Comments: 2006 - The Year of the Bull

On Wed, Dec 28, 2005 at 04:35:17PM +0000, wrote:

>> .
>> .
>> * countries have woken up to the fact that at the end of the day, the
>> USA controls enough of the core to have its way, and as a policy won't
>> give that up. This annoys some and worries others, so expect the fires
>> of UN committees on Internet governance to be well stoked, along with a
>> dozen other global copycats.

I don't think that is necessarily an accurate picture of the situation. More of a common misconception that the US administration has a vested interest in perpetuating.

The problem is that the people that are worried don't understand the technology, and the US has fooled the rest of the world into thinking that control of the Internet is theirs to give up if they should so choose...

If you believe them, then I have a bridge I would like to sell you...

In considering 'control of the Internet', the implementation of two key technologies are critical and largely independent - DNS and IP.

Consider the first for example. A simplified description of the basic strategy is as follows:

1. Dumb.
For the vast majority of hosts, such as Windows PCs, the strategy is simply 'I don't know but I know someone who does'. The ISP or other trusted party provides the name translation (by supplying an IP address of a 'nameserver' to do the work).
2. DNS server
This is any host running a DNS server, such as a Unix system running named. It does the following:
a. If the target is in a domain managed by someone under my domain, pass on the next level down
b. If the target is outside my domain, pass the request on to one of the root servers at the top of the tree.
c. If the target is in the directly managed domain, return the host if found, else return error.
3. Root Server.
For the root servers, the strategy is simply
a. If the target is in a domain managed by someone under my domain, pass on the next level down
b. Reject request - Non-existent host/domain

The crux of the control question is action 2b. The only differences between the 'root servers' and any other server are

1. It has no higher authority to refer to because it believes it knows everything defined in the top level domain
2. lots of other servers are configured to voluntarily defer to it.

So how do we confiscate these toys from the Whitehouse? Not as hard as everyone seems to imagine. You don't need the blessing of someone in the US, or a critical mass of rebels. You just need a machine on the Internet running a slightly modified DNS server.

The configuration would look like this:

4. Rebel DNS server
This is any host running a DNS server, such as a Unix system running named.
a. If the target is in my directly managed domain, return the host if found, else pass request to legacy root server.
b. If the target is managed by someone under my domain, pass on the request to that host
c. If the target is outside my domain, pass the request on to one of the rebel root servers at the top of the tree.
5. Rebel Root Server.
a. If the target is managed by someone under my domain, pass on the request to that machine
b. else pass the request on to one of the legacy root servers.

The trick is that we are now free to define new domains and hosts without any control from the old hierarchy. Any name search will be satisfied locally if possible, but come from the old tree if not. Effectively we have a union mount with the rebel system bound before the old.

There is a positive incentive for everyone to change, because those that do not only have a subset of the new Internet at their disposal.

There is the problem that the US servers can go ahead and define new hosts/domains that conflict with rebel ones (or rebel managers could pre-empt existing legacy domains), making part of the Internet inaccessible to rebel net users. However there is a disincentive here, in that most people will not want to register a DNS name that they know will be masked from some of the net.

A strategy around this would be to put the entire current Internet into a sub-domain under the rebel tree - so complaints, for example, might need to be emailed to if we decided to confiscate the '.gov' domain from Washington to use for our 'Internet Governance' organization. And of course the Whitehouse could not email any complaints to us unless they switched to the rebel servers.... ;)

This would be a trivial modification to the rebel servers above - the Rebel Root just recognizes the '.yank' domain as meaning 'strip the .yank and pass the result to one of the old servers..' But some things would break, such as web sites referring to conflicted names.

It would be a lot cleaner and simpler to just avoid any overlaps with the existing top level domains, making the rebel net a strict superset of what is provided by the US servers. The US administrators could fight back by deliberately defining new domains in conflict, but that would be such an overtly hostile act that it would most likely hasten the stampede to the independent servers.

The point is that DNS control is democratic, and we vote by pointing our DNS servers at a nominated higher authority. There is no need to take over the existing roots, you just define a better alternative. Any of us could set this up (I have been running one for years, but there was no point in advertising it because most of the names I have defined are on my private internal network), and any of us would be free to point our DNS servers to such a site. We would then have an 'in' Internet to manage as we wish - perhaps offering a '.free' domain for free registrations. If badly managed, people will simply go elsewhere.

The strategy for IP is a little different, and takes a bit more infrastructural co-operation. I will leave that as an exercise for now..


Posted by DigbyT at December 28, 2005 02:53 PM
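The union-mount resolution DigbyT describes, as an added example that is not part of the original comment: both trees are simulated in memory, the rebel root is consulted first, anything it does not define falls through to the legacy root, and a reserved '.yank'-style suffix reaches legacy names that a rebel conflict has masked. Zone contents and addresses are constructed for illustration.

```python
# Simulated resolution over two independent DNS trees, rebel and legacy.
# All zone contents and addresses below are constructed sample data.
LEGACY = {  # existing root hierarchy: TLD -> {name: address}
    "gov": {"whitehouse.gov": "192.0.2.10"},
    "com": {"example.com": "192.0.2.20"},
}
REBEL = {  # zones under the rebel root, defined independently of LEGACY
    "free": {"foo.free": "198.51.100.5"},
    # a rebel manager pre-empting an existing legacy name (the conflict case)
    "gov": {"complaints.gov": "198.51.100.7", "whitehouse.gov": "198.51.100.9"},
}

def resolve_tree(tree, name):
    """Walk one tree the way the comment's root does: delegate to the zone
    holding the TLD; that zone returns the host or reports non-existence."""
    tld = name.rsplit(".", 1)[-1]
    zone = tree.get(tld)
    if zone is None:
        return None            # root knows no such TLD
    return zone.get(name)      # zone manager answers, or None for NXDOMAIN

def rebel_resolve(name, legacy_tld="yank"):
    """Rebel root behaviour: answer from the rebel tree, else fall back to the
    legacy root (the union mount). A name ending in the reserved legacy_tld
    has that label stripped and goes straight to the legacy root, so a
    legacy name shadowed by a rebel conflict is still reachable."""
    if name.endswith("." + legacy_tld):
        return resolve_tree(LEGACY, name[: -len(legacy_tld) - 1])
    addr = resolve_tree(REBEL, name)
    return addr if addr is not None else resolve_tree(LEGACY, name)

def shadowed_names():
    """Legacy names a rebel-tree user cannot reach by their plain name because
    the rebel tree defines the same name. Empty when the rebel net is a
    strict superset of the legacy one, as the comment recommends."""
    return sorted(n for tld, zone in LEGACY.items() if tld in REBEL
                  for n in zone if n in REBEL[tld])

if __name__ == "__main__":
    for q in ["foo.free", "example.com", "whitehouse.gov", "whitehouse.gov.yank"]:
        print(q, "->", rebel_resolve(q))
    print("shadowed legacy names:", shadowed_names())
```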

The Rebel Root thing has been tried quite a number of times in the past, and has always gone down in flames eventually from lack of uptake. Unless there is sufficient momentum for the network effects to kick in and everyone decides to use the same Rebel Root, you just end up with fragmentation.

See the Late 90's DNS Wars and "which .biz is that?" madness. There were for a time a number of alternate Rebel Roots, some of which had overlapping domains, at least one of which (.biz) eventually DID get added to the Canonical Roots.

The problem is that such hierarchical naming schemes are a natural monopoly, and the network effects will drive everyone to use one system, so you need to somehow bootstrap up off of the current canonical root servers without having a future conflict be possible. Oy, that's a tall order, and I have yet to see a proposed solution that dodges the bullet on that one.

Posted by David Mercer at December 28, 2005 04:59 PM

If I can make enough money next year, I will hire people to code up a distributed, non-hierarchical DNS system based on PGP WoT trust model. The RFCs are already out, it's just a matter of implementation.
There is a marked demand in the p2p world for an independent, cheap nameserver infrastructure. I hope the indestructible .p2p TLD will be rolled out in 2006 or in 2007.
Of course, foo.p2p might not mean the same for you and for me, but it's not as much of an issue as some people think it is. If we want to do business, we will decide (freely) to trust the same name providers. The same way we have done with PGP keys.

Posted by Daniel A. Nagy at December 29, 2005 06:22 AM

Just some quick notes in response to your year of the bull article.

I expect Macs to get their virus comeuppance, if not in 2006 then in 2007, because of the Intel switch. What has prevented this from happening before is security through PowerPC obscurity. The vast majority of virus writers are x86 hackers. And OS X is no more secure than the open source software it employs and infrequently updates.

Also, imagine the following scenario: you run OS X, Windows and some BSD on the same hardware, with a recent CPU that has all of the virtualization enhancements. Windows is attacked by a worm or virus which installs itself on the hard disk and runs Windows as a virtualized OS. The virus could do the same with the other operating systems installed...

Posted by Felix at December 29, 2005 03:20 PM

Hi, I am a student at Mayfield School Essex.

I am writing this to try and gain your permission to use the picture bull1_dan_kozen.jpg. I am doing a coursework in DIDA at my school so I am only allowed to use a picture with permission. I will give you my word that I won't use this picture to sell or anything else, I just want to use the fantastic picture.

Please email me back asap on

Your concern in this matter will be appreciated
Hansen Raj

Posted by Hansen Raj at December 5, 2008 07:39 AM