Olivier Crépin-Leblond: Good morning, good afternoon, and good evening. This is the community call on the Security, Stability, and Resiliency framework. It’s an At-Large community briefing call on the 26th of April 2011. With us we have Patrick Jones, who is ICANN’s coordinator on the security group, so he’s going to be speaking to us about the financial year ’12 internet SSR framework. We have linked to our agenda a report which was approved in Cartagena, which was – was it drafted in – well, obviously November 2010 and approved in Cartagena in December 2012, and without any further ado, Patrick, I give you the floor.
Patrick Jones: Thank you, and I’ll do my best to take questions throughout. I’m glad I have an opportunity to go through this with At-Large, and do similar briefings with other stakeholder groups. One of the messages that I heard very clearly from the community in Cartagena was that they were fine with – it was okay to have the SSR plan the way it was presented then, but whenever we come out with the next one that we should do a really good job of making it more streamlined, less repetitive, more actionable.
I really tried to do that with this version. It’s not a 60+ page Word document that’s very dense; it’s being presented as a framework, something that can be built upon as the fiscal year systems go through, but it’s in a PowerPoint format. Part A makes it very clear what the foundation for ICANN’s role in security, stability, and resiliency is, where it fits in the ecosystem, and then Part B, which I would intend could be swapped out per year, focuses on what priorities the organization is going to focus on for fiscal year ’12, and then what other activities may be happening in the system and where ICANN may be playing a role as an observer rather than as a coordinator or facilitator.
So that’s just the background on why this document looks different than the previous two SSR plans. So with that introduction, I’m going to go through a subset of the slides. This opening slide is just what you could call a brief introduction of what ICANN is, and this is intended for a mixed audience. The SSR framework is not just for those who are familiar with ICANN, what its role is and what it does, but also potentially for people who are new to the community or who may be familiar with how the internet works, but not with what ICANN’s role is.
So this is an opening slide that could be used by others on ICANN as a global organization who coordinates the internet’s unique identifier systems. So as I mentioned, Part A describes ICANN’s role in SSR, and the ecosystem laid out as how we’ve divided this, and it shows this is a new framework rather than a Word document, and it gives you an overview of where it is.
So with security, stability, and resiliency, what are we talking about? Well, with security, and these are definitions that were in the previous SSR plan, but intended to be basic.
Olivier Crépin-Leblond: Sorry, Patrick, if I can just – my screen is not going through the PowerPoint presentation at the moment. I’m not sure whether it’s the same way to everyone, but at least my screen is not moving.
Evan Leibovitch: Mine either. It was for me, but I don’t have the ability to advance it.
Cheryl Langdon-Orr: Nothing for me either.
Patrick Jones: How’s that?
Cheryl Langdon-Orr: Whoa!
Evan Leibovitch: That’s more like it.
Olivier Crépin-Leblond: I thought I would mention this, because I saw you were starting to go through the slides, but the slides were just not moving.
Patrick Jones: Okay. It’s working now; everyone should see Security, Stability, and Resiliency at the top? So these are basic definitions, but it gives some context of what we’re talking about. So for security, it’s the capacity to protect and prevent misuse. Stability, to ensure the system operates as expected and users have the confidence that the system operates as expected, and resiliency is the capacity of the unique identifier systems to effectively respond, react, and recover from attacks and disruptive activity.
There are obviously denser definitions than these, but this is to give some basic context into what we’re talking about. So as mentioned, we’ve done two previous plans. If people are interested, here are the links, when they were published for the community and when they were dealt with by the Board. The reason why we’re looking at this so quickly for FY12 is that the last plan, honestly, was late. And the Board took it on in Cartagena, but that was halfway into fiscal ’11, so we’re really trying to frame the plan, the framework, back in line with the budgeting operating plan process.
So the intention is that we’ll publish the SSR plan by Thursday. I’m still trying to hold to that, with the translations. So that’ll be something that has been asked for by the community, and it would be open for comment through the end of May. I will continue to do community briefings and discussions; we’ll have more – possibly the Singapore meeting I can give a briefing on the comments that were received. How we’ve taken those comments into account and ideally the ICANN Board can consider the framework at the Singapore meeting.
