[tech-whois] A follow up session in San Francisco?

Jay Daley jay at nzrs.net.nz
Tue Mar 8 22:42:38 UTC 2011


On 9/03/2011, at 11:15 AM, Michael Young wrote:

> On IPv6
> Look at the RIR policies for block size allocations, most rate limiting
> back-off algorithms include escalating address block denys, minimum IPv6
> block size allocations are vast - exponentially larger than the entire
> existing space. It means someone could bypass IP based rate limiting by
> spreading queries across shifting source IP addresses in a way just not
> feasible today. It becomes very difficult to block them without affecting
> genuine source traffic.

We might need to talk about this bit as well.  All address based algorithms (as opposed to geo-locating) I've seen for this do a shifting mask aggregation - so they aggregate at /31, then /30, then /29, etc., right the way up to a /16 or higher.  With IPv6 the principle is the same except that they start at a /55, then /54 and so on.  The only difference is that the current density of addresses in use from IPv6 /56 upwards is lower than for IPv4 /32 upwards, but that will change with adoption and growth of the Internet.

cheers
Jay

> 
> Best Regards,
> 
> Michael Young
> M:+1-647-289-1220
> 
> 
> -----Original Message-----
> From: Jay Daley [mailto:jay at nzrs.net.nz]
> Sent: March-08-11 5:06 PM
> To: Michael Young
> Cc: Smith, Bill; tech-whois at icann.org
> Subject: Re: [tech-whois] A follow up session in San Francisco?
> 
> Hi Michael
> 
> The idea that authentication is a better basis for rate limiting for WHOIS
> than IP rate limiting is a fallacy.
> 
> If we did add authentication then instead of people querying from multiple
> IP addresses to get around rate limiting, people would use multiple
> credentials to get around it.  We could not stop that by vetting/limiting
> who gets credentials because:
> 
> a.  It is just too expensive for what is a free service.
> b.  The basic premise of WHOIS is that it is a public service so we would
> still have to give credentials to anyone who asks
> 
> Thereby defeating entirely the purpose of authentication while also adding
> a great deal of cost into the process.
> 
> Even where there is vetting/limiting of credentials, if the rewards are
> high enough then people will game the system, just look at the number of
> shell gTLD registrars for evidence.
> 
> The principles that determine the effectiveness of any rate limiting
> mechanism are:
> 
> 1.  How high a cost is it to overcome for the data poachers.
> 2.  How low a cost is it to implement for the data gamekeepers.
> 3.  How asymmetric is the cost in favour of the gamekeepers.
> 
> IP rate limiting wins on all three.  It is easy to implement, not trivial
> to overcome and the cost is reasonably asymmetric as it costs the data
> poachers more than it costs the data gamekeepers.
> 
> Authentication on the other hand fails on the last two.  Yes it is
> expensive for data poachers but it is also expensive for data gamekeepers
> (anything involving human beings providing credentials is) and the
> asymmetry is now in the wrong direction as it costs more to implement than
> abuse.
> 
> 
> Separately, I should point out that a great deal of WHOIS interaction is
> automated, often for good reasons.  The automation is not the problem, the
> excess queries are.  IP rate limiting deals with that problem
> transparently but introducing authentication would require all that
> automation to be rewritten.
> 
> 
> And finally, perhaps you could explain why IPv6 changes the effectiveness
> of rate limiting?
> 
> Jay
> 
> On 9/03/2011, at 10:30 AM, Michael Young wrote:
> 
>> Specifically, having the ability to enforce data usage policies above
>> the IP level.
>> 
>> One example of this:
>> 
>> Many whois providers restrict the use of Whois for systematic
>> wholesale data mining purposes. They discourage use of the service for
>> this purpose by applying controls through IP based rate limiting
>> approaches.  With the advent of IPv6 this type of control becomes much
>> less effective, some might even say it becomes ineffective.
>> 
>> Michael
>> 
>> -----Original Message-----
>> From: Smith, Bill [mailto:bill.smith at paypal-inc.com]
>> Sent: March-08-11 4:02 PM
>> To: Michael Young
>> Cc: Dave Piscitello; Smith, Bill; tech-whois at icann.org
>> Subject: Re: [tech-whois] A follow up session in San Francisco?
>> 
>> Exactly what problem are we trying to solve by requiring
>> authentication for access to WHOIS data?
>> 
>> On Mar 8, 2011, at 11:51 AM, Michael Young wrote:
>> 
>>> Absolutely, a user ID accessing a whois system does not have to be
>>> tied to known identity if the overall policy supports anonymity.  The
>>> elements of usage enforcement can be applied against the user ID just
>>> the same.  Of course you would want some control heuristics
>>> preventing the automated creation of those anonymous user ID's in any
>>> sort of scale, but that's a well understood problem with many
>>> existing tools that can help with that.
>>> 
>>> Best Regards,
>>> 
>>> Michael Young
>>> M:+1-647-289-1220
>>> 
>>> 
>>> 
>>> -----Original Message-----
>>> From: Dave Piscitello [mailto:dave.piscitello at icann.org]
>>> Sent: March-08-11 2:49 PM
>>> To: Michael Young; 'Smith, Bill'
>>> Cc: tech-whois at icann.org
>>> Subject: Re: [tech-whois] A follow up session in San Francisco?
>>> 
>>> Michael you raise an excellent point re: IPv6.
>>> 
>>> I also think you touch on important benefits of "knowing the source":
>>> accountability and auditing. Anonymity is very different from
>>> accountability but the Internet fails to make this distinction and
>>> thus abuse flourishes.
>>> 
>>> There are several forms of authentication that can provide auditing
>>> or a basis for rate limiting that do not require disclosure of
>>> personal information or creation of an identity, e.g., guest accounts
>>> that can be bound to sessions, connections, validated origin IP addresses.
>>> There's a lot of room between "unknown origin, unknown querying party"
>>> to "non-repudiable originator of a request".
>>> 
>>> 
>>> On 3/8/11 2:20 PM, "Michael Young" <michael at mwyoung.ca> wrote:
>>> 
>>>> "- access control, which most WHOIS providers have implemented at
>>>> the TCP/IP level
>>>> 
>>>> Without source address validation, IP level access control is not
>>>> sufficient. Even with IP level access control, the granularity of
>>>> access control is arguably less than one might want in a future
>>>> incarnation of a Whois service. For example, an IP level access
>>>> control does not accommodate a future policy that might block a user
>>>> of group X from accessing a subset of registration data elements
>>>> {b} while allowing a user of group Y access to those elements. A
>>>> robust directory service protocol ought to accommodate this."
>>>> 
>>>> First of all I agree with this point but let me reinforce/add that
>>>> the current rate limiting methodologies based on traffic from source
>>>> IPs becomes much trickier with IPv6.  I don't see any practical
>>>> reason why every user of a whois service shouldn't have to
>>>> authenticate to get a response. Just because it's a free public
>>>> service doesn't mean someone seeking the data can't sign up for a
>>>> user ID.  Sign up systems can be automated and protected from
>>>> machine based registration, subsequent whois lookups would always be
>>>> tied to User ID and usage policy enforcement can be made against
>>>> individuals instead of IP addresses.
>>>> You can also create classes of users with different traffic policy
>>>> expectations (provided you were still in compliance with any
>>>> contractual obligations).
>>>> 
>>>> I know this is a fundamental change from today, but the more I think
>>>> about it, the more I see the practicality and operational
>>>> sensibility in going that route.
>>>> 
>>>> Best Regards,
>>>> 
>>>> Michael Young
>>>> M:+1-647-289-1220
>>>> 
>>>> 
>>>> 
>>>> -----Original Message-----
>>>> From: tech-whois-bounces at icann.org
>>>> [mailto:tech-whois-bounces at icann.org] On Behalf Of Smith, Bill
>>>> Sent: March-08-11 1:22 PM
>>>> To: Dave Piscitello
>>>> Cc: tech-whois at icann.org
>>>> Subject: Re: [tech-whois] A follow up session in San Francisco?
>>>> 
>>>> 
>>>> On Mar 7, 2011, at 12:13 PM, Dave Piscitello wrote:
>>>> 
>>>> 
>>>> On 3/7/11 2:45 PM, "Jay Daley" <jay at nzrs.net.nz> wrote:
>>>> [snipped]
>>>> 
>>>> The only two that cannot be addressed this way are:
>>>> 
>>>> - authentication, which is the feature where I think we are talking
>>>> about a very different protocol from WHOIS
>>>> 
>>>> Agree.
>>>> 
>>>> Why would we consider requiring authentication when accurate WHOIS
>>>> information is available to the public?
>>>> 
>>>> 
>>>> - access control, which most WHOIS providers have implemented at the
>>>> TCP/IP level
>>>> 
>>>> Without source address validation, IP level access control is not
>>>> sufficient. Even with IP level access control, the granularity of
>>>> access control is arguably less than one might want in a future
>>>> incarnation of a Whois service. For example, an IP level access
>>>> control does not accommodate a future policy that might block a user
>>>> of group X from accessing a subset of registration data elements
>>>> {b} while allowing a user of group Y access to those elements. A
>>>> robust directory service protocol ought to accommodate this.
>>>> 
>>>> 
>>>> 
>>>> With respect, I trust we aren't talking about a directory service
>>>> for the Internet public.
>>>> 
>>>> 
>>>> _______________________________________________
>>>> tech-whois mailing list
>>>> tech-whois at icann.org
>>>> https://mm.icann.org/mailman/listinfo/tech-whois
>>>> 
>>> 
>>> 
> 
> 
> --
> Jay Daley
> Chief Executive
> .nz Registry Services (New Zealand Domain Name Registry Limited)
> desk: +64 4 931 6977
> mobile: +64 21 678840


-- 
Jay Daley
Chief Executive
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 931 6977
mobile: +64 21 678840
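The shifting-mask aggregation Jay describes in his reply (per-host counting, then /31, /30, ... for IPv4 and /55, /54, ... for IPv6), as an added example that is not part of the original thread. It assumes a single constant query limit at every mask length and an IPv6 stop point of /32; the sample window is constructed.

```python
import ipaddress
from collections import Counter

# Mask ranges from the e-mail: IPv4 aggregates from /31 up to /16, IPv6
# from /55 upwards; the IPv6 stop point (/32) is an assumption.
MASK_RANGES = {4: (31, 16), 6: (55, 32)}

def offending_prefixes(sources, limit):
    """Map each prefix whose query count exceeds `limit` to that count.

    `sources` holds one source address string per query seen in a window.
    Each address family is first checked per host, then aggregated under
    progressively shorter masks, so queries spread across many hosts of
    one allocation still accumulate against a single counter. Queries
    already attributed to a flagged finer prefix are not counted again at
    coarser levels, so one noisy host does not get its whole /16 flagged.
    """
    hosts = Counter(ipaddress.ip_address(s) for s in sources)
    offenders = {}
    for version, (fine, coarse) in MASK_RANGES.items():
        net_cls = ipaddress.IPv4Network if version == 4 else ipaddress.IPv6Network
        fam = {a: n for a, n in hosts.items() if a.version == version}
        for a, n in fam.items():                       # per-host level
            if n > limit:
                offenders[net_cls(int(a))] = n
        for plen in range(fine, coarse - 1, -1):       # shifting mask
            per_net = Counter()
            for a, n in fam.items():
                per_net[net_cls((int(a), plen), strict=False)] += n
            for net, n in per_net.items():
                covered = sum(c for sub, c in offenders.items()
                              if sub.version == version and sub.subnet_of(net))
                if n - covered > limit:
                    offenders[net] = n
    return offenders

# Constructed sample window: 120 queries from 120 distinct hosts inside one
# IPv6 /56 allocation, one busy IPv4 host, and a little genuine traffic.
SAMPLE = ([f"2001:db8:1234:56{i % 256:02x}::{i + 1:x}" for i in range(120)]
          + ["192.0.2.10"] * 60 + ["192.0.2.11", "2001:db8:ffff::1"])

def demo(limit=50):
    return {str(net): n for net, n in offending_prefixes(SAMPLE, limit).items()}

if __name__ == "__main__":
    print(demo())
```

No single IPv6 host in the sample exceeds the limit, yet the aggregate at /55 does, which is the point Jay makes against the "shifting source IP" bypass; the neighbouring 192.0.2.11 stays unflagged because the busy host's queries are already attributed to its own /32.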
