Future Now
The IFTF Blog
Re-engineering the Internet
During a workshop at IFTF this week, I offered a forecast that there is at least a 50% probability of a fundamental re-engineering of the internet. Here's a bit of detail on this forecast and why I think this last week has been a critical turning point.
The Domain Name System, DNS, like most of the first-generation Internet, is built on cooperation. A DNS resolver has one narrow job: translate a domain name like ABC.com into a numerical IP address, and remember (cache) the answers it receives from other servers that it implicitly trusts. The problem, in simple terms, is that a resolver has no cryptographic way to tell a genuine answer from a forged one. When it sends a query it waits for a reply that matches the question and a 16-bit transaction ID, and before the patch that reply also had to arrive on a fixed, predictable UDP port. That leaves only about 65,000 possibilities to try, so an attacker with a modern high-performance CPU can flood the resolver with forged replies faster than the real server can answer, and "poison" its cache with fraudulent records that misdirect every later query for ABC.com to XXX.com. The twist Kaminsky added is that the attacker can make the resolver ask again immediately, by requesting names that are certainly not cached, so the race can be retried thousands of times a second instead of once per cache lifetime. Dan Kaminsky, a 'white hat' hacker/security expert, has been telling Internet engineering leadership about this exploit for at least four years, and talking publicly, without revealing details (I heard him talk about this three years ago), trying to provoke action. Finally, last month the issue was forced: a patch was released by the major DNS vendors in a coordinated fashion, and the technical details followed within weeks. The short-term fix is to randomize the UDP source port of each query as well, which raises the number of guesses an attacker must make from tens of thousands to billions and so demands far more traffic and computing power, but it adds no real authentication of the answer. The global Internet engineering, security and operations communities scrambled frantically to deploy it over a few days, and resolvers remained open and vulnerable until they did. Here is a video of the patch being deployed over several days; red are vulnerable domains, green are protected: www.youtube.com/watch
As we know, we are entering an era where supercomputer-class power will be trivially available on local multi-core processors and on scalable platforms in the cloud. The current DNS patch does not close the hole; it only enlarges the space an attacker has to guess from about 2^16 to roughly 2^32 combinations, and a forged reply still needs no key, only a lucky match. So it is inevitable that as bandwidth and computing cycles get cheaper, flooding a resolver with billions of forged replies becomes practical and the patch will fall. In the meantime limited software patches will forestall the inevitable crisis, which will occur when black-hat attackers have adequate capacity to win the race routinely. This week most Internet routing experts agreed that we need a fundamentally more secure DNS, one in which answers are cryptographically signed and verified rather than merely hard to guess, that will withstand a massive assault. That may require a totally new, more powerful generation of software, computers, servers, routers and switches, along with new operational regimens and training and education for IT personnel.
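To make the race described above concrete, here is a small simulation added to this post (it is not Kaminsky's code or any DNS software's): a resolver that caches whichever reply first matches its question, transaction ID and port, and an attacker flooding it with guesses, run once with a fixed port and once with a randomized one. The zone name, the attacker's address, the one-query-at-a-time resolver and the 1024-65535 port range are all assumptions made for the example.

```python
"""Model of the 2008 DNS cache-poisoning race and the source-port patch.

Added example, not code from the original post or from Kaminsky.  Assumptions:
a resolver with one outstanding query at a time, a 16-bit transaction ID, a
fixed port 53 before the patch and the ephemeral range 1024-65535 after it,
and constructed names/addresses (victim.example, 203.0.113.66).  Only the
protocol fields that decide the race are modelled; no packets are sent.
"""
import random
from dataclasses import dataclass, field

TXID_SPACE = 1 << 16                    # the DNS transaction ID is 16 bits
FIXED_PORT = 53                         # pre-patch resolvers queried from one port
PORT_MIN, PORT_MAX = 1024, 65535        # assumed post-patch port range
PORT_SPACE = PORT_MAX - PORT_MIN + 1    # 64512 possible ports

POISON_TARGET = "ns.victim.example"     # constructed name the attacker wants to hijack
ATTACKER_IP = "203.0.113.66"            # constructed address (documentation range)


@dataclass
class Query:
    qname: str
    txid: int
    src_port: int


@dataclass
class Response:
    qname: str
    txid: int
    dst_port: int
    records: dict                       # name -> address, including "glue" records


@dataclass
class Resolver:
    randomize_port: bool
    rng: random.Random
    cache: dict = field(default_factory=dict)

    def send_query(self, qname: str) -> Query:
        txid = self.rng.randrange(TXID_SPACE)
        port = self.rng.randint(PORT_MIN, PORT_MAX) if self.randomize_port else FIXED_PORT
        return Query(qname, txid, port)

    def receive(self, q: Query, r: Response) -> bool:
        # The only checks available: same name, same transaction ID, same port.
        # Nothing is signed, so a matching forged reply is cached like a real one.
        if r.qname == q.qname and r.txid == q.txid and r.dst_port == q.src_port:
            self.cache.update(r.records)
            return True
        return False


@dataclass
class AttackResult:
    poisoned: bool
    rounds: int
    forged_packets: int


def guess_space(randomize_port: bool) -> int:
    """Number of (txid, port) combinations the attacker has to guess from."""
    return TXID_SPACE * (PORT_SPACE if randomize_port else 1)


def run_attack(randomize_port: bool, burst: int, max_rounds: int, seed: int) -> AttackResult:
    """Flood forged replies until the cache maps POISON_TARGET to ATTACKER_IP.

    Each round is one race: the attacker triggers a query for a never-cached
    name (Kaminsky's trick, so no TTL has to expire between attempts), sends
    `burst` forged replies carrying random guesses, and loses the round if none
    matched before the genuine answer arrived.
    """
    resolver = Resolver(randomize_port, random.Random(seed))
    attacker = random.Random(seed + 1)
    space = guess_space(randomize_port)
    packets = 0
    for rnd in range(1, max_rounds + 1):
        qname = f"{attacker.randrange(1 << 32):08x}.victim.example"
        q = resolver.send_query(qname)
        for _ in range(burst):
            g = attacker.randrange(space)
            txid = g % TXID_SPACE
            port = PORT_MIN + g // TXID_SPACE if randomize_port else FIXED_PORT
            forged = Response(qname, txid, port, {POISON_TARGET: ATTACKER_IP})
            packets += 1
            if resolver.receive(q, forged):
                return AttackResult(True, rnd, packets)
        # The genuine NXDOMAIN wins this round; nothing harmful is cached, so retry.
    return AttackResult(resolver.cache.get(POISON_TARGET) == ATTACKER_IP, max_rounds, packets)


if __name__ == "__main__":
    before = run_attack(randomize_port=False, burst=500, max_rounds=10_000, seed=1)
    after = run_attack(randomize_port=True, burst=500, max_rounds=50, seed=1)
    print(f"guess space: {guess_space(False):,} before the patch, {guess_space(True):,} after")
    print(f"fixed port : poisoned={before.poisoned} after {before.forged_packets} forged packets")
    print(f"random port: poisoned={after.poisoned} after {after.forged_packets} forged packets")
```

With a fixed port, 500 forged packets per race poisons the cache in roughly 130 races on average, a few seconds of traffic on a LAN; with the port randomized the same attacker has spent its 25,000-packet budget without getting close to the roughly four billion combinations it now faces. The point the post makes is visible in `guess_space`: the patch multiplies the attacker's cost, it does not change the fact that `Resolver.receive` verifies nothing but a match.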