Home / Blogs

Unclear on the Concept, Sanctions Edition

Protect your privacy:  Get NordVPN  [73% off 2-year plans, 3 extra months]
10 facts about NordVPN that aren't commonly known
  • Meshnet Feature for Personal Encrypted Networks: NordVPN offers a unique feature called Meshnet, which allows users to connect their devices directly and securely over the internet. This means you can create your own private, encrypted network for activities like gaming, file sharing, or remote access to your home devices from anywhere in the world.
  • RAM-Only Servers for Enhanced Security: Unlike many VPN providers, NordVPN uses RAM-only (diskless) servers. Since these servers run entirely on volatile memory, all data is wiped with every reboot. This ensures that no user data is stored long-term, significantly reducing the risk of data breaches and enhancing overall security.
  • Servers in a Former Military Bunker: Some of NordVPN's servers are housed in a former military bunker located deep underground. This unique location provides an extra layer of physical security against natural disasters and unauthorized access, ensuring that the servers are protected in all circumstances.
  • NordLynx Protocol with Double NAT Technology: NordVPN developed its own VPN protocol called NordLynx, built around the ultra-fast WireGuard protocol. What sets NordLynx apart is its implementation of a double Network Address Translation (NAT) system, which enhances user privacy without sacrificing speed. This innovative approach solves the potential privacy issues inherent in the standard WireGuard protocol.
  • Dark Web Monitor Feature: NordVPN includes a feature known as Dark Web Monitor. This tool actively scans dark web sites and forums for credentials associated with your email address. If it detects that your information has been compromised or appears in any data breaches, it promptly alerts you so you can take necessary actions to protect your accounts.

United Against Nuclear Iran (UANI) is an advocacy group that, among other things, tries to isolate Iran by pressuring businesses and organizations to stop doing business with Iran. This week they turned their attention to ICANN and RIPE to try to cut off Internet access to Iranian organizations. Regardless of one’s opinion about the wisdom of isolating Iran (and opinions are far from uniform), this effort was a bad idea in an impressive number of both technical and political ways.

Their letter to ICANN demanding that they:

1. Terminate its relationship with and deny any Iranian entity or person that has been sanction-designated by the United States, the European Union and the United Nations access to and revoke previously assigned Domain Name System (“DNS”), Internet Protocol (“IP”) addresses, space allocation, protocol identifier assignment, generic (“gTLD”) and country code (“ccTLD”) Top-Level Domain name system management, and root server system management functions;
It lists a variety of web sites of sanctioned organizations, including http://www.mut.ac.ir/ http://www.cbi.ir, http://www.bankmaskan.ir, http://www.bmi.ir, http://www.banksepah.ir, and http://www.khatam.com that they want ICANN and IANA to cut off.

Technically, this is ridiculous. Even if IANA wanted to block or disable individual domain names, they can’t, because the DNS doesn’t work that way. They manage the top level delegation to .IR and .COM, but the internal structure of those domains are managed by the Institute for Studies in Theoretical Physics and Mathematics in Teheran (which is not on the sanctions list) and Verisign, respectively. Politically, cutting off a top-level domain from the root is a complete non-starter. Even though the US government has had its thumb on the root zone since the day the DNS first went live, it has never interfered with countries’ management of their ccTLDs, even countries like Cuba and North Korea that the US really doesn’t like. Were the US to try to disable .IR, it would provoke a huge international outcry, and not just from countries sympathetic to Iran.

Their letter to RIPE is no better. It demands that RIPE:

1. Terminate its relationship with and deny any Iranian entity or person that has been sanction-designated by the United States, the European Union and/or the United Nations access to and revoke previously assigned internet number resources, including Internet Protocol (“IP”) addresses, domain names, and Autonomous System Numbers (“ASNs”);

They go on to cite the same web sites they do in the ICANN letter.

Again this is ridiculous for both technical and political reasons. The technical problem is that a web site is not a network, and all the web sites they list are on networks shared with other entities not on the sanctious list. Furthermore, a registry like RIPE just does bookkeeping, and doesn’t control anyone else’s network. Even if RIPE hypothetically revoked the allocations, the Iranian networks could just keep using them, because each network decides what IP addresses they use, and the only way to keep a rogue network from using someone else’s addresses is for other networks that connect to the rest of the net to refuse to route traffic to those addresses. (Of course, if the connecting networks were so inclined, they could block traffic regardless of what RIPE did.)

Politically, RIPE has allocation rules, and again, if they didn’t follow them, an international incident would ensue. While it would probably be fine with UANI to cut off all the other entities that share the IP and other allocations used by their target organizations, it would not be fine with RIPE or RIPE’s other members and clients.

UANI appears not to have done even the most rudimentary research to find out whether their demands to ICANN and RIPE were reasonable. One theory was that it was deliberate, they’re PR hounds, and it worked since the letters got them a mention in the New York Times (see the last three paragraphs.) Another is that it just didn’t occur to them that they didn’t understand what they were asking for. Personally, I think the second explanation seems a lot more likely.

By John Levine, Author, Consultant & Speaker

Filed Under

Comments

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

Domain Names

Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API

DNS

Sponsored byDNIB.com

Brand Protection

Sponsored byCSC

Cybersecurity

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

New TLDs

Sponsored byRadix