About this blog…

I am employed by Netnod as head of engineering, research and development and am, among other things, chair of the Security and Stability Advisory Committee at ICANN. You can find a CV and photos of me at this page.

As I wear so many hats, I find it necessary to express my personal view on things somewhere. This is the location where that happens. Postings on this blog, or at Facebook, Twitter etc, fall under this policy.

The views expressed on this post are mine and do not necessarily reflect the views of Netnod or any other of the organisations I have connections to.

Blocking – not very effective…

We Internet people have said all of this before: blocking access (specifically by using DNS) does not work. ISOC points that out in a statement on Wikileaks. In reality, any blocking, at any layer in the Internet Architecture, will always be a combination of not being effective and hurting more than intended.

Two examples:

  1. A domain name is blocked, for example in the resolver(s)
    • This will block not only the content on a specific URL, but all URLs that share the same domain name
    • This will NOT block access if other resolver(s) are in use, for example a resolver the user runs themselves
  2. An IP address is blocked, for example in the routing system
    • This will block not only the content on a specific IP address, but everything using that IP address (including all virtual hosts)
    • This will not block the same content on other IP addresses, and changing the IP address is easy (while keeping the same domain name)

But blocking in the DNS is specifically bad now that DNSSEC is being introduced. The signatures in DNSSEC are designed in such a way that they indicate both existence and non-existence of a domain name. Blocking is a third category, and is simply not part of the DNSSEC architecture. Unknown things will happen in the applications that use DNSSEC. Non-existence responses may be slow, to the degree that people will not turn on DNSSEC, which implies that the collateral damage from the use of blocking can be considerable.
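To make the "third category" concrete, here is an added example (not code from this blog) that models how a validating resolver classifies answers: signed existence, signed non-existence, or neither. It assumes a constructed two-name zone, uses an HMAC as a stand-in for real RRSIG public-key signatures, and `blocking_resolver` is a hypothetical blocker that forges either an NXDOMAIN or a block-page address.

```python
import hashlib
import hmac

ZONE_KEY = b"constructed-demo-key"  # stand-in for the zone's signing key
ZONE = {"a.example.": "192.0.2.10", "m.example.": "192.0.2.20"}  # constructed zone data


def sign(data: str) -> str:
    # HMAC stands in for an RRSIG; real DNSSEC uses public-key signatures.
    return hmac.new(ZONE_KEY, data.encode(), hashlib.sha256).hexdigest()


def authoritative(qname: str) -> dict:
    """Signed answer: either the record, or an NSEC-style proof of the gap."""
    if qname in ZONE:
        return {"rcode": "NOERROR", "answer": ZONE[qname],
                "sig": sign(f"A|{qname}|{ZONE[qname]}")}
    names = sorted(ZONE)  # simplified: plain sort instead of canonical DNS order
    prev = max((n for n in names if n < qname), default=names[-1])
    nxt = min((n for n in names if n > qname), default=names[0])
    return {"rcode": "NXDOMAIN", "nsec": (prev, nxt), "sig": sign(f"NSEC|{prev}|{nxt}")}


def blocking_resolver(qname: str, blocklist: set, rewrite_to: str = "") -> dict:
    """Hypothetical blocking resolver: forges NXDOMAIN or a block-page address."""
    if qname not in blocklist:
        return authoritative(qname)
    if rewrite_to:
        return {"rcode": "NOERROR", "answer": rewrite_to, "sig": ""}
    return {"rcode": "NXDOMAIN", "nsec": None, "sig": ""}


def covers(prev: str, nxt: str, qname: str) -> bool:
    # The gap may wrap around the end of the zone (last name -> first name).
    return prev < qname < nxt if prev < nxt else (qname > prev or qname < nxt)


def validate(qname: str, resp: dict) -> str:
    """Validator outcome: signed existence, signed non-existence, or bogus."""
    if resp["rcode"] == "NOERROR":
        ok = hmac.compare_digest(resp["sig"], sign(f"A|{qname}|{resp['answer']}"))
        return "secure-exists" if ok else "bogus"
    if resp.get("nsec"):
        prev, nxt = resp["nsec"]
        ok = hmac.compare_digest(resp["sig"], sign(f"NSEC|{prev}|{nxt}"))
        if ok and covers(prev, nxt, qname):
            return "secure-nonexistent"
    return "bogus"  # a validating resolver reports this as SERVFAIL
```

Both forged forms of a block come out as `bogus`, the same outcome a validator gives to a spoofing attack, so the application sees a resolution failure rather than a clean "does not exist".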

Instead, before starting to work on real technical mechanisms, I think the following is needed:

  • Whoever wants blocking of any kind must understand that any blocking just makes it harder for people to access information, and that it always has side effects. It can never ever make it impossible to access information. And people who absolutely want to share the information will do it anyway.
  • Specifically, if there is considerable interest in the information itself (such as Wikileaks) the information will spread so fast that “blocking” in reality has absolutely no impact whatsoever — if it does not happen on “day zero” (which sets some interesting requirements on modern police work — see below).
  • Blocking is something that, as discussed at several meetings, has a very large impact on everything related to Freedom of Speech, both the constitution in many countries and the UN Declaration of Human Rights. Because of this, even though blocking is not a very effective tool (see above), it is important that the process that says what is to be blocked is extremely robust, and because of that transparent, effective and trustworthy. Blocking must be worth the side effects created by the mechanisms used. With transparency I do not say the URLs or hostnames should always be public, because maybe they should not be (due to being part of a criminal investigation), but people under NDA should be able to see the list — before the list ends up in some Google index or Wikileaks…
  • It must be clear who makes the rules, who makes the decisions and who executes the blocking. And with “who”, I really talk about a definition both from a legal point of view and a practical point of view.

Once all of these things are fulfilled, we can start to discuss what can be done “as effective as possible, with as minimal damage as possible”. Because of course ISPs (for example) already have some technical mechanisms installed to handle DDoS attacks etc.

But it will never ever make it impossible to access the information in question. If information is to be taken down, the computer where the information is must be found, the responsible person dragged to court etc. I.e. normal police work.

And of course we can discuss what (new) tools (if any) law enforcement agencies need to do this work, apart from changing the methods they use today. New tools should not be created just because the police are lazy, or still living in the previous millennium, but I am pretty sure new tools are needed. My discussions with law enforcement agencies tell me they need help. That said, I am very disappointed with the theoretical tools that are created for them. They are not developed according to the process I explain here, for example.
