The SIPNOC 2013 agenda includes talks on:

• VoIP and communications security
• Business strategies for service providers
• Regulatory and policy issues
• Multiple sessions about WebRTC and how that will change IP communications
• IPv6 and VoIP
• HD audio
• Standards relating to VoIP and SIP

The main sessions begin tomorrow with a keynote presentation from FCC CTO Henning Schulzrinne where I expect he will talk about some of the challenges the FCC has identified as they continue to push the industry to move away from the traditional PSTN to the world of IP communications.

I've very much enjoyed the past SIPNOC conferences and will be back there again this year leading sessions about: IPv6 and VoIP; how DNSSEC can help secure VoIP; and a couple of sessions related to VoIP security. I'm very much looking forward to the discussions and connections that get made there — and if any of you are attending I look forward to meeting you there.

SIPNOC 2013 will not be livestreamed, but if you are in the DC area (or can easily get there), registration is still open for the event. I suspect you'll also see some of us tweeting with the hashtag #sipnoc.

Written by Dan York, Author and Speaker on Internet technologies

http://beijing46.icann.org/

and the full schedule of events can be found at:

http://beijing46.icann.org/full-schedule

A great aspect of ICANN meetings is that most of the meetings have some mechanism for you to view the meeting remotely. If you go into any of the sessions on the schedule, you will see remote participation links — often for both high and low bandwidth connections. In my experience, many sessions are also recorded for later viewing.

Do keep in mind that all times are local to Beijing which is UTC+8 and may not work with your viewing schedule. For instance, there is a 12-hour difference from the eastern US where I live and as a result a session that starts Monday at 9am will be starting Sunday night at 9pm for people in the eastern US..

In the midst of all the more business-focused discussions around domain names and governance questions, there are also some excellent technical tracks. I will be in Beijing specifically for the excellent DNSSEC Workshop and related sessions, as well as attending the IPv6 workshop.

I'm looking forward to the ICANN 46 event — if you will be there, too, please do feel free to say hello. You can pretty much expect to find me in any sessions related to DNS security.

P.S. If you are interested in the views of my employer, the Internet Society, on the events happening at ICANN 46, a few of my colleagues prepared the "Internet Society's Rough Guide to ICANN 46's Hot Topics” that outlines what the organization will be watching and participating in over the next week.

Written by Dan York, Author and Speaker on Internet technologies

While 1) is unavoidable simply due to the additional data that DNSSEC produces, and 2) "should" be practised as part of any provider's network configuration, it is 3) that requires "you and I" ensure that systems are adequately configured.

The fact is open DNS resolvers are nothing new and the open resolver project is tracking approximately 27 million open DNS resolvers. What I find interesting is that their database can be queried for an IP range to see how many open resolvers are listed.

Out of curiosity, I entered the /24 prefix that my personal IP address resides on, 81.174.169.0/24. This range belongs to Plusnet, a popular ISP located within the UK. I was quite surprised that a list of 9 IP addresses came back, I wasn't really expecting any, and fortunately, none of them were mine!

Out of further curiosity, I started using dig to fire off a DNS query for "www.bbc.co.uk" to each of the IP's. Most of them timed out, but as I worked down the list, sure enough, one of them returned an answer. I ran a port scan but couldn't detect any well known open ports other than DNS. So within a few minutes, I had found an open resolver being run on an IP address within the same /24 as my own. This ISP has hundreds of thousands, if not millions of customers, so if extrapolated, there could be thousands of open resolvers present via this one ISP. (Having said that, this list of open resolvers vs AS numbers only lists 7 open resolvers against Plusnet, so maybe I was just (un)lucky...) I would like to think my ISP has implemented BCP-38, but what if they haven't? And how many other ISPs out there haven't?

I have no idea whether CPE routers are providing this open resolver capability or whether people are genuinely running a poorly configured DNS server. The Measurement Factory perform regular surveys for open resolvers and network providers can get them to email a list of open resolvers. They have a useful page here.

I guess it's unfair to place the blame solely at sysadmins when the default setting for BIND up until 9.4 was to allow queries from anyone, and I am sure there are many *nix/*BSD distros that shipped with BIND versions <9.4 (RHEL 5 anyone?) — although you could argue "Why haven't they upgraded?" as we are talking pretty old code here. No, I think more culpable are the network operators who route spoofed traffic out from their network; it is inexcusable that they have not implemented BCP-38 (also known as RFC2827).

However, looking at that list of open resolvers vs ASNs again, the top offender is Brazil, followed by a big block in Asia-Pac, HINET is Taiwan, then Chile, Korea etc. To go to each of these providers, figure out which local networks are the offenders, and communicate all this in a meaningful, constructive way to the end customers, well, it's a gargantuan task!

Unfortunately I do not see a simple solution to this problem, and I fear that with the publicity the Spamhaus attack generated, we will ultimately see more of these kinds of attacks.

If you are curious like me, why not check your local ISP range and see if you can find any open resolvers? You never know what you might find! I'll buy a pint for the person who can find the most… at a date/time/location of my choosing… provided it's in the UK… in the South somewhere… near Reading or Basingstoke! ;-)

Written by Paul Roberts, CEO, Calleva Networks

While attacks of this nature are certainly nothing new, the scale of this attack was surprising, reported to hit 120Gbps. For a sense of scale, your average cable modem is only about 20Mbps, or about 0.016% of that bandwidth.

So how does one generate an attack of that size? The technique that appears to have been used is called DNS Amplification. The attacker will typically use a network of infected hosts, known as a botnet, to send DNS queries to servers, faking the source address to be that of their target. When the servers reply to these queries, they send the reply to that false address.

Since the response packet is bigger than the query packet, the DNS server is helping out in the attack by increasing the amount of bandwidth being used. This is not a new technique, and has been around since at least the late 1990s.

