dotScale 2014 - Paul Mockapetris - Darwin & Protocols
Him him him him, all talked about Darwin, protocols, and as you might expect it's mostly about DNS. I put up the super slide show, how much people like identifiers: older for my seven email addresses, under the most you out there have many people want identifiers. The DNS is the basis of providing most of the identifiers we use today in the Internet.

The reason I'm saying Darwin and protocols is, I'm worried about the future of DNS, and I either want to replace it with something better, or one would enhance the DNS that we have, if you want, DNS version 2 or DNS or whatever. This is a Darwinian problem: it's about survival of the fittest, not necessarily the most good, most beautiful, or the protocol that was endorsed by the International Standards Organization. It's about being able to deal with the environment that we have, the Internet, and to do even better than it does today. Today most of the discussion so far has been about bright shiny new protocols, and this could be about enhancing oldster.

Why am I talking about protocols? Well, I invented the DNS way back when. We have about 30 years of experience about some of these Darwinian factors that have influenced the way that it has grown, and I think maybe it will help us think about what to do in the future. I started out on this endeavor about a year ago when ICANN came to me and they said, well, we want you to lead the strategic panel. Sort of, I was happily sitting in Paris thinking about assorted academic issues and worrying about, serve the commercial company in a civil, you know, the basis of our operation is DNS, maybe we ought to think about ways to enhance it. Because ICANN was a commercial company, and those of you that want to say it is not, that's fine, but if you have a third of $1 billion based upon DNS you might want to make sure the DNS survived. So they asked me to take a look at strategy for, say, the next decade, and this kind of energized me about actually thinking about the subject.

The present DNS is limiting in a number of ways, partially by its own success, and what I mean by that is every electronic device that talks to the Internet probably talks DNS. I'll let people come up with exceptions over cocktails, but that means that in order to use DNS you have to anticipate all of the different variants that are out there, and a lot of innovation is limited by a lot of the deployment that's already out there, whether it's a firewall or whatever knows the protocol. If you go to the IETF and you say I'm going to introduce some great new enhancement, they'll say that won't fly with the existing base, forget it, go away. In fact there was a DNS extensions working group; the IETF shut it down. All I have left is DNS operations, and the DNS operations people actually are slipping through loopholes in the process. They don't design protocols anymore, because that would not be an operational issue; they design mechanisms, and it's okay for them to design mechanisms. It looked to me like protocols, but that's kind of where we are today.

So you can't do anything about it. They said study this problem and I said okay, you want me to study a problem that I'd study anyway. Alright, the first thing I had to do was recruit a panel of people that would at least half of the wedding disagree with me on a regular basis. We had the chair of the IETF, who didn't appreciate my comments on the IETF process; Paul Vixie, who disagrees with me about almost everything; a bunch of other people. But now that I've talked about the panel, I want to say that the rest of this talk is pure Paul Mockapetris, or tall Paul, as we disambiguate the Pauls on the panel.

Let's go back to the start, 1983. What was the basis of the original DNS design? Well, first of all you have to realize that everyone at the time that looked at it said it was much too complicated. I thought it was just enough features so that we could get it off the ground. There was a balance; we left a lot of stuff out intentionally. So when Dan Kaminsky managed to break into DNS security, he was actually breaking into a door that had no lock, never mind being unlocked. But the idea was to grow it, and it was more recipe than invention. People are always saying, well, you didn't invent hierarchies, and I say I'm not sure which Pharaoh did. But the core values were that simple wins: we try to make the protocol a little bit like second set theory, it needs tree, that's the end of the story. Reliability through replication: it's amusing to me that I think this was the first case of a system that just said, no, you have to replicate. It was completely different from prior efforts, where you just retry to a particular high-reliability server. It must be inherently fast. And the distribution of authority and control: when people ask me why this protocol won over the OSI competition and so forth, it was because we enabled people to manage the names in their own network and not have to worry about any central authority.

I will talk about simple ideas. This is my favorite example of a simple idea. Over on the left, by the way, we'll pause here, you'd probably have to edit this part out due to copyright issues, but there is a caveman who has invented fire. What a great idea: one great simple idea means you can cook food, life is really good. And then there's log over there on the right, and song is in the spirit: he has his meat on the stick rather than holding it in his hand. And simple ideas like this I think are still out there. I think we could probably come up with innovations in the way that we do naming that are very basic. Another example is over on the right-hand side: it took 40 years from the first airliner to actually have jet airliners. The first airliner was in a zeppelin. You might say, well, jets, a very complicated innovation. It took another 40 years after that before people invented the wheelie bag. We had wheels on the bag you would bring into the airplane; for 40 years people were carrying in luggage. There's a lot of simple ideas that are still out there, I believe.

