[tech-whois] A follow up session in San Francisco?

Michael Young michael at mwyoung.ca
Tue Mar 8 22:15:49 UTC 2011 

Jay sorry I don't have the time to systematically go through why I
disagree with the below arguments in email, let's talk at San Fran, (high
bandwidth communication :-) ).

On IPv6
Look at the RIR policies for block size allocations, most rate limiting
back-off algorithms include escalating address block denys, minimum IPv6
block size allocations are vast - exponentially larger than the entire
existing space. It means someone could bypass IP based rate limiting by
spreading queries across shifting source IP addresses in a way just not
feasible today. It becomes very difficult to block them without affecting
geniune source traffic.

Best Regards,

Michael Young
M:+1-647-289-1220


-----Original Message-----
From: Jay Daley [mailto:jay at nzrs.net.nz]
Sent: March-08-11 5:06 PM
To: Michael Young
Cc: Smith, Bill; tech-whois at icann.org
Subject: Re: [tech-whois] A follow up session in San Francisco?

Hi Michael

The idea that authentication is a better basis for rate limiting for WHOIS
than IP rate limiting is a fallacy.

If we did add authentication then instead of people querying from multiple
IP addresses to get around rate limiting, people would use multiple
credentials to get around it.  We could not stop that by vetting/limiting
who gets credentials because:

a.  It is just too expensive for what is a free service.
b.  The basic premise of WHOIS is that it is a public service so we would
still have to give credentials to anyone who asks

Thereby defeating entirely the purpose of authentication while also adding
a great deal of cost into the process.

Even where there is vetting/limiting of credentials, if the rewards are
high enough then people will game the system, just look at the number of
shell gTLD registrars for evidence.

The principles that determine the effectiveness of any rate limiting
mechanism are:

1.  How high a cost is it to overcome for the data poachers.
2.  How low a cost is it to implement for the data gamekeepers.
3.  How asymmetric is the cost in favour of the gamekeepers.

IP rate limiting wins on all three.  It is easy to implement, not trivial
to overcome and the cost is reasonably asymmetric as it costs the data
poachers more than it costs the data gamekeepers.

Authentication on the other hand fails on the last two.  Yes it is
expensive for data poachers but it is also expensive for data gamekeepers
(anything involving human beings providing credentials is) and the
asymmetry is now in the wrong direction as it costs more to implement than
abuse.


Separately, I should point out that a great deal of WHOIS interaction is
automated, often for good reasons.  The automation is not the problem, the
excess queries are.  IP rate limiting deals with that problem
transparently but introducing authentication would require all that
automation to be rewritten.


And finally, perhaps you could explain why IPv6 changes the effectiveness
of rate limiting?

Jay

On 9/03/2011, at 10:30 AM, Michael Young wrote:

