Increasing routing security globally through cooperation | IGF 2023 WS #339

10 Oct 2023 06:15h - 07:45h UTC

Event report

Speakers and Moderators

Speakers:
  • Benjamin W. Broersma, Government, Western European and Others Group (WEOG)
  • Katsuyasu Toyama, Private Sector, Asia-Pacific Group
  • Lauren Crean, Intergovernmental Organization, Intergovernmental Organization
  • Verena Weber, OECD
  • Annemiek Toersen
  • Olaf Kolkman, Internet Society
Moderators:
  • Bastiaan Goslings, Technical Community, Western European and Others Group (WEOG)

Disclaimer: This is not an official record of the IGF session. The DiploAI system automatically generates these resources from the audiovisual recording. Resources are presented in their original format, as provided by the AI (e.g. including any spelling mistakes). The accuracy of these resources cannot be guaranteed. The official record of the session can be found on the IGF's official website.

Session report

Annemiek Toersen

The Netherlands Standardization Forum plays a significant role in promoting interoperability and provides advice to the Dutch government regarding the use of mandatory open standards. The forum consists of approximately 25 members from various sectors, including government, businesses, and science. One of their key efforts is the compilation of a list of mandatory open standards, primarily focused on public sector organizations. This ensures effective communication and information sharing between different governmental entities.

Open standards are essential for secure and trustworthy data exchange, enabling seamless communication and compatibility between different systems and technologies. They also contribute to accessibility for all individuals, regardless of their technical capabilities, and promote vendor neutrality by reducing dependence on specific vendors.

The Netherlands Standardization Forum utilizes the internet.nl tool to monitor and measure the growth of internet security standards and other open standards. This tool helps conduct annual reviews of procurement tenders, assessing the government’s performance in implementing open standards. The forum reports these results to the cabinet, ensuring transparency and accountability in open standards adoption.

Annemiek Toersen, a supporter of the forum, advocates for the use of Resource Public Key Infrastructure (RPKI) to prevent Internet hijacking. To support its adoption, Toersen proposes sponsoring courses on RPKI to educate and train personnel within Dutch government institutions.

Education and workshops play a crucial role in promoting the adoption of open standards. By providing information and training, governments can make informed decisions and effectively implement these standards. The European Union (EU) also monitors the adoption rate of internet standards, including RPKI, to ensure that European countries stay up to date with the latest advancements.

Internet.nl, an open and accessible tool, is available worldwide for implementation. It has already inspired countries like Australia, Brazil, and Denmark to adopt it. The availability of an English version facilitates global cooperation, and the team behind Internet.nl offers assistance and support to ensure successful implementation.

For a procedure to be accepted, substantial deployment and support are necessary. The involvement of multiple organizations helps validate its efficacy and practicality for wide-scale implementation. Public discussions and workshops are necessary to improve routing security and advance technologies like RPKI.

In conclusion, the Netherlands Standardization Forum plays a vital role in promoting interoperability and advising the government on the use of mandatory open standards. Open standards facilitate secure data exchange, accessibility, and vendor neutrality. The forum uses the internet.nl tool for monitoring and measurement, and Annemiek Toersen supports the use of RPKI. Education and workshops are crucial for the widespread adoption of open standards, and the EU monitors the adoption rate of internet standards. Internet.nl is available worldwide, and the acceptance of a procedure requires substantial deployment and support. Continued efforts are needed to progress security measures and advocate for improved strategies in the digital realm.

Olaf Kolkman

Routing security is a critical concern when it comes to safeguarding the core of internet infrastructure. The argument is that protecting the routing space is vital, as it serves as the backbone of the internet. To address this issue, a prioritization of routing security is necessary.

The Mutually Agreed Norms on Routing Security (MANRS) have been established to tackle routing security challenges. MANRS offers a set of measures that participants in the routing system agree to adopt. Different programs are available for Internet Service Providers (ISPs), Content Delivery Networks (CDNs), Internet exchange points, and vendors. The MANRS Observatory helps track incidents and community adoption, ensuring transparency and accountability.

