Naked Security

Russia’s sovereign internet law comes into force

The new law compels the country’s ISPs to forward all data arriving and departing from their networks through special gateway servers.

The Russian government calls it the “sovereign internet” law and from 1 November it compels the country’s ISPs to forward all data arriving and departing from their networks through special gateway servers.

Promoted since 2018, the sovereign internet is, from the government’s point of view, a way of protecting the country from the bad stuff the internet – or other countries – might throw at it.

To its critics, Runet, as it’s also known, is a straight power grab by a government obsessed with the idea of control, surveillance and censorship of its population.

If this sounds a bit like China’s infamous Great Firewall, senior Russian politicians downplay the comparison. Said Prime Minister Dmitri Medvedev earlier this year:

Certainly, we won’t have Chinese-style regulations. No firewall will emerge here.

On the contrary, he said, Runet was more about pushing back against the historic regulation of the internet by one country, the US, which had the power to threaten the integrity of Russia’s internet infrastructure.

DPI paranoia

At face value, it seems the government’s solution in Runet is to build a sort of parallel national internet, which is connected to global networks but can be disconnected from them if the government decides that’s necessary.

It sounds like an intranet of the sort Iran once proposed – a separate network with connections to the outside world – but its design is closer to that of a giant proxy through which traffic can be made to pass some of the time.

The simplest element of this will be deep packet inspection (DPI), a technology already universally used by ISPs across the world to prioritise traffic, block unwanted protocols, and prioritise specific applications.

But unlike conventional quality of service DPI, this won’t be controlled by ISPs. Instead, they will pass traffic to servers that sit in the same racks but are controlled by communications regulator Roskomnadzor, and these will do Runet’s heavy lifting.

Arguably, this is similar to the Great Firewall because its design sets up government-controlled servers as gateways capable of blocking traffic to applications, websites, and keywords the authorities want to stop citizens from accessing.

DNS 2

DPI has its limits, which is why Runet is trialling a much more radical concept that has some experts scratching their heads – a parallel DNS infrastructure.

DNS is a complex, distributed global address book, listing which IP addresses are associated with which domain names.

Setting up a parallel DNS implies that Russia will somehow mirror or proxy this system, or set up rival root domain servers, allowing it to filter which domains will be resolved or what they resolve to.

No country has ever tried this before and it’s hard to see how it can be done without creating a lot of potential bottlenecks or points of failure.

It looks as if this part of Runet is some way off being operational, which suggests that the technical challenges have yet to be overcome.

There is some justification for Russia’s worry about other countries launching cyber-operations against it – a scattering of reports suggest the US is probing Russian infrastructure (including its infamous ‘troll factory’ in St Petersburg) in a way that should give its leaders cause for concern.

And yet to sceptics, the idea of Runet offering the country glorious isolation is a far-fetched fantasy which ignores the realities of how ISPs and the internet work.

Internet traffic isn’t like a pipe that can be turned on and off or diverted at will. It functions as a cooperative system in which Russian ISPs must peer traffic that is heading to other destinations in ways that belie simple concepts of internal and external, good and bad.

The Russian government’s real battle is with a very narrow range of applications such as messaging app Telegram, VPN network providers (many of which were banned in 2017) and overlay privacy systems such as Tor.

If they are the real target, Runet is just another tool in the box. It won’t stop these from working but it might make accessing them less reliable and dissuade some Russians from using them.

3 Comments

To a non-techie lay person like myself, this sounds very much like another form of government control and isolation

too funny, still seeing all the same attack traffic as before – ALL FROM RUSSIA – ALL THE TIME