I can stop there if people have questions about the timing. The next set of slides describes the ecosystem, and ICANN’s role. This shouldn’t be new for anyone here, but for people who might be reading the SSR framework for the first time, or this document, it may be helpful to know what are we talking about. So there are really three different areas. There’s internal sort of ICANN organizational operations, our l-root, our internal IT compliance, New gTLD process, even basics down to meeting logistics and administration and finance.
And then there’s the areas such as policy coordination, secretariat support, our involvement with Working Groups and with the greater internet community as a coordinator, facilitator, and collaborator. And then there’s the third area, where ICANN’s an observer of the activities of others, leading but aware of those activities in the ecosystem.
And then we see that there are three layers. There’s the global community, who may not be aware of ICANN or participate in processes, and then we’ll call it greater ICANN community, that’s the few and the others that come to the meetings or participate remotely, and then there’s the ICANN organizational operations perspective and staff. And then I have another set of slides to go through.
Participants in the ecosystem, this is very basic. There’s a lot more detail in the Part A that we are publishing for comment. But this is to provide sort of the foundation for who is impacted and who’s playing a role in the space. I’m actually jumping quite ahead, so I’m going to stop here. There’s a large set of slides in the framework that we don’t have a lot of time to cover, but they provide some context into the mission and by-laws of ICANN, the challenges that we’re facing on the misuses and attacks that are increasing, and then as well as the affirmation of commitments and the strategic plan to provide the context for ICANN’s role and responsibilities in this area.
So there’s a whole set of slides that I’m not going through that are available, and if you have questions or comments about them, please either send them my way or make a comment once the comment period opens. The next set of slides, and this really gets into the meat of the SSR plan, it covers Part B, which is the FY12 module.
I’ll stop here if anyone has any questions for right now. Okay, so we have three distinct areas, and this is going to cover this, so this slide goes down a level, so when you look at ICANN as from the operational responsibilities, what does that include? So that’s IANA functions, DNS operations, and l-root. The key signing, DNSSEC management, IT meetings, continuity, physical, personnel, security, compliance, and then fast-track and New gTLDs.
And we’ve tried to do this – who is responsible for that? And put more information into who has the ownership and responsibility, and there’s a whole other set of areas where ICANN is acting as either coordinator, facilitator, or collaborator, and there are different programs and initiatives around that. So that includes policy development, root zone management automation, the IPv6/IPv4 rollout and distribution, and then areas where we’re doing DNS capacity building as a collaborator with others, including the regional TLD organizations, ISOC, network startup resource center, and initiatives such as RPKI development and protocol work.
Unfortunately there’s a little bit of cutoff of these tables, but in the posted version of the slides, I’m assured that the full text is there. It provides another set of areas in SSR where there’s expected activity for FY12. We’re looking at doing a global symposium on Security, Stability, and Resiliency in partnership with others, and a date hasn’t been set, but we’re looking at doing that in FY12.
Contributing to efforts in resilience metrics, and in DNSSEC adoption and deployment, there’s also work that I’ll get to; the DSSA Working Group, the DNS security stability analysis Working Group that At-Large has a large group of participants in – the community as a whole has a large group of participants in that group, but we’re acting as facilitators from a staff perspective and also as subject matter experts available to the Working Groups.
And then there’s the category of activities where ICANN may have some awareness, but we’re in more of the observer role, and so that includes international cyber exercises, government developments on cyber security and critical infrastructure, law enforcement initiatives, risk management, academic research. So all of these initiatives that are listed in the three slides before give some context to different things that are strategic priorities for the next three years. So those from the strategic plan fall into four main categories; it’s maintain and drive DNS uptime, increase the security of overall systems of unique identifiers, increase international participation, and coordinate DNS global risk management.
