On Sat, 29 Nov 2003, vinton g. cerf wrote:

> >I can't seem to recall during my 2 1/2 years on ICANN's board that there
> >ever was any non-trivial discussion, even in the secrecy of the Board's
> >private e-mail list or phone calls, on the matters of IP address
> >allocation or operation of the DNS root servers. Because I was the person
> >who repeatedly tried to raise these issues, only to be repeatedly met with
> >silence, I am keenly aware of the absence of any substantive effort, much
> >less results, by ICANN in these areas.
>
> The fact that there were few board discussions does not mean that staff
> was not involved in these matters. Discussions with RIRs have been lengthy
> and have involved a number of board members.

Discussions "with staff" hardly constitutes responsible oversight by ICANN as a body responsible to the internet public. All you have said is that ICANN has not merely abandoned its oversight of DNS and IP addresses to the root server operators and the RIRs but also that the only elements within ICANN that even bother to observe are the occasional board member and perhaps some unnamed staff members.

I raised the anycast issue several times to the board. "Staff" received those e-mails. I do not accept as valid an after-the-fact explanation that says "Even though nobody bothered to answer Karl's inquiries, ICANN's staff was really making informed decisions, in secret, about anycast."

ICANN's job is not to make decisions in secret, by unknown members of "staff", based on unknown criteria and using unknown assumptions. To do so, which is what you are saying has been done, is simply yet another abandonment of ICANN's obligations.

The switch to anycast for root servers is a good thing. But it was hardly without risks. For example, do we really fully comprehend the dynamics of anycast should there be a large scale disturbance to routing on the order of 9/11?
Could the machinery that damps rapid swings of routes turn out to create blacked out areas of the net in which some portion of the root servers become invisible for several hours? Could one introduce bogus routing information into the net and drag some portion of resolvers to bogus root servers?

I'm pretty sure that the root server operators have answers to these questions. However, it is incumbent on ICANN not to simply accept that these people know what they are doing; ICANN must document it, ICANN must inquire whether some of the decisions are made on public-policy assumptions (in which case "the public" needs to become a party to those decisions).

Considering that we know that there would be no ill effects to adding even a hundred new top level domains, one has to wonder at the degree of automatic deference (deference amounting to an institutional decision to be blind) to the deployment of anycast as compared to the hyper detailed inquiry into matters even as irrelevant as the pronounceability in English of a few proposed new top level domains.

In addition, an argument could well be made that anycast violates the end-to-end principle. For instance, it's hard, or impossible, to maintain a TCP connection that spans a routing change that sunsets one anycast partner and sunrises another.

Given that one of the strongest arguments against Verisign's Sitefinder is that it breaks things, and that it violates the end-to-end principle, Verisign lawyers must be very pleased that they can so easily demonstrate that ICANN is willing to act with overt bias, to let slide, without inquiry, those things proposed by ICANN "friends".

> Sorry, anycast has been out there for quite a while; I am surprised you
> didn't know that.

No need for sarcasm. As you must be well aware, I was the one who explained to ICANN's Board how anycast works. Indeed, I was the one who brought the deployment of anycast roots to the Board's attention.
I know that the ICANN Board considers its communications secret. However if I am required to defend myself from what I consider to be an unwarranted and unsupportable assertion regarding my professional knowledge I would have to consider it my right to defend myself and publish any and all relevant materials from the archives of the Board's e-mail.

But you miss the point - the deployment of anycast for root servers was a bold operational decision. It was a decision made by the root server operators alone, without ICANN. ICANN's obligation is to guarantee to the public the stability of DNS at the root layer. ICANN's failure to engage in the issue of anycast deployment was simply and clearly an abandonment of ICANN's responsibilities.

> >[I believe that the anycast change was a good one. However, there is no
> >way to deny that that change was made independently of ICANN.]
>
> Anycast may even have preceded the creation of ICANN

Yes, anycast has been around for a long time. Multicast, NATs, and OSI all also preceded the creation of ICANN. But does that mean that ICANN should freely and without question allow the deployment of those technologies for DNS root servers?

> The RIRs have agreed to use the ASO as the mechanism for conducting
> global policy discussions - you seem to think that unless ICANN is
> dictating everything it is doing nothing. Sorry, I don't buy it.

So, I take it that you consider that ICANN's role is to rent meeting halls in which groups may meet and make decisions?

ICANN, in order to guarantee the public that the DNS and IP allocation systems of the net are stable, is obligated to have a final veto power. As it stands ICANN has abandoned that power to the RIRs.

These are not idle issues. The issue of NATs has filled several IETF threads. Most of us consider NATs to be ill-starred creations. But they are quite popular. And why are they popular? Partially because of the policies of the RIRs that restrict IP address allocations.
Yes, the RIRs have many and good reasons for their policies. But those policies are one of the forces that are inducing more and more NATs.

It is easy to conceive of ICANN disagreeing with the RIRs over an allocation policy that would further drive NATs. ICANN, in its present role, has abandoned the final authority over that question to the RIRs and in so doing has abandoned ICANN's responsibility to the public.

ICANN has left operational issues of the DNS roots to the root server operators. ICANN has left the final authority for IP address decisions to the RIRs. I personally have no major objection to that. But it is a situation that makes ICANN superfluous except for the protection of trademarks and the granting of top level domain franchises.

> >I have serious doubts that ICANN will be able to meet its obligations
> >under the most recent terms of the oft-amended Memorandum of Understanding
> >between ICANN and the Department of Commerce. I see no sign that the DNS
> >root server operators or the RIRs are going to allow themselves to become
> >dependencies of ICANN and to allow their decisions to be superseded by
> >decisions of ICANN's Board of Directors.
>
> they don't need to become "dependencies" for this process to work

Either ICANN has the final authority to dictate decisions to the root server operators and RIRs or it does not. If ICANN does not then ICANN has simply abandoned its responsibilities to the root server operators and the RIRs.

"Coordination" is a weasel word. Either ICANN has the authority to make a guarantee of internet stability to the community of internet users or it does not. As I read your comments you seem to be saying that ICANN does not have that authority. If that is the case, I can only ask, why should we have an ICANN if it is simply a toothless bureaucracy whose job is simply to stand by and let other more competent bodies make final decisions.

> I am not interested in having the decision of the Board of Directors supersede
> RIR or Root Server recommendations.

Which is simply to say that you are not interested in an ICANN that is able to make a guarantee to the public that the root of the DNS and the IP address systems are being operated responsibly and in the best interests of the stability of the community of internet users.

ICANN can be merely a "coordinator" if it wants. But to do so it needs to stop trying to deceive the public that it is a player and start being truthful that its role is merely that of a cheerleader.

Harry Truman was famous for his desk plaque that said "The buck stops here." But in the land of ICANN it is clear that the ultimate responsibility is not lodged in ICANN; it is in the hands, good will, and expertise of the root server operators and the RIRs. At the present time those hands are competent, the will is good, and the expertise great. But in the absence of clear ultimate authority in ICANN, things could change leaving the internet community vulnerable and without protection.

--karl--