SlideShare a Scribd company logo
1 of 26
Text
Text
#ICANN49
Name Collision Mitigation Update
Text
#ICANN49
Agenda
• New gTLD Collision Occurrence
Management Plan
• Outreach
• Collision Occurrence Mitigation
Framework – Draft Proposal
• Mitigation Interactions
• Q&A
Text
#ICANN49
Collision Occurrence Management Plan
• 7 October 2013: New gTLD Collision Occurrence
Management Plan adopted by ICANN Board New
gTLD Program Committee
• Plan Overview
o Defer delegating home and corp indefinitely
o Commission a study to develop a Name Collision Occurrence
Management Framework
o Each new gTLD to receive a Collision Occurrence Assessment
based on the Framework
o Alternate Path to Delegation for eligible strings
o Outreach Campaign
Text
#ICANN49
Name Collision Outreach
• Educational content published
o Information and resources hub on ICANN website
 http://www.icann.org/namecollision
• Influential technology media outlets and industry associations targeted
o Media coverage in 14 countries, 6 languages
o 100+ IT industry associations contacted around the world
• Amplified reach through social media
o Engaged with LinkedIn CIO groups
o Promotion through Twitter (66K followers) and Facebook (10K likes)
• Ongoing efforts
o Name Collision Information kit (contact GDD-Communications@icann.org)
o Public mailing list coming soon
 nc-info@icann.org
 https://mm.icann.org/mailman/listinfo/nc-info
Text
#ICANN49
Mitigating the Risk of
DNS Namespace
Collisions
Jeff Schmidt
JAS
Scope
• Initial Evaluation “DNS Stability String Review”
focused on a string’s potential impact on the
global DNS
• JAS research performed from the perspective of
end-systems as “consumers” of the global DNS
• JAS found no evidence to suggest that the
security and stability of the global Internet DNS
itself is at risk
Risk Assessment Objectives
• The frequency of possible collisions has received
substantial attention; JAS primary objective is to
advance discussion of the possible consequences
from the theoretical to the concrete
• Not all potential for collision results in collision
• Not all collisions are problematic
• Not all problematic collisions are equal
• Evaluate mitigation options
Definition
• Interisle: Name collision occurs when name
resolution takes place in a semantic domain other
than the one that was expected by a user.
• SAC062: The term “name collision” refers to the
situation in which a name that is properly defined
in one operational domain or naming scope may
appear in another domain (in which it is also
syntactically valid), where users, software, or
other functions in that domain may misinterpret
it as if it correctly belonged there.
Major Outreach and
Community Consultations
• 8-10 Mar: Verisign Name Collisions Workshop
(WPNC 14/IETF 89), London
• 26 Feb: Draft report released for ICANN public
comment period (closes 31 Mar)
• 17-21 Nov: ICANN 48 Buenos Aires
• 29 Oct: Online Trust Alliance (OTA) Collisions
Event, Washington DC
• 1 Oct: TLD Security Forum, Washington DC
Major Outreach and
Community Consultations
• Three JAS guest blog posts on DomainIncite
– 39 comments
• Active discussion on two email lists
• > 20 active “consumers” of colliding namespaces
• > 10 vendors
• > 40 other sources
Summary Findings
• Namespace collisions occur routinely throughout entire DNS
• Collisions occurred prior to delegation of every TLD since (at least) 2007
TLD Registration Date # SLDs in theoretical block list
.post 2012-08-07 > 50,000
.xxx 2011-04-15 > 40,000
.me 2007-09-24 > 10,000
.cw 2010-12-20 > 10,000
.asia 2007-05-02 > 5,000
.sx 2010-12-20 > 5,000
.rs 2007-09-24 > 5,000
.tel 2007-03-01 > 1,000
. xn--
mgba3a4f16a
2013-09-13 > 100
Summary Findings
• Collisions have been mentioned in research as
early as 2003
• The two previous new TLD pilot rounds yielded
no serious collision-related issues
• Failure modalities seem similar in all parts of the
DNS namespace
• Namespace expansion does not fundamentally or
significantly increase or change the risks
Why is this happening?
• Lack of appreciation/understanding of DNS
• DNS search list processing
• Intentional use of a namespace that is not under