So how does that fit? There’s community work that will be going on that includes local DNSSEC adoption, so it’s driving the – now that the root’s signed, it’s getting TLDs to adopt DNSSEC and having registrars come up with tools so that end users can come up with ways to make that as a protocol, more usable for people. That’s in addition to whois internationalization, IPv6 rollout, and the exhaustion of the IPv4 address space, and then work around developing resource public key infrastructure.
So that’s IP address resource certification. From a team perspective, the security team focuses its efforts in five main areas. That includes global security, engagement awareness, collaboration with others, capacity capabilities building program with ccTLD managers and now others, as well as our internal corporate security, which includes risk management business continuity efforts and cross departmental support, which is a broad area, but that includes work that the team is doing to support the New gTLDs Program, IDNs, DNSSEC, compliance, global partnerships, and policy development.
So now, from those five main areas, the next set of slides show what the team is planning to do for FY12. So for global security outreach, it’s conducting an SSR symposium, and that might be in the third quarter of 2011, or early in 2012. We’ve done two of these at Georgia Tech University in 2009, and then in 2010 at Kyoto University, in Japan. So we didn’t do one in FY11, and there’s now an interest from the academic community and others in doing another SSR symposium, so we’re beginning to explore our options. Once we know more about the timing and the topics, we’ll reach out to this group and to others for participation.
On collaboration, we’ve been working as a contributor to the RIPE NCC’s project, it’s called ATLAS; this is to put nodes on the edges of the network to – this is probably worth a whole other call, but it’s an effort to provide another look into what’s happening in the DNS, and ICANN’s been supportive of that. There’s also a very long, ongoing project to automate the root zone and work with NTIA and VeriSign, so we’re continuing to support that, from a security team side.
There’s – on DNSSEC, the fifth key ceremony is going to be in Culpeper, Virginia, coming up next week. Does someone have a question?
Olivier Crépin-Leblond: I cannot see anyone having put their hands up yet. You can go on.
Patrick Jones: So as you can see, there’s quite a bit of work projected in the collaboration area, and some of this is where security team members are supportive of others, so that’s technical evolution of whois, this one where there’s other ICANN staff who are really leading this, but we’re providing some subject matter expert support, in addition to policy development, and the DSSA Working Group that I mentioned.
Our corporate security programs, we’re continuing to improve on an internal side, meaning best practices, documenting and improving staff training and resources and improving – for l-root, we did a contingency exercise in February of this year, publishing an after action report, and then implementing what we learned out of that, so that the community is aware that we’re serving as an example for leading world class infrastructure.
And the next slide provides more detail on the other aspects of the corporate security program, including meeting security and cross departmental activities. So under community work, there is still an effort on dealing with the conficker botnet, and similar botnet cleanup. So recently Microsoft was involved in an action against what’s called the Rustock botnet, and there is an effort to prevent domain name generation for command and control. So ICANN is still involved in conficker and conficker like situations involving collaborative response. That will continue, as well as work in some of these other areas supporting SSAC and RSAC activities.
The SSR framework has a whole section that’s much larger than this, that shows the affirmation of commitments SSR review is currently underway, and that review is going to look at three areas; it’s our plans on continuity and consistency, how ICANN’s maintaining clear processes related to Security, Stability, and Resiliency, and the extent that the plan focuses on emerging threats and risks. So under contingency continuity work, this includes the capacity building program, and internal exercises that we’ve done, and also our work with others.
So participating in exercises with registries and with other governments and that includes the cyber storm series and the European equivalent, and then testing of data escrow and registrars’ escrow. A little bit more detail about the DNS capacity building program. I think this week we either just finished up or there’s training that’s happening in Nicaragua; there’s also a training in Ghana, but we’re not involved directly. That’s an NSRC, Network Startup Resource Center, activity.
Another training is going to be happening in Kenya, so the Ghana and the Kenya events are supported by AfTLD, and the Nicaragua one was the LACTLD event that we provided trainers for. So we’re planning at least eight training events in FY12; we’ll rotate among the regions. It’s not listed here, but there is an interest from the former CIS, so it’s the Commonwealth of Independent States, country codes in Eastern Europe, and in Russia doing a similar event. So we’re looking into that.
