Challenges and uptake of modern Internet standards (including, but not limited to IPv6, DNSSEC, HTTPS, RPKI)

Event report

The workshop drew attention to the slow implementation of agreed Internet standards such as: Internet Protocol version 6 (IPv6), Domain Name System Security Extensions (DNSSEC), Hypertext Transfer Protocol Secure (HTTPS), Resource Public Key Infrastructure (RPKI), and Web Content Accessibility Guidelines (WCAG), among others. The moderator, Mr André Melancía (LunarCat.PT), gave a brief introduction of these standards and explained what they are meant for.

Mr Geoff Huston (Asia Pacific Network Information Centre (APNIC)) went into detail about the speed of adoption of IPv6, DNSSEC, and RPKI around the world, and Europe in particular, noting that implementation is still dramatically low, even on the regional level. Huston went on to explain some of the challenges of adoption. First, Internet standards are market driven. There are many different actors, each with their own interests that lead them to various solutions. In addition, the industry does not have ‘long-term plans’ for development, and some old standards could be forgotten by the time they are ready to be implemented. Moreover, the whole Internet architecture is completely different now from what it was in the 80s, 90s, and 2000s when those standards were elaborated.

Mr Wout De Natris (De Natris Consult) continued talking about slow standards adoption and referred to his recent report which he presented at the latest Internet Governance Forum (IGF) in Berlin. He talked about the lack of pressure points in society that could push standards developers to work more effectively:

• There are no business models for standards: no one benefits from being the first to adopt the standards
• There is no collective action: people do not take part in the discussion because it is seen as being highly technical

As a recommendation, he suggested enhancing education on practical topics about the Internet, creating business cases of standards adoption, making security scoring of IT products, and stricter procurement requirements. Finally, he announced a plan to create a special policy track on standards adoption at the IGF.

Ms Caroline Greer (Cloudflare) shared the experience of her company in the adoption of the above  mentioned standards. For example, in 2018, Cloudflare decided to take on a leadership role in securing a Border Gateway Protocol (BGP) routine through blogging about the risks of BGP leaks, and the impact other providers that have not deployed Resource Public Key Infrastructure (RPKI) is having, as well as Internet campaigning to test whether a user’s Internet service provider (ISP) has deployed RPKI. Greer argued that regulation is not the right way to force standards adoption, but rather suggested creating partnerships and coalitions within the industry.

Mr João Damas (APNIC Labs) restated the economic factors for standards adoption, saying that ‘generally there is no incentive for someone to be the first to incur expenses that don’t provide you with profits’. Another problem is the invisibility of transport layer standards to most users, which means that they have no incentive to push for changes to things that are working. Damas also distinguished between the safety and security provided by the standards, where the former means protection from your own mistakes in operations, which sometimes create unnecessary complications, but do not protect from attackers.

Ms Arda Gerkins (Vice President of the Senate, The Netherlands) provided the policy perspective on the issue. She said that generally, politicians have little information and communications technology (ICT) knowledge.  According to her, the main problem is marketing – ‘selling’ why we have to talk about standards at all, and explaining what they mean for customers and users. She believes that politicians should create more legislation and incentives, such as imposing fines to spur the deployment of standards.