[CPWG] SSAC and Steve Crocker interventions - and the Global Public Interest

gopal gopal at annauniv.edu
Wed Nov 1 14:00:31 UTC 2023


Olivier: Thank you for posting the recording of the Joint Session: ALAC & SSAC

My special thanks to Steve Crocker for highlighting the earliest well noted Cache [Server Side] Poisoning attack.

Suggested Reference:

Hoai Viet Nguyen, Luigi Lo Iacono, and Hannes Federrath. 2019. Your Cache Has Fallen: Cache-Poisoned Denial-of-Service Attack. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security (CCS '19). Association for Computing Machinery, New York, NY, USA, 1915–1936. https://doi.org/10.1145/3319535.3354215
The Denial-of-Service attack has a property. It stays just like that until the service is needed. In other words it is an attractor on the "bad news" that always spreads fast in any given network.

Since this is Web Caching [Client Side], I am inclined to think that the "application" developers can keep the Denial of Service appear "recurring" many times using the seemingly infinite memory at their disposal.

Steven M Bellovin [1990] wrote a paper titled "Using the Domain Name System for System Break-ins" and withheld its publishing for over four years.

The Web Cache Poisoning denies some services but can signal automated service(s) that are quite different or happening even elsewhere.

It is a good idea to have a battery of committees looking at the seemingly recurring Denial of Service that is simply stuck very attractively, if I may be permitted to say so. The committees can keep it adequately attractive in their own way. This will thus remain under the aegis of a given organization for a long enough time for working on a long-term solution.

Any statistics on how vulnerable the web cache is?

Since there are not many secure coding experts, my hunch is it is very vulnerable.

Your thoughts...

Sincerely,



Gopal T V
0 9840121302
https://vidwan.inflibnet.ac.in/profile/57545
https://www.facebook.com/gopal.tadepalli
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Dr. T V Gopal
Professor
Department of Computer Science and Engineering
College of Engineering
Anna University
Chennai - 600 025, INDIA
Ph : (Off) 22351723 Extn. 3340
       (Res) 24454753
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

________________________________
From: CPWG <cpwg-bounces at icann.org> on behalf of Olivier MJ Crépin-Leblond via CPWG <cpwg at icann.org>
Sent: 01 November 2023 17:41
To: Wolfgang Kleinwächter <wolfgang at kleinwaechter.info>; Olivier MJ Crépin-Leblond via CPWG <cpwg at icann.org>
Subject: Re: [CPWG] SSAC and Steve Crocker interventions - and the Global Public Interest

Dear Wolfgang,

definitely a topic which Chris could be focussing on.
I note he has joined the Organizational Effectiveness Committee, the Strategic Planning Committee and the Technical Committee.

But isn't this also a topic for the Accountability Mechanisms Committee?
León Sánchez (Chair)
Becky Burr
Sarah Deutsch
Patricio Poblete
Katrina Sataki

Kindest regards,

Olivier

On 01/11/2023 11:13, Wolfgang Kleinwächter wrote:
Thx. Olivier,

very helpful. Isn't this a chance and challenge for Chris Buckridge?

w

Olivier MJ Crépin-Leblond via CPWG <cpwg at icann.org> wrote on 01.11.2023 11:52 CET:


Dear Colleagues,

during the ICANN meeting, the ALAC met with the SSAC and touched on several topics.
A recording is linked below - but a particularly interesting intervention was that of Dr. Steve Crocker.

Joint Session: ALAC & SSAC
Session Details: https://sched.co/1T4Kr
Zoom Recording: https://icann.zoom.us/rec/share/wglfBxy1wiD1QWzk0yxQbBf5Wa-1ocJWLCcfc7SUCrra5zR9z5gozfOFXVp_3Qdp.saTcYJQPcR7nbXGM?startTime=1697973518000

Steve Crocker starts on: 00:08:56 - and touches on some interesting topics.
At 21:48 - Dr. Crocker provides his opinion about the WHOIS situation, which in his view has been broken for many years.
The "System", meaning the ICANN policy and implementation of the Registration Data Request System (RDRS) reflects concerns of the domain owner side, its Registrar, Registries, but very little on the Requester side.
And then the comments at 26:24, tagged as a personal opinion, about the ICANN consensus process being flawed relating to this topic.

These are significant words coming from an ex-Chair of ICANN who had access to all of the ICANN inside track.

The SSAC also had a meeting with the ICANN Board. Again, several members of the SSAC raised some significant points - whereas the "consumer", which includes end users, is faced with a ridiculous process put in place by incorrect implementation of ICANN policy.

Joint Session: ICANN Board and SSAC
Session Details: https://sched.co/1T4Ht
Zoom Recording: https://icann.zoom.us/rec/share/EgEGgiDRs1DIr7arQu_UBULIw1k-zhsk9bouuxnufPYg5F-u_tSkpy4RbeEg1EjW.aCjin6h4k9w_hzrm?startTime=1698152456000

Several SSAC members noted a pattern of not involving the consumer in the design of these systems. A particular concern relates to "urgent requests", which the PDP has addressed with a response in a matter of days - not hours or minutes.

Steve Crocker speaks at: 22:42
John Levine speaks at: 32:49

Both Avri Doria and Edmon Chung provide very valuable input into the discussion - and explain that ultimately the Board is tasked with upholding the Global Public Interest.

But the point is made that CISA DS ( https://www.cisa.gov/news-events/directives ) which was included initially as consensus policy does not appear to be in the contracts signed with ICANN - and the SSAC member asking the question (Benedict Addis - a technical officer in the Cyber and Forensics department of the Serious Organised Crime Agency (SOCA), a UK law enforcement body) regarding access to Registrant data in emergency situations - those of hostage taking or where there is a matter of life or death, does not seem particularly impressed.

The ICANN Board - as Becky Burr said - agrees that the system is not fit for purpose. "The Board will be bringing the urgent request issue back to the GNSO council".

At 50:00 Rod Rasmussen spoke of "things that don't quite work right" - but is careful in mentioning SSAC are not picking on Contracted Parties.

Sadly, two of the Board members that focussed in particular on the topic were Avri and Matthew and they have now left the Board. I hope other Board members will pick up the helm of the Public Interest because it becomes clear that there is a problem here.

Could it be useful to take these problems as examples to support the need for an ICANN pilot Holistic Review?

Kindest regards,

Olivier

