Reality Check

Tim_McKee1 · March 14, 2001, 6:08pm

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Let's have a reality check here.

Our job as **OPERATORS** is to provide our subscribers with simple and
reliable access to what they consider as the Global Internet. They have the
following 2 reasonable expectations:

1) That they can access any publicly acessible web, ftp, email, etc server
anywhere in the world by using the destination's published textual address.
Without, I might add, having to know that certain locations require loading
a special plug-in, changing their resolver, or artificially padding the
name.

2) That their customers or prospective customers can access any server OF
ANY TYPE that they declare to be public by means of a single published
textual address, usually in URL format. Again, with the same caveats as
item 1.

Jim_Dixon · March 14, 2001, 7:42pm

Let's have a reality check here.

Our job as **OPERATORS** is to provide our subscribers with simple and
reliable access to what they consider as the Global Internet. They have the
following 2 reasonable expectations:

1) That they can access any publicly acessible web, ftp, email, etc server
anywhere in the world by using the destination's published textual address.
Without, I might add, having to know that certain locations require loading
a special plug-in, changing their resolver, or artificially padding the
name.

Bear in mind that in many cases, this is an illusion. They aren't
accessing the same machine at all. Someone is using round robin DNS
to map one name into several IP addresses, or a Local Director to
map one IP address into many IP addresses, or there is some other such
substitution being employed.

In some cases the party serving the data is involved in the illusion.
In others, as in transparent proxying, someone along the way is
intervening. This is often silent and may have the consent of neither
the user/client or whoever is running the intended target.

Remember that, regardless of theoretical arguments, _WE_ are the ones that
have to deal with the messes that result from things like this... _WE_ are
the ones who will have to pay for the increased NOC and Tech Support staff
and phone charges...

My point is that we are already in the world that you are warning us
about. People are happily using one address space within their
company and quite another to talk to the outside world, with NAT
mediating between the two. Their internal DNS is also different from
the DNS seen on the global Internet. And it all seems to be working
exceedingly well, despite the fact the games people play with IP
addresses and domain names are becoming very subtle indeed.

Tim_McKee1 · March 14, 2001, 8:28pm

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Technical points taken, but we need to clearly differentiate between the
internal (including local director type internal) addresses and what I and
the end users would consider to be published PUBLIC addresses. These had
better work or we will start to lose customers followed shortly thereafter
by revenue.

> Our job as **OPERATORS** is to provide our subscribers with simple and
> reliable access to what they consider as the Global Internet.
They have the
> following 2 reasonable expectations:
>
> 1) That they can access any publicly acessible web, ftp, email,
etc server
> anywhere in the world by using the destination's published
textual address.
> Without, I might add, having to know that certain locations
require loading
> a special plug-in, changing their resolver, or artificially padding the
> name.

Bear in mind that in many cases, this is an illusion. They aren't
accessing the same machine at all. Someone is using round robin DNS
to map one name into several IP addresses, or a Local Director to
map one IP address into many IP addresses, or there is some other such
substitution being employed.

In some cases the party serving the data is involved in the illusion.
In others, as in transparent proxying, someone along the way is
intervening. This is often silent and may have the consent of neither
the user/client or whoever is running the intended target.

Yet in all cases, except where something is physically broken or out of
synch, the initiating user and the terminating server expect that access to
information or services via a documented public mnemonic URL will provide
the same information (or a cached copy of it) to every user globally. If it
doesn't WE are the ones that are held responsible by the users.

> Remember that, regardless of theoretical arguments, _WE_ are
the ones that
> have to deal with the messes that result from things like
this... _WE_ are
> the ones who will have to pay for the increased NOC and Tech
Support staff
> and phone charges...

My point is that we are already in the world that you are warning us
about. People are happily using one address space within their
company and quite another to talk to the outside world, with NAT
mediating between the two. Their internal DNS is also different from
the DNS seen on the global Internet. And it all seems to be working
exceedingly well, despite the fact the games people play with IP
addresses and domain names are becoming very subtle indeed.

But once again, when they access or publish a PUBLIC URL, they have
expectations that it will work and it will work the same for everyone
regardless of location or ISP affiliation. I don't consider internal
network workings to be public in nature.

