New gTLD - National Cyberspace Strategy
Transcript of New gTLD - National Cyberspace Strategy
A New Era of Domain Names with a Thousand Contenders: New gTLD – National Cyberspace Strategy
Kenny Huang, Ph.D. (黃勝雄博士), Executive Council Member, APNIC; Advisor, .taipei Registry
Critical Internet Components
Naming – Name Space
• gTLDs • ccTLDs
Addressing – Number Space
• IPv4 • IPv6
Routing – Network Paths
• Routing policy • Peering • Transit
New gTLD Applications
1930 applications; 1409 extensions; 1155 applicants
Breakdown by category (percent of applications): Generic 53, TM 34, IDN 6, Community 4, Geographic 3
New gTLD Applications Updated (ICANN, 9 Jan 2015)
Application statistics: selected subcategories of delegated gTLDs
Total applications submitted: 1930; delegated gTLDs: 483
All gTLD Registrations (registrarstat, 15 Jan 2015)
New gTLD market share = New gTLD registrations / All gTLD registrations = 2.08%
gTLD market dilution
gTLD CR4 Impact (Kenny Huang, 2015)
CR4 (Four-Firm Concentration Ratio) measures the total market share of the four largest firms in an industry; here the four are .com, .net, .org and .info.
Year  CR4
2007  97.99%
2008  98.01%
2009  98.09%
2010  98.21%
2011  98.34%
2012  98.37%
2013  98.39%
2015  94.11% (new gTLDs delegated)
NTIA agreement & ICANN Core Value: “promote and sustain a competitive environment”
DNSSEC Behavior
Chain of trust: DNSKEY root → DS .taipei (in the root zone) → DNSKEY .taipei → DS 101.taipei (in the .taipei zone) → DNSKEY 101.taipei
Parties: user stub resolver; ISP recursive resolver; root; TLD: .taipei; SLD: 101.taipei
1 User makes a request for a .taipei domain
2 ISP resolver verifies the root’s DS key
3 Root points the ISP to the .taipei TLD and gives the ISP the .taipei DS key
4 ISP verifies .taipei’s DS key
5 .taipei points the ISP to the 101.taipei SLD and gives the ISP the 101.taipei DS key
6 ISP verifies 101.taipei’s SLD DS key
7 Requested SLD information is retrieved and sent back to the ISP
8 ISP sends the SLD information back to the user
9 User accesses the trusted 101.taipei domain
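As an added illustration of steps 2–6 (example code, not from the slide deck): a resolver-side check of the DS/DNSKEY links for the root → .taipei → 101.taipei chain, using constructed stand-in keys; RRSIG signature verification is deliberately left out so only the hash linkage the slide draws is shown.

```python
import hashlib
def owner_wire(name: str) -> bytes:
    """Canonical wire-format owner name (RFC 4034 s6.2): lowercase labels, each length-prefixed, zero-terminated."""
    labels = [l for l in name.lower().strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA = Flags | Protocol (always 3) | Algorithm | Public Key (RFC 4034 s2.1)."""
    return flags.to_bytes(2, "big") + bytes([3, algorithm]) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner: str, rdata: bytes) -> str:
    """DS digest type 2 = SHA-256(owner name | DNSKEY RDATA) (RFC 4034 s5.1.4, RFC 4509)."""
    return hashlib.sha256(owner_wire(owner) + rdata).hexdigest()

def make_ds(owner: str, rdata: bytes) -> dict:
    """The DS record a parent zone publishes for its child's key-signing key."""
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3], "digest_type": 2,
            "digest": ds_digest(owner, rdata)}

def validate_chain(delegations: list) -> list:
    """Walk root -> TLD -> SLD as on the slide: the DS handed out by each parent (steps 3, 5)
    must match the DNSKEY served by the child (steps 4, 6). The root DNSKEY is the resolver's
    configured trust anchor; RRSIG verification is left out, only the DS/DNSKEY link is checked."""
    results = []
    for child, child_rdata, ds in delegations:
        ok = (ds["key_tag"] == key_tag(child_rdata) and ds["algorithm"] == child_rdata[3]
              and ds["digest_type"] == 2 and ds["digest"] == ds_digest(child, child_rdata))
        results.append((child, ok))
        if not ok:
            break  # one broken link: nothing below it can be trusted
    return results
KSK = 0x0101  # flags: Zone Key + Secure Entry Point, i.e. a key-signing key
# Constructed stand-in public keys (fixed bytes, not real DNSSEC keys); algorithm 13 = ECDSAP256SHA256.
taipei_key = dnskey_rdata(KSK, 13, bytes(range(32)))
sld_key = dnskey_rdata(KSK, 13, bytes(range(32, 64)))
forged_sld_key = dnskey_rdata(KSK, 13, bytes(range(64, 96)))
# The root zone publishes the DS for .taipei; the .taipei zone publishes the DS for 101.taipei.
GOOD_CHAIN = [("taipei.", taipei_key, make_ds("taipei.", taipei_key)),
              ("101.taipei.", sld_key, make_ds("101.taipei.", sld_key))]
# A substituted SLD key no longer matches the DS the TLD handed out, so validation fails there.
BAD_CHAIN = [GOOD_CHAIN[0], ("101.taipei.", forged_sld_key, GOOD_CHAIN[1][2])]
```

`validate_chain(GOOD_CHAIN)` returns both links as trusted, while `validate_chain(BAD_CHAIN)` stops at 101.taipei with a failed link.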
DNSSEC Deployment Updated (ICANN, 16 Jan 2015; Eggert, Jan 2015)
Root zone: 795 TLDs in the root zone in total; 622 TLDs are signed; 615 TLDs have trust anchors published as DS records in the root zone; 6 TLDs have trust anchors published in the ISC DLV Repository.
DNSSEC Internet Governance and Security Implication
• root (.): RFC 2826 Unique DNS Root, from “de facto model” to “de jure model”
• Inconsistent cyber security: security is as strong as the weakest link
IDN System & Technology Mandated (Kenny Huang, 2014)
Lifecycle: registration → delegation → resolution
Actors: Registrant; Registrar; Registry; Managed Authoritative DNS; Recursive DNS/Cache; Users; BIND; Application Server
Policies: DNS Technical Specification; IDN Policy (option 1); IDN Policy (option 2); Sub-delegation Policy
Standards mandated along the flow (steps 1–7 on the slide): RFC 5730, 5731, 5732, 5733, 5734 (EPP); RFC 1034, 1035 (DNS); RFC 3743, 4713 (IDN); RFC 4033, 4034, 4035 (DNSSEC)
DN Market Value Chain (VC) (Kenny Huang, 2012)
DN market actors: Registries; Registrars; Resellers; Trade Marketplace; Brokers; DN Holders; Registries/Registrars
Supporting actors: Backend Registry Operators; Software Vendors; DNS/Web Hosting; Server Hosting; Cloud Services
The market is drawn as four value chains VCa–VCd with nodes a1–a3, b1–b2, c1–c2 and d1–d3; several links are marked as weak links.
Industrial competitiveness: an irreplaceable link in a value chain
Strategy for Domain Name Policy (Kenny Huang, 2012)
[Scatter plot: the ten value-chain nodes a1–a3, b1–b2, c1–c2, d1–d3 plotted by Value (x axis, 0.00–5.00) against Uncertainty (y axis, 0.00–5.00)]
Strategies:
• Reprioritize and source alternative technologies (risk mitigation)
• Develop a fair competition environment
• Strengthen industrial competitive advantage
Segments considered: registries; registrars; resellers; software vendors; backend registry operators; trade marketplace; brokers; DNS hosting; server hosting; cloud services
Regulations
Applicable legal basis per actor (a “?” marks a provision whose applicability is an open question on the slide):
• Telecom Act s11, s17, s18? s20-1; Communication Security and Surveillance Act?
• Telecom Act s20-1? Communication Security and Surveillance Act?
• Telecom Act s11, s17, s18? Communication Security and Surveillance Act?
• Telecom Act s20-1?
Regulations Governing the Supervision and Guidance of Internet Address and Domain Name Registration Management Services, Article 2, Paragraph 5: “domain name registration management services” means managing the registration data of the .tw top-level domain (TLD) or of other domain names representing the Republic of China (Taiwan), and providing the services needed for the normal operation of the domain name system and for related registration management.
Telecommunications Act, Article 20-1: the supervision and guidance of telecommunications Internet address and domain name registration management services shall be handled by the Directorate General of Telecommunications, which shall prescribe the regulations for such supervision and guidance. Entities engaged in the foregoing services shall be non-profit legal persons.
Communication Security and Surveillance Act, Article 7
Policy Hierarchy (Dominic Steinitz, 2002)
Principles → Policies → Standards → Guidelines → Procedures
Policy enforcement trade-offs:
• Pros: agility; Cons: resource sustainability
• Pros: legitimacy; Cons: hard to achieve & inflexibility
gTLD Policy Planning Model (Kenny Huang, 2015)
Inputs to gTLD policy:
• Regulatory Framework: Telecom Act; Domain Registration Regulation
• Policy Framework: ICANN policy; Sunrise; UDRP
• Technical Specifications: ACE, IDN, Security, Whois; length limits FQDN < 253, DN < 63
• Market Demands: value; price; service quality
gTLD Policy outputs: IDN; variants; reserved names; prohibited names; pricing; DRP
gTLD Public Interests (Kenny Huang, 2015)
Components: Registrar Registration System; New gTLD Registry (Shared Registration System); DNS Server (delegation); DNS Resolver; Registrant users; Domain name registration; DRP
Registry data and registration policy: reserved names; IDN variants; DNS resource records; DN expire and delete data; financial information; registrant information
Public interests: Eligibility; Service Quality
Government Digital Portfolio (Kenny Huang, 2015)
Goal: a Government Cyberspace Digital Portfolio, built through a Defensive Strategy and an Acquisition Strategy
Elements: Allocatable Names; Prohibited Names; New gTLD applications; GAC Early Warning; Objections; Government Operated Registry; Public-Private Partnership Registry; Government Endorsement
Cyberspace policy priorities (USG, 2010)
• Economy: Innovation & Open Markets
• Protecting Networks: Security, Reliability & Resiliency
• Law Enforcement: Collaboration & Rule of Law
• Military: Preparing for Security Challenges
• Internet Governance: Effective & Inclusive Structure
• International Development: Build Capacity, Security & Prosperity
• Internet Freedom: Supporting Freedoms & Privacy
CIIP vs. gTLD: Critical Information Infrastructure Protection
OECD definition: information components supporting the critical infrastructure; information infrastructure supporting essential components of government business; information infrastructure essential to the national economy.
US definition: systems and assets, whether physical or virtual, so vital to the US that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.
CIIP (critical information infrastructure protection) focuses on the protection of IT systems and assets (telecommunication, computers/software, Internet, satellite, submarine cable systems) and ensures confidentiality, integrity and availability. Required 24x7 (365 days); part of the daily modern economy and of the existence of any country.
gTLD as CIIP: a gTLD registry should be classified as CII, and the registry’s facilities should be compliant with CIIP requirements.
DDoS Amplification Attack to a gTLD Registry (Kenny Huang, 2014)
Attack path: DNS queries with a spoofed source IP → amplification attack → gTLD registry, fronted by a firewall/defense system (technical compliance protocols on both sides)
Mitigation options: S1: BIND rate limit; S2: buy transit; S3: rules/policing
Challenges: S1: out of the victim’s control; S2: port speed may not be upgradable accordingly; S3: (1) capacity and performance, (2) designing a new algorithm for new patterns instantly
(DNSSEC: destination validation)
It will be a severe disaster when the gTLD and its sub-domains are unresolvable.
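Added example, not from the deck: a small detector for the query pattern a registry’s authoritative server sees during a reflection attack, run over constructed BIND-style query-log lines. The per-second threshold, the “large answer” query types and all addresses are assumptions.

```python
import re
from collections import defaultdict

# BIND 9 style query-log line: "<date> <time> client <ip>#<port> (<qname>): query: <qname> IN <type> <flags> (<server>)"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) client (?P<ip>[\d.]+)#\d+ \(\S+\): query: (?P<name>\S+) IN (?P<qtype>\S+) ")

def parse_query_log(text: str):
    """Yield (source ip, qname, qtype, timestamp) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ip"), m.group("name"), m.group("qtype"), m.group("ts")

def flag_reflection_sources(text: str, qps_limit: int = 10,
                            big_types=("ANY", "DNSKEY", "RRSIG", "TXT")) -> dict:
    """Bucket queries per (source ip, one-second window) and flag sources that exceed
    qps_limit with mostly large-answer types. A flagged 'source' is usually the spoofed
    victim, so the right response is rate limiting (S1 on the slide), not blocking it."""
    buckets = defaultdict(lambda: defaultdict(int))
    for ip, _name, qtype, ts in parse_query_log(text):
        buckets[(ip, ts[:ts.rfind(".")])][qtype] += 1  # drop milliseconds -> 1 s bucket
    flagged = {}
    for (ip, second), counts in buckets.items():
        total = sum(counts.values())
        big = sum(n for t, n in counts.items() if t in big_types)
        if total > qps_limit and big * 2 >= total:
            flagged[ip] = {"second": second, "queries": total, "large_answer_queries": big}
    return flagged

# Constructed sample (not from the deck): 40 ANY queries for the TLD apex within one second,
# all claiming to come from 203.0.113.7, plus a handful of ordinary lookups from other clients.
def _line(ms: int, ip: str, port: int, name: str, qtype: str) -> str:
    return (f"15-Jan-2015 10:00:01.{ms:03d} client {ip}#{port} ({name}): "
            f"query: {name} IN {qtype} +E (192.0.2.53)")

SAMPLE_LOG = "\n".join(
    [_line(i, "203.0.113.7", 53, "101.taipei", "ANY") for i in range(40)]
    + [_line(100 + i, "198.51.100.4", 40000 + i, "www.101.taipei", "A") for i in range(3)]
    + [_line(200 + i, "192.0.2.10", 51000 + i, "101.taipei", "MX") for i in range(2)])
```

`flag_reflection_sources(SAMPLE_LOG)` reports only 203.0.113.7, with 40 queries in the 10:00:01 bucket, all of a large-answer type.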
Potential gTLD CIIP Activities
• Assisting government to better understand gTLD registry operation
• Issuing important recommendations to government
• Developing gTLD registry good practices
• Assisting the telecom regulatory authority in implementing incident reporting
• Facilitating the dialogue among public and private stakeholders on emerging CIIP issues
• Contributing to national policy and strategic initiatives
• Offering training and seminars to government in its area of competence, e.g., contingency planning, incident reporting
ETSI Lawful Intercept Model (ETSI)
NWO/AP/SvP domain (network operator / access provider / service provider): Network Internal Functions; IIF (internal interception function); INI (internal network interface); administration function; IRI mediation function; content mediation function
Handover interfaces (HI) to the LEMF (Law Enforcement Monitoring Facility): HI1 administrative information; HI2 intercept related information (IRI); HI3 content of communication (CC)
Lawful Interception for LEA SOC (ETSI TS 102 232-3)
Components: LEA SOC; MD (mediation device); AAA server (RADIUS); Access Router; WWW content; Internet
Identifiers handed over: RADIUS name; Circuit ID; User ID; IP address, etc.
Lawful Intercept Architecture – RFC 3924 (Fred Baker, Bill Foster)
Open question: how do DNS hosting, Registries and Registrars map onto the RFC 3924 architecture? Each is marked “?” on the slide.
Potential Registry-LEA Implementation (Kenny Huang, 2015)
Parties: gTLD Registry; Backend Operator; Data Escrow Agent (ICANN approved); Contractual Compliance; Finance System (invoice); EBERO (Emergency Back-End Registry Operator); Law Enforcement Agency
Considerations: Jurisdictional Considerations; Data Escrow Alerts; gTLD Failover Design