Documentary coverage of IGF-USA by the Imagining the Internet Center

Brief description:

The security, stability and resiliency of the Internet are recognized as vital to the continued successful growth of the Internet as a platform for worldwide communication, commerce and innovation. This panel focused on domain name service blocking and filtering and the implementation of Internet Protocol version 6 (IPv6) and critical Internet resources in general. The panel addressed some of the implications of blocking and filtering; the implementation of DNSSEC and IPv6 on a national basis; and future challenges to the Internet in a mobile age.

Details of the session:

The Internet’s success well into the future may be largely dependent on how it responds and reacts to new challenges, according to panelists in a session on critical Internet resources at the IGF-USA conference July 18 in Washington, D.C.

The Internet continues to evolve. It is also growing, as it becomes accessible to billions more people. A major challenge now and in years to come is to make the Internet more secure while continuing to promote openness, accessibility, transparency, bottom-up decision-making, cooperation and multistakeholder engagement. It is important that organizations continue to retain these values as much as possible as they react to cybersecurity and cybertrust issues.

This workshop was conducted in two parts, both moderated by Sally Wentworth, senior manager of public policy for the Internet Society. Panelists included:

• John Curran, president and CEO of the American Registry for Internet Numbers (ARIN)
• Steve Crocker, CEO and co-founder of Shinkuro, and vice chair of the board for ICANN, the Internet Corporation for Assigned Names and Numbers
• George Ou, expert analyst and blogger for High Tech Forum http://www.hightechforum.org/
• Rex Bullinger, senior director for broadband technology for the National Cable and Telecommunications Association (NCTA)
• Paul Brigner, chief technology policy officer, Motion Picture Association of America (MPAA)
• Bobby Flaim, special agent in the Technical Liaison Unit of the Operational Technology Division of the FBI
• David Sohn, senior policy counsel for the Center for Democracy and Technology (CDT)
• Don Blumenthal, senior policy adviser for the Public Interest Registry (PIR)
• Jim Galvin, director of strategic relationships and technical standards for Afilias

JULY 18, 2011- Sally Wentworth moderated the discussion at the New Challenges to Critical Internet Resources workshop at the IGF-USA conference.

Wentworth began the session by referring to it by an alternate title, “Blocking and Tackling.” The alternate title proved appropriate, as the two sets of panelists became more and more passionate in their assertions during the discussions on two topics that affect the future health of the Internet: the implementations of IP version 6, or IPv6, and especially Domain Name System (DNS) blocking and filtering.

IPv6

The first panel consisted of John Curran, Steve Crocker, Rex Bullinger, Jim Galvin and Bobby Flaim. It centered on a discussion of IPv6 and the difficulty in implementing a system that is viewed as the “broccoli of the Internet” – something that is technologically necessary, but for consumers is less of a priority because a switch is not incentivized.

The technological necessity is an inevitability. IPv4 has 4.3 billion independent IP addresses. The central pool of addresses ran dry Feb. 3, 2011. The last five blocks were passed out to the five regional address distributors. Depending on the rate of growth, Curran explained, those addresses may not last very long. In fact, the Pacific region has already handed out all its addresses. The 7 billion people in the world can’t fit into 4.3 billion addresses, especially when most have more than one address to their names.

“We have to move, the hard part is getting them to move,” Curran said, referring to consumers.

The biggest problem is that IPv6 and IPv4 are two languages that don’t talk to each other.

“You have to enable IPv6 in order to speak to IPv6 Internet users. It’s literally possible for us to break the global Internet if we don’t transition to IPv6,” Curran said.

The dual stack model was identified by the Internet Engineering Task Force (IETF) to be the most effective and efficient way to begin integrating IPv6 into the lexicon.

“What we have is a coexistence processes rather than a transition,” Crocker explained. “We’re going to have these two existing parallels. You’ve got pure IPv4 exchanges and conversations, pure IPv6 exchanges, then you’ll have somewhat more complex interchanges between IPv4 users and IPv6 systems and those will require some sort of translation.”

“The ISPs,” Curran said, “are stuck in the trap as to whether there’s enough demand to make the switch.”

Currently, most devices, such as laptops, are IPv6 enabled and have been for some time, so they’re coexisting, rather than transitioning directly from IPv4, Curran said.