the control of the using party
• Retirement/expiration of hostnames/2LD
registrations
• Colliding DNS namespaces are often purchased
– squatting, investing, domaining, drop-catching…
Lessons from other namespaces
• Other (important) namespaces have collisions
• Other (important) namespaces have changed
• Use notification/transition periods
– Advance notification
– Temporary grace/NACK period highly desirable
• 30-90 days typical
• There will be resistance to change
• In the end people and systems will adapt
Excerpt: Most people, and
certainly the members of
ADDL, welcome constructive
change. However, the
telephone is an extremely
important part of everyday
life, and major changes in its
use will have widespread
effects.
JAS Recommendations (1)
• The TLDs .corp, .home and .mail should be
permanently reserved
• “Controlled Interruption” zone (127.0.53.53)
immediately upon delegation and extending
for 120 days
– Non-delegated: implement following delegation
using wildcard
– Delegated/APD: implement using DNS Resource
Records (RR) for SDL Block List strings
JAS Recommendations (2)
• ICANN to monitor implementation
• ICANN to maintain emergency response
capability to act upon reported problems that
present “clear and present danger to human life”
• Don’t de-delegate at root level; use EBERO for
surgical edits if required
• Several recommendations around improved data
collection and archival at the root zone
Clear and Present Danger to Human Life
(C&PDHL)
• Balance not involving ICANN in commercial
disputes and allowing for situations where
inaction is not acceptable
• Defining and quantifying harm in any terms less
than C&PDHL on a global basis is impossible
• Cause “self-selection” of collisions-related reports
to ICANN
• Provide guidance to ICANN staff when evaluating
reports
Why 127.0.53.53?
• 127/8 loopback/localnet (RFC 1122 c. 1989)
• Intended to be “odd” enough to get attention and
rank in search engines
• Other options: RFC 1918 & Internet Honeypot
• Sophisticated network operators have options to
control 127.0.53.53 responses
– Response Policy Zone (RPZ), IDS/IPS
– Verified with BIND and Snort
Why 120 days?
• Certificate revocation period is a benchmark of
conservatism for a transition/buffer period
• Controlled interruption impacts different systems
differently; wide variance in time required for
detection and remediation
• Conscious of quarterly batch processing
Text
#ICANN49
Name Collision
Mitigation Interactions
Text
#ICANN49
Name Collision Mitigation Interactions
• Not anticipated to alter rate of new TLD delegations
• Activation of domain names under the new gTLD
o Already not allowed during 120-days from contracting
o Would also not be allowed during 120-days from delegation
 Only exception to rule: nic.<tld> and under
• Registration/allocation of domain names under new gTLD
o Allowed from delegation, subject to RPM and other requirements,
Sunrise and Claims periods
o Registered/allocated names are subject to the normal Sunrise and
Claims period, depending on the period in which they are allocated
Text
#ICANN49
Name Collision Mitigation Interactions
• 100 names for promotion of TLD allowed
o Cannot be activated until the end of the no-activation period(s)
o Subject to other requirements in the Registry Agreement
• Alternate Path vs. Controlled Interruption Measure
o Newly delegated gTLDs: Alternate Path to Delegation not available
if/when Framework is adopted by ICANN Board
o Already delegated gTLDs: Only apply controlled interruption in
block list names (i.e., no DNS wildcard record under the TLD)
• Name Collision Reporting
o Already available 24/7 to affected parties
o New requirement in proposal is threshold for demonstrably severe
harm: “clear and present danger to human life”
Text
#ICANN49
Q & A
Questions can also be submitted to
XXX@icann.org
Text
#ICANN49
Related Global Domains Division Sessions
26 March
10:30-12:00
24 March
15:15-16:30
24 March
15:15-16:45
24 March
17:00-18:30
TLD Registry - Ongoing Operations
New gTLD Program Auctions
TLD Acceptance
TLD Launch Process Experiences and
Registry Onboarding
IDN Variant TLDs Program Update
26 March
10:30-12:00

