World Wide Alliance of Top Level Domain-names
ccTLD Constituency Meeting in Marina del Rey
ICANN Network Security Discussion-Chinese Group
Date: November 13, 2001
Time: 3:45 p.m. - 5:30 p.m.
Venue: Santa Monica
Moderators: Vincent W.S. Chen (TWNIC) & Qiheng Hu (CNNIC & ISOC-China)
Attendees: Lulin Gao (CNNIC), Mao Wei (CNNIC), James Yu (NeuStar), Monika Ermert (Heise), Joanna Tso (TWNIC), Anthony S. Lee (TWNIC), Albert Wang (TWNIC), Alan C.K. Wong (ITS-HK), Ted Hardie (Nominum), Ching-Shen Lin (MOTC-Taiwan), Ching-Fu Kuo (TWNIC), Sean H.W. Chu (DGT-Taiwan), Chien-Wen Wang (BSMI-Taiwan), Nan-Hsin Chen (NSYSU-Taiwan)
The following suggestions are proposed to ICANN for improving and strengthening network security. They are divided into four sections: Root Server, TLD Name Server, DNS, and Other Recommendations. They represent and express the attendees' opinions and are offered to ICANN and the Internet community as references on network security.
Root Server
- Security Concern(s):
  - Currently, there are 13 Root Servers located at different sites around the world, and the 13 Root Server administrators manage them on a voluntary basis, which increases risk and may jeopardize network security.
  - Root Servers have been developed and deployed for over thirty years, since the beginning of Internet history; the current technologies and management model should therefore be reviewed and amended in order to reduce the risk of being attacked by hackers.
- Suggestion(s):
  - ICANN should form a Security Committee to manage the increasing network security problems effectively and establish security policies for stable Internet operation.
  - ICANN should sign a contract or agreement with Root Server administrators to establish the responsibilities and obligations of both ICANN and the Root Server administrators.
  - ICANN should set a guideline for Root Server administrators, stating administrators' responsibilities, regular security reports, contingency plans, and security auditing performed at least once per year.
  - ICANN or IANA should shorten the time taken to renew data and provide an alternative way to amend data if an emergency happens to ccTLDs.
  - Root Servers should be able to change Slave Servers to Master Servers if Master Servers are attacked. Especially with regard to high-risk countries at war, Root Servers should be more globally distributed. The Root Server distribution mechanism should be re-evaluated based on guidelines and objective indicators such as the number of Internet users.
  - ICANN or IANA should provide a contact person who is reachable 24 hours a day, not via e-mail, if a ccTLD's Name Servers are under attack, and should help reassign the related Name Server information to restore DNS resolution in a timely manner.
TLD (gTLD & ccTLD) Name Server
- Security Concern(s):
  - Most gTLD servers are located in the U.S.A. Given this situation, the Internet would be disconnected if the servers in the U.S.A. had problems or were destroyed.
  - ccTLD servers face the same concerns as gTLD servers.
- Suggestion(s):
  - Encourage TLDs to set up their Name Servers according to the number of consumers, to reduce the risk.
  - Multi-homing would be a better way to establish secondary-level servers and backup operations, to avoid the possibility of being disconnected from the international network.
  - Replicate and cache Name Servers with other countries, especially to encourage regional collaboration.
  - The Name Servers of small ccTLDs should be given attention regarding their operation, since it may not be easy to operate well under the given conditions. We suggest creating a "Best Practice for TLD Name Server Operations" to serve as a guideline for TLD Name Server operation.
  - TLDs either to Root Servers or to its Name Servers should need digital signature as requesting
DNS
- Security Concern(s):
  - The version of BIND in use affects DNS security, and hacking could occur.
- Suggestion(s):
  - Speed up the implementation of a Secured DNS System, including DNSSEC/TSIG.
  - Encourage ccTLD registries to collaborate with international security organizations (e.g. the FIRST organization and local CERT organizations) on DNS security training and periodic security scanning and diagnosis.
Other Recommendations:
- Security Concern(s):
  - How can the destruction of registries' or registrars' databases be guarded against, as a security consideration?
- Suggestion(s):
  - Registries should be encouraged to back up applicants' data for rapid recovery in case the registry's database is destroyed (Thick Registration Model). If applicants' registration data is mainly stored in registrars' databases, registrars should regularly back up their databases (Thin Registration Model).
- Security Concern(s):
  - Routing security should be taken into consideration for network security, because routing is the lower level of the Internet and plays an important role in influencing the network.
- Suggestion(s):
  - ISPs should establish a plan or project to resolve security problems within a specific district alliance.
Attendee's Contact Information:
Organization | Name | e-mail | Economy
TWNIC | Vincent W.S. Chen | wschen@twnic.net.tw | Taiwan
ISOC-China | Qiheng Hu | QHHU@public.bta.net.cn | China
TWNIC | Albert Wang | albert@twnic.net.tw | Taiwan
TWNIC | Joanna Tso | joanna@twnic.net.tw | Taiwan
TWNIC | Nan-Hsin Chen | nschen@cc.nsysu.edu.tw | Taiwan
ABMI/MOEA | Chien-Wen Wang | Cw.wang@bsmi.gov.tw | Taiwan
TWNIC | Ching-Fu Kuo | cfkuo@dgt.gov.tw | Taiwan
MOTC | Ching-Shen Lin | Js-lin@motc.gov.tw | Taiwan
DGT | Sean H.W. Chu | seanc@dgt.gov.tw | Taiwan
ITS-HK | Alan C.K. Wong | ackwong@ctsd.gov.hk | Hong Kong
Nominum | Ted Hardie | hardie@nonimun.com | U.S.A.
CNNIC | Lulin Gao | lulin-gao@yahoo.com | China
CNNIC | Mao Wei | mao@cnnic.net.cn | China
NeuStar | James Yu | James.yu@neustar.com | U.S.A.
TWNIC | Anthony Lee | Anthony@twnic.net.tw | Taiwan
Heise | Monika Ermert | m.ermert@gmx.de | Germany
© ccTLD Managers
Page updated : 2003-05-26 19:35:25