What has changed is how effective this attack is, mostly due to the introduction of DNSSEC records. For example, a DNS query for isc.org/ANY with DNSSEC is only 78 bytes, but the reply is 3,586 bytes — so big it gets fragmented and spread across three packets. This makes it very easy to use a little bit of bandwidth to make a huge attack, and since your compromised hosts don't need to send out a lot of data, it's less likely they'll be detected and shut down.

Open Recursives Are Not the (Only) Problem

A lot of these attacks make use of recursive resolvers to perform this amplification. These are the servers that are typically run by your ISP or by services such as Dyn's Internet Guide, OpenDNS, or Google's Public DNS.

It is intended that the end user will query these servers, they'll take care of finding the answer, caching it, and returning it to the user. In the case of an ISP's resolvers, these are usually locked down so only the ISP's customers can use it. It has long been considered a security risk to operate a resolver that will respond to just anyone (an "open" resolver) without taking special care to consider the consequences.

There has been a lot of renewed interest in finding and shutting down unintentional open resolvers, through things like the Open DNS Resolver Project. This is a good thing, but it only addresses part of the problem. These attacks do not need to use open resolvers; they can use the authoritative servers directly to do their amplification. The authoritative servers are the systems that ultimately serve the answers in DNS.

These are the sorts of systems operated by DynECT Managed DNS and Standard DNS. And since these servers must be open in order to function, it's much more difficult to secure them against abuse and the attackers are using them.

Dyn observed this activity back in December 2011, and it has only gotten worse since then. Other authoritative operators have seen the same behavior, typically DNS queries for "ANY" records on zones that have been DNSSEC signed. We have our own in-house tools for mitigating these attacks, but there has been public work to counter the problem, such as the Response Rate Limiting patches to the BIND nameserver software.

But these are really only temporary fixes in an arms race between DNS operators and the people who want to abuse their systems.

The Real Problem and its Solution

At its core, the problem that enables these attacks to work is source address spoofing. This is when a packet is sent from a computer using a source address that isn't actually on that computer, but instead belongs to some other system — usually not even on the same network, such as a home PC on a cable modem, sending traffic that appears to be from a popular website. This has been seen as a security problem for a long time, and yet there are still plenty of networks that allow it to happen.

The solution has also been around for a while, known as BCP38. This document, part of a series of Best Common Practices, describes a very simple concept of not allowing packets to pass through a router from hosts that shouldn't be sending from those addresses. It was published nearly 13 years ago, and is often brought up in tech circles as a solution to a number of problems, but there is still a lack of implementation on the Internet at large.

It boils down to a very simple logic, described in section 4:

IF packet's source address from within [its assigned space]
THEN forward as appropriate

IF packet's source address is anything else
THEN deny packet

There has been a renewed effort recently to push the adoption of this practice, with a boost from this recent DDoS attack on CloudFlare, with some new websites popping up, such as BCP38.info, and a lot of discussion in public forums. This is something that really needs to be done for the security of the Internet as a whole.

So, if you're a network operator, please consider implementing BCP38. If you're buying internet service, ask your provider about BCP38. The rest of the Internet will thank you.

Written by Chip Marshall, Network and Security Analyst

From the Alert: "While the attacks are difficult to prevent, network operators can implement several possible mitigation strategies. The primary element in the attack that is the focus of an effective long-term solution is the detection and elimination of open recursive DNS resolvers. These systems are typically legitimate DNS servers that have been improperly configured to respond to recursive queries on behalf of any system, rather than restricting recursive responses only to requests from local or authorized clients. By identifying these systems, an organization or network operator can reduce the number of potential resources that the attacker can employ in an attack."

It's worth reading the whole thing, but in short, their well-supported opinion is that the net isn't ready for all the new TLDs, and even if they were, ICANN's processes or lack thereof will cause other huge problems.

The simplest issues are administrative ones for ICANN. In the olden days updates to the root zone were all handled manually, signed email from ICANN to Verisign, who manages the root zone, with a check at NTIA, who oversees it under longstanding contracts. As the number of changes increased, more due to added IPv6 and DNSSEC records than increased numbers of TLDs, the amount of email got unwieldy so they came up with a new system where the change data is handled automatically with people looking at secure web sites rather than copy and paste from their mailboxes. This system still in testing and isn't in production yet; Verisign would really prefer that it was before ICANN starts adding large numbers of new TLDs.

The new domains all have to use the Trademark Clearinghous (TMCH), a blacklist of names that people aren't allowed to register. Due to lengthy dithering at ICANN, the the TMCH operator was just recently selected, and they haven't even started working out the technical details of how registry operators will query it in real time as registrations arrive.

There are other ICANN issues as well, the process for transferring a failed registry's data to a backup provider isn't ready, nor is zone file access for getting copies of zone data, nor are the pre-delegation testing reqiurements done, and the GAC (the representatives from various governments) could still retroactively veto new domains even after they'd been placed in service.

All of these issues are well known, and the technical requirements have been listed in the applicant guidebook for several years, so it does reflect poorly on ICANN that they're so far from being ready to implement the new domains.

Most importantly, Verisign notes that the root servers, who are run by a variety of fiercely independent operators, have no coordinated logging or problem reporting system. If something does go wrong at one root server, there's no way to tell whether it's just them or everyone other than making phone calls. Verisign gives some examples of odd and unexpected things that happened as DNSSEC was rolled out, and again their concerns are quite reasonable.

An obvious question is what is Verisign's motivation in publishing this now. Since they are the registry for .COM and .NET and a few smaller domains, one possibility is FUD, trying to delay all the new domains to keep competitors out of the root. I don't think that's it. Over 200 of the applications say that they'll use Verisign to run their registries, so Verisign stands to make a fair amount of money from them. And everyone expects that to the extent the new TLDs are successful at all, it'll be additional, often defensive registrations, not people abandoning .COM and .NET.

