[NCAP-Discuss] Draft final Study 1 report

Danny McPherson danny at tcb.net
Fri Apr 24 18:26:23 UTC 2020


On 2020-04-24 11:03, Matt Larson wrote:
> Dear colleagues,
> 
> Attached is Karen's draft of the final version of Study 1. Changes
> since the last version are highlighted, but the significant updates
> are in Section 5 (Datasets) and the addition of an executive summary
> and a conclusion.
> 
> OCTO has told Karen all along that she should feel free to reach
> whatever conclusion she felt warranted by the research she's done. We
> have not attempted to undermine her professional integrity by leading
> her in any particular direction.

So Matt, this is Karen's work product and conclusion set and not those 
of NCAP or the SSAC, I presume?


> We'd be grateful for your review and comment. We'll be following the
> same process as we did with the draft version of the report: this
> group has a chance to comment first and then the report will go out
> for a formal Public Comment.

Are we commenting on what we believe are Karen's conclusions and what 
she feels warranted by the "research" she's done?

> In order to stay on schedule to deliver the final report to the Board
> by 30 June as we've promised, we need any feedback from this group by
> next Friday, 1 May.


Some specific comments, for Karen, I suppose:

I find some statements in section 6 inaccurate and the conclusions 
unsupported, if this is based on what Karen thinks and feels warranted 
v. some poll and discussion of the WG then that should be clear, but I 
don't think that's what most of us signed up to.  For example:

“The only known work on name collisions during the past few years has 
been from ICANN by the NCAP DG  and the New gTLD SubPro Working Group. 
There does not appear to be any recent academic research into the causes 
of name collisions or name collision mitigation strategies.”

I know Verisign has published two peer reviewed academic papers in 
2016[1] and 2017[2] that directly measure name collisions and identify 
various associated vulnerabilities. There have also been other industry 
publications directly talking about name collisions and similar 
vulnerabilities (just to name a few[3][4][5]).  In the last several 
years, we have also seen ORDINAL[6] come online and their analysis deck 
that was distributed on the NCAP mailing list[7]. Work has also been 
going on in the IETF[8].  There is also a patent[9] Verisign filed in 
2017 for detecting and remediating highly vulnerable domain names that 
is an alternative or complementary system to Controlled Interruption. In 
all, Verisign alone provided over 50 citations all since 2013 (which is 
certainly fresh considering how long even this SSAC / NCAP work has been 
occurring), are you saying none of these have content that NCAP and 
ICANN should consider?

“New causes for name collisions are far more likely to be found by 
investigating TLD candidates for potential delegation on a case by case 
basis.”

How was this conclusion made? What evidence supports it? Broad studies 
are fundamental to understand the diversity and general behavior of a 
system. The DNS today is significantly different than the DNS in 2012. 
Without doing the work of Study 2, how are we sure that risk 
measurements and investigations are effective using old, dated 
baseline models?

“Regarding Study 3, the review of prior work has not identified any new 
mitigation strategies for name collisions to be tested.”

This statement puts the cart in front of the horse. This implies that 
all known causes of name collisions are well understood. Without a 
thorough understanding of the various reasons name collisions occur and 
how they behave, how can a mitigation strategy be designed properly?

Further, no actual work has been done on the currently proposed 
mitigation with controlled interruption and the efficacy thereof - 
apparently even in places where apparently SLDs such as corp.com are 
extremely risky (largely because of .CORP) the inventors didn't opt to 
use it when they controlled the domain.


This whole process seems wonky to me....

Patrik & Jim, what is SSAC's role in this WP?


[1] https://www.ieee-security.org/TC/SP2016/program-papers.html#oakland16-81
[2] https://dl.acm.org/doi/10.1145/3133956.3134084
[3] https://www.us-cert.gov/ncas/alerts/TA16-144A
[4] https://blog.trendmicro.com/trendlabs-security-intelligence/badwpad-doubtful-legacy-wpad-protocol/
[5] https://blog.redteam.pl/2019/10/internal-domain-name-collision-dns.html
[6] https://www.icann.org/en/system/files/files/presentation-ordinal-datasets-colliding-domains-13may17-en.pdf
[7] https://mm.icann.org/pipermail/ncap-discuss/2020-February/000202.html
[8] https://tools.ietf.org/html/rfc8244
[9] Patent US20170279846A1

