Click the comments link on any story to see comments or add your own.
Subscribe to this blog
21 Sep 2012
United Against Nuclear Iran (UANI) is an advocacy group that, among other things, tries to isolate Iran by pressuring businesses and organizations to stop doing business with Iran. This week they turned their attention to ICANN and RIPE to try to cut off Internet access to Iranian organizations. Regardless of one's opinion about the wisdom of isolating Iran (and opinions are far from uniform), this effort was a bad idea in an impressive number of both technical and political ways.
Their letter to ICANN demanding that they:
1. Terminate its relationship with and deny any Iranian entity or person that has been sanction-designated by the United States, the European Union and the United Nations access to and revoke previously assigned Domain Name System ("DNS"), Internet Protocol ("IP") addresses, space allocation, protocol identifier assignment, generic ("gTLD") and country code ("ccTLD") Top-Level Domain name system management, and root server system management functions;
It lists a variety of web sites of sanctioned organizations, including http://www.mut.ac.ir/ http://www.cbi.ir, http://www.bankmaskan.ir, http://www.bmi.ir, http://www.banksepah.ir, and http://www.khatam.com that they want ICANN and IANA to cut off.
Technically, this is ridiculous. Even if IANA wanted to block or disable individual domain names, they can't, because the DNS doesn't work that way. They manage the top level delegation to .IR and .COM, but the internatl structure of those domains are managed by the Institute for Studies in Theoretical Physics and Mathematics in Teheran (which is not on the sanctions list) and Verisign, respectively. Politically, cutting off a top-level domain from the root is a complete non-starter. Even though the US government has had its thumb on the root zone since the day the DNS first went live, it has never interfered with countries' management of their ccTLDs, even countries like Cuba and North Korea that the US really doesn't like. Were the US to try to disable .IR, it would provoke a huge international outcry, and not just from countries sympathetic to Iran.
Their letter to RIPE is no better. It demands that RIPE:
1. Terminate its relationship with and deny any Iranian entity or person that has been sanction-designated by the United States, the European Union and/or the United Nations access to and revoke previously assigned internet number resources, including Internet Protocol ("IP") addresses, domain names, and Autonomous System Numbers ("ASNs");
They go on to cite the same web sites they do in the ICANN letter.
Again this is ridiculous for both technical and political reasons. The technical problem is that a web site is not a network, and all the web sites they list are on networks shared with other entities not on the sanctious list. Furthermore, a registry like RIPE just does bookkeeping, and doesn't control anyone else's network. Even if RIPE hypothetically revoked the allocations, the Iranian networks could just keep using them, because each network decides what IP addresses they use, and the only way to keep a rogue network from using someone else's addresses is for other networks that connect to the rest of the net to refuse to route traffic to those addresses. (Of course, if the connecting networks were so inclined, they could block traffic regardless of what RIPE did.)
Politically, RIPE has allocation rules, and again, if they didn't follow them, an international incident would ensue. While it would probably be fine with UANI to cut off all the other entities that share the IP and other allocations used by their target organizations, it would not be fine with RIPE or RIPE's other members and clients.
UANI appears not to have done even the most rudimentary research to find out whether their demands to ICANN and RIPE were reasonable. One theory was that it was deliberate, they're PR hounds, and it worked since the letters got them a mention in the New York Times (see the last three paragraphs.) Another is that it just didn't occur to them that they didn't understand what they were asking for. Personally, I think the second explanation seems a lot more likely.
comments... (Jump to the end to add your own comment)
Add your comment...
Note: all comments require an email address to send a confirmation to verify that it was posted by a person and not a spambot. The comment won't be visible until you click the link in the confirmation. Unless you check the box below, which almost nobody does, your email won't be displayed, and I won't use it for other purposes.
My other sites
© 2005-2014 John R. Levine.
CAN SPAM address harvesting notice: the operator of this website will not give, sell, or otherwise transfer addresses maintained by this website to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages.