Internet Network Shutdowns in Russia

Following the invasion of Ukraine by Putin's troops, there have been several calls for Russian Internet networks to be shut down in one way or another and announcements that Russia is going to make such cuts. This article explores the issue from an exclusively technical point of view (although with some forays into Internet governance). I only talk about the infrastructure of the Internet, leaving aside services like social networks.

First, two warnings. I am not neutral in the face of this war, 99.9% of which is Russia's responsibility. Wanting to put the aggressor and the aggressed on an equal footing (for example by refusing to deliver weapons to the aggressed so that he can defend himself) is not neutrality, it is support for the aggressor. It is therefore important to help Ukraine (and not only via humanitarian aid but also directly by helping Ukraine to cope). Secondly, this article explores the technical aspects of possible shutdowns, which does not mean that I think they would be a good idea (I'll give you my opinion right away: no, it would not be a good idea).

Ah, a third warning though: a lot of things you read on social networks about the Internet in Russia are wrong (for example, when you repeat the Russian propaganda of a disconnection test that has never been independently observed). So, be careful.

If you are not familiar with Internet governance, you should remember throughout this article that there is no chief or president of the Internet (if in an article you come across phrases like "ICANN, the Internet regulator", you can stop reading right away - it proves that the author does not know his subject). Each actor has its own autonomy of decision (within the limits of the laws and politics of its country). Nobody has, for example, the technical or political authority to effectively cut off all communications with Russia, even if they wanted to.

Let's start with domain names. For example, we saw the Ukrainian government calling for the removal of Russian TLDs .ru, .su and .рф from the DNS root. Is this possible?

It is necessary to distinguish between technical and political possibilities. Technically, there is hardly any difficulty. The master copy of the root is managed by a subcontractor of the US government, Verisign (yes, there is also a role for ICANN, but technically ICANN does not edit the root zone file). It would be technically trivial to remove TLDs from this zone, as was done for .yu. This would not necessarily mean that .ru and others would stop working. The manager of a DNS resolver can always configure his software to forward requests for names under .ru directly to authoritative servers. It is likely that many resolvers in Russia are already configured this way, for reasons of sovereignty. If .ru was removed from the root, others would do it. So we would have a complicated situation, where .ru would work in some places and not in others, worsening the "chaotisation" of the Internet (which is already quite high).

But of course the main question about this idea of removing Russian TLDs is political: if ICANN and the US government decide to do it (remember that even .ir has never been removed, despite many requests in the United States), it would mean the immediate end of the unique root of DNS (RFC 2826). The Russians would set up another root, probably with the Chinese, who would be delighted with the pretext, and with other countries that until now accepted the US management of the root since it was still relatively reasonable. (By the way, remember that most of the information about the Internet in the media is false. It is thus inaccurate to claim that Russia or China, before February 24, 2022, were using an alternative root. Discussions were held, projects were set up, but nothing concrete was implemented). As expected, ICANN refused to act.

Rather than requesting the removal of these TLDs from the root, another solution would be to configure the resolvers to refuse to resolve these names. These lying DNS resolvers are widely used in Europe for censorship, for example of Sci-Hub. They also contribute to fragmenting the Internet. Unlike actions on the root, the configuration of resolvers is very decentralised: each resolver manager can block .ru on his own initiative. In France, this refusal strikes for example the channel RT.

But there is more to life than DNS. Hardcore network technicians would even say that the Internet is IP, DNS being only an application, which we can do without. I don't really agree with this point of view (without DNS you don't get very far), but it's still worth looking at IP connectivity. On the RIPE discussion lists, many have called for a block on Russian IP addresses, or even for the RIPE NCC to withdraw allocations of IP prefixes and Autonomous System Numbers from Russia (or, sometimes, just from the Russian government). (Seen on the RIPE NCC website, an example of an IP address prefix allocated to a Russian organisation).

As with the DNS, let's start with what is done at the "central" level before looking at the decisions of decentralised actors. The RIPE NCC is the European Regional Internet Registry (RIR) and the territory under its responsibility includes Russia (but also Iran). Like ICANN, it has no particular international status, it is just an organisation under Dutch law, which must therefore obey the laws of its country. This is the case, for example, with sanctions decided by the European Union. Technically, the RIPE NCC can indeed modify its database to remove Russian resource allocations (for the moment, this is not planned).

However, as with DNS, this withdrawal would not necessarily translate into a concrete effect in the cables. Each operator remains in control of its routing, deciding which prefixes to route and which to block. It is true that many operators automatically filter routing announcements (usually received via the BGP protocol) based on the RIR databases (the so-called IRR). In the event of a deallocation of Russian resources, these operators would be cut off from Russia. This is why Roskomnadzor has asked Russian operators (English translation) to stop using the RIPE NCC's IRR. But other operators do not blindly apply IRRs, especially if they were too clearly used to implement geopolitical decisions. It is therefore not at all sure that routing is cut, only disrupted (another case of "chaotisation" of the Internet).

Note that any deallocated IP addresses could not be reassigned to others. As the old Russian holders would certainly continue to use them, these addresses would not really work in the hands of their new holders, due to the many conflicts this would generate.

The effect of deallocation would be stronger if routing were uniformly secure via RPKI. But this is not the case everywhere.

Again, the main negative consequence for the Internet would come from the end of the current resource management system: instead of international RIRs, we would see different countries setting up competing registries, addresses being assigned twice, and other disorders.

Again, as with the DNS, there may be local decisions. An operator can refuse IP packets coming from Russian addresses or refuse BGP announcements containing Russian ASes. We will probably see a complicated landscape in the coming weeks, where some communications will work in some places.

So far, I've talked about the possibility that people outside of Russia are cutting off communications with Russia. But the cut-off can also be done as a result of a Russian initiative, for example, to prevent Russian citizens from informing themselves freely. For the moment, this does not seem to be the case (and one can watch RT).

Finally, the text of the Ukrainian government that called for cutting .ru also mentioned the CAs. They don't depend on ICANN or RIRs, and they make their decisions on their own, according to the laws of the country they depend on. If they decided to revoke Russian certificates, we would have similar problems: partial communication, Russia setting up its own CAs, and generally weakening security.

This article was originally published in French on Stéphane's blog.