Text
Text
#ICANN49
Name Collision Mitigation Update
Text
#ICANN49
Agenda
• New gTLD Collision Occurrence
Management Plan
• Outreach
• Collision Occurrence Mitigation
Framewor...
Text
#ICANN49
Collision Occurrence Management Plan
• 7 October 2013: New gTLD Collision Occurrence
Management Plan adopted...
Text
#ICANN49
Name Collision Outreach
• Educational content published
o Information and resources hub on ICANN website
 h...
Text
#ICANN49
Mitigating the Risk of
DNS Namespace
Collisions
Jeff Schmidt
JAS
Scope
• Initial Evaluation “DNS Stability String Review”
focused on a string’s potential impact on the
global DNS
• JAS re...
Risk Assessment Objectives
• The frequency of possible collisions has received
substantial attention; JAS primary objectiv...
Definition
• Interisle: Name collision occurs when name
resolution takes place in a semantic domain other
than the one tha...
Major Outreach and
Community Consultations
• 8-10 Mar: Verisign Name Collisions Workshop
(WPNC 14/IETF 89), London
• 26 Fe...
Major Outreach and
Community Consultations
• Three JAS guest blog posts on DomainIncite
– 39 comments
• Active discussion ...
Summary Findings
• Namespace collisions occur routinely throughout entire DNS
• Collisions occurred prior to delegation of...
Summary Findings
• Collisions have been mentioned in research as
early as 2003
• The two previous new TLD pilot rounds yie...
Why is this happening?
• Lack of appreciation/understanding of DNS
• DNS search list processing
• Intentional use of a nam...
Lessons from other namespaces
• Other (important) namespaces have collisions
• Other (important) namespaces have changed
•...
Excerpt: Most people, and
certainly the members of
ADDL, welcome constructive
change. However, the
telephone is an extreme...
JAS Recommendations (1)
• The TLDs .corp, .home and .mail should be
permanently reserved
• “Controlled Interruption” zone ...
JAS Recommendations (2)
• ICANN to monitor implementation
• ICANN to maintain emergency response
capability to act upon re...
Clear and Present Danger to Human Life
(C&PDHL)
• Balance not involving ICANN in commercial
disputes and allowing for situ...
Why 127.0.53.53?
• 127/8 loopback/localnet (RFC 1122 c. 1989)
• Intended to be “odd” enough to get attention and
rank in s...
Why 120 days?
• Certificate revocation period is a benchmark of
conservatism for a transition/buffer period
• Controlled i...
Text
#ICANN49
Name Collision
Mitigation Interactions
Text
#ICANN49
Name Collision Mitigation Interactions
• Not anticipated to alter rate of new TLD delegations
• Activation o...
Text
#ICANN49
Name Collision Mitigation Interactions
• 100 names for promotion of TLD allowed
o Cannot be activated until ...
Text
#ICANN49
Q & A
Questions can also be submitted to
XXX@icann.org
Text
#ICANN49
Related Global Domains Division Sessions
26 March
10:30-12:00
24 March
15:15-16:30
24 March
15:15-16:45
24 M...
of 26

Name Collision Mitigation Update from ICANN 49

Inform the community of the proposal to handle name collision on new TLDs and collect input. Originally presented during the Name Collision Mitigation Update Session at ICANN 49 in Singapore.
Published on: Mar 3, 2016
Published in: Technology      
Source: www.slideshare.net