Another proposed measure is the implementation of certification schemes to enhance routing security. Participants can obtain certification through an audit scheme, potentially increasing their market value. The argument suggests that a certification scheme could create higher value in the market, thereby incentivizing participants to prioritize routing security.

Collaboration among routing system participants is emphasized as a crucial aspect in addressing common action problems. The lack of visibility among participants is seen as a challenge, but by making each participant’s commitment to routing security visible, this issue can be overcome. Increased visibility could incentivize the adoption of routing security measures and promote a more secure routing system.

Olaf Kolkman, although not directly involved in the process, raises a question about the specific Request for Comments (RFCs) used in the initiative. He suggests forwarding the question to individuals such as Bart or Rüdiger, who may have the answer. This demonstrates a willingness to seek expertise and knowledge from relevant sources.

In conclusion, securing routing is of utmost importance for protecting the core of internet infrastructure. Initiatives such as MANRS and certification schemes aim to enhance routing security. Collaboration, visibility, and certification can incentivize participants to prioritize and adopt routing security measures. Seeking input from relevant experts highlights the commitment to obtaining accurate information. An integrated approach is necessary to address challenges and ensure the secure functioning of the routing system.

Verena Weber

Routing vulnerabilities persist in the world of internet security due to various challenges. These challenges include the collective action problem, where the actions of one actor depend on others in the system. The cost of implementing routing security practices is also a challenge. Furthermore, available security techniques require a layered approach, which can increase the risk of mistakes.

To improve routing security, there is a need to enhance the measurement and collection of time series data on routing incidents. Governments can support this effort by funding and ensuring continuous measurement. Several countries, such as the United States, Netherlands, Brazil, and Switzerland, have shown a proactive approach towards routing security and can lead by example.

Governments can play a significant role in bolstering routing security by implementing best practices, facilitating information sharing, and defining common frameworks with the industry. Information sharing and wider adoption of implemented practices can also contribute to improving the situation.

At a broader level, awareness-raising and training at the EU level are important to equip individuals with the necessary knowledge and skills to tackle routing security challenges effectively.

In summary, routing vulnerabilities persist due to various challenges, but governments have an increased interest and can play a crucial role in improving routing security. By actively engaging in efforts to enhance data collection, implement best practices, and facilitate information sharing, governments can strengthen routing security. Additionally, awareness-raising and training at the EU level are essential for addressing routing security issues effectively.

Moderator

During the discussion, operators expressed concerns about the deployment of Resource Public Key Infrastructure (RPKI). Some operators were hesitant to pay for routing security, raising doubts about the effectiveness and value of such investments. These concerns indicate a negative sentiment towards RPKI deployment. It was also noted that further steps, including ASPATH validation, are needed to enhance routing security measures. This suggests a neutral stance towards the need for additional measures to improve the security of routing.

Operators’ skepticism about investing in routing security reflects their reluctance to allocate resources without clear benefits or guarantees. This negative sentiment emphasizes the need for persuasion and reassurance to encourage operators to adopt and invest in routing security measures.

Furthermore, there was a request for clarification regarding the tracking of governments on internet.nl. The concern raised implies uncertainty or confusion about the extent to which governments can monitor or track activities on the internet.nl platform.

On a positive note, it was highlighted that Annemiek Toersen’s team provides assistance and inspiration to other countries through the English version of internet.nl. This knowledge exchange among countries, such as Australia, Brazil, and Denmark, illustrates the positive impact Annemiek Toersen’s team has in promoting the use of internet.nl and its code.

Lastly, the moderator sought clarification from Annemiek on RPKI standards during the discussion, indicating a need for further understanding or insight into the implementation and impact of RPKI standards.

In conclusion, the discussion highlighted concerns and skepticism among operators regarding RPKI deployment and investing in routing security. The need for additional measures, such as ASPATH validation, was emphasized to enhance routing security. There was also a request for clarification regarding government tracking on internet.nl. However, the positive contribution of Annemiek Toersen’s team in supporting and inspiring other countries with the English version of internet.nl was acknowledged. Further clarification on RPKI standards was sought from Annemiek, indicating a desire to gain more insights into this topic.

