[NCAP-Discuss] Defining and Naming Methodologies

Casey Deccio casey at deccio.net
Tue Aug 8 00:58:48 UTC 2023 

In last Wednesday's NCAP call, I expressed my confusion related to the differences in understanding of the proposals that have been discussed.  We were asked to go back and review the definitions of some of these proposals.

Let me share some history here.  In each mailman message, please read the whole thread.

In February 2022, Jeff Schmidt posted a cost-benefit of proposed interruption and data collection techniques:
https://mm.icann.org/pipermail/ncap-discuss/2022-February/000744.html

The slides from the presentation above clearly refer to active collision assessment as a mechanism in which HTTP(S) requests are intercepted.

However, noting that there still seemed to be some specification confusion, Jeff later posted the following:

https://mm.icann.org/pipermail/ncap-discuss/2022-February/000794.html
(Discussion continues in Nov 2022:)
https://mm.icann.org/pipermail/ncap-discuss/2022-November/000998.html
(Discussion continues in Aug 2023:)
https://mm.icann.org/pipermail/ncap-discuss/2023-August/001206.html

These threads also show application-layer interception as part of active collision assessment.

In October 2022, I shared with the group the writeup I prepared "A Comparison of Proposed Techniques", which is similar in many ways to both sets of slides Jeff posted in February 2022.
https://mm.icann.org/pipermail/ncap-discuss/2022-October/000968.html
(Discussion continues here:)
https://mm.icann.org/pipermail/ncap-discuss/2022-November/000980.html
(Actual document):
https://docs.google.com/document/d/14g4hp_BlosWQJ6-otygww9OHmu1C0GCHIMyfsinbqOE/edit?usp=sharing

In the November 9, 2022, NCAP call, I shared this comparison with the group:
https://community.icann.org/pages/viewpage.action?pageId=221348112

This document -- with some modifications -- is now part of the NCAP Study 2 document as Sections 1 - 3 (specifically section 3.5 and 3.6):
https://docs.google.com/document/d/13SQnZt1HHeD9i1cSds-kj16mxRQgxp6hpb2K1kLqB1U/edit?usp=sharing

The original document -- and these sections in the Study 2 doc -- very clearly show active collision assessment as a mechanism that (in part) intercepts application-layer information.

In February 2023 I shared my thoughts on the proposed techniques, AND I introduced a new technique ("reject-all") which is a variation on active collision assessment (as previously defined):
https://mm.icann.org/pipermail/ncap-discuss/2023-February/001105.html
(Discussion continues in Mar 2023:)
https://mm.icann.org/pipermail/ncap-discuss/2023-March/001131.html

Note that the "reject-all" proposal is *not* currently integrated into the NCAP Study 2 doc.  I *propose* that it be considered as one of the options, for the reasons described in my email above.

As I reviewed past discussions, I did find that this (Feb 2023) was not the first time this has been referenced.  Matt Thomas alluded to this on the list in Feb 2022:
https://mm.icann.org/pipermail/ncap-discuss/2022-February/000775.html
But the very next response seemed to disagree:
https://mm.icann.org/pipermail/ncap-discuss/2022-February/000776.html
The confusion was caught immediately:
https://mm.icann.org/pipermail/ncap-discuss/2022-February/000784.html

Fast forward to last week, when we observe this from the chat transcript on the August 2, 2023, meeting:
https://icann.zoom.us/rec/play/6X_woMuHOsxAK60F_KVko-P5DDLoRt_1h9K6KcvyFr_10dXv1Hd5Jpc_vzBtLu4IjZ-xFgPE-RFufuk.UL2RISdM4RL0xjPM

> James Galvin (he/him)
> 33:01
> ACA - current working model is delegation with a return of an IP address (IPv4 and IPv6) for an authoritative server that captures additional meta data about usage of the name. there are two methods under ACA today: controlled interruption as defined in 2012 and the minimal honeypot we have been discussing ad infinitum.
> 
> Casey Deccio
> 52:39
> Another model that has been proposed is the active-reject model, where clients reach out, but all TCP connections are reset.
> 
> James Galvin (he/him)
> 54:02
> Exactly Casey. That’s what I meant by minimal honeypot.

My first confusion was referring to controlled interruption as a "method" of active collision assessment, when we've always compared active collision assessment against controlled interruption.  Second, I'm not sure I've heard this term "minimal honeypot" with any sort of regularity before, and I don't recall discussing it by that name or by its description (is this the reject-all proposal?) "ad infinitum".

So far I've only discussed active collision assessment.  I haven't even touched passive collision assessment.  For example, Jeff Schmidt made this comment about lack of technical detail:
https://mm.icann.org/pipermail/ncap-discuss/2022-November/000989.html
It is echoed later on, including here, by Matt Larson:
https://mm.icann.org/pipermail/ncap-discuss/2022-November/000993.html

Okay, so now what?  Passive collision assessment and active collision assessment are definitely ambiguous - shown most recently in last week's (Aug 2, 2023) meeting.  We need precise terms.  For example (I'm not expecting these to stick, per se):

1. Delegation of minimal TLD zone or Delegation of apex-only TLD zone.
2. Resolution to loopback using special IP address in 127/8.
3. Transport-layer rejection at publicly available IP address.
4. Application-layer interception at publicly available IP address.
5. Eliciting DNS lookups using ads embedded in Web browsers

Now, I'm not suggesting that the technical details of these are all spelled out with these more succinct names.  In fact, some will argue that there's more confusion.  I'm not suggesting that these are popular, but it's clear that terms that we've coined and used in the past have been misunderstood and/or changed over time.  At this point, understanding what we're dealing with is more important than making them easy to say or even market.

The way I have understood things is: #1 is passive collision assessment, #2 is controlled interruption, and #3 is reject-all (and maybe what was referred to as "minimal honeypot" las week?).  Active collision assessment is a combination of #4 (for ports 80, 443, and others where interception was proposed) and #3 (for all other ports).  And, of course, #5 is the ad-based measurements using, which I believe is proposed to happen in the environment specified by #1.

It makes more sense to discuss (or not discuss) the issue of (for example) application-layer redirection when we know whether we're talking about #3 vs. #4, for example.
https://mm.icann.org/pipermail/ncap-discuss/2022-February/000796.html
https://mm.icann.org/pipermail/ncap-discuss/2023-August/001206.html
https://mm.icann.org/pipermail/ncap-discuss/2023-August/001208.html

Casey
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mm.icann.org/pipermail/ncap-discuss/attachments/20230807/a38bede7/attachment.html>

More information about the NCAP-Discuss mailing list