So my take on this is that Verisign means what they say, the root isn't ready for all these domains, nor are ICANN's processes ready, and Verisign as the root zone manager is justifiably worried that if they go ahead anyway, the root could break.

Update: Thu April 4, 2013
A follow up to the discussed Verisign's white paper, New gTLD Security and Stability Considerations, in which they listed a bunch of reasons that ICANN isn't ready to roll out lots of new TLDs. Among the reasons were that several of the services the new GTLDs are required to use aren't available yet, including the Emergency Back End Registry Operators (EBEROs), who would take over the registry functions for a TLD whose operator failed. They were supposed to have been chosen in mid-2012. By complete coincidence, ICANN has announced that they had chosen the three Emergency End Registry Operators. I can't wait to see what happens next week.

Written by John Levine, Author, Consultant & Speaker

Al Iverson over at Spamresource has a great round-up of the news, if you haven't managed to catch the news, go check it out, then come on back, we'll wait ...

Of course, bad guys are always mad at Spamhaus, and so they had a pretty robust set-up to begin with, but whoever was behind this attack was able to muster some huge resources, heretofore never seen in intensity, and it had some impact, on the Spamhaus website, and to a limited degree, on the behind-the-scenes services that Spamhaus uses to distribute their data to their customers.

Some reasonable criticism, was aimed at the New York Times, and Cloudflare for being a little hyperbolic in their headlines and so on, and sure, it was a bit 'Chicken Little'-like, the sky wasn't falling and the Internet didn't collapse.

But, don't let the critics fools you, this was a bullet we all dodged.

For one, were Spamhaus to be taken offline, their effectiveness in filtering spam and malware would rapidly decay, due to the rate at which their blocklists need to be updated. The CBL anti-botnet feed and the SBL list both have many additions and deletions every day. These services are used to protect mail servers and networks against the most malicious criminal traffic. If they go down, a lot of major sites would have trouble staying up, or become massively infected with malware.

There are also a ton of small email systems that use the Spamhaus lists as a key part of their mail filtering (for free as it turns out). Were those lookups prevented, or tampered with, those systems would buckle under the load of spam that they dispense with easily thanks to Spamhaus.

To put it into perspective, somewhere between 80% & 90% of all email is spam, and that's the stuff Spamhaus helps filter. So it doesn't take a Rocket Scientist to figure out that if filters go out, so do the email systems, in short order. AOL's Postmaster famously said, at an FTC Spam Summit a decade ago, before the inception of massive botnets, that were their filtering to be taken offline, it'd be 10 minutes before their email systems crashed.

Due to some poorly researched media reports (hello, Wolf Blitzer!), there is a perception that this is a fight between two legitimate entities, Spamhaus and Stophaus; some press outlets and bloggers have given equal time to the criminals (we use that word advisedly, there is an ongoing investigation by law enforcement in at least five countries to bring these people to justice). Nothing could be further from the truth. The attackers are a group of organized criminals, end of story. There is nothing to be celebrated in Spamhaus taking it on the chin, unless you want email systems and networks on the Internet to stop working.

So yeah, it was a big deal.

Written by Neil Schwartzman, Executive Director, The Coalition Against unsolicited Commercial Email - CAUCE

In the article I was questioning if this was even possible and what was needed as general interest and curiosity.

Well, looking at the "stophaus" attack last week, we are getting some answers.

I would say it is a real threat now and is a valid attack vector. Seems you only need a couple of ingredients:

Open recursive DNS servers

Many of these are already available, and numbers increase. This not only includes dedicated DNS Server systems, but also any equipment attached to the internet capable of handling DNS requests it seems (like cable-modems, routers, etc). So the risk this will be utilized again, will be greater every day now.

A party that is capable/willing do set it off

Seems that there are more and more parties on the Internet that open to "attack" certain entities on the Internet to defend their believes. In above case, stressing even the Internet and influence the usage of everyone on it.

Infrastructure

Lets call it the "Internet", "Logistics" and "Bandwidth". Looking at the numbers, it is apparent that you need little (in context) and it is possible to do so if you want. Technology, services or other wise it is not really challenging. And it can be done not from a shady area/country either.

I suspect we will see more of this happening now the "proof-of-concept" is done. It still worries me when the real guns are pulled out and focus would shift from particular entities to the root infrastructure of the Internet.

I had a couple of talks with my expertise peers on this how to mitigate this, it is very difficult as it is sheer load coming from every corner of the Internet. We really did not come up with a single solution. Mitigation would probably mean "breaking" some parts of the Internet as collateral damage, which in size would probably be disruptive enough as well.

Main concern in this, again, is the "open resolvers" out there that we cannot control without education and regulation on how DNS is deployed (you know, the thing we are allergic/apathetic about on/about Internet).

The more thoughts I give this, the more I think the solution is not only technical but mostly an organisational/educational/regulation one… Before that is in place, we probably will experience some outages…

Written by Chris Buijs, Head of Delivery

Sessions on the agenda include:

• The Business Case for IPv6 & DNSSEC
• Deploying DNSSEC: From End-customer to Content
• Industry Collaboration: Working Together to Deploy IPv6

Joining the sessions are a variety of speakers from across the industry and within the Asia Pacific region. Information about the webcast can be found at:

http://www.internetsociety.org/deploy360/ion/singapore2013/webcast/

We'll also be recording the sessions so you can view them later. For example, given that Singapore time is 12 hours ahead of U.S. Eastern time, I don't expect many of the folks I know there to be up at 2am to watch these sessions!

The ION Singapore conference is produced by the Internet Society Deploy360 Programme and is part of the ICT Business Summit taking place this week in Singapore. I just got to meet some of the panelists at a dinner tonight and I think the sessions tomorrow should be quite educational and also quite engaging and fun. Please do feel free to tune in if you are interested and have the chance to do so.

