Comments on the draft ICANN strategic plan for 2010-2013
I am writing today to express my support for the broad outlines ICANN has made in its draft 2010-2013 strategic plans. Specifically, it's a pleasure to see an expression of ICANN's possible role as a leader in global coordination to address security problems affecting DNS operators, registrars and registries, and ultimately end-users. DNS clearly is an underpinning for Internet operations, and the next few years are crucial to Internet security. A DNS-CERT can easily have many possible roles in helping global Internet security efforts. Under an ICANN umbrella, access to key constituents would be possible, much more so than from an outside body. DNS operations are multi-national, and therefore some body focused on DNS is required in a coordination or a support role. Furthermore, DNSSEC deployments clearly require investigations into scalability and impact, and ICANN's continued leadership will be key.

The past few years have seen a rise in domain generation algorithms (DGAs), most visibly this past year with the Conficker worm. In these scenarios, a successful response to block the attacker's access requires significant amounts of TLD coordination to prevent misuse of the domain names in the future. Ad-hoc efforts in the past have been attempted but quickly run into longevity and cost challenges. As a longstanding participant in the Conficker Working Group, I can say that ICANN's role was key to making last year's Conficker response a success. ICANN's willingness to lead demonstrated the positive impact that can be brought to bear, as well as gaps that the Internet security community must address.

An additional threat that an ICANN DNS-CERT would be valuable to address is attacks on the system of registries and registrars, which we have seen growing with an alarming frequency. ICANN's responsibility in helping to protect the DNS infrastructure makes a DNS-CERT key to future security and infrastructure plans. ICANN has shown leadership in 2009 in this area, and they can - and should - extend these efforts.

ICANN has also shown concern over the impact of fast-flux DNS operations on the DNS infrastructure with the working group, in which I also participated. Already we've seen a significant drop in the number of fast-flux domains active in a given day, and their effective lifetime is dropping. ICANN's efforts in educating operators and the security research community have certainly been key to this result.

Similarly, ICANN's move to allow for new TLDs and IDNs has security implications that will surely be abused in the immediate future. Any DNS-CERT can help ICANN's role in a coordinated response for the defense of the DNS infrastructure against such fraud and abuse.

Finally, DNS infrastructure attacks on the availability have been a problem for many years, although their scale and impact have been growing for many years. ICANN is uniquely positioned to provide assistance to all TLD operators in the DNS community. A DNS-CERT would easily have a beneficial role in protecting a key underpinning of the Internet.

These are but a few of the areas that need cross-border, Internet-scale responses that ICANN would be able to provide. A DNS-CERT's mission should be to support their constituency against these sorts of threats - and surely more in the coming years. Any DNS-CERT's success is measurable in the number of incidents that occur, the number attempted and the number that succeed, along with their impact. This includes losses from registry compromise, outages from DDoS attacks, use of DGAs by botnets, and fast-flux activity.

The Internet security community is actively seeking ICANN's participation in security response, and a DNS-CERT effort is certain to have a major benefit to the future of the Internet. I welcome this proposal in the draft 2010-2013 strategic outline put forth by ICANN.

Sincerely,
Jose Nazario, Ph.D.
Arbor Networks