Home / Blogs

Unclear on the Concept, Sanctions Edition

United Against Nuclear Iran (UANI) is an advocacy group that, among other things, tries to isolate Iran by pressuring businesses and organizations to stop doing business with Iran. This week they turned their attention to ICANN and RIPE to try to cut off Internet access to Iranian organizations. Regardless of one’s opinion about the wisdom of isolating Iran (and opinions are far from uniform), this effort was a bad idea in an impressive number of both technical and political ways.

Their letter to ICANN demanding that they:

1. Terminate its relationship with and deny any Iranian entity or person that has been sanction-designated by the United States, the European Union and the United Nations access to and revoke previously assigned Domain Name System (“DNS”), Internet Protocol (“IP”) addresses, space allocation, protocol identifier assignment, generic (“gTLD”) and country code (“ccTLD”) Top-Level Domain name system management, and root server system management functions;
It lists a variety of web sites of sanctioned organizations, including http://www.mut.ac.ir/ http://www.cbi.ir, http://www.bankmaskan.ir, http://www.bmi.ir, http://www.banksepah.ir, and http://www.khatam.com that they want ICANN and IANA to cut off.

Technically, this is ridiculous. Even if IANA wanted to block or disable individual domain names, they can’t, because the DNS doesn’t work that way. They manage the top level delegation to .IR and .COM, but the internal structure of those domains are managed by the Institute for Studies in Theoretical Physics and Mathematics in Teheran (which is not on the sanctions list) and Verisign, respectively. Politically, cutting off a top-level domain from the root is a complete non-starter. Even though the US government has had its thumb on the root zone since the day the DNS first went live, it has never interfered with countries’ management of their ccTLDs, even countries like Cuba and North Korea that the US really doesn’t like. Were the US to try to disable .IR, it would provoke a huge international outcry, and not just from countries sympathetic to Iran.

Their letter to RIPE is no better. It demands that RIPE:

1. Terminate its relationship with and deny any Iranian entity or person that has been sanction-designated by the United States, the European Union and/or the United Nations access to and revoke previously assigned internet number resources, including Internet Protocol (“IP”) addresses, domain names, and Autonomous System Numbers (“ASNs”);

They go on to cite the same web sites they do in the ICANN letter.

Again this is ridiculous for both technical and political reasons. The technical problem is that a web site is not a network, and all the web sites they list are on networks shared with other entities not on the sanctious list. Furthermore, a registry like RIPE just does bookkeeping, and doesn’t control anyone else’s network. Even if RIPE hypothetically revoked the allocations, the Iranian networks could just keep using them, because each network decides what IP addresses they use, and the only way to keep a rogue network from using someone else’s addresses is for other networks that connect to the rest of the net to refuse to route traffic to those addresses. (Of course, if the connecting networks were so inclined, they could block traffic regardless of what RIPE did.)

Politically, RIPE has allocation rules, and again, if they didn’t follow them, an international incident would ensue. While it would probably be fine with UANI to cut off all the other entities that share the IP and other allocations used by their target organizations, it would not be fine with RIPE or RIPE’s other members and clients.

UANI appears not to have done even the most rudimentary research to find out whether their demands to ICANN and RIPE were reasonable. One theory was that it was deliberate, they’re PR hounds, and it worked since the letters got them a mention in the New York Times (see the last three paragraphs.) Another is that it just didn’t occur to them that they didn’t understand what they were asking for. Personally, I think the second explanation seems a lot more likely.

By John Levine, Author, Consultant & Speaker

Filed Under

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet


Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.



Threat Intelligence

Sponsored byWhoisXML API

Domain Management

Sponsored byMarkMonitor


Sponsored byVerisign

Domain Names

Sponsored byVerisign

IPv4 Markets

Sponsored byIPXO