So what happened early on? Well, the original RFCs came in, early implementations came about a couple or three years later, depending upon some fine points. We had machines that didn't have a host table. I always think that you can tell whether or not something is a production system when people are operating without a backup of the previous system; we had that in two or three years. I was very happy to see in '86 that the first extension that I didn't write, an idea about mail routing, came about, and then we had the final set of specs that are still the base. It turns out that one of the things that I think is wrong with the current DNS is that those specs still stand. Why do they stand? It's because nobody is willing to go through the IETF process to try and rewrite the specs taking into account everything that we've learned, and because there's literally thousands of pages of fine detail that people have written up and think should be included in the spec. I don't think so; I think you need a simple and clear explanation for the next generation.

Other things got added. I take credit for the initial protocol design; I sometimes say I invented the basement and the first floor of the DNS building, and people have since put on another 15 to 17 floors, depending on how you count things like dynamic update, DNSSEC. It's been hard to get DNSSEC going; DNSSEC is on the order of 15 years old. It's been three years to get the DNS going, and 15 years at digital signatures, something's wrong, and we have to think about that. Those additions, depending upon who you talk to, in my view they filled in the blanks; other people thought, oh my God, no, that fixed the original scaling failures in the original design. But they were there and added to the richness of the ecosystem. One of the things I think most people don't appreciate is we defined about 60 new data types to go into the DNS, along with uses for those data types, and probably only 10 of them have been really successful, so there's a lot of failures. One way to look at it is I wrote about 100 pages of the original specs and there's probably 1000 pages of additions that came later.

So this is how the DNS was going to grow. What would happen is you'd start out with the host names and the name server records, that's the basic authority, and then people would add new services. So that was one new layer, that was MX, which was to route email, and then you'd have other services built on top that would grant the use of the DNS. And in some sense that's happened: when you send email today there's a small amount of DNS activity to route the email and there's a large amount of DNS activity to decide whether or not it's spam and whether or not its origin is certified and it should be delivered. You actually do more DNS lookups to try and not route mail than you do to route mail, so to speak. But now it's a database and you can put whatever you want in it.

Okay, so that's a nice theory. How did that work out? The best way to understand how it worked out is, first of all, well, about 10 out of 60. But what are the kind of problems that we ran into? RFID tags are one example. There's lots of different kinds of RFID out there: there's a kind of RFID that you see on door locks where your card opens the door, all the cows in North America have RFID tags, there's barcodes and there's RFID tags in cars to let you automatically charge tolls. What I think most people don't understand is that there's lots of different formats, about how many bits you get back from the tag. Some of that's understandable, because you want to be able to read the tag on a container ship from maybe 2 miles away, whereas when you're scanning groceries it only has to be 6 inches. Some of it is whether it's powered, and range. A lot of it was there was a bunch of existing systems: there is an existing system for consumer goods, there was an existing system used by the US military, one by NATO, blah blah blah. So how can we kind of unify? Well, the MIT people at the Auto-ID Center came up with an idea, and they said, well okay, what we'll do is we'll create a system where there is a prefix on the number and then there's the old code, so we embed all of the old code systems, and I said 96 bits was enough. But we need something, we need a database that could be distributed around the world and have millions of items in it, billions of queries, and total distribution. And they came to me and said, can we use the DNS for this? Leslie Escher why not. So they wrote a spec called ONS, and basically the way the spec worked is that the name space of the tag, there was the next part of the front said what numbering system you're using, but the rest of it was divided, just like an IP subnet mask is divided, however that particular regime wanted to divide it. So for example in pharmaceuticals it's very important to tag the exact lot, whereas perhaps if you're talking about the latest copy of the Batman book you don't really need to know which printing lot, you just need to know what edition of the book. So these tags would be different for books and for pharmaceuticals, for airplane parts and so forth.

