DNS DATA SHARING (OR NOT) Stéphane Bortzemeyer & Nathalie Boulvard.


Summary

1. Technical aspects

1.1 The problem

1.2 The queries contain

1.3 The data is useful

1.4 Anonymization is the solution?

2. Legal aspects

2.1 The issues

2.2 The texts contain

2.3 The contract could be useful

2.4 Anonymization is the solution?

3. Tour de table - Debate

Questions


1. Technical aspects


1.1 The problem

• We operate DNS servers
• They receive queries
• They send responses

Very often, we record the DNS traffic (security incident analysis, business intelligence, statistics, etc.). The recording is often called a « pcap file ».


1.2 The queries contain

Example: « 2001:660:3003:8::4:69 » asked for the IPv6 address of www.impots.gouv.fr

The source IP address of the resolver (not the end user’s machine). Typically a big machine at the IAP. But not always.

The complete name requested (do not believe the CENTR video, it is wrong). We see requests for

_bittorrent-tracker._tcp.XXXX.abo.wanadoo.fr


1.3 The data is useful…

…and many people are interested. Can we share it?

• DITL http://www.caida.org/projects/ditl/
• OARC https://www.dns-oarc.net/

Is it personal data? For some requests, clearly yes, for some, clearly no and the rest is in between.


1.4 Anonymisation is the solution?

• We could « anonymize » (replace the IP addresses by a dummy value)
• Anonymization deletes data (bad for researchers)
• Anonymization is never perfect (data crunchers know how to get some information back)
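An added example (not part of the slides) of the two caveats on this slide: three ways to replace the source address in recorded queries, and what an analyst can still group afterwards. The records, the key and all function names are constructed for illustration; addresses come from documentation prefixes.

```python
import hashlib
import hmac
import ipaddress
from collections import defaultdict

# Constructed sample: (resolver source address, query name) pairs.
# Addresses use documentation prefixes; all names are made up.
QUERIES = [
    ("2001:db8:3003:8::4:69", "www.example.org."),
    ("192.0.2.53", "_bittorrent-tracker._tcp.cust-1234.abo.example."),
    ("192.0.2.53", "www.example.net."),
    ("192.0.2.99", "mail.example.com."),
]

def dummy(addr):
    """Replace every address by one dummy value per address family."""
    return "::" if ipaddress.ip_address(addr).version == 6 else "0.0.0.0"

def truncate(addr, v4_bits=24, v6_bits=48):
    """Keep only the network prefix and zero the host part."""
    ip = ipaddress.ip_address(addr)
    bits = v4_bits if ip.version == 4 else v6_bits
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False).network_address)

def pseudonym(addr, key):
    """Keyed pseudonym: stable per source, not recomputable without the key."""
    packed = ipaddress.ip_address(addr).packed
    return hmac.new(key, packed, hashlib.sha256).hexdigest()[:16]

def anonymize(queries, method):
    """Apply `method` to the source address; the query name is left untouched."""
    return [(method(src), qname) for src, qname in queries]

def names_per_source(records):
    """Group query names by (anonymized) source, as an analyst would."""
    groups = defaultdict(set)
    for src, qname in records:
        groups[src].add(qname)
    return dict(groups)

if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumption: a secret kept by the operator
    methods = [("dummy", dummy), ("truncate", truncate),
               ("pseudonym", lambda a: pseudonym(a, key))]
    for label, method in methods:
        groups = names_per_source(anonymize(QUERIES, method))
        print(label, "->", len(groups), "distinct sources (3 in the raw data)")
        for src, names in groups.items():
            print("   ", src, sorted(names))
```

The dummy value and the truncated prefix merge distinct resolvers (the data loss), while the keyed pseudonym keeps them apart but also keeps every query of one source linked to the customer-specific name that was never anonymized.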


2. Legal aspects


2.1 The issues

Companies’ rights and interests
• Reputation

Individuals’ rights
• Personal data - Sensitive data


2.2 The texts contain

Under the European rules
• The European Union adopted its “data protection directive” (directive 95/46) on October 24, 1995.
• National independent authorities (CNIL for France) & the “Article 29 Working Party”
• Reform of the data protection EU legal framework (to follow up)

Under the International rules


2.3 The contract could be useful…

…but not only. Can we share?

• DITL http://www.caida.org/projects/ditl/
• OARC https://www.dns-oarc.net/

An example: the OARC Participation Agreement.


2.4 Anonymisation is the solution?

Well… yes:
• No personal data anymore
• So, no more legal issue!

But as anonymization is never perfect… Let’s carry on with a debate!


3. Tour de table - Debate


Questions


Are you interested in following up this discussion? If yes, how? If no, why?

Do you think that this entire issue is worth a debate? If no, why?


www.afnic.fr

Twitter: @AFNIC
Facebook: afnic.fr


Thank you!