based on those audits.  I'm just trying to think of  
ways to get past the old cliché of "everyone should follow best  
practices" and put some meaning/incentive to actually doing so.  I'm  
also trying to think of practical roles for ICANN itself to play in  
this.
Best,

Rod Rasmussen
President and CTO
Internet Identity
1 (253) 590-4088

On Jun 2, 2009, at 10:09 AM, Mike Rodenbaugh wrote:

> Hi Greg, that may depend on which version of Word you use, and what  
> view you
> are in.  On my copy, my edits are in blue, James' in red.  When I  
> mouse over
> the edits, it clearly shows who made them.
>
> -Mike
>
> -----Original Message-----
> From: owner-gnso-ff-pdp-may08@xxxxxxxxx
> [mailto:owner-gnso-ff-pdp-may08@xxxxxxxxx] On Behalf Of Greg Aaron
> Sent: Tuesday, June 02, 2009 9:54 AM
> To: icann@xxxxxxxxxxxxxx; 'fast flux fast flux'
> Subject: RE: [gnso-ff-pdp-may08] Comment References, Interim  
> Conclusions and
> Next Steps
>
>
> Mike, I am not sure which edits are yours.  Can you give me an  
> example of
> your changes, so I can distinguish them from the others?  I think  
> this doc
> has edits by two or three hands?
>
> All best,
> --Greg
>
>
>
> -----Original Message-----
> From: Mike Rodenbaugh [mailto:icann@xxxxxxxxxxxxxx]
> Sent: Tuesday, June 02, 2009 12:38 PM
> To: 'fast flux fast flux'
> Subject: RE: [gnso-ff-pdp-may08] Comment References, Interim  
> Conclusions and
> Next Steps
>
> I have suggested edits to James rework of Secs 8/9, on attached.
>
> Thanks,
> Mike
>
> Mike Rodenbaugh
> Rodenbaugh Law
> 548 Market Street
> San Francisco, CA  94104
> +1.415.738.8087
> www.rodenbaugh.com
>
>
>
> -----Original Message-----
> From: owner-gnso-ff-pdp-may08@xxxxxxxxx
> [mailto:owner-gnso-ff-pdp-may08@xxxxxxxxx] On Behalf Of James M.  
> Bladel
> Sent: Sunday, May 31, 2009 1:40 PM
> To: marika konings; fast flux fast flux
> Subject: [gnso-ff-pdp-may08] Comment References, Interim Conclusions  
> and
> Next Steps
>
> Team:
>
> Apologies for the delay on these materials.My schedule got away from  
> me
> beginning on Thursday, and so this task was pushed to the weekend.
>
> In any event, please find attached two separate documents.  The first
> (spreadsheet) attaches references for the views of the WG on comments
> received in response to the Initial Report.  Please note that these  
> are in
> no way an attempt to re-categorize the comments.  Instead, the goal  
> is to
> find the smallest number of sections / topics that sufficiently  
> address
> -all- comments.  I have included some sample language for each topic  
> (needs
> further word-smithing), which can be used individually or worked  
> into the
> comment analysis summary.
>
> Next, I have made many changes to section 8 ("Interim Conclusions")  
> and
> section 9 ("Next Steps"). Please note that if you believe the text  
> does not
> accurately characterize the WG findings, or if there are significant
> omissions, we can work through these on our call next Wednesday.
>
> Thank you,
>
> J.