[dns-operations] Kaminsky: Protect IP Act Would Break DNS

David Miller dmiller at tiggee.com
Mon Jul 18 10:20:21 UTC 2011

On 7/17/2011 8:11 PM, Joe Greco wrote:
>> * Joe Greco:
>>> However, those solutions are much more fraught with peril.  When
>>> you start interfering with IP addresses, for example, even assuming
>>> you could inject a v4 /32, you may take down a whole slew of sites
>>> unrelated to what you are attempting to target.
>> This is not rocket science.  You route the /32 to the interception
>> device, and do whatever processing is necessary at the higher protocol
>> level.  It's probably sufficient if you match on a few characteristic
>> keywords/bit strings there.  Clean interception based on URIs (or
>> their application-specific equivalent) is difficult, but would
>> probably be required by law.
> So, you're talking about injecting a /32 in the local service provider's
> network, and then forcing them to buy an interception device and then
> be competent to get that configured to work in tandem without also
> messing up the related sites, and you expect every service provider in
> the country to do this in each of their regional networks without
> screwing it up.
> My friend, that IS rocket science, I'm sorry.
> I purposely chose the term "fraught with peril" for a reason.
> ... JG

We appear to have gotten off track in this thread.

I read the latest version of this bill.

You can too, if you want, at:

We can argue about the internet being global and information wanting to 
be free
no end, however, US lawmakers have decided that they can exercise 
certain control
over the actions of US based companies.  They can and will do this, now with
this bill or later with another - there is too much money at stake for 
them to
just ignore the issue.

So, given the following, what is the expert recommendation for a solution?
1. Congress *can* pass laws that force certain actions by US companies.
2. The domains in question are under registries that the USG does not 
have legal
    control over and are unresponsive to USG requests.
3. The sites/domains in question are hosted outside of the US and in 
places not
    responsive to USG requests.
4. Congress wishes to make it such that these sites/domains are 
unreachable by
    US users and to make it such that these sites/domains do not profit 
from US

None of 1, 2, 3, or 4 above are up for debate, let's just call them 
"facts of the

What Congress has in this law is pretty simple for rogue domains:
1. Stop resolution of the site/domain name on resolving DNS servers in 
the US.
2. Stop payment processors from processing payments to the site from US
3. Stop internet advertising services from providing advertisements 
to/for the
4. Remove the site/domain from internet search engines.

What are the least intrusive methods for accomplishing the objectives?  
We can
either recommend solutions, or we can let folks in Congress that can't 
even type
"design" a solution.


More information about the dns-operations mailing list