Tim

Jim_Dixon · March 14, 2001, 9:13pm

> Bear in mind that in many cases, this is an illusion. They aren't
> accessing the same machine at all. Someone is using round robin DNS
> to map one name into several IP addresses, or a Local Director to
> map one IP address into many IP addresses, or there is some other such
> substitution being employed.
>
> In some cases the party serving the data is involved in the illusion.
> In others, as in transparent proxying, someone along the way is
> intervening. This is often silent and may have the consent of neither
> the user/client or whoever is running the intended target.

Yet in all cases, except where something is physically broken or out of
synch, the initiating user and the terminating server expect that access to
information or services via a documented public mnemonic URL will provide
the same information (or a cached copy of it) to every user globally. If it
doesn't WE are the ones that are held responsible by the users.

That may be true. Nevertheless, the existing system works. Whenever
it fails to work, we fix it.

> My point is that we are already in the world that you are warning us
> about. People are happily using one address space within their
> company and quite another to talk to the outside world, with NAT
> mediating between the two. Their internal DNS is also different from
> the DNS seen on the global Internet. And it all seems to be working
> exceedingly well, despite the fact the games people play with IP
> addresses and domain names are becoming very subtle indeed.

But once again, when they access or publish a PUBLIC URL, they have
expectations that it will work and it will work the same for everyone
regardless of location or ISP affiliation. I don't consider internal
network workings to be public in nature.

And that is of course true. But we still have a working system,
one in which we, the network operators, ensure that our customers
are content that the illusion with which we present them is correct.

Now consider the relative complexity of the systems involved. In
one, there are at least tens of thousands of address fiddles in
operation, cases in which the machine you think you are accessing
is not the machine that you are really accessing. This goes on
all the time. Moderately often there are glitches. When there
are, we fix it or complain to someone who can. Generally speaking,
problems get resolved fairly quickly.

In the other case, there are a couple of hundred mappings from
domain names like .COM, .UK, .NET, .FR into the IP addresses of name
servers authoritative for these names. Someone else pointed out
that the information involve is around 60 KB in all. Please
convince me that the world's ISPs are not capable of managing
this simple task.

Spelling out the obvious: let's say that VBCnet started referring
our customers to the wrong name server to resolve names in .COM.
How many minutes would it be before the phones began ringing off
the hook? I can assure you that we would fix it really fast, and
take steps to make sure that we didn't screw up again.

Tim_McKee1 · March 14, 2001, 9:36pm

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yes, we fix things when they break. We have done so for years. What I
don't want to see happen is for us to allow a system to be put in place that
CAN'T BE FIXED.

If several 'pirate' TLD providers all offer up the same TLD how do we fix
conflicts? No matter which one we choose to put first in our search list we
will end up being sued by the others... It's guaranteed. The only legally
defensible mechanism is to not allow ANY patches - that is to say we enforce
the only root zone authority that has any real recognized legal standing. I
know if I started one of these companies I would start looking for legal
targets immediately.... There's more potential money there than in the
registration business itself.

Tim

Jim_Dixon · March 14, 2001, 10:53pm

Yes, we fix things when they break. We have done so for years. What I
don't want to see happen is for us to allow a system to be put in place that
CAN'T BE FIXED.

With all due respect, you are ignoring everything that I have said.

We are already dealing with a system that is far more complex than
the one that you are describing as unfixable -- and we are coping
with it quite well.

If several 'pirate' TLD providers all offer up the same TLD how do we fix
conflicts? No matter which one we choose to put first in our search list we
will end up being sued by the others... It's guaranteed. The only legally

I must be missing something.

Various parties have been providing access to alternative roots of one
kind or another for several years. Who is suing anybody?

What would the grounds for the lawsuit be?

And does this sudden shift in arguments mean that you are conceding
my main point, that there are no serious technical difficulties
involved?

defensible mechanism is to not allow ANY patches - that is to say we enforce
the only root zone authority that has any real recognized legal standing. I
know if I started one of these companies I would start looking for legal
targets immediately.... There's more potential money there than in the
registration business itself.

I think that in the real world if several different registries offered
the same top level domain and this resulted in any ambiguity, no one
would use the top level domain. The market would sort out any
ambiguity very very quickly.

Scott_Francis3 · March 15, 2001, 12:44am

On Wed, Mar 14, 2001 at 09:13:17PM +0000, Jim Dixon had this to say:

Spelling out the obvious: let's say that VBCnet started referring
our customers to the wrong name server to resolve names in .COM.
How many minutes would it be before the phones began ringing off
the hook? I can assure you that we would fix it really fast, and
take steps to make sure that we didn't screw up again.

problem arises when individuals or organizations _purposefully_ subvert
nameserver resolution. This entire thread has not been about the possibility
of 'accidental' collisions, but more about who has the right to be the One
True foo.com - if there are two entities each claiming that right, who do
you believe, and why?