P.S. In full disclosure I am employed by the Internet Society to work on the Deploy360 Programme and for once a post of mine at CircleID IS related to my employer.

Written by Dan York, Author and Speaker on Internet technologies

Some of you will remember the heated debates when Calling Line Identification (CLID) was first introduced in telephony. Libertarians of all stripes called passionately to ban such an evil tool threatening our most precious civil liberties like the impunity of calling home from the bar, pretending to be still at work or with a customer. Today everybody welcomes the decline of crank and obscene calls even if telemarketers can continue to be a nuisance. Will SAVA be for the internet what CLID was for telephony?

One of the beauties and at the same time a source of potential vulnerability of the internet design is that it forwards packets connectionless, hop by hop, based on the destination address. This has proven a cornerstone of the amazing resiliency and scalability of the internet. The flip side is that this makes the blue box offspring, address spoofing more prevalent. From making occasional free calls in the 'telephony era', internet address spoofing now substitutes legitimate source addresses to fraudulently obtain personal information from unsuspecting end-users or wreak havoc flooding network hosts, DNS systems and even networks with DDoS attacks. So much so that a number of ISP's now offer 'scrubbing services' to their customers. Zacks Investment sees Cyber Security firms as a major investment opportunity. This is surely a growing and lucrative market segment; I might follow their advise.

SAVA was first presented at an IEEE conference in 2007 and subsequently proposed as a RFC to the IETF in 2008 with Tsinghua University of Beijing as lead author. The paper addressed the need for source address verification on the access network, intra-AS within a network, and inter-AS between networks across BGP boundaries. This led to the creation of a quite active IETF working group called SAVI to tackle the subject. An informational draft issued this February provides a good overview of a variety of 'attack vectors' and threats. How fast some of these RFC will be completed and approved and, more importantly, implemented remains however an open question.

China has reported that it is experimenting with a SAVA implementation in its CNGI (China Next Generation Internet) IPv6 only based R&E network, in no less than the United Kingdom's prestigious Philosophical Transactions of the Royal Society. This has in turn triggered some activity in the blogosphere ranging from more factual to a bit more alarming. Concluding yet again that China is light years ahead of the United States in IPv6 deployment remains questionable however. While CNGI has without question been the benchmark for native IPv6 deployment for many years in a Research and Education Networking environment, China has been really lagging so far in the commercial deployment of IPv6. They obviously bide their time.

While some will argue that SAVA would undermine their civil liberties and individual freedom especially when they prefer anonymity in whatever they are doing on the internet and others will see it as another step to big brother watching us, the need for better security is undeniable and even more urgent as we accelerate towards a mobile broadband data environment. IDC predicts that, this year, smartphone sales will for the first time surpass feature phones. Mobile operators enjoy usage based services and billing; to correctly identify the source will always remain essential to revenue generation and corporate wellbeing. And what would the impact be of a DDoS attack choking a major LTE network?

Major ISP's and mobile operators might want to track SAVA more closely; ça va ou ça va pas?

Written by Yves Poppe, Director, Business Development IP Strategy at Tata Communications

"We launched Google Public DNS three years ago to help make the Internet faster and more secure.Today, we are taking a major step towards this security goal: we now fully support DNSSEC (Domain Name System Security Extensions) validation on our Google Public DNS resolvers. Previously, we accepted and forwarded DNSSEC-formatted messages but did not perform validation. With this new security feature, we can better protect people from DNS-based attacks and make DNS more secure overall by identifying and rejecting invalid responses from DNSSEC-protected domains."

CENTR Paper – Fifth World Telecommunication/ICT Policy Forum (Download PDF)

Introduction

Many nations, particularly from the developing world, look to the International Telecommunications Union (ITU) for advice on telecommunications issues and, increasingly, Internet governance issues. The ITU's Fifth World Telecommunication/ICT Policy Forum (WTPF-13), 14-16 May 2013, Geneva, Switzerland, will be the first WTPF to focus exclusively on Internet issues. Positions agreed to by ITU Member States on the management of Internet resources — including ccTLDs — and the roles and responsibilities of stakeholders in Internet governance are of particular importance to ccTLD operators due to the close association of ccTLDs to the territorial boundaries of sovereign nations.

WTPF-13

WTPF-13 has been convened to discuss the issues raised in ITU's three key Internet-related resolutions:¹

• Resolution 101:"Internet Protocol (IP)-based Networks" (Rev. Guadalajara, 2010)²
• Resolution 102: "ITU's role with regard to international public policy issues pertaining to the Internet and the management of Internet resources, including domain names and addresses" (Rev. Guadalajara, 2010)³
• Resolution 133: "Roles of administrations of Member States in the management of Internationalized (multilingual) domain names" (Rev. Guadalajara, 2010)⁴

The main policy outcomes of WTPF-13 will be the "Opinion" documents, which are non-binding on ITU's membership. However, the Opinions and final meeting report will be a good indicator of the Internet issues that may become the focus of ITU discussions, and in turn, more formal resolutions and recommendations, in the near future. In particular, WTPF-13 outcomes will inform the discussions at the Council Working Group on International Internet-Related Public Policy Issues (CWG-Internet), the ITU Plenipotentiary 2014 and the WSIS+10 review process.

In preparation for WTPF-13, two meetings of the Informal Experts Group (IEG)⁵ have already been held to fine-tune the Secretary- General's report.⁶ The report's summary of issues, which includes ccTLD processes, will form the basis of WTPF-13 discussions in May. Draft Opinions have been made available in the fourth, and latest, version of the Secretary-General's report. It is possible that more Draft Opinions will appear in the next and final version of the Secretary General's report, which will be published 1 March 2013.

WTPF-13 Draft Opinions

There are six Draft Opinions in the January 2013 version of the Secretary-General's report. The final WTPF-13 Opinions will be based on these drafts and onsite discussion of the contents of the Secretariat-General's report.