More Related Content

What's hot

What's hot (9)

DNS/DNSSEC by Nurul Islam
DNS/DNSSEC by Nurul IslamDNS/DNSSEC by Nurul Islam
DNS/DNSSEC by Nurul Islam
 
OpenSplice DDS Tutorial -- Part II
OpenSplice DDS Tutorial -- Part IIOpenSplice DDS Tutorial -- Part II
OpenSplice DDS Tutorial -- Part II
 
DDS QoS Unleashed
DDS QoS UnleashedDDS QoS Unleashed
DDS QoS Unleashed
 
A Sysadmins Guide To Authentication And Authorization Chhorn Current
A Sysadmins Guide To Authentication And Authorization  Chhorn  CurrentA Sysadmins Guide To Authentication And Authorization  Chhorn  Current
A Sysadmins Guide To Authentication And Authorization Chhorn Current
 
A Gentle Introduction to OpenSplice DDS
A Gentle Introduction to OpenSplice DDSA Gentle Introduction to OpenSplice DDS
A Gentle Introduction to OpenSplice DDS
 
DDS Interoperability Demo 2013 (Washington DC)
DDS Interoperability Demo 2013 (Washington DC)DDS Interoperability Demo 2013 (Washington DC)
DDS Interoperability Demo 2013 (Washington DC)
 
OMG DDS: The Data Distribution Service for Real-Time Systems
OMG DDS: The Data Distribution Service for Real-Time SystemsOMG DDS: The Data Distribution Service for Real-Time Systems
OMG DDS: The Data Distribution Service for Real-Time Systems
 
Component Based DDS with C++11 and R2DDS
Component Based DDS with C++11 and R2DDSComponent Based DDS with C++11 and R2DDS
Component Based DDS with C++11 and R2DDS
 
Getting Started in DDS with C++ and Java
Getting Started in DDS with C++ and JavaGetting Started in DDS with C++ and Java
Getting Started in DDS with C++ and Java
 

Viewers also liked

Viewers also liked (7)

TLD Launch Process Experiences & Registry Onboarding from ICANN 49
TLD Launch Process Experiences & Registry Onboarding from ICANN 49TLD Launch Process Experiences & Registry Onboarding from ICANN 49
TLD Launch Process Experiences & Registry Onboarding from ICANN 49
 
The Logical Layer of Digital Governance
The Logical Layer of Digital GovernanceThe Logical Layer of Digital Governance
The Logical Layer of Digital Governance
 
What Does ICANN Do (English)
What Does ICANN Do (English)What Does ICANN Do (English)
What Does ICANN Do (English)
 
The Domain Name Industry: Responsibilities
The Domain Name Industry: ResponsibilitiesThe Domain Name Industry: Responsibilities
The Domain Name Industry: Responsibilities
 
The Domain Name Industry: Ecosystem
The Domain Name Industry: EcosystemThe Domain Name Industry: Ecosystem
The Domain Name Industry: Ecosystem
 
Who Runs the Internet?
Who Runs the Internet?Who Runs the Internet?
Who Runs the Internet?
 
The IANA Functions
The IANA FunctionsThe IANA Functions
The IANA Functions
 

Similar to Name Collision Mitigation Update from ICANN 49

Icann Presentation @OBP Milano 18 novembre2009
Icann Presentation  @OBP Milano 18 novembre2009Icann Presentation  @OBP Milano 18 novembre2009
Icann Presentation @OBP Milano 18 novembre2009
Register.it
 
IDNs and the new gTLDs: Evolving a Strategy
IDNs and the new gTLDs: Evolving a StrategyIDNs and the new gTLDs: Evolving a Strategy
IDNs and the new gTLDs: Evolving a Strategy
Rodney D. Ryder
 

Similar to Name Collision Mitigation Update from ICANN 49 (20)

Icann Presentation @OBP Milano 18 novembre2009
Icann Presentation  @OBP Milano 18 novembre2009Icann Presentation  @OBP Milano 18 novembre2009
Icann Presentation @OBP Milano 18 novembre2009
 
New gTLDs are coming! - ResellerClub Webinar
New gTLDs are coming! - ResellerClub WebinarNew gTLDs are coming! - ResellerClub Webinar
New gTLDs are coming! - ResellerClub Webinar
 
ICANN 51: Name Collision
ICANN 51: Name CollisionICANN 51: Name Collision
ICANN 51: Name Collision
 
Technical and Business Considerations for DNSSEC Deployment
Technical and Business Considerations for DNSSEC DeploymentTechnical and Business Considerations for DNSSEC Deployment
Technical and Business Considerations for DNSSEC Deployment
 
DDS, the US Navy, and the Need for Distributed Software
DDS, the US Navy,  and the Need for Distributed SoftwareDDS, the US Navy,  and the Need for Distributed Software
DDS, the US Navy, and the Need for Distributed Software
 
ICANN 50: Name Collision Occurrence Management Framework
ICANN 50: Name Collision Occurrence Management FrameworkICANN 50: Name Collision Occurrence Management Framework
ICANN 50: Name Collision Occurrence Management Framework
 
Signing DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutionsSigning DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutions
 
ION Trinidad and Tobago - The Business Case for DNSSEC
ION Trinidad and Tobago - The Business Case for DNSSECION Trinidad and Tobago - The Business Case for DNSSEC
ION Trinidad and Tobago - The Business Case for DNSSEC
 