How do you define 'wrong' as quoted above when both destinations claim to
be right, and only a court can settle their differences? If you arbitrarily
choose, the entity you excluded, and probably some segment of your customers,
will be very unhappy with you for 'censoring' or otherwise 'choosing' for them
where 'foo.com' traffic will go, rather than allowing them to choose
themselves.

The real problem here, the one that needs to be stopped before it can start,
is the possibility of more than one correct answer to any given question "where
does this domain point to?" No matter _who_ you ask, you should _always_ receive
the same unique answer. The Internet in its current incarnation REQUIRES
globally unique addressing. As soon as you have more than one Correct Answer,
things begin to break, and lawyers come eagerly knocking.

Scott_Francis3 · March 15, 2001, 6:19pm

On Wed, Mar 14, 2001 at 10:53:04PM +0000, Jim Dixon had this to say:

I think that in the real world if several different registries offered
the same top level domain and this resulted in any ambiguity, no one
would use the top level domain. The market would sort out any
ambiguity very very quickly.

_I_ think you give the market much more credit than it deserves. But that's
just based on my own limited experience. *shrug*

Patrick_Greenwell1 · March 15, 2001, 9:10pm

If you own your network and are free to direct packets where you would
like them to go, rather it be to the DoC rootservers, the ORSC root
servers, or to blackhole new.net servers, how is it possible to
"subvert" nameserver resolution?

Scott_Francis3 · March 15, 2001, 11:07pm

On Thu, Mar 15, 2001 at 01:10:31PM -0800, Patrick Greenwell had this to say:

> > Spelling out the obvious: let's say that VBCnet started referring
> > our customers to the wrong name server to resolve names in .COM.
> > How many minutes would it be before the phones began ringing off
> > the hook? I can assure you that we would fix it really fast, and
> > take steps to make sure that we didn't screw up again.
>
> problem arises when individuals or organizations _purposefully_ subvert
> nameserver resolution.

If you own your network and are free to direct packets where you would
like them to go, rather it be to the DoC rootservers, the ORSC root
servers, or to blackhole new.net servers, how is it possible to
"subvert" nameserver resolution?

The same way people have learned to make sure that a search for "Anna
Kournikova" (for instance) returns, say, 200 records that are sites/pages
that have nothing whatever to do with Anna Kournikova, and a whole LOT to do
with bringing in cash to the sites in question.

If there is money to be made (which there is), people will ALWAYS find a way to
exploit inconsistencies in the system, unless it is NOT ALLOWED. See my reply
to Jim Dixon - if a query for domain.xxx returns one site in one root zone, and
another site in another zone, either site is likely to sue the alternate zone
operator and/or the other site for infringement, improper business practice or
whatever they can manage in order to get the hits going to the other site.

Sad as it may be, there will always be a contingent of folks that look to their
lawyer as a tool to steal things from others. If we allow a loophole, it _will_
be exploited. Solution: do not allow inconsistencies in the root, and multiple
roots will always allow for inconsistencies.

Shawn_McMahon · March 16, 2001, 2:08am

The same way people have learned to make sure that a search for "Anna
Kournikova" (for instance) returns, say, 200 records that are sites/pages
that have nothing whatever to do with Anna Kournikova, and a whole LOT to do
with bringing in cash to the sites in question.

This is self-defeating in the end; if your search site doesn't work, people
will stop using it.

If they stop using it, the advertising dollars will stop rolling in.

Thus, it's in the best interest of the owner of the search site to fix
the problem. Hence why people are flocking to the latest best technology
they can find, such as Google.

If there is money to be made (which there is), people will ALWAYS find a way to
exploit inconsistencies in the system, unless it is NOT ALLOWED. See my reply

Understand that anytime you choose to have the law prohibit something, you
are eliminating choice at the point of a gun.

You are telling people that if they choose to believe differently from
you, you are willing to set into motion a chain of events that can only
end in one of two ways: either they eventually give in at some point in
the process, or they get shot.

This is worth it if you're talking about prohibiting behavior that hurts
people, but is it really worth it for disagreeing with you about business
models?