Will Cisco Products phone home to ICANN?

IGP has spent a lot of time trying to get people to appreciate the massive global governance issues caused by adding security to the Internet's core infrastructure. We just didn't expect them to become this obvious so quickly. Case in point: various technical lists are abuzz with news that Cisco, the world's largest router manufacturer, is discussing the possibility of making every one of its products do DNSSEC validation by default: 

That $50 Linksys home router/WiFi Access Point you buy down at Fry's will do DNSSEC when you plug it in. So will that Umi telepresence unit. So will the WebEx client, for that matter. And the network management software, and the management processor in your blade server, and whatever else you can think of. The present direction is to apply this to any and every Cisco product that uses DNS and has access to the necessary computing resources.

That may just sound like a new product feature, but wait: Cisco is seriously considering using the DNS itself, and ICANN specifically, to help manage the security of these devices. After reviewing the options in a post to an IETF discussion group on DNS security, John Bashinski, an individual Cisco employee, concluded that

Using DNS is appealing because it introduces minimal extra code and relies on no extra communication paths, but it's not required.

But what will be the default trust root used by these millions of products? Think of that old Linksys router gathering dust in your closet. How will it initiate DNSSEC validation after being offline for some period? Maybe through Cisco's private PKI or the existing “public” X.509 PKI? Bashinski's “preferred answer” is interesting:

Get IANA and the root zone [i.e., ICANN] to provide some kind of service for getting [products] up to date starting from old trust roots. This is our preferred answer…

Bashinski provides a list of reasons why outsourcing to ICANN might make sense (e.g., familiarity, transparency, longevity) – and he is also adamant that nothing is decided yet, not by Cisco or by anyone else. But for better or worse, what we're talking about here is making ICANN the default “phone home” start-up point for a very large slice of the world's networking equipment. While arguments over the technical virtues continue, this discussion clearly illustrates the tendency to rely ever more heavily on ICANN for critical public governance functions, simply because it's already there.