Windows Network concepts
Windows Network conceptsWindows Network concepts
Windows Network concepts
 
8 technical-dns-workshop-day4
8 technical-dns-workshop-day48 technical-dns-workshop-day4
8 technical-dns-workshop-day4
 
Inta useof tmsindomainnamespresentation
Inta useof tmsindomainnamespresentationInta useof tmsindomainnamespresentation
Inta useof tmsindomainnamespresentation
 
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
 
IDNs and the new gTLDs: Evolving a Strategy
IDNs and the new gTLDs: Evolving a StrategyIDNs and the new gTLDs: Evolving a Strategy
IDNs and the new gTLDs: Evolving a Strategy
 
DNA Reg Ops Meeting
DNA Reg Ops MeetingDNA Reg Ops Meeting
DNA Reg Ops Meeting
 
Domain Name Association Registry-Registrar Operations Working Group
Domain Name Association Registry-Registrar Operations Working GroupDomain Name Association Registry-Registrar Operations Working Group
Domain Name Association Registry-Registrar Operations Working Group
 
FOSE 2011: DNSSEC and the Government, Lessons Learned
FOSE 2011: DNSSEC and the Government, Lessons LearnedFOSE 2011: DNSSEC and the Government, Lessons Learned
FOSE 2011: DNSSEC and the Government, Lessons Learned
 
ICANN 51: DNS Risk Framework
ICANN 51: DNS Risk FrameworkICANN 51: DNS Risk Framework
ICANN 51: DNS Risk Framework
 
ICANN 50: What’s New with the Global Domains Division
ICANN 50: What’s New with the Global Domains DivisionICANN 50: What’s New with the Global Domains Division
ICANN 50: What’s New with the Global Domains Division
 
DNS Openness
DNS OpennessDNS Openness
DNS Openness
 
Demystifying SharePoint Infrastructure – for NON-IT People
 Demystifying SharePoint Infrastructure – for NON-IT People  Demystifying SharePoint Infrastructure – for NON-IT People
Demystifying SharePoint Infrastructure – for NON-IT People
 

More from ICANN

More from ICANN (20)

Call for Volunteers: Accountability & Transparency Review Team_PT
Call for Volunteers: Accountability & Transparency Review Team_PTCall for Volunteers: Accountability & Transparency Review Team_PT
Call for Volunteers: Accountability & Transparency Review Team_PT
 
Call for Volunteers: Accountability & Transparency Review Team_ZH
Call for Volunteers: Accountability & Transparency Review Team_ZHCall for Volunteers: Accountability & Transparency Review Team_ZH
Call for Volunteers: Accountability & Transparency Review Team_ZH
 
Call for Volunteers: Accountability & Transparency Review Team_ES
Call for Volunteers: Accountability & Transparency Review Team_ESCall for Volunteers: Accountability & Transparency Review Team_ES
Call for Volunteers: Accountability & Transparency Review Team_ES
 
Call for Volunteers: Accountability & Transparency Review Team_AR
Call for Volunteers: Accountability & Transparency Review Team_ARCall for Volunteers: Accountability & Transparency Review Team_AR
Call for Volunteers: Accountability & Transparency Review Team_AR
 
Call for Volunteers: Accountability & Transparency Review Team_FR
Call for Volunteers: Accountability & Transparency Review Team_FRCall for Volunteers: Accountability & Transparency Review Team_FR
Call for Volunteers: Accountability & Transparency Review Team_FR
 
Call for Volunteers: Accountability & Transparency Review Team_RU
Call for Volunteers: Accountability & Transparency Review Team_RUCall for Volunteers: Accountability & Transparency Review Team_RU
Call for Volunteers: Accountability & Transparency Review Team_RU
 
Call for Volunteers: Accountability & Transparency Review Team
Call for Volunteers: Accountability & Transparency Review TeamCall for Volunteers: Accountability & Transparency Review Team
Call for Volunteers: Accountability & Transparency Review Team
 
ICANN Expected Standards of Behavior | French
ICANN Expected Standards of Behavior | FrenchICANN Expected Standards of Behavior | French
ICANN Expected Standards of Behavior | French
 
ICANN Expected Standards of Behavior
ICANN Expected Standards of BehaviorICANN Expected Standards of Behavior
ICANN Expected Standards of Behavior
 
ICANN Expected Standards of Behavior | Russian
ICANN Expected Standards of Behavior | RussianICANN Expected Standards of Behavior | Russian
ICANN Expected Standards of Behavior | Russian
 