> Specifically, having the ability to enforce data usage policies above
> the IP level.
>
> One example of this:
>
> Many whois providers restrict the use of Whois for systematic
> wholesale data mining purposes. They discourage use of the service for
> this purpose by applying controls through IP based rating limiting
> approaches.  With the advent of IPv6 this type of control becomes much
> less effective, some might even say it becomes ineffective.
>
> Michael
>
> -----Original Message-----
> From: Smith, Bill [mailto:bill.smith at paypal-inc.com]
> Sent: March-08-11 4:02 PM
> To: Michael Young
> Cc: Dave Piscitello; Smith, Bill; tech-whois at icann.org
> Subject: Re: [tech-whois] A follow up session in San Francisco?
>
> Exactly what problem are we trying to solve by requiring
> authentication for access to WHOIS data?
>
> On Mar 8, 2011, at 11:51 AM, Michael Young wrote:
>
>> Absolutely, a user ID accessing a whois system does not have to be
>> tied to known identity if the overall policy supports anonymity.  The
>> elements of usage enforcement can be applied against the user ID just
>> the same.  Of course you would want some control heuristics
>> preventing the automated creation of those anonymous user ID's in any
>> sort of scale, but that's a well understood problem with many
>> existing tools
> that can help with that.
>>
>> Best Regards,
>>
>> Michael Young
>> M:+1-647-289-1220
>>
>>
>>
>> -----Original Message-----
>> From: Dave Piscitello [mailto:dave.piscitello at icann.org]
>> Sent: March-08-11 2:49 PM
>> To: Michael Young; 'Smith, Bill'
>> Cc: tech-whois at icann.org
>> Subject: Re: [tech-whois] A follow up session in San Francisco?
>>
>> Michael you raise an excellent point re: IPv6.
>>
>> I also think you touch on important benefits of "knowing the source":
>> accountability and auditing. Anonymity is very different from
>> accountability but the Internet fails to make this distinction and
>> thus
> abuse flourishes.
>>
>> There are several forms of authentication that can provide auditing
>> or a basis for rate limiting that do not require disclosure of
>> personal information or creation of an identity, e.g., guest accounts
>> that can be bound to sessions, connections, validated origin IP
addresses.
>> There's a lot of room between "unknown origin, unknown querying party"
>> to "non-reputiable originator of a request".
>>
>>
>> On 3/8/11 2:20 PM, "Michael Young" <michael at mwyoung.ca> wrote:
>>
>>> "- access control, which most WHOIS providers have implemented at
>>> the TCP/IP level
>>>
>>> Without source address validation, IP level access control is not
>>> sufficient. Even with IP level access control, the granularity of
>>> access control is arguably less than one might want in a future
>>> incarnation of a Whois service. For example, an IP level access
>>> control does not accommodate a future policy that might block a user
>>> of group X from accessing to a subset of registration data elements
>>> {b} while allowing a user of group Y access to those elements. A
>>> robust directory service protocol ought to accommodate this."
>>>
>>> First of all I agree with this point but let me reinforce/add that
>>> the current rate limiting methodologies based on traffic from source
>>> IPs becomes much trickier with IPv6.  I don't see any practical
>>> reason why every user of a whois service shouldn't have to
>>> authenticate to get a response. Just because its a free public
>>> service doesn't mean someone seeking the data can't sign up for a
>>> user ID.  Sign up systems can be automated and protected from
>>> machine based registration, subsequent whois lookups would always be
>>> tied to User ID and usage policy enforcement can be made against
>>> individuals
> instead of IP addresses.
>>> You can also create classes of users with different traffic policy
>>> expectations (provided you were still in compliance with any
>>> contractual
>> obligations).
>>>
>>> I know this is a fundamental change from today, but the more I think
>>> about it, the more I see the practicality and operational
>>> sensibility in going that route.
>>>
>>> Best Regards,
>>>
>>> Michael Young
>>> M:+1-647-289-1220
>>>
>>>
>>>
>>> -----Original Message-----
>>> From: tech-whois-bounces at icann.org
>>> [mailto:tech-whois-bounces at icann.org] On Behalf Of Smith, Bill
>>> Sent: March-08-11 1:22 PM
>>> To: Dave Piscitello
>>> Cc: tech-whois at icann.org
>>> Subject: Re: [tech-whois] A follow up session in San Francisco?
>>>
>>>
>>> On Mar 7, 2011, at 12:13 PM, Dave Piscitello wrote:
>>>
>>>
>>> On 3/7/11 2:45 PM, "Jay Daley"
>>> <jay at nzrs.net.nz<mailto:jay at nzrs.net.nz>>
>>> wrote:
>>> [snipped]
>>>
>>> The only two that cannot be addressed this way are:
>>>
>>> - authentication, which is the feature where I think we are talking
>>> about a very different protocol from WHOIS
>>>
>>> Agree.
>>>
>>> Why would we consider requiring authentication when accurate WHOIS
>>> information is available to the public?
>>>
>>>
>>> - access control, which most WHOIS providers have implemented at the
>>> TCP/IP level
>>>
>>> Without source address validation, IP level access control is not
>>> sufficient. Even with IP level access control, the granularity of
>>> access control is arguably less than one might want in a future
>>> incarnation of a Whois service. For example, an IP level access
>>> control does not accommodate a future policy that might block a user
>>> of group X from accessing to a subset of registration data elements
>>> {b} while allowing a user of group Y access to those elements. A
>>> robust directory service protocol ought to accommodate this.
>>>
>>>
>>>
>>> With respect, I trust we aren't talking about a directory service
>>> for the Internet public.
>>>
>>>
>>> _______________________________________________
>>> tech-whois mailing list
>>> tech-whois at icann.org<mailto:tech-whois at icann.org>
>>> https://mm.icann.org/mailman/listinfo/tech-whois
>>>
>>>
>>> _______________________________________________
>>> tech-whois mailing list
>>> tech-whois at icann.org
>>> https://mm.icann.org/mailman/listinfo/tech-whois
>>>
>>
>>
> _______________________________________________
> tech-whois mailing list
> tech-whois at icann.org
> https://mm.icann.org/mailman/listinfo/tech-whois


--
Jay Daley
Chief Executive
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 931 6977
mobile: +64 21 678840

More information about the tech-whois mailing list