So this went forward and I thought this was a really cool idea, this around six. Well, no, the MIT people defined it and they handed it over to EPCglobal, which has its headquarters just down the road, or down the river I guess, in the 15th, and EPCglobal is the people who defined barcodes. They put it in their committee and they said, well, what we need to do is, first of all, we're going to revise this, so the MIT version, which is the version 1, it becomes version 0.5, it's a prior version, and now our version 1 has a fixed three-level, better, we're done. And I was in the committee meeting, possible, why are you doing this? And they said, oh, because this thing that you talk about, like subnets and dividing the bits in different ways, it doesn't work. What do you mean it doesn't work? And they said, well, nobody has ever shown that the scheme would work. I said, well, every Internet host in the world shows that it works, that uses the exact same thing. They simply said it only works for 32 bits, it won't work for 96. So you know, my, heard the prior talk, I nearly started thinking about government versus standards bodies, where you run into more of this behavior, I'm not sure. It is a challenge. So this kind of didn't work, I think, because it was displacing an existing industry that wanted to stay in verticals as opposed to having an open standard. I'm not sure.

Another example was ENUM. People in the IETF decided, well, we need a way in this brave new world to route phone calls, and we should put that information in the DNS. I thought this is a great idea. I didn't really get involved in the effort, as I was off building routers. So how did this work out? Well, it didn't. Why not? Well, you can figure out how to take a phone number and reverse the digits and encode it in the DNS; it turns out people route phone calls on more than just the destination phone number. The reason you can have phone cards as well as expensive service is that the cheap phone cards are using a routing code that's based upon the phone card, to say, well, I want to route to this number but at a lower level of service. So ENUM just didn't meet the needs of mass-market routing, and it reduced the value of the expensive sort of six-figure equipment called session border controllers that a lot of equipment providers were selling into the phone companies. Again, the problem was it didn't meet the needs, and it was competing with an existing technology that didn't want to be displaced.

Security. Security is a general problem. Has security in the DNS kept up with the threats? We started the DNS in 1983, and I saw the first example of cache poisoning about seven years later; it turns out it was done by accident. But the DNS threat level has been growing, the yellow area, we don't know exactly where it is. We do know that we got to the Dan Kaminsky era, and this is basically where somebody figured out how to retry, in addition to the retry mechanism, over and over at gigabit speed, so that the fact that you would only succeed in breaking through one time out of 60, yeah, to the 16th, 54,000; well, if you try 64,000 times you probably were going to break through. So Dan discovered this and that accelerated the need to go to DNSSEC. People decided, well, what we'll do is in the meantime we'll change the way DNS is implemented so that there is a 32-bit number, so that you only have one chance in 16 million of breaking in per try. But if you think about it, what that means is that when you upgrade your network to be a 10 gig network from a one gig network, you made it 16 times faster for some major break-in using this particular kind of statistical attack. The statistical attacks are not something that were ever contemplated in the original design, and until we get to a DNSSEC, or something better, enabled world, we're basically still naked. You know, a bunch of the open source implementations I think are kind of below that threat level if you're being attacked at a gigabit rate. In the commercial company I work with, Nominum, we have some additional algorithms, but we can just slow it down, we can't stop it. We need to think about ways to create security for both the DNSSEC-enabled part of the world as well as the legacy part of the world, and right now we're just on thin ice and nobody seems to worry about that much.

Another thing that happened as DNS evolved is that the ecology of, I'll say DNS became DN$. You know, the Descartes rounded new TLDs have generated, you people have paid a third of $1 billion to try out these new domain names, so presumably they expect to have much more. Marketing, trademarks control a lot of what gets done at the top level. This also deducts, because of the way DNS was designed with UDP and because you can forge the source address, the DoS attacks are sort of the bad news in the DNS world. Figuring out how to deal with them is another case where faster links make the problem worse: if you give somebody a faster link they can mount a more effective DoS attack. So the environment has changed as well, and we need to think about how to evolve the protocol to evolve with the environment.

One example of the growth we've seen: I was kind of surprised, you were talking about a server that was 10,000 queries per second; that's sort of a server that should be loafing. The software quality in different server implementations varies a lot, but sort of a high-end Intel box should be doing approaching 1 million queries a second these days with high-end software; we could do a lot more. And we've gone from one query per webpage to, frequently, commercial webpages take a couple hundred DNS queries in order to validate, so we're seeing a lot more traffic.