ICANN Expected Standards of Behavior | Arabic
ICANN Expected Standards of Behavior | ArabicICANN Expected Standards of Behavior | Arabic
ICANN Expected Standards of Behavior | Arabic
 
ICANN Expected Standards of Behavior | Chinese
ICANN Expected Standards of Behavior | ChineseICANN Expected Standards of Behavior | Chinese
ICANN Expected Standards of Behavior | Chinese
 
ICANN Expected Standards of Behavior | Spanish
ICANN Expected Standards of Behavior | SpanishICANN Expected Standards of Behavior | Spanish
ICANN Expected Standards of Behavior | Spanish
 
Policy Development Process Infographic Turkish
Policy Development Process Infographic TurkishPolicy Development Process Infographic Turkish
Policy Development Process Infographic Turkish
 
Policy Development Process Infographic Russian
Policy Development Process Infographic RussianPolicy Development Process Infographic Russian
Policy Development Process Infographic Russian
 
Policy Development Process Infographic Portuguese
Policy Development Process Infographic PortuguesePolicy Development Process Infographic Portuguese
Policy Development Process Infographic Portuguese
 
Policy Development Process Infographic Spanish
Policy Development Process Infographic SpanishPolicy Development Process Infographic Spanish
Policy Development Process Infographic Spanish
 
Policy Development Process Infographic French
Policy Development Process Infographic FrenchPolicy Development Process Infographic French
Policy Development Process Infographic French
 
Policy Development Process Infographic English
Policy Development Process Infographic EnglishPolicy Development Process Infographic English
Policy Development Process Infographic English
 
Policy Development Process Infographic Chinese
Policy Development Process Infographic ChinesePolicy Development Process Infographic Chinese
Policy Development Process Infographic Chinese
 

Recently uploaded

Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for Success
UXDXConf
 

Recently uploaded (20)

FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024
 
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
 
Using IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & IrelandUsing IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & Ireland
 
IESVE for Early Stage Design and Planning
IESVE for Early Stage Design and PlanningIESVE for Early Stage Design and Planning
IESVE for Early Stage Design and Planning
 
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptxWSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
 
ECS 2024 Teams Premium - Pretty Secure
ECS 2024   Teams Premium - Pretty SecureECS 2024   Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty Secure
 
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfIntroduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
 
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
 
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
 
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsContinuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
 
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfSimplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
 
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfLinux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
 
The Metaverse: Are We There Yet?
The  Metaverse:    Are   We  There  Yet?The  Metaverse:    Are   We  There  Yet?
The Metaverse: Are We There Yet?
 
TopCryptoSupers 12thReport OrionX May2024
TopCryptoSupers 12thReport OrionX May2024TopCryptoSupers 12thReport OrionX May2024
TopCryptoSupers 12thReport OrionX May2024
 
Long journey of Ruby Standard library at RubyKaigi 2024
Long journey of Ruby Standard library at RubyKaigi 2024Long journey of Ruby Standard library at RubyKaigi 2024
Long journey of Ruby Standard library at RubyKaigi 2024
 
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfWhere to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
 
Your enemies use GenAI too - staying ahead of fraud with Neo4j
Your enemies use GenAI too - staying ahead of fraud with Neo4jYour enemies use GenAI too - staying ahead of fraud with Neo4j
Your enemies use GenAI too - staying ahead of fraud with Neo4j
 
Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for Success
 
Google I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGoogle I/O Extended 2024 Warsaw
Google I/O Extended 2024 Warsaw
 