“Things are not going to be replaced overnight,” Galvin said. “The providers are ready, but the customers aren’t. The laptops are ready, but the interaction is not ready.”

There are other problematic implications of enacting the new IP version, particularly as it relates to ensuring that how the IP addresses are being allocated and to whom and logging NATS, according to Flaim. Another element was addressed by an audience member – the possible advantages possessed by countries with less infrastructure than the United States. Is the United States being left behind because its Internet is too big? Crocker contended that it’s a possible scenario that some developing regions could leap frog over IPv4 and go directly to IPv6.

DNS Blocking and Filtering

The second panel of the afternoon consisted of Crocker, George Ou, Paul Brigner, Galvin, David Sohn and Don Blumenthal and centered on a lively discussion about the merits of DNS blocking and filtering as an answer to copyright infringement.

The panel was divided on its views – some felt that DNS filtering and blocking represented the perfect answer to copyright infringement and media piracy, while others felt that a solution based on technical adjustment was the wrong way to approach what they deemed a human problem, not a technical problem. While a consensus was not achieved, the discussion addressed serious concerns about the damaging effects of illegal downloading on the content production industry, as well as the greater constitutional, technical and political implications of the use of DNS filtering and blocking.

Panelists referenced the Protect IP legislation that is currently in the U.S. Senate. The legislation is aimed at off-shore websites that infringe copyright laws by hosting pirated media. One of the ways the bill works is to undercut the sites by going after their advertising and funding sources.

JULY 18, 2011- New Challenges to Critical Internet Resources workshop engages audience at the IGF-USA conference.

The trouble, Crocker explained, is that the blockages or filters are not only “trivial to get around” but the motivation is there. Sohn agreed that DNS filtering is not beneficial, especially in this case, because it is easy to evade. Using DNS filtering to prevent users from accessing entire domains that may contain illegal content rather than addressing the content itself on specific websites is too broad, Sohn suggested.

Galvin agreed: “While content providers have a legitimate need to protect their assets, there seems to be the automatic assumption that DNS filtering is the right way to do that. You’re concerned about content, so you want to do content filtering.”

Galvin cautioned the panel and the audience to be aware of consequential damages.

Sohn also raised concerns about prior restraint. “Under prior restraint law, you cannot restrict speech unless it’s actually proven illegal,” he said. “DNS filtering orders would often occur on a preliminary basis, as part of a restraining order, rather than after a full legal determination by a court.”

There was further discussion that on a technical level, the use of these tactics would be problematic because it would break DNSSEC and destabilize the Internet. Especially when DNSSEC was designed to detect just that type of illegal activity, Crocker maintained.

On the other side of the issue, Brigner explained that in using DNS filtering, criminal sites would be removed from the “global phonebook,” preventing individuals from accessing them and propagating the consumption of illegal media.

“We’re not asking for a new row of cannons,” he said in reference to Crocker’s earlier metaphor about the Vassa, a Swedish warship that sank because its poor design was based on the king’s desire for more firepower in spite of architectural faults. “Let’s use sound engineering principals.”

An audience member’s suggestion of the use of an industry seal program was also met with varying levels of support and dissension. Ou expressed that an industry seal program may be easily counterfeited, while others felt that using a “human” solution rather than a technical solution was a more appropriate answer to the problem.

In the end, the dialogue raised many new questions about the real world implications of IPv6 and DNS blocking technologies.

“It’s important that these various communities find a way to address the issues in a way that’s respectful of the technology, respectful of the global Internet and people’s need to carry out their business, and the freedom of expression,” Wentworth said in closing.

“There’s a lot of competing interests, but they don’t have to be mutually exclusive.”

- Bethany Swanson

Panelists discuss the different options, perspectives and issues surrounding web security.

Brief description:

This panel, moderated by Robert Guerra of Freedom House, focused on critical Internet resources and how to ensure that the underlying principles that have led to the Internet’s success persist in the face of security challenges. These principles include openness (open standards, open technologies), accessibility transparency, bottom-up decision-making, cooperation and multi-stakeholder engagement. Key to implementing these principles is also a broadened understanding of the role of the infrastructure providers, such as global and national Internet services/connectivity providers who build and operate the backbones and edge networks. The panel was also expected to address some of the implications for the implementation of DNSSEC and IPv6 on a national basis that contribute to the security and resiliency of CIR on a global basis.