Transcripts - Name Collision Mitigation Update from ICANN 49

  • 1. Text
  • 2. Text #ICANN49 Name Collision Mitigation Update
  • 3. Text #ICANN49 Agenda • New gTLD Collision Occurrence Management Plan • Outreach • Collision Occurrence Mitigation Framework – Draft Proposal • Mitigation Interactions • Q&A
  • 4. Text #ICANN49 Collision Occurrence Management Plan • 7 October 2013: New gTLD Collision Occurrence Management Plan adopted by ICANN Board New gTLD Program Committee • Plan Overview o Defer delegating home and corp indefinitely o Commission a study to develop a Name Collision Occurrence Management Framework o Each new gTLD to receive a Collision Occurrence Assessment based on the Framework o Alternate Path to Delegation for eligible strings o Outreach Campaign
  • 5. Text #ICANN49 Name Collision Outreach • Educational content published o Information and resources hub on ICANN website  http://www.icann.org/namecollision • Influential technology media outlets and industry associations targeted o Media coverage in 14 countries, 6 languages o 100+ IT industry associations contacted around the world • Amplified reach through social media o Engaged with LinkedIn CIO groups o Promotion through Twitter (66K followers) and Facebook (10K likes) • Ongoing efforts o Name Collision Information kit (contact GDD-Communications@icann.org) o Public mailing list coming soon  nc-info@icann.org  https://mm.icann.org/mailman/listinfo/nc-info
  • 6. Text #ICANN49 Mitigating the Risk of DNS Namespace Collisions Jeff Schmidt JAS
  • 7. Scope • Initial Evaluation “DNS Stability String Review” focused on a string’s potential impact on the global DNS • JAS research performed from the perspective of end-systems as “consumers” of the global DNS • JAS found no evidence to suggest that the security and stability of the global Internet DNS itself is at risk
  • 8. Risk Assessment Objectives • The frequency of possible collisions has received substantial attention; JAS primary objective is to advance discussion of the possible consequences from the theoretical to the concrete • Not all potential for collision results in collision • Not all collisions are problematic • Not all problematic collisions are equal • Evaluate mitigation options
  • 9. Definition • Interisle: Name collision occurs when name resolution takes place in a semantic domain other than the one that was expected by a user. • SAC062: The term “name collision” refers to the situation in which a name that is properly defined in one operational domain or naming scope may appear in another domain (in which it is also syntactically valid), where users, software, or other functions in that domain may misinterpret it as if it correctly belonged there.
  • 10. Major Outreach and Community Consultations • 8-10 Mar: Verisign Name Collisions Workshop (WPNC 14/IETF 89), London • 26 Feb: Draft report released for ICANN public comment period (closes 31 Mar) • 17-21 Nov: ICANN 48 Buenos Aires • 29 Oct: Online Trust Alliance (OTA) Collisions Event, Washington DC • 1 Oct: TLD Security Forum, Washington DC
  • 11. Major Outreach and Community Consultations • Three JAS guest blog posts on DomainIncite – 39 comments • Active discussion on two email lists • > 20 active “consumers” of colliding namespaces • > 10 vendors • > 40 other sources
  • 12. Summary Findings • Namespace collisions occur routinely throughout entire DNS • Collisions occurred prior to delegation of every TLD since (at least) 2007 TLD Registration Date # SLDs in theoretical block list .post 2012-08-07 > 50,000 .xxx 2011-04-15 > 40,000 .me 2007-09-24 > 10,000 .cw 2010-12-20 > 10,000 .asia 2007-05-02 > 5,000 .sx 2010-12-20 > 5,000 .rs 2007-09-24 > 5,000 .tel 2007-03-01 > 1,000 . xn-- mgba3a4f16a 2013-09-13 > 100
  • 13. Summary Findings • Collisions have been mentioned in research as early as 2003 • The two previous new TLD pilot rounds yielded no serious collision-related issues • Failure modalities seem similar in all parts of the DNS namespace • Namespace expansion does not fundamentally or significantly increase or change the risks
  • 14. Why is this happening? • Lack of appreciation/understanding of DNS • DNS search list processing • Intentional use of a namespace that is not under the control of the using party • Retirement/expiration of hostnames/2LD registrations • Colliding DNS namespaces are often purchased – squatting, investing, domaining, drop-catching…
  • 15. Lessons from other namespaces • Other (important) namespaces have collisions • Other (important) namespaces have changed • Use notification/transition periods – Advance notification – Temporary grace/NACK period highly desirable • 30-90 days typical • There will be resistance to change • In the end people and systems will adapt
  • 16. Excerpt: Most people, and certainly the members of ADDL, welcome constructive change. However, the telephone is an extremely important part of everyday life, and major changes in its use will have widespread effects.
  • 17. JAS Recommendations (1) • The TLDs .corp, .home and .mail should be permanently reserved • “Controlled Interruption” zone (127.0.53.53) immediately upon delegation and extending for 120 days – Non-delegated: implement following delegation using wildcard – Delegated/APD: implement using DNS Resource Records (RR) for SDL Block List strings
  • 18. JAS Recommendations (2) • ICANN to monitor implementation • ICANN to maintain emergency response capability to act upon reported problems that present “clear and present danger to human life” • Don’t de-delegate at root level; use EBERO for surgical edits if required • Several recommendations around improved data collection and archival at the root zone
  • 19. Clear and Present Danger to Human Life (C&PDHL) • Balance not involving ICANN in commercial disputes and allowing for situations where inaction is not acceptable • Defining and quantifying harm in any terms less than C&PDHL on a global basis is impossible • Cause “self-selection” of collisions-related reports to ICANN • Provide guidance to ICANN staff when evaluating reports
  • 20. Why 127.0.53.53? • 127/8 loopback/localnet (RFC 1122 c. 1989) • Intended to be “odd” enough to get attention and rank in search engines • Other options: RFC 1918 & Internet Honeypot • Sophisticated network operators have options to control 127.0.53.53 responses – Response Policy Zone (RPZ), IDS/IPS – Verified with BIND and Snort
  • 21. Why 120 days? • Certificate revocation period is a benchmark of conservatism for a transition/buffer period • Controlled interruption impacts different systems differently; wide variance in time required for detection and remediation • Conscious of quarterly batch processing
  • 22. Text #ICANN49 Name Collision Mitigation Interactions
  • 23. Text #ICANN49 Name Collision Mitigation Interactions • Not anticipated to alter rate of new TLD delegations • Activation of domain names under the new gTLD o Already not allowed during 120-days from contracting o Would also not be allowed during 120-days from delegation  Only exception to rule: nic.<tld> and under • Registration/allocation of domain names under new gTLD o Allowed from delegation, subject to RPM and other requirements, Sunrise and Claims periods o Registered/allocated names are subject to the normal Sunrise and Claims period, depending on the period in which they are allocated
  • 24. Text #ICANN49 Name Collision Mitigation Interactions • 100 names for promotion of TLD allowed o Cannot be activated until the end of the no-activation period(s) o Subject to other requirements in the Registry Agreement • Alternate Path vs. Controlled Interruption Measure o Newly delegated gTLDs: Alternate Path to Delegation not available if/when Framework is adopted by ICANN Board o Already delegated gTLDs: Only apply controlled interruption in block list names (i.e., no DNS wildcard record under the TLD) • Name Collision Reporting o Already available 24/7 to affected parties o New requirement in proposal is threshold for demonstrably severe harm: “clear and present danger to human life”
  • 25. Text #ICANN49 Q & A Questions can also be submitted to XXX@icann.org
  • 26. Text #ICANN49 Related Global Domains Division Sessions 26 March 10:30-12:00 24 March 15:15-16:30 24 March 15:15-16:45 24 March 17:00-18:30 TLD Registry - Ongoing Operations New gTLD Program Auctions TLD Acceptance TLD Launch Process Experiences and Registry Onboarding IDN Variant TLDs Program Update 26 March 10:30-12:00

Related Documents