Overall model of Internet governance and development

There are three Draft Opinions on this topic. Two of the three drafts, submitted by Saudi Arabia, focus on the need for "immediate operationalization of the enhanced cooperation process" via an existing or new intergovernmental organization, in consultation with other stakeholders. The third draft, submitted by the United Kingdom, focuses on open, transparent and accountable Internet development, freedom of expression, universal access, and invites all stakeholders — not only Member States and Sector Members — to collaborate towards the ongoing expansion of the Internet.

Why these Opinions matter: These three Draft Opinions reflect fundamentally different views on how the Internet should be governed. On one side are States who believe it is important to have a government-only platform to discuss international Internet governance matters (this does not exclude other venues for Internet governance discussions). In many cases, these governments focus on the security risks the Internet can pose and seek an intergovernmental venue that can address these risks. On the other side are States who prefer to maintain the current multi-stakeholder environment, believing that governments already have enough opportunities to participate in Internet governance processes. These States often prefer to focus on the opportunities the Internet offers, such as freedom of expression and the development of an information society for all.

IPv6 deployment Both Draft Opinions on IPv6 encourage Member States to develop policies and incentives for IPv6 deployment within their territories. The Saudi Arabian draft also proposes ITU to develop policies to manage IPv4 address transfers in the wake of the exhaustion of the unallocated IPv4 pool. The United Kingdom's draft emphasizes the need to build human capacity in developing countries to enable IPv6 deployment.

Why these Opinions matter: If ITU Member States recommend the ITU should actively develop policy for IP address space management — an area already served by Regional Internet Registries (RIRs) — it may open the door for ITU to consider policy development in other areas of Internet resource management. In many cases, such policy development already has a home within existing organizations, such as the ICANN.

IXPs as the long-term solution to better and more robust Internet connectivity

The final draft opinion, from the United Kingdom, invites Member States and Sector Members to work collaboratively with developing countries in promoting IXPs.

Why this Opinion matters: In contrast to the other Draft Opinions, where views on the same topic are the result of ideological differences, this Draft Opinion is an example of practical ways to develop Internet capacity in developing countries. In addition, an improved Internet quality for regions served by new IXPs, will create new useful locations to host anycasted Root DNS Servers and secondary ccTLDs nameservers.

Internet issues contained in the Secretary-General's WTPF-13 report

Any of the topics included in the Secretary-General's report may be included in the final Opinions and meeting report. In particular, the broad scope of the three Draft Opinions on the overall model of Internet governance and development leaves room to add text on a variety of Internet issues summarized in the Secretary-General's report. The issues of most relevance to the ccTLD community in the report are:

1. Roles and responsibilities of stakeholders in Internet management

While the WSIS Tunis Agenda⁷ recognized the multi-stakeholder model as the appropriate global model for Internet governance, the Secretary-General's report summarizes debates on whether the model has been fully implemented. One view maintains that the current Internet governance framework is sufficiently multi-stakeholder and that intergovernmental forums that discuss the Internet, such as the ITU, also need to adopt a multi-stakeholder approach. The ITU has itself been keen to change the world's perceptions of its working methods, publicizing that the WTPF IEG process is open to all stakeholders.⁸

The other view is that the role of governments in Internet governance has not been allowed to evolve according to the "enhanced cooperation" text in the Tunis Agenda, which states:

"We further recognize the need for enhanced cooperation in the future, to enable governments, on an equal footing, to carry out their roles and responsibilities, in international public policy issues pertaining to the Internet, but not in the day-to-day technical and operational matters, that do not impact on international public policy issues."

According to this second view, the failure to operationalize an intergovernmental mechanism for enhanced cooperation has contributed to the world's failure to adequately address ongoing Internet challenges, including spam and cybercrime. States holding this view often also question the adequacy of the ICANN Government Advisory Committee (GAC).

2. Management of Internet resources

The Secretary-General's report notes concerns with the current Internet infrastructure's ability to support the Internet's continued growth — in particular, the ability to support security, identity management and multilingualism. Under the topic of Internet resource management are the following topics of interest:

• Internet connectivity – The high cost of international Internet connectivity for Least Developed Countries (LDCs) is seen to be particularly problematic, with IXPs reported as a long-term solution to the problem. Included in the report are descriptions of some of the main challenges LCDs face in closing the digital divide.
• IP addresses – The ITU has a long history discussing IP address management, which is reflected in the Secretary-General's report. The slow rate of IPv6 deployment, in particular, is a concern, with continued debate about whether today's "first come, first served" IPv6 allocation policies could penalize late adopters. The ITU has issued a number of IP address-related resolutions⁹, so it is a certainty that WTPF 2013 will result in an IP address-related Opinion.
• Resource Public Key Infrastructure (RPKI) – RPKI is still in its infancy but it is hoped it will make the Internet's IP routing system more secure. Given the security implications, RPKI is a topic of interest to ITU Member States and therefore is included in the Secretary-General's report. In particular, the report notes that questions have been raised about whether the operation of the RPKI certifi cate chain by ICANN and RIRs fundamentally changes their role in Internet governance.

3. gTLDs

The new gTLD process is detailed in the report, with the Secretary-General noting discussions about new gTLDs' impact on gTLD market competition and trademark or rights holders, particularly those in developing countries. The report also notes that concerns have been raised about the potential misuse of acronyms reserved for use by intergovernmental organizations (IGOs), geographic names, and cultural and language descriptors.

4. ccTLDs

The report notes that there is not a one-to-one relationship between a ccTLD string for a "territory" as defined in the ISO-3166 list and the name of a sovereign nation, with some nations having more than one ccTLD string reserved for their use (for example, Finland has both .fi and .ax). The ccTLD re-delegation process is also described in depth, including the need for the US government to evaluate IANA's report on the ccTLD request. The report includes a reference to ITU's role in requesting the re-delegation of .so in 2009 and notes that the Tunis Agenda states that countries should not be involved in decisions regarding another country's ccTLD. It is not clear whether this reference is meant to be compared directly with the earlier reference to the US government's role in overseeing re-delegation. The effect, however, is to highlight the US government's role in the re-delegation process of other nations' ccTLDs.