Details of the session:

The Internet’s success well into the future may be largely dependent on how it responds and reacts to increasing security challenges, according to panelists in a critical Internet resources workshop at the IGF-USA conference July 21 in Washington, D.C.

The Internet continues to evolve. It is also growing, as it becomes accessible to billions more people. The major challenge of our generation is to make the Internet more secure while continuing to promote openness, accessibility, transparency, bottom-up decision-making, cooperation and multistakeholder engagement. It is important that organizations continue to retain these values as much as possible as they react to cybersecurity and cybertrust issues.

Panelists at this workshop included:

• Moderator Robert Guerra, Freedom House
• Trent Adams, outreach specialist for the Internet Society
• Matt Larson, vice president of DNS research for VeriSign
• Steve Ryan, counsel to the American Registry for Internet Numbers
• Patrick Jones, senior manager of continuity and risk management for ICANN
• Jeff Brueggeman, vice president for public policy for AT&T

Panelists all expressed a desire to continue to engage in multifaceted talks because a single governmental entity is not the solution; it takes many people working together. As Brueggeman put it, there’s no “silver bullet” for the issue of Internet security.

“What we do on a day-to-day basis is ensure that those conversations take place,” Adams said. “The (critical Internet) resource is not a thing you can touch. You have this mesh of interconnected components that is the critical resource. You can’t pull one of those components out. Everyone must be around that table.”

So what’s the solution? The answer to that question is still a little unclear because Internet service providers and other organizations are often reactive to issues. Brueggeman said it’s time to embrace a forward-thinking approach.

“Things can get complicated when you’re reacting to an attack,” he said. “The best way to deal with these things is to try to think about them up front. How do we detect and prevent rather than react after the fact? How can we have more cooperative information sharing before attacks to try to prevent them and have the best information we can?”

Ryan stressed, though, that not all government is bad. He said citizens and organizations need to think “carefully about what the role of the government is.” But still, there should be a symbiotic relationship.

“There’s become a sense in government policy circles, including in the most sophisticated, that somehow (the Internet) runs on its own and you can’t break it,” he said. “I have news for you: You can break it. We look at government as something that has an increasingly important role because the Internet has an increasingly important role in economies.”

Ryan continued by saying non-governmental organizations have a responsibility to work with governments and to educate the people who work in them. He and the other panelists agreed that an international governmental organization wouldn’t work, though, unless core Internet values are embraced and upheld. They said a set-up that would allow countries around the world to vote on how the Internet is governed would not be a favorable solution.

“Until we get it right,” Ryan said, “I think we’re muddling along rather well.”

Panelists weigh in on the debate surrounding web security.

DNS issues and DNSSEC

Larson spoke specifically about the security of the Domain Name System because he views the DNS as an absolutely critical Internet resource. “If you don’t have the DNS, you don’t have the Internet,” he noted. He said users can’t truly trust the DNS, though, which is a bit disconcerting because of its necessity.

He supports DNSSEC—Domain Name System Security Extensions—which give users digital signatures (origin authentication) and data integrity. “Once you have that, you can validate data and have a higher level of confidence that the data you’re getting back is valid,” Larson said.

(You can read more about DNSSEC here: http://en.wikipedia.org/wiki/Dnssec.)

He also said that DNSSEC makes DNS more trustworthy and critical to users as more applications—not just host names—depend on it. “We’re going to look back and realize it enabled a whole new class of applications to put information in the DNS,” Larson said. “Now you can trust the information coming out of the DNS.”

Going from IPv4 to a combination with IPv6

Ryan emphasized the importance of Internet Protocol version 6, IPv6, a new Internet layer protocol for packet switching that will allow a “gazillion numbers” vastly expanding the address space online. There is a rapidly decreasing pool of numbers left under IPv4. Ryan said the increased flexibility of IPv6 will allow for the continued growth of the Internet, but it won’t be a free-for-all.

“The numbers we have issued are not property,” he said. “We have a legal theory that’s embodied in every contract we’ve issued. They belong to community. If you’re not using them, you have to give them back. They are in essence an intangible, non-property interest, so over the next couple of years there will be some very interesting legal issues.”