So what do we do about this? What's the future? Can we keep up with it? Do we still use the core values that got us here? One of the core values was simple wins. I've been amazed recently at how much analysis people do on DNS traffic, and the complicated systems that people use. In fact one of the things I was asking Vint Cerf, I was saying, do you think more people got PhDs writing about DNS analysis or TCP analysis? I think I'm catching up. There's just a lot of academic studies out there. Can we keep a simple implementation structure? The reliability through replication is a winner, although now we're drifting towards implementing more and more of the DNS as anycast infrastructures, which I guess are okay, but sort of move the problem to the routing area and also tend to force centralization of DNS services. Is that something you want to do, or are we trying to figure out how to spread them out more? I'll talk a little bit more about that. Must be inherently fast: absolutely, we can take Moore's law, everything runs faster, but that has also meant that the people who are mounting the DoS attacks have a bigger weapon. Think about how to allocate bandwidth. In the old days of DNS we had a lot of open servers and we would say, oh, you use our service, you want, we're happy to help out. These days you can't do that, because then people will mount the DoS attack through your open server. The politics and contracts have changed as well, so when we think about re-architecting things we have to take all of these things into account.

So the summary of the ICANN panel was here, and we symbolic it: one of the things that are going to cause the DNS to grow and one of the things that would cause it to shrink. Well, given notice that you pretty much have to implement it in every electronic device that's out there, it's the legacy base, and that's an advantage: anybody that wants to implement an application that can talk to anything in the world has to pretty much use DNS. The flip side of that is that all you can pretty much get people to implement these days is things that will work with the vast majority of existing DNS implementations, some of which are fundamentally broken. One of the reasons DNSSEC deployment is slow has nothing to do with DNSSEC; it has to do with the fact that there's all these routers and firewalls that refuse to pass larger packets. So people say innovate somewhere else, send everything through according, do something else, you know, we can't change the DNS and the cannibal. So I think one of the real questions is how can you get that evolution.

Factor for expansion: new TLDs. I mean, the fact that these people have spent a third of a billion dollars certainly needs of the government trying to sell it to, and I suspect some of them are trying innovative things; I don't know what they all are, but I'm sure that some of them will succeed. People ask me whether it's a good idea to get these 1300 new TLDs and I say I think so, not so much because I believe that more than half of them are going to be fundamentally novel, I don't think there's a chance of that, but it breaks down, it's been about 20 years of not introducing new TLDs, it gives people room to try things out.

Contraction: most of the Internet devices these days that are coming online are cell phones; that doesn't favor typing a URL, typing in a domain name, voice recognition, all those kinds of things. Why do we need any of this DNS? My kids go to school here at the international school in Paris, and on their first day of computer instruction they said, by the way, you never type domain names, nobody ever wants you to type domain names. Raise their hands, well, our dad does. It's kind of scary, because that seemed to me to be sort of forward-looking advice. And then they had the parents in, and then they told me, you know, okay, the family computer should be placed in an open area like on your dining room table. I said, what's the family computer? This, you know, the computer that everybody in your family shares. You don't know, we'll share toothbrushes first. So I think that there's some oddities there. There's commercial identifiers that would certainly, get your Facebook ID, that would certainly like to keep on the roll, and there's big money in being the intermediary there. So that's something that I think would also contract the prospects of any new or the existing DNS. And lastly, I think there's one thing that I sort of really like, and that is that there's new systems from the research world that have a bunch of new ideas, and I think it would be really great if all we do is we thought about them more: information-centric networking, content-centric networking, etc.

So those are the factors. I think there's new challenges. Can we do privacy? It's very popular with the people who run the French top-level domain; they have been trying to press for big privacy. DNS, should it be the case that people can watch what you're looking for? As an example, it's estimated that Google sees 15% of all DNS queries; the NSA probably sees more. Is there a problem with that? Would you not want people to know what you're looking for? Can you put that in there? There is also content and identity in CDNs; those are another one of the challenges out there.

So in conclusion, these are the alternatives. One alternative is just a wait-for-replacement approach: what you want to do is you want to say, well, assume one of these research projects is ready to go, we think it's solid, now figure out a way to kind of make the DNS, so, make room for that new protocol scheme. That's one theory. My theory is the second one, which is that we all figure out a way to shamelessly steal the good ideas that we see coming out of the research world and from experience, and I'd really like it if I came back to this forum next year and said, well, we've got a critical mass of people that are working together about doing the next version and doing a real upgrade of the infrastructure that we have, perhaps in a somewhat different way, and we think it's time to unveil that project. That's what I hope happens, but we'll wait and see. I think the big challenge there is figuring out what's the set of services that people need that would justify thinking about doing an upgrade, because without an upgrade the task is kind of hopeless. There's an awful lot of DNS embedded software out there to upgrade. So.