5. DNS security

The report describes how DNSSEC works and notes concerns about the processes that create the DNSSEC "chain of trust". However, given the sources of such concerns have not attended IEG meetings, the majority of the text reflects the views of those who support the current DNSSEC trust chain.

6. Multilingualism and IDNs

The report states that internationalized domain names (IDNs) are seen as an important step in overcoming linguistic barriers to Internet access, while also highlighting views that there are a number of challenges regarding intellectual property and the IDN deployment. The report notes some countries believe the current Unicode-based IDN implementation is "effectively a patch on an ASCII-based system and that the DNS will properly refl ect multilingualism when support is native to the system".

7. Regional distribution of Root DNS Servers

The report notes that there is a disparity between the geographical distribution of Root DNS Servers and the global distribution of Internet users but does bust the myth that there are only 13 Root Servers by explaining the concept of anycasting. However, the report also points out that only three of the Root Server operators have administrative headquarters outside the USA.

WTPF-13 and other Internet-related discussions at the ITU

The ITU has held many Internet-related discussions in its meetings and Study Groups. Discussion at WTPF-13 will both be informed by these previous discussions as well as inform future discussions on the Internet at the ITU. The key interactions are described below.

World Conference on International Telecommunications

Many of the proposals submitted during the two-year preparatory process of WCIT¹⁰ contained explicit Internet-related content, including:

• Adding principles for Internet governance
• Asserting that "Member States have equal rights to manage the Internet, including in regard to the allotment, assignment and reclamation of Internet numbering, naming, addressing and identification resources"

Ultimately, the final set of International Telecommunication Regulations (ITRs)¹¹ produced in Dubai in 2012 did not include the word "Internet" anywhere. However, there are still many traces of Internet-related issues visible in the ITRs. For example, the ITRs' recognition of States' rights to access to international telecommunication services was added in response to trade blockades that prevent Internet-based services, such as electronic payments, being available in some countries. In addition, a new ITR article on accessibility to international telecommunication services is most applicable to Internet-based services (such as web services). There were strong disagreements on Internet-related issues at WCIT, and, following the intergovernmental practice of discarding proposals that cannot reach consensus amongst States, all direct references to the Internet were removed. A number of States, however, chose not to sign the ITRs — amongst them, the US government. Given the US government provides IANA with the authority to global coordinate the DNS Root and IP addressing systems, the refusal of the USA to sign the ITRs may be seen by a number of States as a sign that the USA "continues" to "control" the Internet. Many of the ideas expressed in Internet-related WCIT proposals have previously appeared in submissions to other ITU meetings, reflecting the fact that some Member States continue to feel strongly that current Internet governance arrangements — particularly the relationship between the US government and IANA — are unsatisfactory. Given the "unsatisfactory" Internet governance arrangements were not addressed in the WCIT outcomes, it is highly probable that many of the same issues will be create equally strong discussion at WTPF-13.

Council Working Group on International Internet-Related Public Policy Issues

Since 2010, the Member States-only CWG-Internet¹² — previously known as the Dedicated Group (DG) on International Internet- Related Public Policy Issues — has discussed ccTLDs, gTLDs, IDNs, IP addresses, DNSSEC, and RPKI under the banner of "critical Internet infrastructure". It has also discussed how ICANN and the ICANN GAC work. Although the group discusses many Internet issues that are currently managed under the open multi-stakeholder model of Internet governance, the CWG's documents are available only to Member States. One of the key documents produced by the group, "Internet Governance: Background Information on Mechanisms, Arrangements, Organizations and some Current Topics" is the source of much of the Secretary-General's report for WTPF-13, including information on ccTLD operations and re-delegation procedures. The Opinions produced by WTPF-13 are likely to affect future discussions within the CWG.

WSIS, the Tunis Agenda and WSIS+10

The World Summit on the Information Society (WSIS)¹³ produced the Tunis Agenda, which has become one of the key documents informing intergovernmental discussions on Internet governance. While it clearly stated that the multi-stakeholder model was the appropriate model for global Internet governance, its text on the need for "enhanced cooperation" between governments in relation to Internet governance remains the subject of debate to this day. WTPF-13 discussions on the appropriate way to further implement, if necessary, governments' roles in Internet governance result directly from differing interpretations of this Tunis Agenda text. To mark the tenth anniversary of the WSIS process ("WSIS+10"), there will be a high level event in 2014 or 2015 that will assess the implementation of WSIS goals. As the tenth anniversary of WSIS is only two years ago, governments that have been pushing for an intergovernmental organization to enhance their role in Internet governance are beginning to express their frustration at the lack of progress to date. With the WCIT outcomes not meeting their goals, the WTPF is the next major ITU event at which governments can continue this debate.

Plenipotentiary 2014

WTPF-13 is based on the Internet-related resolutions that were updated at Plenipotentiary 2010 and will, in turn, influence the Internet-related resolutions developed at the next Plenipotentiary¹⁴. Resolutions passed at Plenipotentiaries are particularly important as these meetings set the agenda for the following four years of ITU's work.

How to participate in WTPF-13

The final version of the Secretary-General will be published 1 March 2013. The WTPF-13 will be held 14-16 May 2013, in parallel with ITU's WSIS Forum, in Geneva, Switzerland. Anyone can attend the WTPF and ask for the floor to make statements.

Nominet, responsible for .uk, has already made a submission to the IEG process.¹⁵ Stakeholders can also contact their government representatives at ITU to help their government develop positions on the issues under discussion at WTPF-13. Many governments who support the multi-stakeholder model of Internet governance are also happy to place non-government stakeholders on their official delegation at meetings such as WTPF-13.