ICANN in action

Jones said ICANN, which recently passed its 10-year milestone, has continued to work collaboratively with the community to take on major initiatives, such as the introduction of internationalized domain names in the root.

“We have taken requests from countries for internationalized country codes and approved 15,” Jones said.

“There’s a huge development in those regions of the world where you can now have domain names and an Internet that reflects their own languages and scripts. That will have an impact as discussion around critical Internet resources continues, especially in the IGF space.”

Physical critical resources

Brueggeman said AT&T has a broader perspective of critical Internet resources because the company is responsible for carrying Web traffic and for the underlying infrastructure, not just involved in issues tied to the DNS. He said the transition to IPv6 is daunting because it’s not backward-compatible. His main challenge has been in outreach efforts to customers.

“We have to deal with a lot of traffic that’s generated as we’re making changes to DNSSEC and IPv6,” he said. “In some cases, you might create some new security concerns, but overall both are important essential transitions.”

Brueggeman emphasized that multistakeholder discussions will be important in the coming years.

“We really need all of the parties who have the direct stake at the table to be part of the solution,” he said. “We need to have the resources handled in a way that promotes openness and promotes interoperability. There’s a huge policy risk of not managing these resources in a multistakeholder way.”

-by Colin Donohue, http://imaginingtheinternet.org

The 2009 IGF-USA session description of this panel is: “Critical Internet Resources (CIR) and the evolution of the Internet’s technical foundations are a central theme of Internet governance debates. Three foundational technological changes – IPv6 (the ‘new’ version of the protocol for the Internet); secure DNS (domain name system security) and secure routing – will underpin the dialogue between key experts from the Internet community, business and government. The successful implementation of these technologies can expand and improve the security of the Internet’s core infrastructures, but deployment raises significant challenges for Internet infrastructure providers and policy makers, and has implications for governance arrangements.”

Brenden Kuerbis, operations director for the Internet Governance Project, based at Syracuse University, served as moderator for a panel that included Alain Durand, director and IPv6 architect, office of the CTO of Comcast; David Conrad, VP for research and IANA Strategy for the Internet Corporation for Assigned Names and Numbers (ICANN); Fiona Alexander, associate administrator, National Telecommunications and Information Administration, U.S. Department of Commerce; and Stephen Ryan, general counsel for the American Registry for Internet Numbers (ARIN).

Kuerbis noted that documents drawn up during the World Summits on the Information Society suggest that critical Internet resources should be managed through global agreements.

“In the third year of IGF, control of CIR was raised forcefully by a member of the Chinese delegation,” Kuerbis said.

Going forward, the management of critical Internet resources is likely to become more contentious.  - Brenden Kuerbis

He noted the implementation of IPv6 and attempts to introduce more security will complicate the management of CIR.

David Conrad said there are critical Internet resources at all layers of the Internet infrastructure. Not all are being discussed at IGF. “You need electricity, you need IP addresses, routing infrastructure, ports,” he said. “In my experience in the IGF context the focus has only been on a select set of resources – those that are involved in what ICANN does. Electricity is more important than whether or not you can get a domain name. There is a focus on the developed world.”

He added that DNS security and routing are important topics that once again tend to have the policy dialogue centered around ICANN. “It is a place where most of the decisions are made around critical Internet resources – it is a community, just like the RIRs are communities that develop policies in a community-driven, bottom-up process. I encourage you to participate in these meetings.”

Stephen Ryan of ARIN discussed the Regional Internet Registries and their role in CIR. There are five recognized registries located in regions around the world. They were established in the 1990s. He said each “develops policies in its own regions regarding Internet numbering and associated issues.” The leaders of the five registries also meet to set common global policies. The boards are voluntary, and anyone is invited to participate in the process of governing the RIRs. These organizations provide Whois service and assign and give out numbers – IP addresses.

There was some discussion of the fact that IPv4 addresses are being depleted. This was anticipated years ago, and IPv6 is being adopted. “What’s our biggest challenge in regard to critical Internet resources?” he asked. “The numbers resources and the switch to IPv6. The fixed number of IPv4 numbers the free pool of remaining IPv4 resources is small.

Clearly we’re going to have to run IPv4 and IPv6 systems in tandem and that’s going to cause problems. Not many people in America understand IP numbers and that their modems won’t work.  - Stephen Ryan

He closed by smiling and saying, “Buy Cisco stock, that’s a tip.”

