ietf

Re: national security

2003-11-29 17:07:14
At 03:39 PM 11/29/2003 -0800, Karl Auerbach wrote:
On Sat, 29 Nov 2003, vinton g. cerf wrote:

I strongly object to your characterization of ICANN as "abandoning"
the operation of roots and IP address allocation. These matters have
been the subject of discussion for some time.

I can't seem to recall during my 2 1/2 years on ICANN's board that there
ever was any non-trivial discussion, even in the secrecy of the Board's
private e-mail list or phone calls, on the matters of IP address
allocation or operation of the DNS root servers.  Because I was the person
who repeatedly tried to raise these issues, only to be repeatedly met with
silence, I am keenly aware of the absence of any substantive effort, much
less results, by ICANN in these areas.

The fact that there were few board discussions does not mean that staff
was not involved in these matters. Discussions with RIRs have been lengthy
and have involved a number of board members. 

So, based on my source of information, which is a primary source - my own
experience as a Director of ICANN, I must disagree that ICANN has actually
faced either the issue of DNS root server operations or of IP address
allocation.  And ICANN's "enhanced architecture for root server security"  
was so devoid of content as to be embarrassing - See my note at
http://www.cavebear.com/cbblog-archives/000007.html

The DNS root server operators have not shown any willingness to let ICANN
impose requirements on the way they run their computers.  Indeed, the
deployment of anycast-based root servers without even telling ICANN in
advance, much less asking for permission, is indicative of the distance
between the operations of the root servers and ICANN.

Sorry, anycast has been out there for quite a while; I am surprised you
didn't know that. We had discussions about anycast with the SECSAC and
the RSSAC and confirmed that there were few risks. The GAC requested and
received a briefing on this as well.


[I believe that the anycast change was a good one.  However, there is no 
way to deny that that change was made independently of ICANN.]

Anycast may even have preceded the creation of ICANN - perhaps an IETF
source or one of the root server operators can say when the first ANYCAST
deployments were done.


Sure, ICANN prepares, or rather, Verisign prepares and ICANN someday hopes
to prepare, the root zone file that the DNS root servers download.  But to
say that preparation of a small, relatively static, text file is the same
as overseeing the root servers is inaccurate.

In addition, the root server operators have shown that they are very able 
to coordinate among themselves without ICANN's assistance.

ICANN absolutely recognizes the critical role of the RIRs

Again, recognizing the RIRs is an admission that ICANN has abandoned its
role as the forum in which public needs for IP addresses and technical
demands for space and controlled growth of routing information are
discussed and balanced.  Fortunately the RIRs have matured and are
themselves the IP address policy forums that ICANN was supposed to have
been.  Moreover, the RIRs have shown that they are more than capable of 
doing a quite good job of coordinating among themselves.

The RIRs have agreed to use the ASO as the mechanism for conducting
global policy discussions -  you seem to think that unless ICANN is
dictating everything it is doing nothing. Sorry, I don't buy it.



There is still need for coordination of policy among these groups
and the other interested constituents and that is the role that
ICANN will play. 

Again, ICANN can not demonstrate that it has engaged, because it has not
engaged, in the "coordination" of IP address "policy".  Sure, ICANN has
facilitated the creation of a couple of new RIRs.  But again, there is
vast distance between that and ICANN being the vehicle for policy
formulation or oversight to ensure that those policies are in the interest
of the public and technically rational.


I have serious doubts that ICANN will be able to meet its obligations
under the most recent terms of the oft-amended Memorandum of Understanding
between ICANN and the Department of Commerce.  I see no sign that the DNS
root server operators or the RIRs are going to allow themselves to become
dependencies of ICANN and to allow their decisions to be superseded by
decisions of ICANN's Board of Directors.

They don't need to become "dependencies" for this process to work - you are
setting up a strawman that I don't buy into, Karl. What we are looking for
is coordination of policy development in such a way that affected parties
have an opportunity to raise issues. That's what the reform of the ICANN
process was all about. 

I am not interested in having the decision of the Board of Directors supersede
RIR or Root Server recommendations. I am interested in assuring that any 
policies developed have input from affected constituencies and that these
are factored into the policies developed. 

vint cerf



               --karl--

Vint Cerf
SVP Technology Strategy
MCI
22001 Loudoun County Parkway, F2-4115
Ashburn, VA 20147
703 886 1690 (v806 1690)
703 886 0047 fax
vinton(_dot_)g(_dot_)cerf(_at_)mci(_dot_)com
www.mci.com/cerfsup 