If you are unsure whom to contact within your government, a good place to start is the Participants List from WCIT:
http://files.wcitleaks.org/public/S12-WCIT12-ADM-0004!!PDF-E.pdf

All information relating to WTPF-13 is posted at:
http://www.itu.int/wtpf

¹ Given the recent WCIT held in Dubai also adopted an Internet-related resolution, it is possible that the issues it raises will also be incorporated in the next version of the Secretary- General's report.

² http://www.itu.int/osg/csd/intgov/resoultions_2010/PP-10/RESOLUTION_101.pdf

³ http://www.itu.int/osg/csd/intgov/resoultions_2010/PP-10/RESOLUTION_102.pdf

⁴ http://www.itu.int/osg/csd/intgov/resoultions_2010/PP-10/RESOLUTION_133.pdf

⁵ http://www.itu.int/en/wtpf-13/Pages/ieg.aspx

⁶ http://www.itu.int/en/wtpf-13/Pages/report-sg.aspx

⁷ http://www.itu.int/wsis/docs2/tunis/off/6rev1.html

⁸ The recent WCIT Resolution 3 (see http://www.itu.int/en/wcit-12/Documents/final-acts-wcit-12.pdf) also called on Member States to "to engage with all their stakeholders" on "international Internet-related technical, development and public-policy issues within the mandate of ITU" but stopped short of opening ITU meetings to the full participation of all stakeholders.

⁹ For example: WTSA 2008 Resolution 64, http://www.itu.int/dms_pub/itu-t/opb/res/T-RES-T.64-2008-PDF-E.pdf; WTDC 2010 Resolution 63, http://www.itu.int/osg/csd/intgov/ resoultions_2010/resolution63.pdf; Plenipotentiary 2010 Resolution 180 http://www.itu.int/osg/csd/intgov/resoultions_2010/PP-10/RESOLUTION_180.pdf

¹⁰ http://www.itu.int/en/wcit-12/Pages/default.aspx

¹¹ http://www.itu.int/en/wcit-12/Pages/itrs.aspx

¹² http://www.itu.int/council/groups/CWG-internet

¹³ http://www.itu.int/wsis

¹⁴ http://www.itu.int/en/plenipotentiary/Pages/default.aspx

¹⁵ http://www.itu.int/md/S12-WTPF13PREP-C-0024/en

Written by CircleID Reporter

Top Ten Featured Blogs from the community in 2012:

#1		DNS Changerby Paul Vixie | Mar 27, 2012 | Viewed 66,094 times
#2		Trademarking .generics - the .bank Fiasco!by Konstantinos Komaitis | Jan 18, 2012 | Viewed 17,124 times
#3		Refusing REFUSEDby Paul Vixie | Jan 11, 2012 | Viewed 11,860 times
#4		MegaBust's MegaQuestions Cloud the Net's Futureby Philip S Corwin | Feb 13, 2012 | Viewed 10,430 times
#5		Anonymous Plans to Go After DNS Root Servers. What Will Be the US's Response?by Terry Zink | Feb 15, 2012 | Viewed 9,813 times
#6		Why the Dot Com Kingdom Will Continue to Rule Post New gTLDsby Naseem Javed | Jul 24, 2012 | Viewed 9,771 times
#7		Fake Bank Site, Fake Registrarby Garth Bruen | Mar 27, 2012 | Viewed 8,977 times
#8		Why Vint Cerf is Wrongby Wout de Natris | Nov 21, 2012 | Viewed 8,891 times
#9		Internet Governance and the Public Interestby Paul Diaz | Mar 19, 2012 | Viewed 8,384 times
#10		IPv6 Subnetting - The Paradigm Shiftby Chris Grundemann | Jul 19, 2012 | Viewed 8,380 times

Top 10 News in 2012:

#1		ISPs Are Not Broadcasters, Says Supreme Court of CanadaFeb 10, 2012 | Viewed 35,128 times
#2		Iran Blocks HTTPS, 30 Million Reported Losing Email AccessFeb 11, 2012 | Viewed 11,016 times
#3		Vint Cerf: The Launch of a New Larger InternetJun 05, 2012 | Viewed 8,257 times
#4		The Digital Marketing & gTLD Strategy Congress Announces Keynote, Speakers, Initial PartnershipsJan 08, 2013 | Viewed 7,841 times
#5		Akamai Reports 460 Times Increase in IPv6 Requests Over Its Platform Since Last YearOct 22, 2012 | Viewed 6,976 times
#6		Saudi Arabia Objects to Certain Proposed New gTLD Strings Such as .Gay and .WineAug 15, 2012 | Viewed 6,764 times
#7		Department of Commerce Cancels IANA Contract RFPMar 09, 2012 | Viewed 6,343 times
#8		SPECIAL: Updates from the ICANN Meetings in TorontoOct 17, 2012 | Viewed 5,802 times
#9		Most U.S. Agencies Expected to Miss IPv6 DeadlineSep 28, 2012 | Viewed 5,411 times
#10		Websites Go Dark Protesting SOPA and PIPA, Senators Change CourseJan 18, 2012 | Viewed 5,299 times

Top 10 Industry News in 2012 (sponsored posts):