Name Collision Mitigation Update from ICANN 49

  • 3. Text #ICANN49 Agenda • New gTLD Collision Occurrence Management Plan • Outreach • Collision Occurrence Mitigation Framework – Draft Proposal • Mitigation Interactions • Q&A
  • 4. Text #ICANN49 Collision Occurrence Management Plan • 7 October 2013: New gTLD Collision Occurrence Management Plan adopted by ICANN Board New gTLD Program Committee • Plan Overview o Defer delegating home and corp indefinitely o Commission a study to develop a Name Collision Occurrence Management Framework o Each new gTLD to receive a Collision Occurrence Assessment based on the Framework o Alternate Path to Delegation for eligible strings o Outreach Campaign
  • 5. Text #ICANN49 Name Collision Outreach • Educational content published o Information and resources hub on ICANN website  http://www.icann.org/namecollision • Influential technology media outlets and industry associations targeted o Media coverage in 14 countries, 6 languages o 100+ IT industry associations contacted around the world • Amplified reach through social media o Engaged with LinkedIn CIO groups o Promotion through Twitter (66K followers) and Facebook (10K likes) • Ongoing efforts o Name Collision Information kit (contact GDD-Communications@icann.org) o Public mailing list coming soon  nc-info@icann.org  https://mm.icann.org/mailman/listinfo/nc-info
  • 6. Text #ICANN49 Mitigating the Risk of DNS Namespace Collisions Jeff Schmidt JAS
  • 7. Scope • Initial Evaluation “DNS Stability String Review” focused on a string’s potential impact on the global DNS • JAS research performed from the perspective of end-systems as “consumers” of the global DNS • JAS found no evidence to suggest that the security and stability of the global Internet DNS itself is at risk
  • 8. Risk Assessment Objectives • The frequency of possible collisions has received substantial attention; JAS primary objective is to advance discussion of the possible consequences from the theoretical to the concrete • Not all potential for collision results in collision • Not all collisions are problematic • Not all problematic collisions are equal • Evaluate mitigation options
  • 9. Definition • Interisle: Name collision occurs when name resolution takes place in a semantic domain other than the one that was expected by a user. • SAC062: The term “name collision” refers to the situation in which a name that is properly defined in one operational domain or naming scope may appear in another domain (in which it is also syntactically valid), where users, software, or other functions in that domain may misinterpret it as if it correctly belonged there.
  • 10. Major Outreach and Community Consultations • 8-10 Mar: Verisign Name Collisions Workshop (WPNC 14/IETF 89), London • 26 Feb: Draft report released for ICANN public comment period (closes 31 Mar) • 17-21 Nov: ICANN 48 Buenos Aires • 29 Oct: Online Trust Alliance (OTA) Collisions Event, Washington DC • 1 Oct: TLD Security Forum, Washington DC
  • 11. Major Outreach and Community Consultations • Three JAS guest blog posts on DomainIncite – 39 comments • Active discussion on two email lists • > 20 active “consumers” of colliding namespaces • > 10 vendors • > 40 other sources
  • 12. Summary Findings • Namespace collisions occur routinely throughout entire DNS • Collisions occurred prior to delegation of every TLD since (at least) 2007 TLD Registration Date # SLDs in theoretical block list .post 2012-08-07 > 50,000 .xxx 2011-04-15 > 40,000 .me 2007-09-24 > 10,000 .cw 2010-12-20 > 10,000 .asia 2007-05-02 > 5,000 .sx 2010-12-20 > 5,000 .rs 2007-09-24 > 5,000 .tel 2007-03-01 > 1,000 . xn-- mgba3a4f16a 2013-09-13 > 100
  • 13. Summary Findings • Collisions have been mentioned in research as early as 2003 • The two previous new TLD pilot rounds yielded no serious collision-related issues • Failure modalities seem similar in all parts of the DNS namespace • Namespace expansion does not fundamentally or significantly increase or change the risks
