

Paul Vixie Explains How Protect IP Will Break The Internet - garbowza
http://www.techdirt.com/blog/?tag=protect+ip

======
tptacek
Contrary to the lede of this article, it's not impossible to merely _question_
Vixie's credibility here†.

First, this is the same Paul Vixie who proposed and advocated for RPZ. RPZ is
a distributed blacklisting scheme for the DNS. Unlike the the email spam RBL,
RPZ works at the level of DNS, allowing "policy" to determine which lookups
fail. So it seems that DNS filtering doesn't break the Internet when it's used
to combat malware, but does break the Internet when it's used suppress piracy.

Second, however urgent the authors of this document want to make DNSSEC sound,
the _entire Internet_ functions without DNSSEC today. I can go on and on about
how broken I think DNSSEC is, but I don't think I need to bother, because
there's an even stronger argument as to how unnecessary it is. Put simply, the
"secure Internet" was designed to assume that the DNS was untrustworthy. We
built an entire parallel directory alongside the DNS to resolve that. To a
large extent, that secure directory (the X509 SSL/TLS PKI) works whether or
not the DNS is unsafe. To the extent that the DNS threatens TLS, those are
fixable flaws in the TLS infrastructure (and many of those flaws are policy
issues in TLS, and the majority of the balance of those flaws are UX issues
stemming from the fact that we haven't refined the UI for TLS since it was
introduced by Netscape).

Breaking DNSSEC _does not_ break the Internet. Proof: go do a Google search
for your bank, click through it, log in, and check your balance. Let me know
if any DNSSEC happens along the way.

Tying this back to Paul Vixie: Vixie is the Internet's foremost advocate for
DNSSEC. It's unfair but not _totally_ unreasonable to suggest that Vixie
resisted the randomization fixes to BIND that Djbdns adopted because he
preferred DNSSEC as the solution to that problem; as a result, BIND's DNS
cache was vulnerable for almost a decade while Djbdns wasn't.††

Next, as smart as Danny McPhereson may be, I think it's far from proven that
DNSSEC can't coexist with fiat third-party filtering. In the DNSSEC
implementation originally envisaged by the working group's current iteration
of the protocol, end systems don't even run DNSSEC; they run stub resolvers
that talk to cache servers that run the whole protocol. Those cache servers
could have lookaside rules for a policy zone without breaking the security
model for DNSSEC.

Finally, because the reality is that virtually nobody speaks DNSSEC today, it
may suffice for PROTECT IP's goals to filter only insecure DNS. The sponsors
of PROTECT IP could just easily say, "uh, of course we don't mean DNSSEC is
illegal; we'll deal with DNSSEC another day, but for now, we're suppressing
websites, not trying to destroy them, and we're content to have our
intervention only impact DNS users".

I'm not a believer in PROTECT IP, I just think this argument is fragile.

For whatever it's worth, I think all 5 of the authors of this report are
advocating in good faith what they think is best for the Internet. And I do
buy the argument that fiat third-party filtering is bad for the Internet. I
just don't think "it breaks DNSSEC" is the most compelling or intellectually
honest argument. I think the honest argument is, "because we don't think any
one authority will be an adequate steward of the Internet".

† _I'm choosing my words carefully; the_ answer _to the question might still
be "he's totally credible"._

†† _Again this is a drastically unfair summary of an issue that could possibly
reworded in a way that would refute my point, which is that Vixie's going to
tend to err on the side of whatever makes DNSSEC easier to deploy._

~~~
lookforipv6
Even though you can circumvent technical barriers, this PROTECT IP is a bad
idea. It would bring more trouble than benefits.

------
bediger
The single best part of this techdirt article is reading the pro-PROTECT IP-
shills perform writing gymnastics to "prove" that Vixie doesn't know what he's
talking about, that only pirates would circumvent a state-sponsored and
censored DNS system, and that the state would bother censoring non-"rouge" web
sites. Oh, and that administrative punishment, not transparent to the
citizenry, won't allow abuse and use for other purposes.

I love the techdirt Shill Corps. They're the best!

