Interesting People mailing list archives
more on Fort N.O.C.'s
From: Dave Farber <dave () farber net>
Date: Thu, 22 Jan 2004 11:12:53 -0500
Delivered-To: dfarber+ () ux13 sp cs cmu edu
Date: Wed, 21 Jan 2004 15:11:38 -0800 (PST)
From: Karl Auerbach <karl () cavebear com>
Subject: Re: [IP] Fort N.O.C.'s
To: Dave Farber <dave () farber net>

On Thu, 22 Jan 2004, Dave Farber wrote:

> http://www.msnbc.msn.com/Default.aspx?id=4009568&p1=01%7C%7C%7C%7C004
> Fort N.O.C.'s
> By Brock N. Meeks
> ... No signs or markers give a hint that the Internet's most
> precious computer...

It is hardly the "most precious computer"!!!

It is very easy to replicate the DNS root zone - in its compressed form it is smaller than many of the cutesy image buttons that besplatter web pages around the world, it will fit on a floppy disk with lots of room to spare.

As I have suggested, the "precious" aspect is merely the result of a near dogma that is unwilling to accept the fact that just as the telephone system can have multiple publishers of telephone books, the internet can have multiple "roots" for DNS.

The issue is consistency. As long as those roots all point to the same places the end result will be the same, just as it is the same person who answers the telephone whether you find the phone number from brand X or brand Y telephone book.

Many of us who have had to live through natural disasters can attest to the value of having a copy of the root zone handy so that we can set up local emergency root servers and start rebuilding our infrastructures from the inside-out rather than waiting for the outside to come and find us.

The concept that Verisign's "a" root server is precious has substance only because we have blinded ourselves to the alternatives.

I don't use the ICANN/Verisign/Dept of Commerce DNS root, I haven't used it for something on the order of 7 years now. So my ability to resolve names is not dependent on whether that building in northern Virginia collapses in the next Virginia earthquake or not.

Far more damaging to the Internet would be loss of the suite of servers that serve-up the .com, .net, and in-addr.arpa domains.

> Historically the root operators have formed a loose
> collation that coordinates and cooperates out of sense of duty, not
> regulation or contract.

One can only stand in astonishment at this fact.

ICANN was created to assume the obligation to ensure to the public that the top levels of the DNS system work well, day-in and day-out. The fact that the DNS roots are still run by people who, despite their technical expertise and stellar performance so far, are completely beyond public accountability or bound to abide by any service level agreements, is very sad, and ought to be of great concern by those who believe that those who run critical resources on behalf of the public should be ultimately accountable to the public and obliged to provide clearly defined services according to clearly defined service levels.

> Access to the Network Operations Center, the "NORAD" of the Internet's
> traffic monitoring, requires the electronic badge and then a double
> biometric hand print scan.

Of course even the most dim-witted attacker would realize that no matter how strong the walls are, simply disconnecting the building from the net, either physically (with a back hoe) or logically (by saturating network links or by interfering with the routing of packets) is much more effective than a full frontal assault.

> "Should the 'A' root fail for any reason, sudden network drop or a backhoe
> out there [cutting a line], somehow if this site just vanished off the
> Internet, it would automatically [switch] over to one or two other
> locations," Silva said. These are the so-called "warm back-ups" that
> VeriSign has on stand-by at all times. The Internet never sees them, Silva
> says, but they can be up and running within 15 minutes and in that time
> Internet users wouldn't even notice a hiccup in traffic, Silva says, owing
> to the fact that the majority of a user's web experience is "cached" on a
> local Internet Service Provider.

That all presumes that packet routing - the all important system that few talk about and which ISPs consider highly proprietary - is able to adapt to the routing changes. Physical connectivity is worthless if packets can not find their way or are led into dead ends.

The late Jon Postel wanted to test some of these fallback systems - he was nearly burned at the stake for suggesting it.

I'm not suggesting that Verisign's engineering is bad. In fact, the folks at Verisign have great technical abilities and a good attitude - their efforts deserve both recognition and congratulation.

However, as I said before - the fact that this armoring is needed is the result of our own mental blinders that don't allow us to see that we can distribute the root information much further and much wider so that such points of sensitivity would not exist.

See my note http://www.cavebear.com/cbblog-archives/000007.html

--karl--
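
The consistency condition the message describes (different roots are interchangeable as long as they point to the same places) can be checked mechanically. The Python below is an added example, not part of the original message; the zone snippets, host names and addresses are constructed, and skipping the apex NS set assumes each root publishes its own server names.

```python
"""Compare the TLD delegations published by two copies of a DNS root zone."""
from collections import defaultdict

RTYPES = {"NS", "A", "AAAA"}  # records that decide where a TLD query is sent

def parse_delegations(zone_text):
    """Map owner name -> set of (type, rdata), ignoring TTL, class and case."""
    records = defaultdict(set)
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()      # drop ';' comments
        rtype = next((f.upper() for f in fields[1:] if f.upper() in RTYPES), None)
        if rtype is None:
            continue                                 # SOA, blank lines, etc.
        owner = fields[0].lower().rstrip(".") + "."
        rdata = fields[-1].lower()
        if rtype == "NS":
            rdata = rdata.rstrip(".") + "."          # normalise trailing dot
        records[owner].add((rtype, rdata))
    return records

def compare_roots(zone_a, zone_b):
    """Return {owner: (only_in_a, only_in_b)} for names whose records differ."""
    a, b = parse_delegations(zone_a), parse_delegations(zone_b)
    diffs = {}
    for owner in sorted(set(a) | set(b)):
        if owner == ".":
            continue  # assumption: each root names its own apex servers
        ra, rb = a.get(owner, set()), b.get(owner, set())
        if ra != rb:
            diffs[owner] = (sorted(ra - rb), sorted(rb - ra))
    return diffs

# Constructed sample zones (illustrative names, documentation addresses).
ROOT_X = """\
.    518400 IN NS root1.example.
com. 172800 IN NS ns1.com-registry.example.
com. 172800 IN NS ns2.com-registry.example.
net. 172800 IN NS ns1.net-registry.example.
ns1.com-registry.example. 172800 IN A 192.0.2.1
"""
ROOT_Y = """\
; second publisher: other apex, TTLs, case and ordering
.    86400 IN NS rootb.example.
COM. 86400 IN NS NS2.com-registry.example.
com. 86400 IN NS ns1.com-registry.example.
net. 86400 IN NS ns1.other-operator.example.
ns1.com-registry.example. 86400 IN A 192.0.2.1
"""

if __name__ == "__main__":
    for name, (x_only, y_only) in compare_roots(ROOT_X, ROOT_Y).items():
        print(f"INCONSISTENT {name} X-only={x_only} Y-only={y_only}")
```

An empty result means both copies send every TLD query to the same servers; any entry marks a name that would resolve differently depending on which root a resolver uses.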