These events are seen as positive, and now within the events that just happened, between 250 and 300 participants from all over the world, and they will take this information back and put it into practice. We’re supportive of efforts to increase the use of best practices at the ccTLD level. Under maintaining clear processes, this includes the registration evaluation panels for the existing top level domain operators as well as the string evaluation for the IDN fast track. This covers how we’re maintaining clear processes, undue risk management, and evaluation of strings for the IDN fast track and New gTLDs.
And then there’s quite a bit here on emerging threats. I can spend more time on this if that’s something of interest to this group. This includes areas where ICANN staff is either acting as a collaborator and facilitator or we’re just more aware of what others in the community might be doing. We’ve divided these up into threats that leverage the DNS, so that includes botnets, denial of service attacks, route hijackings, social engineering, and then threats on the infrastructure itself. So that would be registry/registrar failure, disasters either natural or otherwise that occur, or authority or authentication compromise, such as what happened with Comodo and the certificate authority compromises from a few weeks ago.
So these are some things that may be emerging over the next year or so, where there may need to be more community work or some staff work, depending on comments we receive or requests from At-Large or others. There should be more work on implementation of IDNs, acceptance of IDNs in applications. There’s quite a bit of work still happening around variants, with the variant case study project. There’s also emerging issues around the implications of government interventions into the DNS, as we’ve seen with Egypt and Libya and other countries recently; as well as issues with DNSSEC implementation and adoption, IPv6/v4 address space issues.
The interactions of the DNS with applications, so it’s not very well followed right now, to the extent that mobile applications still use the DNS and that might not be something that’s an ICANN area, but we can still be aware of what that means for the internet as a whole. So the next couple of slides just look at some work that’s happening around emerging threats in FY12. The DNS Security Stability analysis Working Group that’s getting up to speed, I believe the chairs have either had a phone call or are having some discussions, and that it’s now fully staffed with its membership from the different supporting organizations and advisory committees, and that over the next however many months, the group will look into what are the actual level, frequency, and severity of threats to the DNS.
What are the current efforts and activities that are happening to mitigate these, and what are the gaps. We’re supportive of this group; we’re not trying to drive it in any way. We want to see the group come up with some outcomes, but from a staff perspective, this is really a community driven effort, not a staff driven effort. For FY12, we’re in the process of finalizing the budget and operating plans; that will be posted in May.
I believe that the projection is $69.8 million for expenses, and that SSR initiatives will account for around 17% of the total budget, which is about the same as what it was in the FY11 budget. We’re not projecting an increase for SSR, and at this time there is not much more detail that I can share on the resourcing for particular projects. But I’m hoping that there will be questions and you can see, we really put a lot of thought into reframing the way that this is displayed, so that it is – I’ll just leave it at that.
There’s a lot more detail in the other slides, this is an abbreviated version, and I’m happy to take on questions.
Olivier Crépin-Leblond: Well, thank you very much, Patrick, for this very, very complete presentation. In fact, I had several questions before you went through your slides, and as you went from slide to slide, I ticked each one of the questions as they became answered, and I end up with very few questions, in fact, none for the time being. I just wanted to add one small thing, with regards to the DSSA Working Group, for those who were not on the ALAC call earlier, the DSSA chairs will be having a call this week, so the ball will get rolling. It’s underway. Now, are there any questions from the community? There is not at the moment.
You mentioned a calendar, Patrick, for a comment period on the FY12 framework, starting on the 31st of May.
Patrick Jones: No, we’re planning to start the comment period this week, so this Thursday. It may be Thursday late, but the expectation is that when the comment period is open on the framework that all five translations will be there, so the whole set will be published at the same time, and the comment period will remain open throughout the whole month of May, so that the closing would be May 31.
That way, there would be a few weeks time to publish a thorough summary and analysis of the comments before people leave for Singapore. And that way, in Singapore, there can be a discussion on what we learned out of the summary, of the comments that were received, what might be changed or updated or additional detail that could be provided. But the plan is that it’s open for comment throughout the month, and that if people have specific comments or questions there will be an opportunity to have it done.