~~~
tptacek
Lawrence Lessig once wrote something to the effect of, on the Internet, we're
bound less by the paper laws contrived by policymakers and more by the
intrinsic policy decisions made by code. The point I take from that is, one
way or another, people are making decisions for you. Unless you can _both_
build infrastructure _and_ secure adoption for it, someone else is making
decisions that curtail your liberty.

In this case, one of the same people who says DNS filtering will break the
Internet just one year ago advocated a whole new piece of infrastructure to
allow people to filter the DNS.

When Vixie did it, it was to suppress malware sites. I agree that this is a
more admirable use of fiat third-party filtering than anti-piracy (note though
that unlike the rest of HN, I think anti-piracy is a fine goal). But
fundamentally, what's happening in both cases is mostly the same; other people
making decisions about what you can and can't see on the Internet. And my
point is, maybe that's OK.

Note also that nobody can impeach the DNS administrators and standards group
sherpas.

~~~
schlomie
>In this case, one of the same people who says DNS filtering will break the
Internet just one year ago advocated a whole new piece of infrastructure to
allow people to filter the DNS.

Filtering infrastructure is one thing, this is an actual law you could break
(accidentally even) and then get into real trouble.

------
akozak
Just wanted to highlight this:

"In the last few months we've been hearing from more folks in the startup
world who are really concerned about the excessive burdens PROTECT IP is going
to put on them. If you're an entrepreneur who's worried about this, we'd like
to hear about it. Please contact us."

<http://www.techdirt.com/contact.php>

------
ajays
I think one of the reasons flawed legislation like "Protect IP" comes into the
picture is because the "Internet" community does not have a technical ruling
body like the AMA (American Medical Association). The Congress trying to
legislated IP packets is a ridiculous idea. But their trying to legislate
medical procedures is an equally ridiculous idea (well, except for the anti-
abortion zealots), and for that we have the AMA to thank for. They step in and
tell the politicians: stay away from our business; we know what we are doing.

So maybe an association like AMA (American Network Association?) would be
beneficial here. Every practicing computer scientist/engineer can join in, and
with their membership fees, they would make sure that asinine legislation
doesn't see the light of the day.

Just thinking aloud here.

~~~
tptacek
Why do computer scientists get to decide how intellectual property enforcement
should work? Serious question.

~~~
m0nastic
I don't know if they "should get to decide", but as the group tasked sort of
"de facto" with implementing the technical controls which result from
enforcement, I think you could argue that they should be more involved than
being told "hey, we just legislated this, now make the internet comply."

~~~
tptacek
I generally have a bug up my ass about the idea that those capable of doing $X
with technology should be the ones to decide when/how we do $X. We don't, by
way of example, leave the rules about deploying deadly force up to the best
marksmen in the police; or, more reasonably, we don't leave air traffic flight
paths entirely up to the air traffic controllers.

But that is generally the attitude we seem to favor with regards to the
Internet. It's a sort of "might makes right" setup; "Oh yeah? You want to stop
people from violating centuries-old copyright laws? Why don't _you_ design and
implement a scalable distributed directory system?" Whether you support
copyright or don't (I do), this doesn't seem like a good process for
determining policy.

Part of that is just 15+ years spent in software security. The notion seems to
be "if it's hard to stop someone from doing $X with technology, we shouldn't
make it illegal to do $X". Well, you'd be surprised what it's hard to stop
people from doing.

~~~
m0nastic
I don't disagree. I think maybe it's partly just "nerd exceptionalism" (which
seems to run rampant in discussions with technical people). I like the idea of
policies/laws being created with advise from people actually knowledgeable in
the effected area, but I don't think that's the same thing as saying that
those policies/laws should be drafted by that same special interest.

I like the idea of financial people being advisors in policy-making regarding
economics, but also cringe at the thought of them being the ones to draft the
legislation.

I'm actually a pretty bad nerd, in that I don't get particularly riled up
about issues like this. I also support copyright (self-serving as a working
photographer, but also as someone who just doesn't see a problem with the
arrangement of paying people who make things I enjoy, and not feeling entitled
to disregard the way they want to make those things available).

I also think I'm a dinosaur, and that in another fifteen years, the entire
makeup of content creation and distribution will have been gutted by a society
that increasingly feels like it's their inalienable right to have access to
whatever they want. I hope I'm wrong about that though.

