
Re: national security

2003-11-30 19:57:30
On Sat, 29 Nov 2003, vinton g. cerf wrote:

I can't seem to recall during my 2 1/2 years on ICANN's board that there
ever was any non-trivial discussion, even in the secrecy of the Board's
private e-mail list or phone calls, on the matters of IP address
allocation or operation of the DNS root servers.  Because I was the person
who repeatedly tried to raise these issues, only to be repeatedly met with
silence, I am keenly aware of the absence of any substantive effort, much
less results, by ICANN in these areas.

The fact that there were few board discussions does not mean that staff
was not involved in these matters. Discussions with RIRs have been lengthy
and have involved a number of board members. 

Discussions "with staff" hardly constitutes responsible oversight by ICANN
as a body responsible to the internet public.  All you have said is that
ICANN has not merely abandoned its oversight of DNS and IP addresses to
the root server operators and the RIRs but also that the only elements
within ICANN that even bother to observe are the occasional board member
and perhaps some unnamed staff members.

I raised the anycast issue several times to the board.  "Staff" received 
those e-mails.  I do not accept as valid an after-the-fact explanation that 
says "Even though nobody bothered to answer Karl's inquiries, ICANN's 
staff was really making informed decisions, in secret, about anycast."

ICANN's job is not to make decisions in secret, by unknown members of
"staff", based on unknown criteria and using unknown assumptions.  To do 
so, which is what you are saying has been done, is simply yet another 
abandonment of ICANN's obligations.

The switch to anycast for root servers is a good thing.  But it was hardly
without risks.  For example, do we really fully comprehend the dynamics of
anycast should there be a large scale disturbance to routing on the order
of 9/11?  Could the machinery that damps rapid swings of routes turn out 
to create blacked out areas of the net in which some portion of the root 
servers become invisible for several hours?  Could one introduce bogus 
routing information into the net and drag some portion of resolvers to 
bogus root servers?

I'm pretty sure that the root server operators have answers to these
questions.  However, it is incumbent on ICANN not to simply accept that
these people know what they are doing; ICANN must document it, ICANN must
inquire whether some of the decisions are made on public-policy
assumptions (in which case "the public" needs to become a party to those
decisions).

Considering that we know that there would be no ill effects to adding even
a hundred new top level domains, one has to wonder at the degree of
automatic deference (deference amounting to an institutional decision to
be blind) to the deployment of anycast as compared to the hyper detailed
inquiry into matters even as irrelevant as the pronounceability in English
of a few proposed new top level domains.

In addition, an argument could well be made that anycast violates the
end-to-end principle.  For instance, it's hard, or impossible, to maintain
a TCP connection that spans a routing change that sunsets one anycast
partner and sunrises another.

Given that one of the strongest arguments against Verisign's Sitefinder is
that it breaks things, and that it violates the end-to-end principle,
Verisign lawyers must be very pleased that they can so easily demonstrate
that ICANN is willing to act with overt bias, to let slide, without
inquiry, those things proposed by ICANN "friends".

Sorry, anycast has been out there for quite a while; I am surprised you
didn't know that.

No need for sarcasm.  As you must be well aware, I was the one who explained
to ICANN's Board how anycast works.  Indeed, I was the one who brought the
deployment of anycast roots to the Board's attention.  I know that the
ICANN Board considers its communications secret.  However if I am required
to defend myself from what I consider to be an unwarranted and
unsupportable assertion regarding my professional knowledge I would have
to consider it my right to defend myself and publish any and all relevant
materials from the archives of the Board's e-mail.

But you miss the point - the deployment of anycast for root servers was a
bold operational decision.  It was a decision made by the root server
operators alone, without ICANN.

ICANN's obligation is to guarantee to the public the stability of DNS at
the root layer.  ICANN's failure to engage in the issue of anycast
deployment was simply and clearly an abandonment of ICANN's
responsibilities.

[I believe that the anycast change was a good one.  However, there is no 
way to deny that that change was made independently of ICANN.]

Anycast may even have preceded the creation of ICANN

Yes, anycast has been around for a long time.  Multicast, NATs, and OSI
all also preceded the creation of ICANN.  But does that mean that ICANN
should freely and without question allow the deployment of those
technologies for DNS root servers?

The RIRs have agreed to use the ASO as the mechanism for conducting
global policy discussions -  you seem to think that unless ICANN is
dictating everything it is doing nothing. Sorry, I don't buy it.

So, I take it that you consider that ICANN's role is to rent meeting halls 
in which groups may meet and make decisions?

ICANN, in order to guarantee the public that the DNS and IP allocation 
systems of the net are stable is obligated to have a final veto power.  As 
it stands ICANN has abandoned that power to the RIRs.

These are not idle issues.  The issue of NATs has filled several IETF 
threads.  Most of us consider NATs to be ill-starred creations.  But they 
are quite popular.  And why are they popular?  Partially because of the 
policies of the RIRs that restrict IP address allocations.  Yes, the RIRs 
have many and good reasons for their policies.  But those policies are one 
of the forces that are inducing more and more NATs.  It is easy to 
conceive of ICANN disagreeing with the RIRs over an allocation policy that 
would further drive NATs.  ICANN, in its present role, has abandoned the 
final authority over that question to the RIRs and in so doing has 
abandoned ICANN's responsibility to the public.

ICANN has left operational issues of the DNS roots to the root server 
operators.  ICANN has left the final authority for IP address decisions to 
the RIRs.  I personally have no major objection to that.  But it is a 
situation that makes ICANN superfluous except for the protection of 
trademarks and the granting of top level domain franchises.

I have serious doubts that ICANN will be able to meet its obligations
under the most recent terms of the oft-amended Memorandum of Understanding
between ICANN and the Department of Commerce.  I see no sign that the DNS
root server operators or the RIRs are going to allow themselves to become
dependencies of ICANN and to allow their decisions to be superseded by
decisions of ICANN's Board of Directors.

they don't need to become "dependencies" for this process to work

Either ICANN has the final authority to dictate decisions to the root
server operators and RIRs or it does not.  If ICANN does not then ICANN 
has simply abandoned its responsibilities to the root server operators and 
the RIRs.

"Coordination" is a weasel word.  Either ICANN has the authority to 
make a guarantee of internet stability to the community of internet users 
or it does not.  As I read your comments you seem to be saying that ICANN 
does not have that authority.  If that is the case, I can only ask, why 
should we have an ICANN if it is simply a toothless bureaucracy whose job 
is simply to stand by and let other more competent bodies make final 
decisions?
 
I am not interested in having the decision of the Board of Directors supersede
RIR or Root Server recommendations.

Which is simply to say that you are not interested in an ICANN that is
able to make a guarantee to the public that the root of the DNS and the IP
address systems are being operated responsibly and in the best interests
of the stability of the community of internet users.

ICANN can be merely a "coordinator" if it wants.  But to do so it needs to 
stop trying to deceive the public that it is a player and start being 
truthful that its role is merely that of a cheerleader.

Harry Truman was famous for his desk plaque that said "The buck stops
here."  But in the land of ICANN it is clear that the ultimate
responsibility is not lodged in ICANN; it is in the hands, good will, and
expertise of the root server operators and the RIRs.  At the present time
those hands are competent, the will is good, and the expertise great.  
But in the absence of clear ultimate authority in ICANN, things could
change leaving the internet community vulnerable and without protection.

                --karl--




