Russia and the "Internet Disconnection"

Russia and the "Internet Disconnection"

After the invasion of Putin's troops on Ukraine 🇺🇦, we heard, on the one hand, numerous calls for the cutting of Russian Internet networks, and, on the other hand, the announcement that Russia was going to make such cuts. This article examines the issue from a technical point of view only (albeit with some incursions into Internet governance). We are only talking about the software infrastructure of the Internet, leaving aside services such as social networks.

First, we want to mention that in the face of this war, we are not neutral. The responsibility is 99.9% to Russia. Wanting to equate the attacker and the victim (for example, by refusing the weapon to the victim in order to defend himself) is not neutrality, it is the support of the aggressor. Assistance to Ukraine (not only through humanitarian aid but also directly through Ukraine) is therefore important. Second, this article explores the technical aspects of possible cuts.

Be careful when you read information on the Web and especially on social networks: a lot of things about the Internet in Russia are false (for example when we take up Russian propaganda of a disconnection test that never been observed independently).

If you are unfamiliar with Internet governance, it should be remembered throughout this article that there is no chief or president of the Internet (if in a article you come across phrases like "ICANN, regulator of the Internet", you can stop reading right away, it proves that the author does not know his subject). Each actor has their decision-making autonomy (within the limits of the laws and policies of their country). No one, for example, has the technical or political authority to effectively cut off all communications with Russia, even if they wanted to.

Let's start with domain names. For example, we have seen the Ukrainian government call for the removal of the Russian TLDs .ru, .su and .рф from the DNS root. Is it possible? It is necessary to distinguish between technical possibility and political possibility. Technically, there is hardly any difficulty. The master copy of the root is maintained by a US government contractor, Verisign (yes, there is also an ICANN role but technically it is not ICANN that edits the root zone file). It would be technically trivial to remove TLDs from this zone, as had been done for .yu. That wouldn't necessarily mean that .ru and the others would stop working. The manager of a DNS resolver can always configure his software to transmit (we speak of forwarding) requests for names under .ru directly to authoritative servers. It is likely that many resolvers in Russia are already configured this way, for sovereignty reasons. If the .ru was removed from the root, others would. We would therefore have a complicated situation, where the .ru would work in certain places and not in others, aggravating the "messiness" of the Internet (which is already quite high).

But of course, the main question facing this idea of deleting Russian TLDs is political: assuming that ICANN and the US government decide to do so (remember that even .ir has never been deleted, despite numerous requests to the United States), this would mean the immediate end of single-root DNS (RFC 2826). The Russians would mount another root, probably with the Chinese, who would be delighted with the pretext, and with other countries which, until now, supported the management of the root by the United States since this management remained relatively reasonable. (By the way, remember that the majority of information about the Internet in the media is false. It is therefore inaccurate to claim that Russia or China, before February 24, 2022, used an alternative root. Discussions have taken place, projects were set up, but nothing concrete was implemented.) As expected, ICANN refused to act.

Rather than requesting the removal of these TLDs from the root, an alternative would be to configure resolvers to refuse to resolve these names. These lying DNS resolvers are widely used in Europe for censorship, for example from Sci-Hub. They too contribute to fragmenting the Internet. Unlike actions on the root, the configuration of resolvers is very decentralized: each resolver manager can block .ru on his own initiative. In France, this refusal hits the RT channel, for example.

However, there are more than DNS in life. Diehard network technicians would even say that the Internet is IP, DNS being just an application, which we can do without. We don't really agree with that view (without DNS you don't get very far), but it's still worth looking into IP connectivity. On the RIPE mailing lists, many people have called for a blocking of Russian IP addresses, or even for the RIPE-NCC to withdraw the allocation of IP prefixes and autonomous system numbers from Russia (or, sometimes, only from the Russian government). Below is an example of an IP address prefix allocated to a Russian agency:

As for the DNS, let's start with what is done at the "central" level before seeing the decisions of the decentralized actors. The RIPE-NCC is the European RIR and the territory under its responsibility includes Russia (but also Iran). Like ICANN, it does not benefit from any particular international status, it is just an organization governed by Dutch law, which must therefore obey the laws of its country. This is for example the case during the sanctions decided by the European Union. Technically, the RIPE-NCC can indeed modify its database to withdraw Russian resource allocations (for now, this is not planned).

However, as for the DNS, this withdrawal would not necessarily result in a concrete effect on the cables. Each operator remains in control of its routing, decides which prefixes to route and which prefixes to block. Admittedly, many operators automatically filter routing announcements (generally received via the BGP protocol) on the basis of the RIR databases (what is called the IRR). In the event of a disallocation of Russian resources, these operators would therefore be cut off from Russia. This is also why the Russian telecommunications regulator, Roskomnadzor, has asked Russian operators to no longer use the RIPE-NCC IRR. But other operators do not blindly apply IRRs, especially if these were too clearly used to implement geopolitical decisions. It is therefore not at all sure that the routing will be cut, only disturbed (another case of "messiness" of the Internet).

Please note that any IP addresses that might be deallocated could not be reassigned to others: as the old Russian owners would certainly continue to use them, these addresses would not actually work in the hands of their new owners, due to the many conflicts that this would generate.

The effect of deallocation would be stronger if the routing was uniformly secured via the RPKI. But this is not the case everywhere.

Here again, the main negative consequence for the Internet would come from the end of the current resource management system: instead of international RIRs, we would see different countries set up competing registries, addresses being assigned twice, and other disorders.

Again, as with DNS, there may be local decisions. An operator can refuse IP packets coming from Russian addresses or refuse BGP advertisements containing Russian ASes. We will undoubtedly see in the coming weeks a complicated landscape, where certain communications will work in certain places and not in others.

So far we have talked about the possibility of people outside of Russia cutting off communications with Russia. But the cut can also be made following a Russian initiative, for example, to prevent Russian citizens from obtaining information freely.

Finally, the text from the Ukrainian government that called for cutting .ru also mentioned CAs. They do not depend on ICANN or the RIRs, and make their decisions on their side, according to the laws of the country on which they depend. If they decided to revoke the Russian certificates, we would end up with similar problems: partial communication, Russia setting up its own CAs, and, in general, a weakening of security.

Get started with 100,000 free lookups: sign up