
Chinese RFC proposes separate, independent, national internets and DNS roots - gioele
https://tools.ietf.org/html/draft-diao-aip-dns-00
======
kijin
"Internet autonomy" = we want to have our own _intranet_ so we can cut off the
rest of the world from our population without causing technical trouble.

"Unilateral action" = we're gonna do this whether you like it or not.

But you know what, the Chinese already have the means to do this. Just block
anything that doesn't end in ".cn", and block port 53 on all foreign DNS
servers. Then what's the point of this internet draft? Just something that
somebody can cite later to lend an appearance of support when China does break
away from the internet?

~~~
bilbo0s
Just trying to be fair-minded here.

We probably should have foreseen this and fixed our system earlier. I remember
being at Interop back before it was cool, think industry at Gopher not Mosaic
(more 'People Sometimes Need Data Processing', and not so much of the 'All').
Anyway, even then I was flabbergasted at the way networking was being
implemented. The truth is, there ARE really good reasons to have multiple
DNS roots. We probably SHOULD have thought about languages with non-Latin
alphabets. It is also true that we SHOULD have considered allocating more
internet addresses to China than we allocated to, say, Stanford University.
And, yes, the list goes on and on.

Having mentioned all that, I am inclined to try to fix the internet we
currently use. And, to be fair, even the Chinese will concede that we have
been TRYING to do just that. These things take time though. No one, (and by no
one I mean Governments), really has the motivation to be very proactive in the
attempts to fix a lot of these issues. This is just one manifestation of the
diverging interests.

~~~
kijin
> _we SHOULD have considered allocating more internet addresses to China than
> we allocated to, say, Stanford University._

That might actually have been a good justification for China being in control
of its own addressing scheme (which the draft proposes) if we didn't have
IPv6. But now there is no need, since the cost of implementing a nationwide
NAT (sort of) might rival, if not exceed, the cost of transitioning to IPv6.

~~~
marshray
Don't confuse IP addresses (which are finite and especially in the early days
could only be handed out in big chunks) with DNS names (which are infinite and
as hierarchical and granular as necessary).

------
sern
It's not an RFC, it's an Internet Draft (which anyone can submit without
review), and anyway it's offensive and incoherent enough that nobody will take
it seriously, and it certainly won't make it as an actual RFC.

~~~
sanxiyn
Why is it offensive? How is it incoherent?

~~~
sern
Proposals to fragment the Internet generally do not go down well, for obvious
reasons.

The proposal is needlessly complicated, notwithstanding the poor quality of
writing. The authors' rationale is to "realize autonomy", yet AIP suffixes are
globally namespaced and still need IANA assignment, which is really no
different to the current situation in relation to TLDs. It breaks backwards
compatibility when applications need to cross AIP networks and also introduces
the issue of conflicting AIP network-internal names. The authors make no
attempt to discuss these obvious issues or any others, and also blindly wave
off security considerations, saying "there is no additional security
requirement".

Also, the authors are on Yahoo/QQ free webmail addresses, which isn't very
professional.

~~~
cocoflunchy
The '@qq.com' part seemed more professional to me than the '644247110' part.

~~~
Volpe
Phone number style email addresses are quite common in China.

I assume it's because you can't have unicode email address? (can you?) And
there are only a hundred or so different names (in pinyin without tone
marks)...

~~~
connectionreset
> And there are only a hundred or so different names (in pinyin without tone
> marks)...

My instinct tells me that's not correct. So I did the calculation :) From the
ancient Chinese surname document "百家姓" [1], there're more than 500 hundreds
surnames listed. And by removing the tone marks, I got 295 unique surnames in
pinyin. But these are just surnames commonly used thousand years ago. Multiply
by thousands of unique first names, I believe that there're at least hundreds of
thousands different names in pinyin.

Of course this is still far less than the number of different names in western
countries. But it's not the main reason that some people in China use number
style email addresses.

[1] <http://en.wikipedia.org/wiki/Chinese_surname>

------
pmb
We like this Internet, but we would like one without the "Inter", and possibly
without the "net".

~~~
smoyer
My thoughts exactly ... and by definition, this RFC is an Intranet (although
on a very large scale). See <http://en.wikipedia.org/wiki/Intranet>.

I've actually done what this RFC proposes twice before simply by configuring
my DNS server carefully. Once I left an open wifi AP at a tradeshow that
served our company's website regardless of the domain entered. The other time
I specified that all hosts used the address of our proxy-filter so that there
was no need to configure a proxy server on your computer.

I'd have to think it through a bit but I think these techniques would work on
a larger scale (like a country). Perhaps I'll write an article about these
unorthodox DNS configurations if people are interested.

------
gwillen
I see a lot of people complaining about the quality of English in the draft.
This makes me wonder about something:

Is it legal to discriminate in hiring based on English skills? It seems like
it would necessarily have a disparate impact based on national origin, which I
believe is a protected class. But to forbid hiring on the basis of English
skills would seem very strange in an English-speaking company, where English
is critical to communication.

~~~
mturmon
It is certainly ok to require excellent communication skills in hiring certain
positions. Probably not for all positions across an enterprise, though.

------
haberman
I'm having trouble understanding what this buys even the Chinese. As far as I
can tell, this proposal is the equivalent of all clients putting "search cn"
(for example) in their resolv.conf; local "cn" domains will then be searched
first, falling back on non-cn domains only if no .cn domain is found. The only
difference is that the code to handle this "search cn" directive would be in
the DNS server instead of the client.

This doesn't have any "teeth" unless they also blocked non-Chinese DNS
servers. But they could do that already, even today. I just don't get why
they're coming to the table trying to convince the rest of the Internet to do
something, when they seem to already have the tools they need to do this
themselves.

~~~
gioele
There is worldwide political pressure around DNS filtering, redirection and
manipulation. [1,2,3] The same pressure is going to come to IP as soon as
DNS-poisoning workarounds spread to more lay people.

Probably China is trying to show the way, even the technical way, on how to
apply internet-wide censorship to other "freedom loving" countries. I think
China may also be seeking some kind of official recognition of the fact they
are not the only bad guys in town, that other countries are implementing the
same measures, although with much less bad public reaction. If other countries
will reference that Internet Draft in their (leaked) technical manuals or even
participate in the discussion of it, China could much more easily justify its
actions.

[1] <http://m.zdnet.com.au/dns-poisoning-the-thin-end-of-a-wedge-339338101.htm>

[2] <http://vrritti.com/2012/05/23/dutch-justice-department-wants-dns-blockade-for-gambling-sites-even-when-such-a-blockade-will-have-a-limited-effectiveness/>

[3] <http://www.guardian.co.uk/technology/2012/apr/30/british-isps-block-pirate-bay>

------
mtgx
I wonder if this is just because they would like as much control over their
population as possible and they want their _own_ Internet, as they would like
their own "Twitter", and own "Facebook" and so on, out of a strong sense of
nationalism, or because they are worried that US wants more and more control
of the Internet, and could be why they also support getting the Internet
under UN's control (among other things).

~~~
toemetoch
IMO it's to keep the country together. Super-large nations tend to promote
separatist movements along its fringes. In the case of Russia and China
they're held together with a strict regime. Other countries provide levels of
autonomy on a more granular level. As a rule: monolithic = dictatorial. The
moment they get true democracy in China will be the start of armed conflicts
and calls for independence along the border regions. Again, just my opinion.

~~~
Volpe
Except that in any "democratic vote" such a 'call for independence' would be
voted down, as the number of Han chinese outnumber the ethnic minorities in
those regions.

They've thought of that problem already.

True democracy... (Is that like a true scotsman? ... Who has a true
democracy?)

------
EricBurnett
Setting aside the motivations for this draft, the idea of removing the one
single DNS 'root' is a reasonable one. It acts as a single point of failure
for the DNS system and puts the entire DNS hierarchy under the jurisdiction of
the United States Department of Commerce. There are already existing
alternative roots[1], but no interoperability between them and no standards
governing them. Indeed, the IETF is strongly against them at present [2].

With that in mind, let us examine the flaws in the proposal at hand.

* 1. Lettered roots

This proposal puts the existing DNS root under a lettered virtual root above
it, with implicit resolution to the local AIP. The existing DNS root locations
are ALREADY indexed by letter, so this is a recipe for confusion. Even more
importantly, this system _will not scale_: There are 26 possible letters, if
drawing from the ASCII set only, which permanently restricts the number of
autonomous zones. What happens then?

This could be resolved by using a unique suffix scheme that does not conflict
with the existing or requested TLDs, but would make it that much harder to
type an external DNS address. yahoo.com.extdomA for general use would be quite
unfortunate.

* 2. Who hands out the AIP designations?

If every AIP must have a single unique designation, there must be an
organization handing them out. The ICANN would be the obvious choice, but that
brings us back around full circle.

* 3. Ownership conflicts

As rfc2826 points out [2], the internet is built on the assumption that domain
names are unique. With multiple implicit zones, either the same entity must be
able to control their domain within each or we will end up with conflicts. If
yahoo.com resolves to the 'Yahoo' corporate entity in most AIPs, but is
controlled by Baidu in one, can they claim it? If not, what about the user
confusion that would entail?

Regardless of the answer to this question, I expect in an AIP world everyone
would start using external domains for the stronger guarantees they provide.
So Yahoo would be permanently yahoo.com.A. Which is complicated by...

* 4. Blocking.

If AIPs start blocking resolution of specific external domains, what happens?
Obviously China would like this, but for the internet at large, having siloed
intranets would likely be a huge problem. Every time someone misconfigures BGP
and one region of the internet cannot talk to another, things break. A
shifting set of resolvable domains would likely cause exactly the same
headaches, only they wouldn't go away with the next BGP update.

* 5. Proxying and scale.

The AIP DNS are required to proxy requests to external domains (3.2 from the
draft). Presumably this is to facilitate blocking, but it would also impose
significant load issues and key bottlenecks. Note that right now the only
equivalent is the root DNS, and it only handles resolution for the TLDs.
Something far larger would need to be set up to be able to handle the load of
proxying all external requests.

Overall, this proposal has far too many foundational issues to be seriously
considered. I am personally happy it was drafted - work to break the One True
Root should be done in the open with all relevant parties involved. But this
draft isn't going to cut it.

[1] <http://en.wikipedia.org/wiki/Alternative_DNS_root>

[2] <http://tools.ietf.org/html/rfc2826> (IAB Technical Comment on the Unique DNS
Root)

~~~
wmf
_If every AIP must have a single unique designation, there must be an
organization handing them out._

I've got an idea; let's use two-letter ISO country codes...

~~~
rmc
Countries sometimes disagree about what is or isn't a country, and also on
what lands/people are in what country.

~~~
klodolph
Of course, it's something we already know what we disagree about. Whereas
using another set of names is an additional thing to disagree about on top of
the existing things we already disagree about.

------
ajitk
From the draft:

> ...network A, B and ... are AIP networks; Domain node "www.yahoo.com" in
> network B is expressed as "www.yahoo.com.B" for its external domain name.

It means that www.yahoo.com can co-exist in AIPs A and B. The "external domain
names" will be www.yahoo.com.A and www.yahoo.com.B. Would HTML documents be
linked using local names or external names? Local-only names are not going to
work across AIPs unless www.yahoo.com maintains the same document hierarchy in all
of them!

~~~
kijin
I don't think China would care at all. If all the links to www.yahoo.com
suddenly become invalid by default, now the Great Firewall can do
whitelisting instead of blacklisting!

On the other hand, they already have access to a ".B" suffix, and it's called
".cn". For example, www.yahoo.com.cn.

~~~
Volpe
I suspect the Great Firewall already does whitelisting rather than
blacklisting.

When an external (out of china) domain is visited from within china (for the
first time), it is blocked. It is then later unblocked.

I've experimented with this a few times, and it always happens like that.

------
joshaidan
I wonder if they thought about what would happen if Canada, the United States,
and the rest of the world adopted this RFC?

For example, let's say an entrepreneur develops a new product and wants to have
it manufactured by an outsourced company. Searches for it on Google, but
thanks to this RFC the results from China either don't show up, or don't load
at all. The entrepreneur therefore opts for a manufacturing company in Des
Moines, Iowa.

I guess perhaps the same could happen if only China adopts this RFC, i.e.
business people in China who don't know better launch their website on a
Chinese only DNS system and wonder why nobody from the rest of the world calls
them.

------
PeterisP
The proposed draft breaks the whole concept of URIs, as they become not
unique. Not speaking about the web, even on the identifier side it is quite
important that something.org is a single concept, regardless of where it is
accessed from. Requiring all URIs to have explicit lettered roots (such as
something.org.A or something.org.cn) would be a possibility; but implicitly
translating from something.org to something.org.B would break things in a
million places if sometimes or someplaces it is translated differently.

------
climis
Perhaps we are all wrong, and the authors just want the world to know what the
Chinese gov is doing with DNS poisoning and what we will end up with if we
cannot stop it.

~~~
marshray
Wait ...I think I've almost gotten it decoded now ... wait ... it's a
cookbook!!

------
daurnimator
I can barely read it... the spelling and grammar are terrible.

This can NOT be a real effort... can it?

~~~
yxhuvud
Access to people that write good English can be very hard to get in China, so
that is probably not a good indicator of anything in this case.

~~~
icebraining
Unless the Great Firewall also blocks websites offering proofreading services,
I'm not sure if that's a valid excuse.

~~~
inportb
On the flip side, I often see equally poor translations of English documents
to Chinese. I'm not sure if we have a similar firewall preventing access to
proofreading services.

------
mbreese
You know, putting the merits of the Draft RFC aside, at least this was
submitted as an RFC and they didn't just go ahead and unilaterally do this.
This way, the RFC can be properly ignored. Or, on the other hand, when China
completely disappears from the Internet and starts using its own DNS root
system, we'll at least know what they are doing.

~~~
dsrguru
Keep in mind this was proposed by someone at a business school and two people
who work at phone companies, not by government officials.

~~~
icebraining
'though they are all government employees, indirectly.

~~~
Volpe
No, they aren't. Working for a government owned company is not working for the
government. They can have no affiliation with the CCP (which isn't possible if
you work for a government department).

~~~
olalonde
What distinction do you make between the Chinese government and the CCP?
Aren't they pretty much the same thing?

~~~
Volpe
They are the same thing. Government owned companies are not "part of the
government" like government departments are. The CEOs and directors are
probably all members of the party, but labelling every employee as a party
member running the party agenda is false.

There are even 'members' (large numbers) of the party who do not
agree/encourage the party agenda.

------
antidoh
Why not just take an ax to the Internet cables crossing China's borders, and
implement this internally?

I suppose bitcoin mining might suffer.

------
kirvyteo
It doesn't make sense to do this just to block sites. They are already doing
it.

Can it be a fallout from the SOPA fiasco? Assuming best intentions :)- It
seems like running your own autonomous root DNS enables them to stay up even
if the domain name is taken down by domain hosts.

------
gioele
From the draft,

«The main rules of the Autonomous Internet DNS are defined as following:

* Rule 1: Each AIP network itself has a complete set of Domain Name System, which support traditional domain name resolution within the AIP.

* Rule 2: Each AIP network has its own numbered name that is different from the others. The numbered name is taken as the default domain name suffix when the internal domain name of this AIP network is cited by external AIP network. And any IP node's external domain name is consist of its internal domain name and its AIP network default domain name suffix.

* Rule 3: When communicate between AIP networks, the access to IP node of external AIP network must use the IP node's external domain name.»
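
The three rules quoted above, and the name collisions raised elsewhere in the thread, can be modelled in a few lines. This is an added example, not part of the thread or the draft: the zone contents, the documentation-range addresses and the function names are constructed, and treating any trailing AIP letter (including the local one) as a suffix is an assumption of the model.

```python
"""Toy model of the three AIP DNS rules quoted above (added example).

Zone contents and addresses are constructed sample data; addresses come
from the RFC 5737 documentation ranges.
"""

# Rule 1: every AIP network runs its own complete name space.
AIP_ZONES = {
    "A": {
        "www.yahoo.com": "192.0.2.10",
        "shop.example.b": "192.0.2.20",   # internal name that ends in "b"
    },
    "B": {
        "www.yahoo.com": "198.51.100.10",
        "mail.example.org": "198.51.100.20",
    },
}


def split_external(name):
    """Rule 2: external name = internal name + "." + AIP suffix.

    Returns (internal_name, aip) when the last label is a known AIP
    suffix, else None. Treating the local AIP's own suffix the same way
    is an assumption of this model.
    """
    head, _, last = name.rstrip(".").rpartition(".")
    aip = last.upper()
    if head and aip in AIP_ZONES:
        return head.lower(), aip
    return None


def resolve(name, local_aip):
    """Return (answering_aip, address_or_None) for a client in local_aip."""
    external = split_external(name)
    if external:                      # Rule 3: cross-AIP access by suffix
        internal, aip = external
        return aip, AIP_ZONES[aip].get(internal)
    return local_aip, AIP_ZONES[local_aip].get(name.rstrip(".").lower())


def divergent_names():
    """Names that exist in several AIPs with different answers."""
    seen = {}
    for aip, zone in AIP_ZONES.items():
        for name, addr in zone.items():
            seen.setdefault(name, {})[aip] = addr
    return {n: v for n, v in seen.items() if len(set(v.values())) > 1}


def shadowed_names(local_aip):
    """Local names that can no longer be reached because their last label
    is read as an AIP suffix."""
    return sorted(n for n in AIP_ZONES[local_aip]
                  if split_external(n) and resolve(n, local_aip)[1]
                  != AIP_ZONES[local_aip][n])


if __name__ == "__main__":
    for vantage in AIP_ZONES:
        print(vantage, resolve("www.yahoo.com", vantage))
    print(resolve("www.yahoo.com.B", "A"))
    print(divergent_names())
    print(shadowed_names("A"))
```

The same unsuffixed name yields a different answer depending on which AIP the client sits in, and an internal name whose last label matches an AIP suffix is silently redirected to the other network's name space.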

------
edwinyzh
No! No national internets! I'm already paying an extra $10/month just to read
blog posts (mainly IT-related) that are blocked by that e __l gov (Great
Firewall).

------
netplumber
Still a draft, not an RFC. Miles to go before it can become an RFC.

------
batista
> _Chinese RFC proposes separate, independent, national internets and DNS
> roots_

See how it's ALWAYS about politics and never about technology?

I say that for hackers that believe that political action doesn't matter, and
that technology will just liberate us every time, because we can always "find
workarounds for closed systems, surveillance technologies, DRM" etc...

Will it do much good for you to be able to use some obscure technical
workaround, when 99% of your country's population cannot or fears to get to
the outside "internet", including all your friends and relatives?

Not to mention, that would only work for your private computer use. I mean,
let's say (a contrived example) your country forbids standard SMTP. OK, you
can still use it over SSL, over a proxy, etc. But would you be able to use the
same workarounds also in your business? Would you be able to give your
employees the same ability? What if one of them rats you out to the police?

~~~
Wingman4l7
Cory Doctorow has an excellent examination of this issue (which he coins "nerd
determinism") and another similar issue ("nerd fatalism") in his _Guardian_
piece "The problem with nerd politics":
<http://www.guardian.co.uk/technology/2012/may/14/problem-nerd-politics>

For those on the go, here's a direct link to the podcast of said column:
<http://archive.org/download/Cory_Doctorow_Podcast_229/Cory_Doctorow_Podcast_229_The_problem_with_nerd_politics.mp3>

------
huoju
The world is divided into two parts: China and Out of China.

In WWDC'12, Apple introduced many features for Chinese for the same reason.

~~~
amurmann
Is that distinction into two parts how you are seeing the world, or are you
quoting the Chinese government? If it's your view, can you please elaborate
why you see this as the way to split up the world, rather than, let's say, "the
world is split up into EMEA, Americas and Asia", to give another arbitrary
split.

As to the features Apple announced: There are multiple parts that play into
this: First the completely different character set, which requires its own
input system and secondly that the Chinese government tries to cut foreign
Internet services off and encourages local solutions it can
control/manipulate. Those two issues require to address this market
separately. Similar things, however might be true for other markets as well
(maybe for different root causes) like let's say in Japan or North Korea.
However, these markets aren't big enough to warrant effort on this scale. So I
see this as a bad indicator to substantiate separating the world this way. If
there was higher monetary value for Apple in this, we might see
the world separated into Bhutan and the rest, with the same argument.

------
Nux
the Chinese can take their proposal and stick it where the sun doesn't shine
as far as I'm concerned. but this is hardly surprising, since just as crazy
ideas came from less abject governments (acta, usa) of which I had higher
expectations. :(

