New gTLD - National Cyberspace Strategy

32
千家爭鳴的域名新時代 New gTLD – National Cyberspace Strategy Kenny Huang, Ph.D. 黃勝雄博士 Executive Council Member, APNIC Advisor, .taipei Registry [email protected]


Agenda

2

S1. New gTLD updated

S2. New gTLD vs. Technology

S3. New gTLD vs. Policy

Critical Internet Components

3

Network Paths (Routing): Routing policy; Peering; Transit

Number Space (Addressing): IPv4; IPv6

Name Space (Naming): gTLDs; ccTLDs

Internet

S1

New gTLD Applications

4

Chart: New gTLD applications by category (share of applications): Generic 53; TM 34; IDN 6; Community 4; Geographic 3

1930 Applications; 1409 Extensions; 1155 Applicants

S1

New gTLDs Applications Updated

5

Charts: Application Statistics; Selected Subcategories of Delegated gTLDs

(ICANN, 9 Jan 2015)

Total Applications Submitted: 1930; Delegated gTLDs: 483

S1

New gTLD Market

6

S1

New gTLD Registrations

7

(namestat, 15 Jan 2015)

S1

All gTLD Registrations

8

(registrarstat, 15 Jan 2015)

New gTLD Market Share = New gTLD / All gTLD = 2.08%

gTLD Market Dilution

S1

gTLD CR4 Impact

9

Chart: Concentration Ratio (CR4 of .com, .net, .org, .info), 0%–100% scale
2007: 97.99%; 2008: 98.01%; 2009: 98.09%; 2010: 98.21%; 2011: 98.34%; 2012: 98.37%; 2013: 98.39%; 2015: 94.11%

CR4: Four-Firm Concentration Ratio measures the total market share of the four largest firms in an industry

New gTLD Delegated

NTIA agreement & ICANN Core Value “promote and sustain a competitive environment”

S1

(Kenny Huang, 2015)

New gTLD – Norm Disruption

10

S2

(Kenny Huang, 2015)

DNSSEC Behavior

11

Chain of trust (diagram): DNSKEY root → DS .taipei → DNSKEY .taipei → DS 101.taipei → DNSKEY 101.taipei

root

TLD: .taipei

SLD: 101.taipei

ISP recursive resolver

User stub resolver

1. User makes a request for a .taipei domain
2. ISP resolver verifies the root's DS key
3. Root points the ISP to the .taipei TLD and gives the ISP the .taipei DS key
4. ISP verifies .taipei's DS key
5. .taipei points the ISP to the 101.taipei SLD and gives the ISP the 101.taipei DS key
6. ISP verifies 101.taipei's SLD DS key
7. Requested SLD information is retrieved and sent back to the ISP
8. ISP sends the SLD information back to the user
9. User accesses the trusted 101.taipei domain
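Steps 2, 4 and 6 above each check a DS record against the child zone's DNSKEY. The Python below is an added example, not code from the slides: it models that DS-to-DNSKEY linkage as RFC 4034 defines it (wire-format owner name, key tag, SHA-256 DS digest) on constructed keys for root → taipei. → 101.taipei., and shows the chain failing when the 101.taipei DNSKEY a resolver receives does not match the DS its parent published. RRSIG signature verification, which a real validator also performs, is left out.

```python
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire-format owner name (RFC 4034 sec. 6.2): length-prefixed lowercase labels; root is b'\\x00'."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.lower().encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (1 byte, always 3), algorithm (1 byte), public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B); tells the resolver which key a DS refers to."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> str:
    """DS digest type 2 (RFC 4034 sec. 5.1.4): SHA-256 over owner name in wire form || DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()


def verify_chain(trust_anchor, zones):
    """Steps 2, 4 and 6 of the slide: at each zone cut the DNSKEY served by the child must match
    (key tag and digest) the DS published by its parent, starting from the configured root anchor.
    zones = [(owner, dnskey_rdata, ds_for_child), ...] from the root down; returns (ok, failing_zone)."""
    expected = trust_anchor
    for owner, rdata, child_ds in zones:
        if (key_tag(rdata), ds_digest(owner, rdata)) != expected:
            return False, owner  # a validating resolver treats the answer as bogus (SERVFAIL) here
        expected = child_ds
    return True, None


def build_chain(tamper_sld: bool = False):
    """Constructed sample chain root -> taipei. -> 101.taipei. (these are NOT the real zone keys).
    With tamper_sld=True the served 101.taipei DNSKEY is swapped, so .taipei's DS no longer matches it."""
    keys = {}
    for zone in (".", "taipei.", "101.taipei."):
        fake_pub = hashlib.sha256(f"constructed key for {zone}".encode()).digest()
        keys[zone] = dnskey_rdata(257, 3, 13, fake_pub)  # 257 = KSK flags, 13 = ECDSAP256SHA256
    def ds_for(zone):
        return key_tag(keys[zone]), ds_digest(zone, keys[zone])
    served_sld = dnskey_rdata(257, 3, 13, b"\x00" * 32) if tamper_sld else keys["101.taipei."]
    zones = [(".", keys["."], ds_for("taipei.")),
             ("taipei.", keys["taipei."], ds_for("101.taipei.")),
             ("101.taipei.", served_sld, None)]
    return ds_for("."), zones  # (root trust anchor as the resolver would configure it, chain)
```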

S2

DNSSEC Deployment Updated

12

Root Zone: 795 TLDs in the root zone in total; 622 TLDs are signed; 615 TLDs have trust anchors published as DS records in the root zone; 6 TLDs have trust anchors published in the ISC DLV Repository.

(ICANN, 16 Jan 2015)

(Eggert, Jan 2015)

S2

DNSSEC Internet Governance and Security Implication

13

root (.)

RFC 2826: Unique DNS Root; from "de facto model" to "de jure model"

Inconsistent Cyber Security: security is as strong as the weakest link

S2

IDN System & Technology Mandated

14

Diagram: seven numbered steps across three phases: registration, delegation, resolution

Parties: Registrant; Registrar; Registry; Managed Authoritative DNS; Recursive DNS/Cache; Users; Bind; Application Server

Policy layers: DNS Technical Specification; IDN Policy (option 1); IDN Policy (option 2); Sub-delegation Policy

Standards referenced: RFC 1034, 1035 (DNS); RFC 3743, 4713 (IDN); RFC 4033, 4034, 4035 (DNSSEC); RFC 5730, 5731, 5732, 5733, 5734 (EPP)

S2

(Kenny Huang, 2014)

Han Label Rules for The Root Zone

15

S2

(Kenny Huang, 2014)

Google IPv6 adoption

IPv6 and New gTLD

16

(Google, Jan 2015)

IPv6 is mandatory

S2

DN Market Value Chain (VC)

17

DN Market value chain:

Registries

Registrars; Resellers; Trade Marketplace; Brokers

DN Holders

Registries/Registrars

Backend Registry Operators; Software Vendors

DNS/Web Hosting; Server Hosting; Cloud Services

Value chains: VCa (a1, a2, a3); VCb (b1, b2); VCc (c1, c2); VCd (d1, d2, d3); weak links marked in the diagram

Industrial Competitiveness: Irreplaceable link in a value chain

(Kenny Huang, 2012)

S3

Strategy for Domain Name Policy

18

Chart: Uncertainty vs. Value, both on a 0.00–5.00 scale, positioning the value-chain links
Legend: a1 registries; a2 registrars; a3 resellers; b1 software vendors; b2 backend registry operators; c1 trade marketplace; c2 brokers; d1 DNS hosting; d2 server hosting; d3 cloud services

Strategies: Reprioritize and source alternative technologies; Risk mitigation; Develop fair competition environment; Strengthen industrial competitive advantage

(Kenny Huang, 2012)

S3

Regulations

19

Telecom Act s11, s17, s18? s20-1; Communication Security and Surveillance Act?

Telecom Act s20-1? Communication Security and Surveillance Act?

Telecom Act s11, s17, s18? Communication Security and Surveillance Act?

Telecom Act s20-1?

Regulations Governing the Supervision and Guidance of Internet Address and Domain Name Registration Management Services, Article 2, Subparagraph 5: "Domain name registration management services" means services that manage the registration data of the .tw top-level domain (TLD) or of other domain names representing our country, and that provide the normal operation of the domain name system and related registration management services.

Telecommunications Act, Article 20-1: Supervision and guidance of telecommunications Internet address and domain name registration management services shall be handled by the Directorate General of Telecommunications; the regulations for such supervision and guidance shall be prescribed by the Directorate General of Telecommunications. Those engaged in the aforementioned services shall be non-profit juridical persons.

Communication Security and Surveillance Act, Article 7

S3

Policy Hierarchy

20

Principles

Policies

Standards

Guidelines

Procedures

(Dominic Steinitz, 2002)

Policy Enforcement

Pros: Agility Cons: resource sustainability

Pros: Legitimacy Cons: Hard to achieve & inflexibility

S3

gTLD Policy Planning Model

21

Regulatory Framework: Telecom Act; Domain Registration Regulation

Policy Framework: ICANN policy; Sunrise; UDRP

Technical Specifications: ACE, IDN, Security, Whois; FQDN < 253; DN < 63

Market Demands: value; price; service quality

gTLD Policy: IDN; variants; reserved names; prohibited names; pricing; DRP

S3

(Kenny Huang, 2015)

gTLD Public Interests

22

Registrar Registration

System

New gTLD Registry

DNS Resolver

Registrant users

Domain name registration

Shared Registration System

Registration Policy; Reserved names; IDN variants; DNS Resource Records; DN expire and delete data; Financial information; Registrant information

DNS Server

delegation DRP

Registration Policy

Public interests

Eligibility

Service Quality

S3

(Kenny Huang, 2015)

Government Digital Portfolio

23

Allocatable Names; Prohibited Names

New gTLD applications

GAC Early Warning; Objections

Government Operated Registry; Public-Private Partnership Registry; Government Endorsement

Government Cyberspace Digital Portfolio: Defensive Strategy; Acquisition Strategy

S3

(Kenny Huang, 2015)

24

Economy: Innovation & Open markets

Protecting Networks: Security, Reliability & Resiliency

Law Enforcement: Collaboration & Rule of Law

Military: Preparing for Security Challenges

Internet Governance: Effective & Inclusive Structure

International Development: Build Capacity, Security & Prosperity

Internet Freedom: Supporting Freedoms & Privacy

S3

(USG, 2010)

OECD

CIIP vs. gTLD Critical Information Infrastructure Protection

25

Information components supporting the critical infrastructure; information infrastructure supporting essential components of government business; information infrastructure essential to the national economy

US

Systems and assets, whether physical or virtual, so vital to the US that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.

CIIP: Critical information infrastructure protection. Focuses on protection of IT systems and assets: telecommunication, computers/software, Internet, satellite, submarine cable system. Ensures confidentiality, integrity, and availability.

Required 24x7 (365 days). Part of the daily modern economy and the existence of any country.

gTLD as CIIP

gTLD registry should be classified as CII. Registry's facilities should comply with CIIP requirements.

S3

DDoS Amplification Attack to a gTLD Registry

26

Diagram: Spoofed source IP → DNS → Amplification Attack → Firewall/Defense System → gTLD Registry; technical compliance protocols on both sides; (DNSSEC: destination validation)

Mitigations: S1: BIND rate limit; S2: buy transit; S3: rules/policing

Challenges: S1: out of victim's control; S2: port speed may not be upgradable accordingly; S3: (1) capacity and performance, (2) design new algorithm for new patterns instantly

It will be a severe disaster when the gTLD and its sub-domains are unresolvable

S3

(Kenny Huang, 2014)

Potential gTLD CIIP Activities

27

Assisting government to better understand gTLD registry operation
Issuing important recommendations to government
Developing gTLD registry good practices
Assisting telecom regulatory authority in implementing incident reporting
Facilitating the dialogue among the public and private stakeholders on emerging CIIP issues
Contributing to national policy and strategic initiatives
Offering training and seminars to government on the area of its competence, e.g., contingency planning, incident reporting

gTLD CIIP Activities

S3

ETSI Lawful Intercept Model

28

administration function

IRI mediation function

content mediation function

IRI : intercept related Information

CC : content of communication

INI internal network interface

IIF internal interception function

HI3 content of communication

Network Internal Functions

HI2 Intercept related information

HI1 administrative information

NWO/AP/SvP Domain

LEMF Law Enforcement Monitoring Facility

network operator / access provider / service provider

HI: handover interface

S3

(ETSI)

Lawful Interception for LEA SOC

29

MD

LEA SOC

AAA server

Access Router

WWW

content RADIUS

Internet

ETSI TS 102 232-3

RADIUS name; Circuit ID; User ID; IP address, etc.

S3

Lawful Intercept Architecture – RFC3924

30

(Fred Baker, Bill Foster)

DNS hosting Registries Registrars

? ? ?

S3

Backend Operator

Potential Registry-LEA Implementation

31

gTLD Registry Data Escrow Agent (ICANN approved)

Contractual Compliance

Finance System

EBERO

Law Enforcement Agency

Jurisdictional Considerations

invoice

Data Escrow Alerts

gTLD Failover Design

(Kenny Huang, 2015)

32