New gTLD - National Cyberspace Strategy

1. 千家爭鳴的域名新時代
New gTLD – National Cyberspace Strategy
Kenny Huang, Ph.D. 黃勝雄博士
Executive Council Member, APNIC
Advisor, .taipei Registry
huangksh@gmail.com

2. Agenda
2
S1. New gTLD updated
S2. New gTLD vs. Technology
S3. New gTLD vs. Policy

3. Network
Paths
•Routing
policy
•Peering
•Transit
Number
Space
•IPv4
•IPv6
Critical Internet Components
3
Routing
Name
Space
•gTLDs
•ccTLDs
Naming
Addressing
Internet
S1

4. New gTLD Applications
4
Generic, 53
TM, 34
IDN, 6
Community, 4 Geographic, 3
Generic
TM
IDN
Community
Geographic
1930 Applications
1409 Extensions
1155 Applicants
S1

5. New gTLDs Applications Updated
5
Application Statistics Selected Subcategories of Delegated gTLDs
(ICANN, 9 Jan 2015)
Total Applications Submitted : 1930 Delegation gTLDs: 483
S1

6. New gTLD Market
6
S1

7. New gTLD Registrations
7
(namestat, 15 Jan 2015)
S1

8. All gTLD Registrations
8
(registrarstat, 15 Jan 2015)
New gTLD
All gTLD
= 2.08%New gTLD Market Share=
gTLD Market Dilution
S1

9. gTLD CR4 Impact
9
97.99% 98.01% 98.09% 98.21% 98.34% 98.37% 98.39%
94.11%
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
2007 2008 2009 2010 2011 2012 2013 2015
9
CR4 : Four-Firm Concentration Ratio measures the total market share of the four largest firms in an industry
ConcentrationRatio
.com .net .org .info
New gTLD Delegated
NTIA agreement & ICANN Core Value
“promote and sustain a competitive environment”
S1
(Kenny Huang, 2015)

10. New gTLD – Norm Disruption
10
S2
(Kenny Huang, 2015)

11. DNSSEC Behavior
11
DNSKEY root
DS .taipei
DNSKEY .taipei
DS 101.taipei
DNSKEY 101.taipei
root
TLD : .taipei
SLD: .101.taipei
ISP
recursive resolver
1 user makes request for
a .taipei domain
2 ISP resolver verifies the
root’s DS key
3 root points the ISP to the
.taipei TLD and gives the
ISP the .taipei DS key
4 ISP verifies .taipei’s DS key
5 .taipei points the ISP to the
101.taipei SLD and give the
ISP the 101.taipei DS key.
6 ISP verifies 101.taipei’s SLD
DS key
7 Requested SLD information
is retrieved and sent back to
ISP
8 ISP sends SLD information
back to user
9 User access trusted
101.taipei domain
1
8
2
3
4
5
6
7
User
stub resolver
9
S2

12. DNSSEC Deployment Updated
12
Root Zone
795 TLDs in the root zone in total
622 TLDs are signed;
615 TLDs have trust anchors published as DS records in the root zone;
6 TLDs have trust anchors published in the ISC DLV Repository.
(ICANN, 16 Jan 2015)
(Eggert, Jan 2015)
S2

13. DNSSEC
Internet Governance and Security Implication
13
root (.)
RFC2826 Unique DNS Root
From “de facto model”
to “de jure model”
Security is as strong as the weakest linkInconsistent Cyber Security:
S2

14. IDN System & Technology Mandated
14
registration
delegation
resolution
Registrar Registry
Registrant Managed
Authoritative DNS
Registrant
DNS Technical
Specification
IDN Policy (option1) Sub-delegation Policy
UsersBind Application Server
1
2
3
4
5
6
7
IDN Policy (option2)
rfc1034,1035
rfc1034,1035
rfc3743,4713
rfc4033,4034,4035
rfc4033,4034,4035
rfc4033,4034,4035
rfc5730,5731,
5732,5733,5734
Recursive DNS/
Cache
S2
(Kenny Huang, 2014)

15. Han Label Rules for The Root Zone
15
S2
(Kenny Huang, 2014)

16. Google IPv6 adoption
IPv6 and New gTLD
16
(Google, Jan 2015)
IPv6 is mandatory
S2

17. DN Market Value Chain (VC)
17
DN
Market
Registries
Registrars Resellers
Trade
Marketplace Brokers
DN
Holders
Registries/
Registrars
Backend
Registry
Operators
Software
Vendors
DNS/Web
Hosting
Server
Hosting
Cloud
Services
VCa
a1
a2 a3
c1 c2
b1b2
d1
d2d3
VCb
VCcVCd
Industrial Competitiveness : Irreplaceable link in a value chain
(Kenny Huang, 2012)
weak
link
weak
link
weak
link
S3

18. Strategy for Domain Name Policy
18
a1
a2
a3 b1
b2
c1
c2
d1
d2
d3
0.00
1.00
2.00
3.00
4.00
5.00
0.00 1.00 2.00 3.00 4.00 5.00
Uncertainty
Value
a1
a2
a3
b1
b2
c1
c2
d1
d2
d3
Reprioritize and source
alternative technologies Risk mitigation
Develop fair competition
environment
Strengthen industrial
competitive advantage
registries
registrars
resellers
Software vendors
Backend registry operators
Trade marketplace
brokers
DNS hosting
Server hosting
Cloud services
(Kenny Huang, 2012)
S3