  • 14. Why is this happening? • Lack of appreciation/understanding of DNS • DNS search list processing • Intentional use of a namespace that is not under the control of the using party • Retirement/expiration of hostnames/2LD registrations • Colliding DNS namespaces are often purchased – squatting, investing, domaining, drop-catching…
  • 15. Lessons from other namespaces • Other (important) namespaces have collisions • Other (important) namespaces have changed • Use notification/transition periods – Advance notification – Temporary grace/NACK period highly desirable • 30-90 days typical • There will be resistance to change • In the end people and systems will adapt
  • 16. Excerpt: Most people, and certainly the members of ADDL, welcome constructive change. However, the telephone is an extremely important part of everyday life, and major changes in its use will have widespread effects.
  • 17. JAS Recommendations (1) • The TLDs .corp, .home and .mail should be permanently reserved • “Controlled Interruption” zone (127.0.53.53) immediately upon delegation and extending for 120 days – Non-delegated: implement following delegation using wildcard – Delegated/APD: implement using DNS Resource Records (RR) for SDL Block List strings
  • 18. JAS Recommendations (2) • ICANN to monitor implementation • ICANN to maintain emergency response capability to act upon reported problems that present “clear and present danger to human life” • Don’t de-delegate at root level; use EBERO for surgical edits if required • Several recommendations around improved data collection and archival at the root zone
  • 19. Clear and Present Danger to Human Life (C&PDHL) • Balance not involving ICANN in commercial disputes and allowing for situations where inaction is not acceptable • Defining and quantifying harm in any terms less than C&PDHL on a global basis is impossible • Cause “self-selection” of collisions-related reports to ICANN • Provide guidance to ICANN staff when evaluating reports
  • 20. Why 127.0.53.53? • 127/8 loopback/localnet (RFC 1122 c. 1989) • Intended to be “odd” enough to get attention and rank in search engines • Other options: RFC 1918 & Internet Honeypot • Sophisticated network operators have options to control 127.0.53.53 responses – Response Policy Zone (RPZ), IDS/IPS – Verified with BIND and Snort
  • 21. Why 120 days? • Certificate revocation period is a benchmark of conservatism for a transition/buffer period • Controlled interruption impacts different systems differently; wide variance in time required for detection and remediation • Conscious of quarterly batch processing
  • 23. Text #ICANN49 Name Collision Mitigation Interactions • Not anticipated to alter rate of new TLD delegations • Activation of domain names under the new gTLD o Already not allowed during 120-days from contracting o Would also not be allowed during 120-days from delegation  Only exception to rule: nic.<tld> and under • Registration/allocation of domain names under new gTLD o Allowed from delegation, subject to RPM and other requirements, Sunrise and Claims periods o Registered/allocated names are subject to the normal Sunrise and Claims period, depending on the period in which they are allocated
  • 24. Text #ICANN49 Name Collision Mitigation Interactions • 100 names for promotion of TLD allowed o Cannot be activated until the end of the no-activation period(s) o Subject to other requirements in the Registry Agreement • Alternate Path vs. Controlled Interruption Measure o Newly delegated gTLDs: Alternate Path to Delegation not available if/when Framework is adopted by ICANN Board o Already delegated gTLDs: Only apply controlled interruption in block list names (i.e., no DNS wildcard record under the TLD) • Name Collision Reporting o Already available 24/7 to affected parties o New requirement in proposal is threshold for demonstrably severe harm: “clear and present danger to human life”
  • 25. Text #ICANN49 Q & A Questions can also be submitted to XXX@icann.org
  • 26. Text #ICANN49 Related Global Domains Division Sessions 26 March 10:30-12:00 24 March 15:15-16:30 24 March 15:15-16:45 24 March 17:00-18:30 TLD Registry - Ongoing Operations New gTLD Program Auctions TLD Acceptance TLD Launch Process Experiences and Registry Onboarding IDN Variant TLDs Program Update 26 March 10:30-12:00

