Ah yes, Kessler's space shredder, something to be feared by all satellites!
It appears that we are very close to an unstoppable runaway process of collisions in space.
On one hand, nice that we prevent rich guys from running away to other planets after ruining this one.
On the other hand, a lot of services require GPS, it would be chaos if that were to disappear...
> On one hand, nice that we prevent rich guys from running away to other planets
Kessler syndrome has little to no effect on trajectories only briefly transiting any given orbital shell. The collision probability of anything going straight "up"/"out" is negligible.
> On the other hand, a lot of services require GPS
GPS is in MEO, Starlink is in LEO. There's absolutely no chance any material will be propelled up to MEO via a series of even very unlucky LEO collisions, as far as I know.
GPS is in geosynchronous orbit, insanely far from the Earth's surface.
You can't get chain-reaction collisions to happen at such an outrageously high orbit. That amount of mass you'd have to put into orbit is just insane. It's like trying to crash the moon.
But you still need a public key for TLS? Well, just put it in DNS!
And assuming your DNS responses are validated by DNSSEC, it would be even more secure too.
You'd be closing a whole lot of attack vectors: from IP hijacks and server-side AitM to CA compromises. In fact, you would no longer need to use CAs in the first place. The chain of trust goes directly from your registrar to your webserver with no third party in between anymore. (And if your registrar or webserver is hacked, you'd have bigger problems...)
The biggest blocker for DANE at the moment is that it doesn't have a transparency story. There is no good visibility into whether your TLD advertises a second pair of zone signing keys to few you don't control. We can add some transparency logs as with CT, but then we have a rate-limiting problem. You could have a mix of heavily rate-limited free DNSSEC logs and some paid DNSSEC logs. This is starting to look a lot like the current WebPKI then. I must say that this is an underexplored area.
But you don't need the transparency!
The whole transparency thing was added because we have hundreds of Certificate Authorities all over the world who would otherwise have the power to secretly sign a cert for your website without anyone ever knowing.
And if you DO need the extra monitoring, all it takes is periodically retrieving the DNS record and sending an alert if it changes. (There is no certificate that needs periodic rotation, you only need to renew the keypair if the server is compromised.)
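An added example, not part of the thread: one way to implement the periodic TLSA check described in the comment above, comparing a freshly fetched RRset against a pinned baseline and against the key the server presents. It assumes the rdata strings come from a DNSSEC-validating resolver; the function names and the sample bytes are constructed for illustration.

```python
import hashlib

# TLSA matching types from RFC 6698: 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
_DIGESTS = {1: hashlib.sha256, 2: hashlib.sha512}

def parse_tlsa(rdata):
    """Parse TLSA presentation-format rdata: 'usage selector mtype hexdata'."""
    parts = rdata.split()
    if len(parts) < 4:
        raise ValueError("malformed TLSA rdata: %r" % rdata)
    usage, selector, mtype = (int(p) for p in parts[:3])
    # Hex data may be split into whitespace-separated chunks in zone files.
    data = bytes.fromhex("".join(parts[3:]))
    if usage not in range(4) or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("unsupported TLSA parameters: %r" % rdata)
    return (usage, selector, mtype, data)

def diff_rrset(baseline, observed):
    """Return (added, removed) between the pinned and freshly fetched RRsets."""
    old = {parse_tlsa(r) for r in baseline}
    new = {parse_tlsa(r) for r in observed}
    return sorted(new - old), sorted(old - new)

def matches(record, cert_der, spki_der):
    """True if the served certificate or SPKI satisfies one TLSA record."""
    usage, selector, mtype, data = record
    material = spki_der if selector == 1 else cert_der  # selector 1 = SPKI
    if mtype == 0:
        return material == data
    return _DIGESTS[mtype](material).digest() == data

def check(baseline, observed, cert_der, spki_der):
    """Alerts for RRset changes and for a served key that no record covers."""
    alerts = []
    added, removed = diff_rrset(baseline, observed)
    alerts += ["TLSA added: %d %d %d %s" % (u, s, m, d.hex()) for u, s, m, d in added]
    alerts += ["TLSA removed: %d %d %d %s" % (u, s, m, d.hex()) for u, s, m, d in removed]
    if not any(matches(parse_tlsa(r), cert_der, spki_der) for r in observed):
        alerts.append("served key matches no published TLSA record")
    return alerts

# Constructed sample input: placeholder bytes stand in for real DER structures.
SPKI = b"constructed-spki-der"
CERT = b"constructed-cert-der"
PINNED = ["3 1 1 " + hashlib.sha256(SPKI).hexdigest()]
```

Records are compared as parsed tuples rather than raw strings, so hex case and zone-file chunking differences do not raise false alerts.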
That's a serious blocker, but the biggest blocker for it is that it can't reliably be deployed; too much of the Internet is on links that won't pass the records required to verify DANE, which means that browsers need fallback paths for DANE, which means DANE expands, rather than contracts, the threat surface area of the WebPKI.
We already knew that the poorer countries are impacted worse by the IPv4 shortages.
CG-NAT didn't solve anything but only delayed long enough to do even more damage.
Now these already poor countries also have to do CG-NAT, which is very expensive.
They cannot afford this.
I guess that a poor country could go with only IPv6?
Local services would be IPv6-only as well and most popular services already have IPv6.
And everyone else would have to make this switch eventually, so there'd be benefits...
Yes, it makes a difference: about 8 milliseconds.
Properly implemented IPv6 has a lower latency.
(and is more efficient, though I believe the energy savings are negligible)
See this map: https://stats.labs.apnic.net/v6perf