Chinese RFC proposes separate, independent, national internets and DNS roots (ietf.org)
121 points by gioele 1529 days ago | 79 comments

"Internet autonomy" = we want to have our own intranet so we can cut off the rest of the world from our population without causing technical trouble.

"Unilateral action" = we're gonna do this whether you like it or not.

But you know what, the Chinese already have the means to do this. Just block anything that doesn't end in ".cn", and block port 53 on all foreign DNS servers. Then what's the point of this internet draft? Just something that somebody can cite later to lend an appearance of support when China does break away from the internet?

Just trying to be fair-minded here.

We probably should have foreseen this and fixed our system earlier. I remember being at Interop back before it was cool, think industry at Gopher not Mosaic (more 'People Sometimes Need Data Processing', and not so much of the 'All'). Anyway, even then I was flabbergasted at the way networking was being implemented. The truth is, there ARE really good reasons to have multiple DNS roots. We probably SHOULD have thought about languages with non-Latin alphabets. It is also true that we SHOULD have considered allocating more internet addresses to China than we allocated to, say, Stanford University. And, yes, the list goes on and on.

Having mentioned all that, I am inclined to try to fix the internet we currently use. And, to be fair, even the Chinese will concede that we have been TRYING to do just that. These things take time though. No one (and by no one I mean governments) really has the motivation to be very proactive in the attempts to fix a lot of these issues. This is just one manifestation of the diverging interests.

> we SHOULD have considered allocating more internet addresses to China than we allocated to, say, Stanford University.

That might actually have been a good justification for China being in control of its own addressing scheme (which the draft proposes) if we didn't have IPv6. But now there is no need, since the cost of implementing a nationwide NAT (sort of) might rival, if not exceed, the cost of transitioning to IPv6.

Don't confuse IP addresses (which are finite and especially in the early days could only be handed out in big chunks) with DNS names (which are infinite and as hierarchical and granular as necessary).

If they block all but .cn they are effectively shutting down the internet. Of the top 25 sites in China, 22 use .com - and 21 of those are Chinese companies[1]. Those companies would much rather have their domain in US Jurisdiction than subject to the whims of the PRC.


They could just redirect the .com records to .cn in every DNS server in the country.

It's not an RFC, it's an Internet Draft (which anyone can submit without review), and anyway it's offensive and incoherent enough that nobody will take it seriously, and it certainly won't make it as an actual RFC.

Why is it offensive? How is it incoherent?

Proposals to fragment the Internet generally do not go down well, for obvious reasons.

The proposal is needlessly complicated, notwithstanding the poor quality of writing. The authors' rationale is to "realize autonomy", yet AIP suffixes are globally namespaced and still need IANA assignment, which is really no different to the current situation in relation to TLDs. It breaks backwards compatibility when applications need to cross AIP networks and also introduces the issue of conflicting AIP network-internal names. The authors make no attempt to discuss these obvious issues or any others, and also blindly wave off security considerations, saying "there is no additional security requirement".

Also, the authors are on Yahoo/QQ free webmail addresses, which isn't very professional.

> Also, the authors are on Yahoo/QQ free webmail addresses, which isn't very professional.

Par for the course in China, really. I know very few businesspeople here who don't use a free email service.

The '@qq.com' part seemed more professional to me than the '644247110' part.

Phone number style email addresses are quite common in China.

I assume it's because you can't have a Unicode email address? (Can you?) And there are only a hundred or so different names (in pinyin without tone marks)...

>And there are only a hundred or so different names (in pinyin without tone marks)...

My instinct tells me that's not correct. So I did the calculation :) From the ancient Chinese surname document "百家姓" [1], there are more than five hundred surnames listed. And by removing the tone marks, I got 295 unique surnames in pinyin. But these are just surnames commonly used a thousand years ago. Multiply by thousands of unique first names, and I believe that there are at least hundreds of thousands of different names in pinyin.

Of course this is still far less than the number of different names in western countries. But it's not the main reason that some people in China use number style email addresses.

[1] http://en.wikipedia.org/wiki/Chinese_surname

Also many domains follow this pattern:

https://www.4008-517-517.cn (McDonald's)

http://www.4008823823.com.cn (KFC)

>Proposals to fragment the Internet generally do not go down well, for obvious reasons.

Maybe with tech guys. They certainly go down very well with politicians and corporations.

I can't speak to the offensive end, but it is an RFC draft proposal, and the author seems to be missing a lot of in/definite articles in his writing. It does make parts of it less coherent.

At least they took the time to write it in English. Considering how much effort the inventors and maintainers of the DNS put into supporting non-ASCII languages like Chinese I think that's pretty good, even if they missed a few articles.

It seems to be based more in politics and fear, than any rational thought.

The politics alone would disqualify it.

Sure, the motivation may be imposed by politics, but if it were your job to implement such network segmentation then this is a reasonably rational way to go about it.

It is, of course, contrary to the fundamental principle of the internet.

Thanks for the clarification, I was unsure about the intentions of the authors and their capability to implement this proposal. However, this doesn't rule out the possibility that China does in fact implement such a system.

We like this Internet, but we would like one without the "Inter", and possibly without the "net".

My thoughts exactly ... and by definition, this RFC is an Intranet (although on a very large scale). See http://en.wikipedia.org/wiki/Intranet.

I've actually done what this RFC proposes twice before simply by configuring my DNS server carefully. Once I left an open wifi AP at a tradeshow that served our company's website regardless of the domain entered. The other time I specified that all hosts used the address of our proxy-filter so that there was no need to configure a proxy server on your computer.

I'd have to think it through a bit but I think these techniques would work on a larger scale (like a country). Perhaps I'll write an article about these unorthodox DNS configurations if people are interested.
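One way to build what this comment describes (a resolver that hands back the same address no matter which name is asked for), as an added example that is not the commenter's own configuration and not code from the draft: a minimal UDP DNS responder in Python that answers every A/IN question with one fixed address. The address 192.0.2.10 and the names in the usage call are constructed placeholders; everything else is plain RFC 1035 wire format.

```python
"""Catch-all DNS responder: every A query gets the same address (added example)."""
import socket
import struct

CATCH_ALL_IP = "192.0.2.10"   # placeholder from the RFC 5737 documentation range


def parse_qname(data, offset):
    """Decode the label sequence at `offset`; return (dotted name, offset after it).

    Queries carry uncompressed names, so a compression pointer here is treated
    as malformed rather than followed."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer inside question name")
        labels.append(data[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), offset


def build_query(name, txid=0x1234, qtype=1):
    """Build a standard recursive A/IN query (used here to construct sample input)."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def build_catch_all_response(query, ip=CATCH_ALL_IP, ttl=60):
    """Answer any A/IN question with `ip`; other types get an empty NOERROR reply.

    Returns (response_bytes, queried_name). Raises ValueError on malformed input
    so a listener can drop the packet instead of crashing."""
    if len(query) < 12:
        raise ValueError("short packet")
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = parse_qname(query, 12)
    qtype, qclass = struct.unpack("!HH", query[off:off + 4])
    question = query[12:off + 4]
    # QR=1, opcode copied, AA=1, RD copied from the query, RA=1, RCODE=0
    rflags = 0x8000 | (flags & 0x7800) | 0x0400 | (flags & 0x0100) | 0x0080
    if qtype == 1 and qclass == 1:
        # Owner name is a pointer (0xC00C) back to the question name at offset 12.
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
        header = struct.pack("!HHHHHH", txid, rflags, 1, 1, 0, 0)
        return header + question + answer, qname
    header = struct.pack("!HHHHHH", txid, rflags, 1, 0, 0, 0)
    return header + question, qname


def answer_ip(response):
    """Extract the IPv4 address from the single A record a catch-all response carries."""
    _, off = parse_qname(response, 12)
    off += 4 + 2                      # skip QTYPE/QCLASS, then the 2-byte name pointer
    _, _, _, rdlen = struct.unpack("!HHIH", response[off:off + 10])
    off += 10
    return socket.inet_ntoa(response[off:off + rdlen])


def serve(bind=("0.0.0.0", 53), ip=CATCH_ALL_IP):
    """UDP listener for the trade-show-AP use: point DHCP's DNS option at this host."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    while True:
        data, peer = sock.recvfrom(512)
        try:
            resp, _ = build_catch_all_response(data, ip)
        except (ValueError, IndexError):
            continue                   # malformed query: drop it silently
        sock.sendto(resp, peer)


if __name__ == "__main__":
    # Offline demonstration with a constructed query; call serve() to listen for real.
    resp, name = build_catch_all_response(build_query("www.example.com"))
    print(name, "->", answer_ip(resp))
```

Note that this is exactly the capability the thread is worried about at national scale: whoever operates the resolver a client trusts decides what every name means, and a client that does not validate DNSSEC has no way to tell this answer from a real one.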

I see a lot of people complaining about the quality of English in the draft. This makes me wonder about something:

Is it legal to discriminate in hiring based on English skills? It seems like it would necessarily have a disparate impact based on national origin, which I believe is a protected class. But to forbid hiring on the basis of English skills would seem very strange in an English-speaking company, where English is critical to communication.

It is certainly ok to require excellent communication skills in hiring certain positions. Probably not for all positions across an enterprise, though.

Well, speaking/writing/understanding a language is a skill (that some people have and others need to learn) so I don't see why that would be different from knowing a programming language or algorithms.

In China? Completely legal. Basic English is worth an extra $200 per month at least.

I'm having trouble understanding what this buys even the Chinese. As far as I can tell, this proposal is the equivalent of all clients putting "search cn" (for example) in their resolv.conf; local "cn" domains will then be searched first, falling back on non-cn domains only if no .cn domain is found. The only difference is that the code to handle this "search cn" directive would be in the DNS server instead of the client.

This doesn't have any "teeth" unless they also blocked non-Chinese DNS servers. But they could do that already, even today. I just don't get why they're coming to the table trying to convince the rest of the Internet to do something, when they seem to already have the tools they need to do this themselves.

There is worldwide political pressure around DNS filtering, redirection and manipulation. [1,2,3] The same pressure is going to come to IP as soon as DNS-poisoning workarounds spread to more lay people.

Probably China is trying to show the way, even the technical way, on how to apply internet-wide censorship to other "freedom loving" countries. I think China may also be seeking some kind of official recognition of the fact that they are not the only bad guys in town, that other countries are implementing the same measures, although with much less bad public reaction. If other countries reference that Internet Draft in their (leaked) technical manuals or even participate in the discussion of it, China could much more easily justify its actions.

[1] http://m.zdnet.com.au/dns-poisoning-the-thin-end-of-a-wedge-... [2] http://vrritti.com/2012/05/23/dutch-justice-department-wants... [3] http://www.guardian.co.uk/technology/2012/apr/30/british-isp...

I wonder if this is just because they would like as much control over their population as possible and they want their own Internet, as they would like their own "Twitter", and own "Facebook" and so on, out of a strong sense of nationalism, or because they are worried that the US wants more and more control of the Internet, and could be why they also support getting the Internet under UN control (among other things).

IMO it's to keep the country together. Super-large nations tend to promote separatist movements along their fringes. In the case of Russia and China they're held together with a strict regime. Other countries provide levels of autonomy on a more granular level. As a rule: monolithic = dictatorial. The moment they get true democracy in China will be the start of armed conflicts and calls for independence along the border regions. Again, just my opinion.

Except that in any "democratic vote" such a 'call for independence' would be voted down, as the number of Han chinese outnumber the ethnic minorities in those regions.

They've thought of that problem already.

True democracy... (Is that like a true scotsman? ... Who has a true democracy?)

This could be one way of getting around an "Internet kill-switch"

Both, most likely.

>I wonder if this is just because they would like as much control over their population as possible and they want their own Internet, as they would like their own "Twitter", and own "Facebook" and so on, out of a strong sense of nationalism,

Nationalism, or merely, wanting control over your own country, is also at play, here.

Americans think every other country should be OK with them having control over the internet, what with ICANN, Google, Twitter, Facebook et al. Proposals such as SOPA, PIPA, etc, or the MegaUpload arrests, make it more evident why this is not the case.

Americans also think that ASCII should be good enough for anybody.

Setting aside the motivations for this draft, the idea of removing the one single DNS 'root' is a reasonable one. It acts as a single point of failure for the DNS system and puts the entire DNS hierarchy under the jurisdiction of the United States Department of Commerce. There are already existing alternative roots[1], but no interoperability between them and no standards governing them. Indeed, the IETF is strongly against them at present [2].

With that in mind, let us examine the flaws in the proposal at hand.

* 1. Lettered roots

This proposal puts the existing DNS root under a lettered virtual root above it, with implicit resolution to the local AIP. The existing DNS root locations are ALREADY indexed by letter, so this is a recipe for confusion. Even more importantly, this system _will not scale_: There are 26 possible letters, if drawing from the ASCII set only, which permanently restricts the number of autonomous zones. What happens then?

This could be resolved by using a unique suffix scheme that does not conflict with the existing or requested TLDs, but would make it that much harder to type an external DNS address. yahoo.com.extdomA for general use would be quite unfortunate.

* 2. Who hands out the AIP designations?

If every AIP must have a single unique designation, there must be an organization handing them out. The ICANN would be the obvious choice, but that brings us back around full circle.

* 3. Ownership conflicts

As rfc2826 points out [2], the internet is built on the assumption that domain names are unique. With multiple implicit zones, either the same entity must be able to control their domain within each or we will end up with conflicts. If yahoo.com resolves to the 'Yahoo' corporate entity in most AIPs, but is controlled by Baidu in one, can they claim it? If not, what about the user confusion that would entail?

Regardless of the answer to this question, I expect in an AIP world everyone would start using external domains for the stronger guarantees they provide. So Yahoo would be permanently yahoo.com.A. Which is complicated by...

* 4. Blocking.

If AIPs start blocking resolution of specific external domains, what happens? Obviously China would like this, but for the internet at large, having siloed intranets would likely be a huge problem. Every time someone misconfigures BGP and one region of the internet cannot talk to another, things break. A shifting set of resolvable domains would likely cause exactly the same headaches, only they wouldn't go away with the next BGP update.

* 5. Proxying and scale.

The AIP DNS are required to proxy requests to external domains (3.2 from the draft). Presumably this is to facilitate blocking, but it would also impose significant load issues and key bottlenecks. Note that right now the only equivalent is the root DNS, and it only handles resolution for the TLDs. Something far larger would need to be set up to be able to handle the load of proxying all external requests.

Overall, this proposal has far too many foundational issues to be seriously considered. I am personally happy it was drafted - work to break the One True Root should be done in the open with all relevant parties involved. But this draft isn't going to cut it.

[1] http://en.wikipedia.org/wiki/Alternative_DNS_root [2] http://tools.ietf.org/html/rfc2826 (IAB Technical Comment on the Unique DNS Root)

I thought there wasn't one single root, but 13? And aren't root DNS servers already de-centralized geographically and using anycast?

Here is the map of current root servers: http://en.wikipedia.org/wiki/File:Root-current.svg

Yes and no. There are 13 'installations' (essentially IPs), some anycasted, but they all serve the same contents that are provided by the ICANN. So they are one conceptual root, albeit a geographically distributed one. The IETF has worked hard to make it robust (successfully so far), but the fact remains that 13 hardcoded IPs and one file comprise the root of the DNS system.

http://en.m.wikipedia.org/wiki/DNS_root_zone has some details.

Those 13 IPs aren't as hard coded as you suggest. They typically ship with the DNS server software (ISC bind for example) but these are updated at regular intervals. As long as all 13 IPs aren't changed at once you could quite easily transition from one set of IPs to others. In ISC bind this root "cache" even has its own zone type; "hint".

Thanks, I wasn't aware they changed regularly. From what I can find, 4 v4 IPs have changed since 1997, plus the addition of a number of v6 IPs over the years. I'd be curious to know the last time all IPs were different, if ever.

If every AIP must have a single unique designation, there must be an organization handing them out.

I've got an idea; let's use two-letter ISO country codes...

Countries sometimes disagree about what is or isn't a country, and also on what lands/people are in what country.

Of course, it's something we already know what we disagree about. Whereas using another set of names is an additional thing to disagree about on top of the existing things we already disagree about.

At discussion here are the root DNS servers, which are at a higher level in the hierarchy than any of the ccTLD or gTLD domains. We're talking about the (.) level.

e.g. www.google.com.

That trailing dot is never used in a web browser, but it most certainly does exist.

ccTLDs are a great idea, but somewhere around 60% of the top million websites in the world are run off of .com domains; there's no guarantee that a country could block an entire gTLD or ccTLD and successfully limit all questionable content.

If you can refer to outside "roots" by appending some kind of suffix, it's not really a root.

> * 3. Ownership conflicts

I have been wondering how ownership conflicts will work with gTLDs. If someone buys "lol." and puts up "yahoo.lol.", how is that conflict resolved, since "lol." is not managed by a "neutral" company but by the people that in fact own "lol."?

All new gTLDs are required to support the Uniform Dispute Resolution Policy (UDRP), the Uniform Rapid Suspension policy (URS), and the Trademark Clearing House. These policies are in differing stages of development, and in the case of the Trademark Clearing House are not even fully nailed down.

[1] http://gnso.icann.org/en/ongoing-work/issues/udrp.htm [2] http://www.icann.org/en/news/public-comment/urs-15feb10-en.h... [3] http://gnso.icann.org/meetings/transcript-sti-tch-25nov09-en...

From the draft:

> ...network A, B and ... are AIP networks; Domain node "www.yahoo.com" in network B is expressed as "www.yahoo.com.B" for its external domain name.

It means that www.yahoo.com can co-exist in AIPs A and B. The "external domain names" will be www.yahoo.com.A and www.yahoo.com.B. Would HTML documents be linked using local names or external names? Local-only names are not going to work across AIPs unless www.yahoo.com maintains the same document hierarchy in all of them!

I don't think China would care at all. If all the links to www.yahoo.com suddenly becomes invalid by default, now the Great Firewall can do whitelisting instead of blacklisting!

On the other hand, they already have access to a ".B" suffix, and it's called ".cn". For example, www.yahoo.com.cn.

I suspect the Great Firewall already does whitelisting rather than blacklisting.

When an external (out of china) domain is visited from within china (for the first time), it is blocked. It is then later unblocked.

I've experimented with this a few times, and it always happens like that.

I wonder if they thought about what would happen if Canada, the United States, and the rest of the world adopted this RFC?

For example, lets say an entrepreneur develops a new product and wants to have it manufactured by an outsourced company. Searches for it on Google, but thanks to this RFC the results from China either don't show up, or don't load at all. The entrepreneur therefore opts for a manufacturing company in Des Moines, Iowa.

I guess perhaps the same could happen if only China adopts this RFC, i.e. business people in China who don't know better launch their website on a Chinese only DNS system and wonder why nobody from the rest of the world calls them.

The proposed draft breaks the whole concept of URIs, as they become not unique. Not speaking about the web, even on the identifier side it is quite important that something.org is a single concept, regardless of where it is accessed from. Requiring all URIs to have explicit lettered roots (such as something.org.A or something.org.cn) would be a possibility; but implicitly translating from something.org to something.org.B would break things in a million places if sometimes or in some places it is translated differently.

Perhaps we are all wrong, the authors just want the world to know what the Chinese gov is doing with DNS poisoning and what will be ended up with if we cannot stop it.

that's an interesting thought... a subtle and sophisticated subversive act

Wait ...I think I've almost gotten it decoded now ... wait ... it's a cookbook!!

I can barely read it... the spelling and grammar are terrible.

This can NOT be a real effort... can it?

It is just a proposal by the authors, and not an IETF working group (WG) draft. This can be identified by the name as draft-authorname-* and not draft-ietf-*. Anyone can write an author draft and AFAICS this is not even aimed at a specific working group (it should have been sent to [DNSEXT] and does not appear there or any other DNS-related WG.)

[DNSEXT]: http://datatracker.ietf.org/wg/dnsext/

There are a few grammar mistakes sure, but it makes sense to me.


> In order to realize the transition from Internet to Autonomous Internet, each partition of current Internet should first realize possible self-government and gradually reduce its dependence on the foreign domain names, such as COM, NET et al. Then to each AIP network, we can establish a new autonomous DNS, or Upgrade one part of current Internet DNS (core part or non core part) to a new autonomous DNS.

Go right ahead guys, anybody can configure their name resolvers that way if they want to. The part that they're not saying is that in order to force this upon their users they will have to block DNS packets from traversing across their border.

I can't imagine the IETF is going to go for this.

Access to people that write good english can be very hard to get in China, so that is probably not a good indicator of anything in this case.

Unless the Great Firewall also blocks websites offering proofreading services, I'm not sure if that's a valid excuse.

On the flip side, I often see equally poor translations of English documents to Chinese. I'm not sure if we have a similar firewall preventing access to proofreading services.

Why do you think this is not a "real effort"?

Because it reads like it was generated by one of those Markov Chain text generators and then run through Google translate a few times.

You know, putting the merits of the Draft RFC aside, at least this was submitted as an RFC and they didn't just go ahead and unilaterally do this. This way, the RFC can be properly ignored. Or, on the other hand, when China completely disappears from the Internet and starts using its own DNS root system, we'll at least know what they are doing.

Keep in mind this was proposed by someone at a business school and two people who work at phone companies, not by government officials.

'though they are all government employees, indirectly.

No, they aren't. Working for a government owned company is not working for the government. They can have no affiliation with the CCP (which isn't possible if you work for a government department).

What distinction do you make between the Chinese government and the CCP? Aren't they pretty much the same thing?

They are the same thing. Government-owned companies are not "part of the government" like government departments are. The CEOs and directors are probably all members of the party, but labelling every employee as a party member running the party agenda is false.

There are even 'members' (large numbers) of the party who do not agree/encourage the party agenda.

Why not just take an ax to the Internet cables crossing China's borders, and implement this internally?

I suppose bitcoin mining might suffer.

It doesn't make sense to do this just to block sites. They are already doing it.

Can it be a fallout from the SOPA fiasco? Assuming best intentions :)- It seems like running your own autonomous root DNS enables them to stay up even if the domain name is taken down by domain hosts.

From the draft,

«The main rules of the Autonomous Internet DNS are defined as following:

* Rule 1: Each AIP network itself has a complete set of Domain Name System, which support traditional domain name resolution within the AIP.

* Rule 2: Each AIP network has its own numbered name that is different from the others. The numbered name is taken as the default domain name suffix when the internal domain name of this AIP network is cited by external AIP network. And any IP node's external domain name is consist of its internal domain name and its AIP network default domain name suffix.

* Rule 3: When communicate between AIP networks, the access to IP node of external AIP network must use the IP node's external domain name.»
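As an added example, not code from the draft or from any commenter: a toy model of the three rules quoted above in Python. It also makes concrete the `search cn` analogy and the www.yahoo.com.A / www.yahoo.com.B coexistence discussed earlier in the thread, by showing that one unsuffixed name gets a different answer depending on which AIP the resolver sits in. The networks A and B, the names and the addresses are all constructed for the example.

```python
"""Toy model of the draft's AIP naming rules (added example, constructed data)."""


class AIPNetwork:
    """One Autonomous Internet Partition with its own complete name table (Rule 1)."""

    def __init__(self, suffix, zone):
        self.suffix = suffix.upper()                        # Rule 2: the AIP's unique name
        self.zone = {k.lower(): v for k, v in zone.items()}  # internal name -> address

    def resolve_internal(self, name):
        """Traditional resolution inside this AIP; None if the name is unknown here."""
        return self.zone.get(name.lower().rstrip("."))


class AutonomousInternet:
    def __init__(self, networks):
        self.networks = {n.suffix: n for n in networks}

    def external_name(self, internal_name, suffix):
        """Rule 2: external name = internal name + AIP suffix (www.yahoo.com -> www.yahoo.com.B)."""
        return f"{internal_name.rstrip('.')}.{suffix.upper()}"

    def split_external(self, name):
        """(internal_name, suffix) if the last label is a known AIP suffix, else (name, None)."""
        name = name.rstrip(".")
        head, _, last = name.rpartition(".")
        if head and last.upper() in self.networks:
            return head, last.upper()
        return name, None

    def resolve(self, name, from_suffix, search_fallback=False):
        """Resolve `name` the way the resolver of AIP `from_suffix` would.

        Rule 3: a name carrying another AIP's suffix is looked up in that AIP.
        A bare name is answered from the local table, which is the same effect as
        `search <suffix>` in resolv.conf; with search_fallback=True the other AIPs
        are tried afterwards, the way a resolver search list would continue."""
        local = self.networks[from_suffix.upper()]
        internal, suffix = self.split_external(name)
        if suffix is not None:
            return self.networks[suffix].resolve_internal(internal)
        hit = local.resolve_internal(internal)
        if hit is not None or not search_fallback:
            return hit
        for net in self.networks.values():
            if net is not local:
                hit = net.resolve_internal(internal)
                if hit is not None:
                    return hit
        return None

    def views_of(self, bare_name):
        """The ownership problem: what one unsuffixed name means from inside each AIP."""
        return {s: self.resolve(bare_name, s) for s in self.networks}


# Constructed sample data; addresses come from the RFC 5737 documentation ranges.
NET_A = AIPNetwork("A", {"www.yahoo.com": "192.0.2.10", "www.stanford.edu": "192.0.2.20"})
NET_B = AIPNetwork("B", {"www.yahoo.com": "198.51.100.10", "www.baidu.com": "198.51.100.20"})
AI = AutonomousInternet([NET_A, NET_B])


if __name__ == "__main__":
    # The same link text, <a href="http://www.yahoo.com/">, lands on different hosts per AIP.
    print(AI.views_of("www.yahoo.com"))
    print(AI.resolve("www.yahoo.com.B", "A"))           # explicit external name, Rule 3
    print(AI.resolve("www.baidu.com", "A", search_fallback=True))
```

Two things the model makes visible that the draft's "no additional security requirement" glosses over: the suffix is recognised purely by its position as the last label, so any AIP operator (or any resolver on the path) can rebind an unsuffixed name without the client noticing, and a search-list fallback turns every unknown local name into a probe of other partitions, which is the usual name-collision and typo-squatting surface of resolver search lists, now at internet scale.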

No! No national internets! I'm already paying an extra $10/month just to read blog posts (mainly IT-related) that are blocked by that el gov (Great Firewall).

Still a draft, not an RFC. Miles to go before it can become an RFC.

>Chinese RFC proposes separate, independent, national internets and DNS roots

See how it's ALWAYS about politics and never about technology?

I say that for hackers that believe that political action doesn't matter, and that technology will just liberate us every time, because we can always "find workarounds for closed systems, surveillance technologies, DRM" etc...

Will it do much good for you to be able to use some obscure technical workaround, when 99% of your country's population cannot or fears to get to the outside "internet", including all your friends and relatives?

Not to mention, that would only work for your private computer use. I mean, let's say (a contrived example) your country forbids standard SMTP. OK, you can still use it over SSL, over a proxy, etc. But would you be able to use the same workarounds also in your business? Would you be able to give your employees the same ability? What if one of them rats you out to the police?

Cory Doctorow has an excellent examination of this issue (which he coins "nerd determinism") and another similar issue ("nerd fatalism") in his Guardian piece "The problem with nerd politics": http://www.guardian.co.uk/technology/2012/may/14/problem-ner...

For those on the go, here's a direct link to the podcast of said column: http://archive.org/download/Cory_Doctorow_Podcast_229/Cory_D...

The world is divided into two parts: China and Out of China.

At WWDC'12, Apple introduced many features for Chinese users for the same reason.

Is that distinction into two parts how you see the world, or are you quoting the Chinese government? If it's your view, can you please elaborate why you see this as the way to split up the world, rather than, let's say, "the world is split up into EMEA, Americas and Asia", to give another arbitrary split.

As to the features Apple announced: There are multiple parts that play into this: First the completely different character set, which requires its own input system, and secondly that the Chinese government tries to cut foreign Internet services off and encourages local solutions it can control/manipulate. Those two issues require addressing this market separately. Similar things, however, might be true for other markets as well (maybe for different root causes), like, let's say, Japan or North Korea. However, these markets aren't big enough to warrant effort on this scale. So I see this as a bad indicator to substantiate separating the world this way. If there was higher monetary value for Apple in this, we'd see the world separated into Bhutan and the rest, with the same argument.

The Chinese can take their proposal and stick it where the sun doesn't shine as far as I'm concerned. But this is hardly surprising, since just as crazy ideas came from less abject governments (ACTA, USA) of which I had higher expectations. :(