Alain Durand of Comcast spoke as a panel member who could speak to the CIR concerns of large technology companies.

We are trying to actively participate. The bottom-up policy process has been successful. It has been flexible enough to meet all of our demands and we would like it to go on.  - Alain Durand

The depletion of IPv4 addresses is of concern, he said. “If you are a large service provider with many customers and you are growing you are going to be impacted more than individual users,” he said. “We have been concerned about imbalances between the RIRs in the world and that is why we have been participating in RIPE discussions, LACNIC discussions and participated in this process as a member of the community.”

Fiona Alexander of NTIA agreed that too much of the discussion of the World Summit on the Information Society text is absorbed by “people’s preoccupation with the domain name system.”

“The network is so decentralized,” she said in reference to the global Internet and the people engaged in working toward its evolution, “but the one organizing group everyone recognizes tends to be ICANN. When you read the WSIS text it explicitly says there are things beyond domain names. We should look at other things as a national priority and as we go into the global discussion of critical Internet resources.”

She said people in government are recognizing they need to understand the layers of architecture to understand its evolution and address needs.

“As the discussion is progressing in our own government about issues related to Internet or telecommunications you really have to understand the network architecture to make smart policy.

You have to more and more understand the different layers of this network. Governments are listening they are interested in these issues.  - Fiona Alexander

She added that governments know the uptake of IPv6 is important. “This is on the agenda of governments,” she said. “Our own government is struggling with this. We are working closely with NIST as we look at these issues – it helps that we are both in the Department of Commerce. It’s one of the things we are looking at as we assess the transitions that are fundamental to the network.”

-Janna Anderson, http://www.imaginingtheinternet.org

“Let me drill down on one issue,” McLaughlin responded. “I am pleased Lee highlighted these architectural issues because they tend to not get a lot of attention. The Internet we have today started out as a research network that is now being treated – properly so – as critical infrastructure. The basic considerations that led to the construction of the TCP and IP protocols were to solve a set of issues that arise from the kind of shared data from universities. There are a lot of components that were not built in that, as Lee outlined, would potentially be quite useful for some of the activities that we would like to take place on the Internet. We are now confronting some fundamental choices about, for example, authentication on the Internet.”

He noted that if you want to secure routing you want to know the places you do want to get packets from and those from which you don’t want to get packets, “where, for example, malware or virus attacks might be.” Yet in places where authoritarian structures control infrastructure complete authentication of identity behind and origins of information becomes problematic.

One of the great features of the Internet is that is facilitating a profound flourishing of direct citizen-to-citizen speech in places that don’t have much of a tradition of that or have a tradition of centralized control over information. So you would alter that architecture and build in that authentication at great peril.  - Andrew McLaughlin

He noted that one of the best results of the IGF and ICANN processes is the ways in which they illuminate discussions about the architecture, protocols and principles of the Internet to a much wider audience.

“It was not exactly the original intention for ICANN,” he noted, “but it has been the effect. The project of inculcating a way of thinking about problems with the Internet architecture is profoundly important,” he said, noting that you have to know the language of the architecture to operate in today’s political and economic environment. “Without that understanding, you can’t talk intelligently about cybersecurity, how to protect privacy, how to facilitate authenticated business and governmental transactions, and so forth – well, you can talk intelligently about it, but you will be missing something.”

He noted that the efforts of multistakeholder organizations in shaping an understanding and knowledge of information networks and the people building and scaling them is important.

The role of the IGF and the value of the ICANN process extends beyond the agendas that are typically before them.  - McLaughlin

“The reason these issues are conundrums – the security, authentication, privacy, identity issues,” he said, “is that the Internet is a voluntarily interconnected set of networks. There is no central controlling authority; there is no body, no government that can decree what the technical implementations of the network will be. That fact is part of the fundamental strength of the Internet, part of what made it scale so fast, part of what’s made it so powerful, part of what made it facilitate so much speech and free expression in so many surprising ways in every culture around the world.”

He said in this decentralized environment change must now be accomplished “in terms of nudges, in terms of incentives, in terms of persuasion, rather than by decree.” He added that while the Internet architecture at this point may protect the speech of a “dissident in a repressive society or in our own society,” but there are many Internet transactions now threatened by spoofing, DNS attacks and other threats that would not occur if we had a better authentication system.