#1		MarkMonitor Offers New gTLD Application Databaseby MarkMonitor | Jun 15, 2012 | Viewed 6,992 times
#2		DotConnectAfrica Participates in ICANN-45 Toronto, Unveils New IBCA Initiative at ICANN Public Forumby DotConnectAfrica | Oct 23, 2012 | Viewed 6,822 times
#3		ICANN 45: New gTLDs Not Far Away Nowby Afilias | Oct 25, 2012 | Viewed 5,676 times
#4		MarkMonitor to Exhibit at Internet Tech Policy Exhibition and Reception to be Held on Capitol Hillby MarkMonitor | Jan 24, 2012 | Viewed 5,355 times
#5		CentralNic and REG.RU Confirm Strategic Partnershipby CentralNic | Jul 30, 2012 | Viewed 5,244 times
#6		MarkMonitor Fraud Intelligence Report, Q4 2011by MarkMonitor | Feb 17, 2012 | Viewed 5,037 times
#7		Afilias Participates in Global Test of Multilingual IDN Emailby Afilias | Jun 28, 2012 | Viewed 4,857 times
#8		Implementing a Cyber-Security Code of Conduct: Real-Life Lessons From Australia (Webinar)by Nominum | Apr 30, 2012 | Viewed 4,665 times
#9		Top-Level Domain Survey Findings Not Surprising, But Still Concerningby MarkMonitor | Sep 05, 2012 | Viewed 4,509 times
#10		Public Interest Registry Releases Results of Bi-Annual Domain Name Reportby PIR | Aug 14, 2012 | Viewed 4,462 times

Additionally, you can also check the leaderboards for CircleID's overall top 100 community and industry participants.

Written by CircleID Reporter

Neustar, a trusted, neutral provider of real-time information and analysis to the Internet, telecommunications, information services, financial services, retail, media and advertising sectors, announces the launch of Neustar Professional Services with a comprehensive suite of IT service offerings for enterprise organizations of all sizes. Neustar's seasoned team of professionals provides the expertise and resources organizations need to ensure the performance, security and reliability of their IT infrastructure.
A Comprehensive Approach – Neustar Professional Services offers a series of detailed assessments of your Internet infrastructure, both internal and public-facing. In each assessment a full system analysis is conducted, including interviews with your staff, ranking your vulnerabilities, citing best practices and making recommendations for efficient troubleshooting.

Organizations today face complex IT challenges, including reduced budgets and insufficient IT staff to meet critical deadlines. Using its proven three-dimensional methodology — discover, design, deploy — Neustar's team of experts helps customers identify the root of their IT problems and creates a comprehensive and technologically neutral solution to meet the customers' objectives. Once the solution is implemented, the team is available around the clock to help sustain critical systems and adjust to meet the organization's evolving needs.

"Our team has vast expertise in critical IT disciplines, from web performance to security," said Alex Berry, senior vice president of Enterprise Services at Neustar. "Each engineer has senior-level technical experience and brings a neutral, independent perspective to the job. With Neustar Professional Services, IT departments can extend themselves with confidence and get the results they need."

Meet Our Experts – Neustar experts are highly experienced and incredibly competent, exactly the sort of people you'd trust with your web performance and security.

Neustar Professional Services offerings include:

• Security and Reliability: Comprehensive assessments that include network vulnerability and penetration testing to deliver holistic and actionable insights to prioritize resources for maximum security — all while meeting best practices.
• Web Performance Analysis and Testing: Full-service website load testing that helps organizations protect their customers' experience by identifying traffic bottlenecks, ensuring sites can handle traffic and providing custom recommendations for improving performance.
• Integration, Migration and Training: Services that help customer IT departments integrate or migrate systems and policies effectively on any platform, while also providing in-depth training to enable customers to use the capabilities available through their solutions.
• Consulting Services: Services that help organizations accelerate projects, fill critical staffing gaps and access expertise in technical account management.

Learn more about Neustar Professional Services and meet the IT industry veterans on the team.

Christmas Goat – A pretty picture of the Christmas goat from the night before it was burnt down (top) and the early morning photo after it was burnt down (below). Image source: www.merjuligavle.se

A somewhat odd and long tradition in Gävle is to burn the poor Christmas goat down. Not in any official way I might add, more often as a result of bad behavior from some youngsters on their way home from a late night on the town. This obscure activity has ironically made the Christmas goat more famous, even on an international scale.

This year the Christmas goat was standing for 10 days before it was burnt down.

So how did we do this? Below is a brief description:

At the time of the premier of the 2012 Christmas Goat the following was set up:

http://www.julbockmedipv6ochdnssec.se/kamera1 (may not be active)

In order to:

• Track native IPv6 with a RR with A and AAAA.
• Track those who can run IPv6 native or tunneled.
• Track validating DNS-resolvers with a domain that has a faulty DNSSEC.

The result was quite surprising. The use of native IPv6 had not increased as much as I expected. Tunneling with 6to4 and Teredo was very low and the DNSSEC validation was almost half.

When I first counted the use of native IPv6 for 2012 I only reached a figure of 0.7%, compared to 0.5% last year. This made me curious, and I had to investigate some more. It turned out that from the total of more than 62,000 unique IP-addresses visiting the page, the 50 top talkers represented more than 50% of the hits. Not any of these 50 top talkers were using native IPv6. If I removed the top talkers, the figure for native IPv6 increased to 1.4%.

The use of IPv6 with native, 6to4 and Teredo was 11%, compared to 52% last year. DNSSEC validation came in at 32%, compared to 72% for 2011.

Is there any explanation to that reduction? Well, I don't know really. For the previous years I cannot find that many top talkers. Also I can't see any pattern in home and enterprise users. So my conclusion as of last year, that I only need a few days of data to get quite an accurate reading of the percentage, now seems to be completely wrong. Even the sun… :)

Conclusion:

Another way of looking at it is that if we discard 2011, and just compare native IPv6 in 2010 and 2012, we can see a fourteen times increase. And that makes me happy! I don't need much to be happy. :)

Unfortunately my logs don't show me any hints on why DNSSEC, 6to4 and teredo are reduced. For now, I will however not let these things disturb my Christmas holiday. Instead I will await the data from next Christmas and hope that our famous Christmas goat then will stand all the way past Christmas!

Merry Christmas and A Happy New Year to you all!

Written by Torbjörn Eklöv, CTO, Senior Network Architect, DNSSEC/IPv6