Olivier Crépin-Leblond: And so the document is what you just presented to us?
Patrick Jones: No, well, what I’ve presented is an abbreviated version. The SSR framework itself is in two parts, and I did send both parts, and Heidi or Gisella, I don’t know if those were posted into the At-Large Wiki space, but I did send those around in advance. Sorry it was late yesterday and not early enough for people to see it, but you’ll see it shortly.
Olivier Crépin-Leblond: Okay, because I had a question actually in regards to the format of it. The previous one was in text, a long document, and you mentioned that this one was going to be a presentation of both parts.
Patrick Jones: Both parts are PowerPoints; there is a Word document that combines the two, although I really wanted to get away from having the SSR framework be a dense Word document. For one, it makes it difficult to translate, and to present very clearly what our focus is on. I think that the PowerPoint presentation, and people can comment on this if you think that it’s not right, but I do think that the presentation format is helpful for communicating what is the foundation for ICANN’s role in this, what are the other players in the ecosystem doing, how does ICANN interact with them?
So there’s still another set of slides that I just didn’t have time to include in this briefing, but it describes contracted, non-contracted parties, partners in the space, those organizations that have memorandum of understanding with ICANN. If other entities that ICANN interacts with at a different level, and I think that foundation sets the stage for what ICANN – where its place is in the ecosystem, how it’s just one piece, and that there are others that are doing quite a bit of work around security and stability of identifiers besides ICANN.
Olivier Crépin-Leblond: Okay, any questions from anyone else out there? I see no hands up. I do have another question, but it goes to the DSSA, and that was the – it’s not a standing Working Group; it’s one which has a goal. What is the timing for the DSSA, with regards to producing its results?
Patrick Jones: I think that’s really up to the Chairs and the other participants in the group to come up with. I would hope that it’s a group that can have international calls before Singapore, and then maybe meet face to face for those who are going to be at the Singapore meeting, or provide a remote participation for those who can’t.
Between the Singapore and the Dakar meetings, maybe the group can come up with some identification of threats and risks and what groups are existing in the space. So that’s just what I would think. Now the Working Group can come up with its own timeline, and staff doesn’t want to be seen as providing direction to this group –
Olivier Crépin-Leblond: So we don’t know what’s expected, but what’s somehow wished for.
Patrick Jones: Unlike what happened a year ago with DNS-CERT, this is definitely something that we’re supportive of as a community driven effort, and I would just hope that the group that’s come together, which is large, but also full of some very talented and experienced people, can come up with some initial observations between now and Dakar; that would be fantastic.
Olivier Crépin-Leblond: Okay. So I ask another time then; any questions, comments?
Patrick Jones: We’ll look at this as an early preview, and kind of do a better job of engaging all parts of the community, including At-Large, so we haven’t started the comment period yet. Once you can look at the document, questions come up; feel free to raise them in the comment period.
I will try to do something novel and actually respond to questions that come up in the comment period, so that there’s a running – we did this in the last SSR plan as well, but I don’t think it’s useful for people to give feedback, so the door is open and we want to continue that.
Olivier Crépin-Leblond: That’s an interesting point that you just made, because in general the At-Large community, and ALAC actually, makes one statement, doesn’t make just a number of comments in separate comments. It just tends to do one statement, usually just one that is true consensus prior to having the statement sent out.
In establishing this discussion with comments coming in and you answering comments, would you be willing to perhaps look at some of the discussions that are taking place within the At-Large space, whilst we’re building our comment? Or is this something that goes outside the realm?
Patrick Jones: Well, I think it might be useful; I’ll refer back to the last SSR plan as an example. We did the briefing for At-Large, and then there were some individuals who commented, and I think even the chat log from that session, I was able to use that and answer those questions during the comment period.
So people came up with questions that I couldn’t answer on the phone. Those were sent to me, and then I answered those in the summary in the comment period, and that was able to help expand on the input that was received from At-Large. So look at that as another option.