Katsuyasu Toyama

The deployment of Resource Public Key Infrastructure (RPKI), specifically the use of Route Origin Authorizations (ROAs), varies across regions. Europe and the Middle East have greater adoption of ROA, with approximately 70% usage, while Africa and North America lag behind with less than 30%. This difference was observed in data from APNIC Labs.

One of the contributing factors to the slower adoption of ROA is the lack of knowledge and skills among internet service provider (ISP) operators. In Singapore and Thailand, it has been reported that some operators lack the necessary expertise to effectively implement ROA. This skills gap impedes the deployment of ROA and highlights the need for more practical understanding in this area.

Another challenge arises from the operation of ROA cache servers, which are currently available as open-source software. Efforts in Japan are being made to provide ROA cache servers at Internet Exchange Points (IXPs), but concerns have been raised regarding the security of the communication channel between routers and the ROA cache. The absence of encryption raises security concerns and emphasizes the need for improved measures in this domain.

To encourage broader adoption of RPKI and ROA, it is recommended that organizations or governments issue recommendations for their deployment. In Singapore, for instance, governmental regulations have helped to some extent in promoting ROA implementation. Such industry or country-level recommendations can lead to wider adoption and improved routing security.

The occurrence of route leaks underscores the importance of striving for improved global routing security. Route leaks have negative impacts on internet stability and security. The need for enhanced security measures, such as Autonomous System Path (ASPATH) validation, is evident. However, ASPATH validation is acknowledged as an imperfect solution that requires further development to address existing limitations.

The enforcement of RPKI is currently driven by penalties imposed on non-compliant entities. Although this serves as a motivation for deployment, operators remain skeptical about investing in routing security. Their skepticism may stem from concerns about practicality, effectiveness, and potential costs associated with implementing such measures.

In conclusion, the deployment of RPKI, particularly the use of ROA, varies across regions, with Europe and the Middle East leading in adoption. The skills gap among operators, challenges related to ROA cache server operation, and operator skepticism towards investing in routing security present obstacles to wider adoption. However, recommendations from organizations or governments, improved global routing security measures, and ongoing efforts in ASPATH validation can contribute to broader deployment of RPKI and advancement in routing security.

Audience

The analysis examines the discussions surrounding the implementation and adoption of Resource Public Key Infrastructure (RPKI) and routing security. Various speakers shared valuable insights and perspectives on the subject.

One speaker highlighted the commitment of a non-profit organisation to provide free online training in technologies such as BGP security and RPKI. This initiative aims to assist individuals facing budget constraints that prevent them from travelling or attending physical training sessions. The organisation’s focus on social impact rather than profit-making reinforces their dedication to promoting knowledge accessibility.

Another speaker emphasised the flexible training programs offered by the organisation. They expressed a willingness to negotiate tailor-made programs to suit the community’s needs. Additionally, they were open to discussions about offering discounts for training sessions, considering factors such as the number of participants and potential impact.

The analysis also discussed the automation of RPKI, with contrasting viewpoints presented by two speakers. One speaker suggested that automation has facilitated the expansion of Public Key Infrastructure (PKI) with web servers, citing the example of Let’s Encrypt, which provided free certificates based on ACME. This automation was seen as a catalyst for PKI expansion. However, another speaker disagreed, emphasising the importance of resource holders personally signing statements within the portal. They argued that the process of signing statements is not so complex that it should be automated, underscoring the significance of individual responsibility in this regard.

A digital platform called internet.nl was mentioned, which currently checks only Route Origin Authorizations (ROAs) and not Route Origin Validation (ROV). This limitation in checking ROV was acknowledged, as it necessitates separate ISP space that has an invalid route to perform the check. This insight provides context to the capabilities and limitations of the internet.nl platform.

The European Union (EU) was mentioned as monitoring the adoption rate of modern internet standards, such as RPKI and MANRS. This observation indicates the EU’s interest in promoting the usage of these standards and highlights their commitment to enhancing internet security and infrastructure.

The analysis revealed the existence of several Request for Comments (RFCs) that have established RPKI-related standards. These standards pertain not only to the establishment of ROAs and origin validation but also introduce new objects in RPKI, such as the upcoming “ASPA.” The inclusion of these standards demonstrates ongoing efforts to develop and enhance RPKI.