Understanding how to be precise about those balances and how to get them implemented in a voluntarily interconnected set of networks is a central problem that confronts us over the next few years. From the [Obama] administration’s perspective, the goal of an open Internet that supports free expression, that supports the kind of array, vast wave of human creativity and free expression that we see coursing over the nerves and veins of the Internet every day – maintaining that, accelerating that, enabling that is fundamentally important.  - McLaughlin

He also noted that moving forward in encouraging the principles of open government “will guide the administration’s efforts to make progress on these problems.”

He noted that the Obama administration is working to make more information accessible to everyone.

“We want to be a more open government and free the data,” he said, “to make the government a platform for citizen innovation, citizen activities, new business models, and so forth that ride over the data the government has and the taxpayers pay for. The federal government sits on a staggering amount of data, and it can be incredibly valuable if it’s made public in machine-readable formats and can be remixed and reused and combined with other kinds of data. That’s a fundamental commitment.”

-Janna Anderson, http://www.imaginingtheinternet.org

At the opening of the inaugural Internet Governance Forum-USA, representatives from the United Nations and the U.S. government commended the Internet Governance Forum for its support of multistakeholder discussions and expressed optimism that the group’s annual conferences will continue well into the future at the first ever IGF-USA.

Markus Kummer, the executive coordinator of the United Nations Secretariat for the Internet Governance Forum, and Larry Strickling, assistant secretary of the U.S. Department of Commerce and administrator of the National Telecommunications and Information Agency, expressed their gratitude to organizer Marilyn Cade and other IGF stakeholders for making a U.S. conference possible Oct. 2 in Washington, D.C.

“I’m very impressed with the interest that has developed here not just in quantity but in quality,” Kummer said. “It’s an impressive gathering. This has turned into an enthusiastic endorsement of the IGF as a platform for dialogue.”

Kummer, briefly reviewed the history of the creation and execution of the UN-facilitated international IGF conferences, which have taken place previously in Athens, Rio de Janeiro and Hyderabad, India, and he said more regional IGF conventions are now taking place in cities and countries worldwide, proving the global importance of discussions regarding how the Internet is governed.

“There was a question of what kind of governance do you want?” Kummer said. “Do you want to stick to the traditional form of top-down governance or do you want a widely-distributed decision-making process? In essence it was a decision to continue the dialogue in a multistakeholder mold.”

The U.S. government is now even more accepting of allowing greater international access to the domain name system. Just this week, the Internet Corporation for Assigned Names and Numbers reached an agreement with the U.S. Department of Commerce that affords the nonprofit ICANN greater independence and gives additional emphasis to the international oversight of the organization.

“I was pleased I was able to represent the United States on Wednesday to sign the historic document,” Strickling said.

Strickling, who helped form the new agreement, titled an “Affirmation of Commitments,” said the new set-up has been well received from within President Barack Obama’s administration and members of Congress.

Strickling said the agreement ensures accountability and transparency in ICANN and establishes mechanisms to address security. He said it should continue to increase the “free and unfettered flow of information and commerce” online.

“It contains the U.S. government’s strong endorsement of the rapid introduction of internationalized country codes,” Strickling said.

The ICANN Affirmation of Commitments follows through with the IGF’s mission of creating open and honest international dialogue. Representatives will gather for the group’s fourth global conference in November in Sharm el-Sheikh, Egypt.

The initial mandate agreed upon during the World Summit on the Information Society process stipulated that the IGF would meet yearly for five years, and the meeting in Egypt will be its fourth. Both Strickling and Kummer, though, said they hoped the IGF will be extended.

“There is obviously some need for this kind of gathering,” Kummer said.

Strickling added that President Obama supports holding more IGF conferences both worldwide and domestically.

“The U.S. government supports extending IGF past five years,” Strickling said. “The hope and expectation is that today’s event will be first of many U.S. IGFs that will shape priorities in the Internet governance arena and bring stakeholders together. The Obama administration looks forward to next month’s meeting in Egypt and commends all of you for gathering at today’s U.S. meeting.”

- Colin Donohue, http://www.imaginingtheinternet.org