Editor's Notes

  1. Name Collision Occurrence Management Plan7 October: Plan approved by the ICANN Board NGPC.home &amp; .corp considered high risk &amp; delegations deferred indefinitelyFramework for Name Collision Occurrence Management to be developed in cooperation with community, then applied to each proposed new gTLDAlternate Path to Delegation by blocking SLDs queried in historical data at DNS-OARC and other relevant datasetsOutreach to target potentially affected parties designed to mitigate future occurrences16 October: Announcement describing the implementation of the planAlternate Path to Delegation Reports &amp; lists of SLDs to block for each applied for TLD already publishedReports are being published to TLD’s registry agreement page on ICANN.org for those TLD that have signed a registry agreementCollision Occurrence Management Plan1 November: Engaged lead for the development of the Name Collision Occurrence Management FrameworkThe Framework will:Identify appropriate parameters and processes to assess the probability and severity of impactSpecify corresponding mitigation to be applied per category of collisionBased on datasets from DNS-OCAR and others, e.g., internal name certificates data from Certification AuthoritiesBe published for public commentFirst public discussion about the Framework later today at 15:15 in this roomFinal version of the Framework is planned by March 2014 during the ICANN meeting in Singapore
  2. December 2013: Launched multi-faceted outreach campaign Goals:Raise awareness of the issueEducate IT professionals on how to safeguard against itFirst Step: Create a resource hub at ICANN.org/namecollisionPublish a variety of content explaining Name CollisionMaterials include:Video introductionBlog post by Security Expert providing a high-level overview of managing collision occurrenceIn-depth report: Guide to Name Collision Mitigation for IT ProfessionalsFrequently Asked QuestionsForm allowing Internet users to report an incidence of harm caused by name collisionNext Step: Get the information into the hands of the people who have the potential to be most affectedTargeting key technology media outlets and influential industry associationsIssued an initial press releaseTracked nearly 40 pieces of coverage to dateMost notably The Register, Heise.de, Web Host Industry Review, and Zawya14 countries and 6 languages represented in coverageReaching out directly to industry associations (ongoing)Made contact with over 100 associationsResponse has been positive - many have published information and/or distributed directly to membersIssued a follow up press release serving as a point of reference both for associations and mediaReceived positive response from the likes of the European Telecommunications Network OperatorsStep 3: Amplify outreach through Social MediaActively promoting all educational materials, press releases on Twitter and FacebookICANN reaches 66 thousand followers on twitter and 10,000 Facebook usersIdentified trade groups and thought leaders on LinkedIn and engaged through their forumsCIO ForumCIO NetworkCIO ExchangeCDO/CIO/CTO Leadership CouncilCIO CommunityForbes CIO NetworkOutreach is ongoingRecently created a Name Collision Information kit, a zip file which can be distributed to interested parties via emailRequest the kit at gdd-communications@icann.orgFrancisco and team will be launching a public mailing list soon to allow the community to converse on how we can further our outreach efforts togetherEncourage you to joint the discussion!
  3. Note the actual SLD block lists are even larger – the further back one goes the less DITL data is availableFirst DITL data January 2006
  4. http://blogs.technet.com/b/networking/archive/2009/04/16/dns-client-name-resolution-behavior-in-windows-vista-vs-windows-xp.aspx
  5. Bruceschneier.com porn site
  6. Horrible what-if scenarios contrivedAlso RIR hold periods: 1 month – 6 months
  7. The Internet has shown that it needs RFC 1918-like DNS spaceBuffer previous usage and new usage with a notification period that will NACK some (but not all) useHope for the best, prepare for the worst
  8. The Internet has shown that it needs RFC 1918-like DNS spaceBuffer previous usage and new usage with a notification period that will NACK some (but not all) useHope for the best, prepare for the worst
  9. The Internet has shown that it needs RFC 1918-like DNS spaceBuffer previous usage and new usage with a notification period that will NACK some (but not all) useHope for the best, prepare for the worst
  10. The Internet has shown that it needs RFC 1918-like DNS spaceBuffer previous usage and new usage with a notification period that will NACK some (but not all) useHope for the best, prepare for the worst
  11. The Internet has shown that it needs RFC 1918-like DNS spaceBuffer previous usage and new usage with a notification period that will NACK some (but not all) useHope for the best, prepare for the worst
  12. Name Collision Occurrence Management Plan7 October: Plan approved by the ICANN Board NGPC.home &amp; .corp considered high risk &amp; delegations deferred indefinitelyFramework for Name Collision Occurrence Management to be developed in cooperation with community, then applied to each proposed new gTLDAlternate Path to Delegation by blocking SLDs queried in historical data at DNS-OARC and other relevant datasetsOutreach to target potentially affected parties designed to mitigate future occurrences16 October: Announcement describing the implementation of the planAlternate Path to Delegation Reports &amp; lists of SLDs to block for each applied for TLD already publishedReports are being published to TLD’s registry agreement page on ICANN.org for those TLD that have signed a registry agreementCollision Occurrence Management Plan1 November: Engaged lead for the development of the Name Collision Occurrence Management FrameworkThe Framework will:Identify appropriate parameters and processes to assess the probability and severity of impactSpecify corresponding mitigation to be applied per category of collisionBased on datasets from DNS-OCAR and others, e.g., internal name certificates data from Certification AuthoritiesBe published for public commentFirst public discussion about the Framework later today at 15:15 in this roomFinal version of the Framework is planned by March 2014 during the ICANN meeting in Singapore
  13. Name Collision Occurrence Management Plan7 October: Plan approved by the ICANN Board NGPC.home &amp; .corp considered high risk &amp; delegations deferred indefinitelyFramework for Name Collision Occurrence Management to be developed in cooperation with community, then applied to each proposed new gTLDAlternate Path to Delegation by blocking SLDs queried in historical data at DNS-OARC and other relevant datasetsOutreach to target potentially affected parties designed to mitigate future occurrences16 October: Announcement describing the implementation of the planAlternate Path to Delegation Reports &amp; lists of SLDs to block for each applied for TLD already publishedReports are being published to TLD’s registry agreement page on ICANN.org for those TLD that have signed a registry agreementCollision Occurrence Management Plan1 November: Engaged lead for the development of the Name Collision Occurrence Management FrameworkThe Framework will:Identify appropriate parameters and processes to assess the probability and severity of impactSpecify corresponding mitigation to be applied per category of collisionBased on datasets from DNS-OCAR and others, e.g., internal name certificates data from Certification AuthoritiesBe published for public commentFirst public discussion about the Framework later today at 15:15 in this roomFinal version of the Framework is planned by March 2014 during the ICANN meeting in Singapore