The incomplete implementation of BGP-SEC, a standard specifically designed for RPKI, was a concern discussed by one of the speakers. They expressed their worries about the lack of comprehensive BGP-SEC implementation, which requires significant resources. This issue was described as often overlooked in discussions surrounding RPKI and routing security. This observation highlights a potential blind spot within the ongoing discourse and emphasises the need to address this gap to ensure the effective implementation of RPKI.

The audience also raised important points regarding the need for discussions and improvements in the implementation and deployment of BGP-SEC and routing security. It was suggested that the current focus seems to be on the immediately available options, potentially neglecting the necessity for further advancements and enhancements in the field.

Furthermore, resource allocation was deemed crucial for the future development and deployment of RPKI and routing security. The audience stressed the importance of securing necessary resources, including personnel and adequate security measures, to effectively drive advancements in these areas.

In conclusion, this analysis provides a comprehensive overview of the discussions surrounding RPKI implementation and routing security. The insights shared by various speakers shed light on the commitment of organisations to offer free online training and tailor-made programs, the potential of automation in RPKI, limitations of existing platforms, the EU’s monitoring efforts, the establishment of RPKI-related standards, concerns related to incomplete BGP-SEC implementation, and the need for discussions and resource allocation. These discussions contribute to a holistic understanding of the challenges, opportunities, and directions for improvement in the realm of RPKI and routing security.

Bastiaan Goslings

The analysis of the provided information reveals several important points regarding routing security and the adoption of open standards in the internet infrastructure. One key aspect is the Resource Public Key Infrastructure (RPKI), which offers a more secure method of routing security by using cryptography to verify the originating network of routing information. This prevents impersonation and unauthorised usage. Efforts to promote the use of RPKI and improve routing security are seen as crucial and should be intensified.

The MANRS initiative also plays a significant role in protecting the core of internet infrastructure by promoting routing security. Bastiaan Goslings, a proponent of the initiative, is positive about its next level, MANRS+. There is also an encouragement for participants to spread awareness and convince other networks to join MANRS. This highlights the collective effort required to enhance routing security.

RIPE NCC plays a vital role in providing training courses on RPKI and BGP security, which are essential for the adoption of open standards. They offer free online courses, conduct webinars and host meetings to educate individuals on RPKI and other routing security measures. Additionally, RIPE NCC is open to providing tailor-made trainings and considering discounts based on the potential impact and volume.

While RIPE NCC has not implemented an incentive programme like SIDN for adopting open standards, the idea is open for consideration. The decision to adopt such a programme would require the agreement of the members. This emphasises the importance of collective decision-making within member-based organisations.

The automation of creating RPKI space is not a straightforward process and may be perceived as technically complex or costly. However, it is worth noting that automation, as exemplified by the creation of “Let’s Encrypt,” has proved successful in facilitating the adoption of open standards in the Web PKI realm. This suggests that further advancements in automation could address the perceived complexity associated with implementing RPKI.

Regarding certificate validation, Internet.nl primarily checks Regional Internet Registry (RIR) and Autonomous System (AS) Operator certificates, rather than Route Origin Authorisation (ROA) certificates. This underlines the specific focus of certificate checking on the platform.

The analysis also emphasises the need for further improvement beyond the creation of ROAs and validation in internet regulation. Discussions have taken place regarding organising workshops for Dutch government policymakers and cooperation with RIPE to achieve these improvements. This signifies an acknowledgement of the necessity to go beyond the existing tools and approaches to enhance internet regulation.

In conclusion, the analysis reveals the importance of routing security and the adoption of open standards in the internet infrastructure. Efforts to promote the use of RPKI and improve routing security are crucial. The MANRS initiative plays a significant role in this regard, with supporters like Bastiaan Goslings actively encouraging participation and spreading awareness. RIPE NCC provides essential training courses and is open to considering incentives. Automation of the RPKI space and further improvements in internet regulation are also areas of interest. Overall, the analysis highlights the ongoing efforts and challenges in enhancing routing security and promoting the adoption of open standards in the internet infrastructure.