19. Regulations
19
Telecom Act s11, s17,s18? s20-1;
Communication Security and Surveillance Act ?
Telecom Act s20-1?
Communication Security and Surveillance Act?
Telecom Act s11, s17,s18?
Communication Security and Surveillance Act?
Telecom Act s20-1?
網際網路位址及網域名稱註冊管理業務監督及輔導辦法第二條第5款
網域名稱註冊管理業務：指具有管理 .tw 頂級網域名稱 (TLD)或其他用以表徵我國之網域
名稱註冊資料，並提 供網域名稱系統正常運作及相關註冊管理之服務事項。
從事電信網際網路位址及網域名稱註冊管理業務之監督及輔導事項，由電 信總局辦理之；
其監督及輔導辦法，由電信總局訂定之。 從事前項業務者，應為非營利法人組織。
電信法第20-1條
通訊保障及監察法第7條
S3

20. Policy Hierarchy
20
Principles
Policies
Standards
Guidelines
Procedures
(Dominic Steinitz, 2002)
Policy
Enforcement
Pros: Agility
Cons: resource
sustainability
Pros: Legitimacy
Cons: Hard to achieve &
inflexibility
S3

21. gTLD Policy Planning Model
21
Regulatory Framework
Policy Framework Technical Specifications
Market Demands
gTLD Policy
ICANN policy; Sunrise; UDRP
Telecom Act; Domain
Registration Regulation
ACE, IDN, Security, Whois
FQDN < 253 ; DN < 63
value; price; service quality
IDN; variants; reserved
names; prohibited names;
pricing; DRP
S3
(Kenny Huang, 2015)

22. gTLD Public Interests
22
Registrar
Registration
System
New gTLD
Registry
DNS
Resolver
Registrant users
Domain name
registration
Shared Registration System
Registration Policy
Reserved names
IDN variants
DNS Resource Records
DN expire; delete data
Financial information
Registrant information
DNS
Server
delegation
DRP
Registration Policy
Public interests
Eligibility
Service Quality
S3
(Kenny Huang, 2015)

23. Government Digital Portfolio
23
Allocatable Names Prohibited Names
New gTLD
applications
GAC
Early Warning
Objections
Government
Operated Registry
Public-Private
Partnership Registry
Government
Endorsement
Government Cyberspace
Digital Portfolio
Defensive StrategyAcquisition Strategy
S3
(Kenny Huang, 2015)

24. 24
Economy
Innovation &
Open markets
Protecting
Networks
Security, Reliability
& Resiliency
Law
Enforcement
Collaboration &
Rule of Law
Military
Preparing Security
Challenges
Internet
Governance
Effective &
Inclusive Structure
International
Development
Build Capacity,
Security & Prosperity
Internet
Freedom
Supporting Freedoms
& Privacy
S3
(USG, 2010)

25. OECD
CIIP vs. gTLD
Critical Information Infrastructure Protection
25
Information components supporting the critical
infrastructure
Information infrastructure supporting essential
components of government business
Information infrastructure essential to the
national economy
US
Systems and assets, whether physical or virtual to
the US that the incapacity of destruction of such
systems and assets would have a debilitating
impact on security, national economic security,
national public health or safety, or any
combination of those matters.
CIIP
Critical information infrastructure protection
Focuses on protection of IT systems and asset:
Telecommunication, computers/software ,
Internet, Satellite, submarine cable system
Ensures confidentiality, integrity, and
availability
Required 24x7 (365 days)
Past of the daily modern economy and
the existence of any country
gTLD as CIIP
gTLD registry should be classified as CII.
Registry’s facilities should be compliance with
CIIP requirements
S3

26. DDoS Amplification Attack to a gTLD Registry
26
Spoofed source IP DNS
technical compliance protocols
technical compliance protocols
Amplification Attack
Firewall/DefenseSystem
S1: BIND rate limit S2: buy transit S3: rules/policing
Challenges
S1 : out of victim’s control
S2 : port speed may not be upgradable accordingly
S3 : 1 capacity and performance
2 design new algorithm for new patterns instantly
(DNSSEC: destination validation)
gTLD Registry
It will be a severed disaster when the gTLD and sub-domains are unresolvable
S3
(Kenny Huang, 2014)

27. Potential gTLD CIIP Activities
27
Assisting government to better understand gTLD registry operation
Issuing important recommendations to government
Developing gTLD registry good practices
Assisting telecom regulatory authority in implementing incident
reporting
Facilitating the dialogue among the public and private stakeholders
on emerging CIIP issues
Contributing to national policy and strategic initiatives
Offering training and seminars to government on the area of its
competence, e.g., contingency planning, incident reporting
gTLD CIIP Activities
S3

28. ETSI Lawful Intercept Model
28
administration
function
IRI mediation
function
content
mediation
function
IRI : intercept
related Information
CC : content
of communication
INI
internal network interface
IIF
internal interception function
HI3
content of communication
Network
Internal
Functions
HI2
Intercept related information
HI1
administrative information
NWO/AP/SvP Domain
LEMF
Law Enforcement Monitoring Facility
network operator / access provider / service provider
HI: handover interface
S3
(ETSI)

29. Lawful Interception for LEA SOC
29
MD
LEA SOC
AAA
server
Access Router
WWW
content
RADIUS
Internet
ETSI TS 102 232-3
RADIUS name; Circuit ID;
User ID; IP address..etc
S3

30. Lawful Intercept Architecture – RFC3924
30
(Fred. Baker, Bill Foster)
DNS
hosting
Registries Registrars
? ? ?
S3

31. Backend Operator
Potential Registry-LEA Implementation
31
gTLD Registry
Data Escrow Agent
(ICANN approved)
Contractual
Compliance
Finance System
EBERO
Law
Enforcement
Agency
Jurisdictional
Considerations
invoice
Data Escrow Alerts
gTLD Failover Design
(Kenny Huang, 2015)

32. 32