I think it works fine to come up with a consensus comment and approach, but also if there’s a way to clarify things during the comment period; we have plenty of time to do that. If not, then we can flag issues that can be discussed in Singapore.
Olivier Crépin-Leblond: Okay, I think that would be very helpful, definitely, for our community. One thing which I do like to ask sometimes is if some of our members wish to ask you questions directly, I guess they have your email address and they can ask you?
Patrick Jones: Yes.
Olivier Crépin-Leblond: And one thing I was going to ask was to carbon copy the public list, so as for your response to be shared with everyone, rather than everyone asking the same question, two, three, four, five times. So that helps us move fast and you as well.
Patrick Jones: Yeah, that sounds a lot like what we did with the last SSR plan, so we want to continue that.
Olivier Crépin-Leblond: Okay, well, excellent. Well thank you very much for joining us, and I guess our next steps is to move forward to comments on the time when we can look at it. And Heidi, are we going to see this in the confluence pages? Is this already on there?
Heidi Ullrich: No, we’re working on that now.
Olivier Crépin-Leblond: Okay, good.
Patrick Jones: Keep in mind that the whole posting will be going up in the next couple of days, so there’ll be an announcement, and Gisella and Heidi can send that to the At-Large list.
Cheryl Langdon-Orr: If I may, Cheryl speaking, for the record; Patrick, if we can at least have the part with the PowerPoint up on the confluence page, then those people who are putting together the regional meeting agendas, which roll off at the beginning of the month, APRALO is the only one that meets at the end of the month. Most of the other regions meet in the early part or no later than the middle of the month, they can actually incorporate it into their agendas, and that will allow for the regional and ALS input to be done.
Patrick Jones: One more thing I’d add; we didn’t look at this SSR framework as something that is completely separate from the budget and operating plan that comes out. The list of areas of emphasis for the staff and others is only one part. If there are activities that you, as a community, would like to see and spend more time on, please comment in to the budget and operating plan document as well.
So look at them as – this is intended to complement the budget, provide more detail on what our focus is going to be, and what some of the community focus is in SSR, but it’s not like it’s completely separate. But there’s a way for you to provide encouragement for more work in a particular area by commenting. Cheryl, did I answer that, or do you have another question?
Cheryl Langdon-Orr: You answered it, I was just going to say an example of this is this section on… I’m just starting to find the slide. I think it’s slide 14, part B, something around there. When you’re talking about the cross-organizational – I mean closed committee about parts of those issues of contractual compliance and New gTLDs implementation – that’s something that the At-Large community has been very keen on making sure is strengthened and a better resource. And we’d obviously be giving, I would assume we would be giving strong support in those directions as well. Getting some of this stuff right is pretty damned important, and getting the new stuff right while the old stuff’s still wrong doesn’t fill us with hope and (inaudible) and trust.
Olivier Crépin-Leblond: Okay, building on what Cheryl just mentioned with regards to having this as an agenda item into the regions, I would say that the first thing that we do is actually send out a note to all of the lists for the comments to take place, because some of the regional meetings do take place later on the month, in the second part of the month, so they won’t give them too little time to be able to comment on this.
But it’s something that will be on the agendas. So thank you very much for joining us, Patrick. It’s been very, very informative, and we look forward to being able to read through the whole plan and to be able to comment and to engage dialog with you and your colleagues.
Patrick Jones: If you want to set aside time, even if it’s brief, in Singapore for me to come back and give an update on what we’ve heard in the comment period and how that’s being taken into account, I can certainly do that.
Olivier Crépin-Leblond: Okay, point noted. Thank you. And we’ll work – we haven’t worked out all of our timings and so on yet, we do need to, and we’ll keep that in mind.
Patrick Jones: Okay.
Olivier Crépin-Leblond: Right, well this concludes our call today, and thank you for joining, and thank you for taking the time to explain to us, as I said, this very interesting field of ICANN’s work, and very important too.
Patrick Jones: Thank you.
[End of Transcript]