Increasing routing security globally through cooperation | IGF 2023 WS #339

10 Oct 2023 06:15h - 07:45h UTC

Disclaimer: It should be noted that the reporting, analysis and chatbot answers are generated automatically by DiploGPT from the official UN transcripts and, in case of just-in-time reporting, the audiovisual recordings on UN Web TV. The accuracy and completeness of the resources and results can therefore not be guaranteed.

Full session report

Annemiek Toersen

The Netherlands Standardization Forum plays a significant role in promoting interoperability and provides advice to the Dutch government regarding the use of mandatory open standards. The forum consists of approximately 25 members from various sectors, including government, businesses, and science. One of their key efforts is the compilation of a list of mandatory open standards, primarily focused on public sector organizations. This ensures effective communication and information sharing between different governmental entities.

Open standards are essential for secure and trustworthy data exchange, enabling seamless communication and compatibility between different systems and technologies. They also contribute to accessibility for all individuals, regardless of their technical capabilities, and promote vendor neutrality by reducing dependence on specific vendors.

The Netherlands Standardization Forum utilizes the internet.nl tool to monitor and measure the growth of internet security standards and other open standards. This tool helps conduct annual reviews of procurement tenders, assessing the government’s performance in implementing open standards. The forum reports these results to the cabinet, ensuring transparency and accountability in open standards adoption.

Annemiek Toersen, a supporter of the forum, advocates for the use of Resource Public Key Infrastructure (RPKI) to prevent internet hijacks. To support its adoption, Toersen proposes sponsoring courses on RPKI to educate and train personnel within Dutch government institutions.

Education and workshops play a crucial role in promoting the adoption of open standards. By providing information and training, governments can make informed decisions and effectively implement these standards. The European Union (EU) also monitors the adoption rate of internet standards, including RPKI, to ensure that European countries stay up to date with the latest advancements.

Internet.nl, an open and accessible tool, is available worldwide for implementation. It has already inspired countries like Australia, Brazil, and Denmark to adopt it. The availability of an English version facilitates global cooperation, and the team behind Internet.nl offers assistance and support to ensure successful implementation.

For a procedure to be accepted, substantial deployment and support are necessary. The involvement of multiple organizations helps validate its efficacy and practicality for wide-scale implementation. Public discussions and workshops are necessary to improve routing security and advance technologies like RPKI.

In conclusion, the Netherlands Standardization Forum plays a vital role in promoting interoperability and advising the government on the use of mandatory open standards. Open standards facilitate secure data exchange, accessibility, and vendor neutrality. The forum uses the internet.nl tool for monitoring and measurement, and Annemiek Toersen supports the use of RPKI. Education and workshops are crucial for the widespread adoption of open standards, and the EU monitors the adoption rate of internet standards. Internet.nl is available worldwide, and the acceptance of a procedure requires substantial deployment and support. Continued efforts are needed to progress security measures and advocate for improved strategies in the digital realm.

Olaf Kolkman

Routing security is a critical concern when it comes to safeguarding the core of internet infrastructure. The argument is that protecting the routing space is vital, as it serves as the backbone of the internet. To address this issue, a prioritization of routing security is necessary.

The Mutually Agreed Norms on Routing Security (MANRS) have been established to tackle routing security challenges. MANRS offers a set of measures that participants in the routing system agree to adopt. Different programs are available for Internet Service Providers (ISPs), Content Delivery Networks (CDNs), Internet exchange points, and vendors. The MANRS Observatory helps track incidents and community adoption, ensuring transparency and accountability.

Another proposed measure is the implementation of certification schemes to enhance routing security. Participants can obtain certification through an audit scheme, potentially increasing their market value. The argument suggests that a certification scheme could create higher value in the market, thereby incentivizing participants to prioritize routing security.

Collaboration among routing system participants is emphasized as a crucial aspect in addressing common action problems. The lack of visibility among participants is seen as a challenge, but by making each participant’s commitment to routing security visible, this issue can be overcome. Increased visibility could incentivize the adoption of routing security measures and promote a more secure routing system.

Olaf Kolkman, although not directly involved in the process, raises a question about the specific Request for Comments (RFCs) used in the initiative. He suggests forwarding the question to individuals such as Bart or Rüdiger, who may have the answer. This demonstrates a willingness to seek expertise and knowledge from relevant sources.

In conclusion, securing routing is of utmost importance for protecting the core of internet infrastructure. Initiatives such as MANRS and certification schemes aim to enhance routing security. Collaboration, visibility, and certification can incentivize participants to prioritize and adopt routing security measures. Seeking input from relevant experts highlights the commitment to obtaining accurate information. An integrated approach is necessary to address challenges and ensure the secure functioning of the routing system.

Verena Weber

Routing vulnerabilities persist in the world of internet security due to various challenges. These challenges include the collective action problem, where the actions of one actor depend on others in the system. The cost of implementing routing security practices is also a challenge. Furthermore, available security techniques require a layered approach, which can increase the risk of mistakes.

To improve routing security, there is a need to enhance the measurement and collection of time series data on routing incidents. Governments can support this effort by funding and ensuring continuous measurement. Several countries, such as the United States, Netherlands, Brazil, and Switzerland, have shown a proactive approach towards routing security and can lead by example.

Governments can play a significant role in bolstering routing security by implementing best practices, facilitating information sharing, and defining common frameworks with the industry. Information sharing and wider adoption of implemented practices can also contribute to improving the situation.

At a broader level, awareness-raising and training at the EU level are important to equip individuals with the necessary knowledge and skills to tackle routing security challenges effectively.

In summary, routing vulnerabilities persist due to various challenges, but governments have an increased interest and can play a crucial role in improving routing security. By actively engaging in efforts to enhance data collection, implement best practices, and facilitate information sharing, governments can strengthen routing security. Additionally, awareness-raising and training at the EU level are essential for addressing routing security issues effectively.

Moderator

During the discussion, operators expressed concerns about the deployment of Resource Public Key Infrastructure (RPKI). Some operators were hesitant to pay for routing security, raising doubts about the effectiveness and value of such investments. These concerns indicate a negative sentiment towards RPKI deployment. It was also noted that further steps, including ASPATH validation, are needed to enhance routing security measures. This suggests a neutral stance towards the need for additional measures to improve the security of routing.

Operators’ skepticism about investing in routing security reflects their reluctance to allocate resources without clear benefits or guarantees. This negative sentiment emphasizes the need for persuasion and reassurance to encourage operators to adopt and invest in routing security measures.

Furthermore, there was a request for clarification regarding the tracking of governments on internet.nl. The concern raised implies uncertainty or confusion about the extent to which governments can monitor or track activities on the internet.nl platform.

On a positive note, it was highlighted that Annemiek Toersen’s team provides assistance and inspiration to other countries through the English version of internet.nl. This knowledge exchange among countries, such as Australia, Brazil, and Denmark, illustrates the positive impact Annemiek Toersen’s team has in promoting the use of internet.nl and its code.

Lastly, the moderator sought clarification from Annemiek on RPKI standards during the discussion, indicating a need for further understanding or insight into the implementation and impact of RPKI standards.

In conclusion, the discussion highlighted concerns and skepticism among operators regarding RPKI deployment and investing in routing security. The need for additional measures, such as ASPATH validation, was emphasized to enhance routing security. There was also a request for clarification regarding government tracking on internet.nl. However, the positive contribution of Annemiek Toersen’s team in supporting and inspiring other countries with the English version of internet.nl was acknowledged. Further clarification on RPKI standards was sought from Annemiek, indicating a desire to gain more insights into this topic.

Katsuyasu Toyama

The deployment of Resource Public Key Infrastructure (RPKI), specifically the use of Route Origin Authorizations (ROAs), varies across regions. Europe and the Middle East have greater adoption of ROA, with approximately 70% usage, while Africa and North America lag behind with less than 30%. This difference was observed in data from APNIC Labs.

One of the contributing factors to the slower adoption of ROA is the lack of knowledge and skills among internet service provider (ISP) operators. In Singapore and Thailand, it has been reported that some operators lack the necessary expertise to effectively implement ROA. This skills gap impedes the deployment of ROA and highlights the need for more practical understanding in this area.

Another challenge arises from the operation of ROA cache servers, which are currently available as open-source software. Efforts in Japan are being made to provide ROA cache servers at Internet Exchange Points (IXPs), but concerns have been raised regarding the security of the communication channel between routers and the ROA cache. The absence of encryption raises security concerns and emphasizes the need for improved measures in this domain.

To encourage broader adoption of RPKI and ROA, it is recommended that organizations or governments issue recommendations for their deployment. In Singapore, for instance, governmental regulations have helped to some extent in promoting ROA implementation. Such industry or country-level recommendations can lead to wider adoption and improved routing security.

The occurrence of route leaks underscores the importance of striving for improved global routing security. Route leaks have negative impacts on internet stability and security. The need for enhanced security measures, such as Autonomous System Path (ASPATH) validation, is evident. However, ASPATH validation is acknowledged as an imperfect solution that requires further development to address existing limitations.

The enforcement of RPKI is currently driven by penalties imposed on non-compliant entities. Although this serves as a motivation for deployment, operators remain skeptical about investing in routing security. Their skepticism may stem from concerns about practicality, effectiveness, and potential costs associated with implementing such measures.

In conclusion, the deployment of RPKI, particularly the use of ROA, varies across regions, with Europe and the Middle East leading in adoption. The skills gap among operators, challenges related to ROA cache server operation, and operator skepticism towards investing in routing security present obstacles to wider adoption. However, recommendations from organizations or governments, improved global routing security measures, and ongoing efforts in ASPATH validation can contribute to broader deployment of RPKI and advancement in routing security.

Audience

The analysis examines the discussions surrounding the implementation and adoption of Resource Public Key Infrastructure (RPKI) and routing security. Various speakers shared valuable insights and perspectives on the subject.

One speaker highlighted the commitment of a non-profit organisation to provide free online training in technologies such as BGP security and RPKI. This initiative aims to assist individuals facing budget constraints that prevent them from travelling or attending physical training sessions. The organisation’s focus on social impact rather than profit-making reinforces their dedication to promoting knowledge accessibility.

Another speaker emphasised the flexible training programs offered by the organisation. They expressed a willingness to negotiate tailor-made programs to suit the community’s needs. Additionally, they were open to discussions about offering discounts for training sessions, considering factors such as the number of participants and potential impact.

The analysis also discussed the automation of RPKI, with contrasting viewpoints presented by two speakers. One speaker suggested that automation has facilitated the expansion of Public Key Infrastructure (PKI) with web servers, citing the example of Let’s Encrypt, which provided free certificates based on ACME. This automation was seen as a catalyst for PKI expansion. However, another speaker disagreed, emphasising the importance of resource holders personally signing statements within the portal. They argued that the process of signing statements is not so complex that it should be automated, underscoring the significance of individual responsibility in this regard.

A digital platform called internet.nl was mentioned, which currently checks only Route Origin Authorizations (ROAs) and not Route Origin Validations (ROVs). This limitation in checking ROVs was acknowledged, as it necessitates separate ISP space that has an invalid route to perform the check. This insight provides context to the capabilities and limitations of the internet.nl platform.

The European Union (EU) was mentioned as monitoring the adoption rate of modern internet standards, such as RPKI and MANRS. This observation indicates the EU’s interest in promoting the usage of these standards and highlights their commitment to enhancing internet security and infrastructure.

The analysis revealed the existence of several Request for Comments (RFCs) that have established RPKI-related standards. These standards pertain not only to the establishment of ROAs and origin validation but also introduce new objects in RPKI, such as the upcoming “ASPA.” The inclusion of these standards demonstrates ongoing efforts to develop and enhance RPKI.

The incomplete implementation of BGP-SEC, a standard specifically designed for RPKI, was a concern discussed by one of the speakers. They expressed their worries about the lack of comprehensive BGP-SEC implementation, which requires significant resources. This issue was described as often overlooked in discussions surrounding RPKI and routing security. This observation highlights a potential blind spot within the ongoing discourse and emphasises the need to address this gap to ensure the effective implementation of RPKI.

The audience also raised important points regarding the need for discussions and improvements in the implementation and deployment of BGP-SEC and routing security. It was suggested that the current focus seems to be on the immediately available options, potentially neglecting the necessity for further advancements and enhancements in the field.

Furthermore, resource allocation was deemed crucial for the future development and deployment of RPKI and routing security. The audience stressed the importance of securing necessary resources, including personnel and adequate security measures, to effectively drive advancements in these areas.

In conclusion, this analysis provides a comprehensive overview of the discussions surrounding RPKI implementation and routing security. The insights shared by various speakers shed light on the commitment of organisations to offer free online training and tailor-made programs, the potential of automation in RPKI, limitations of existing platforms, the EU’s monitoring efforts, the establishment of RPKI-related standards, concerns related to incomplete BGP-SEC implementation, and the need for discussions and resource allocation. These discussions contribute to a holistic understanding of the challenges, opportunities, and directions for improvement in the realm of RPKI and routing security.

Bastiaan Goslings

The analysis of the provided information reveals several important points regarding routing security and the adoption of open standards in the internet infrastructure. One key aspect is the Resource Public Key Infrastructure (RPKI), which offers a more secure method of routing security by using cryptography to verify the originating network of routing information. This prevents impersonation and unauthorised usage. Efforts to promote the use of RPKI and improve routing security are seen as crucial and should be intensified.
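The origin check that RPKI makes possible can be illustrated with a short added example (it is not part of the session report or of any speaker's material). It applies the valid / invalid / not-found outcomes defined in RFC 6811 to a set of already signature-validated ROA payloads; the prefixes and AS numbers are documentation values constructed for the example, and the function names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload: the (prefix, maxLength, origin AS) triple a
    validator hands to routers once the ROA's certificate chain checks out."""
    prefix: Network
    max_length: int
    asn: int


def make_vrp(prefix: str, asn: int, max_length: Optional[int] = None) -> VRP:
    net = ipaddress.ip_network(prefix)
    # Without an explicit maxLength only the exact prefix length is authorised.
    ml = net.prefixlen if max_length is None else max_length
    if not net.prefixlen <= ml <= net.max_prefixlen:
        raise ValueError(f"maxLength {ml} out of range for {net}")
    return VRP(net, ml, asn)


def validate_origin(vrps: Iterable[VRP], route_prefix: str, origin_asn: int) -> str:
    """Return 'valid', 'invalid' or 'not-found' for one BGP announcement."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for v in vrps:
        if v.prefix.version != route.version:
            continue  # IPv4 and IPv6 are never compared with each other
        if not route.subnet_of(v.prefix):
            continue  # this VRP says nothing about the announced prefix
        covered = True
        # A match needs the same origin AS and a prefix no longer than
        # maxLength. AS 0 never matches: it marks space not to be routed.
        if v.asn != 0 and v.asn == origin_asn and route.prefixlen <= v.max_length:
            return "valid"
    # Covered but unmatched means wrong origin or too specific a prefix.
    return "invalid" if covered else "not-found"


def accepted_routes(vrps: Iterable[VRP],
                    announcements: Iterable[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Common operator policy: drop 'invalid', keep 'valid' and 'not-found'."""
    table = list(vrps)
    return [(p, a) for p, a in announcements
            if validate_origin(table, p, a) != "invalid"]


# Constructed sample data (documentation prefixes and AS numbers only).
SAMPLE_VRPS = [
    make_vrp("192.0.2.0/24", 64496),
    make_vrp("2001:db8::/32", 64496, max_length=48),
    make_vrp("198.51.100.0/24", 0),  # AS 0: holder says "do not route this"
]

SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),       # authorised origin
    ("192.0.2.0/24", 64511),       # wrong origin (typo or hijack)
    ("192.0.2.128/25", 64496),     # right origin, longer than maxLength
    ("2001:db8:1::/48", 64496),    # within maxLength 48
    ("2001:db8:1:1::/64", 64496),  # longer than maxLength 48
    ("198.51.100.0/24", 64497),    # covered only by an AS 0 payload
    ("203.0.113.0/24", 64500),     # no ROA covers this prefix
]

if __name__ == "__main__":
    for prefix, asn in SAMPLE_ANNOUNCEMENTS:
        state = validate_origin(SAMPLE_VRPS, prefix, asn)
        print(f"{prefix:<20} AS{asn:<6} {state}")
```

The "not-found" outcome is why coverage figures matter: an announcement for address space without any ROA cannot be rejected by this check, so it protects only prefixes whose holders have created ROAs.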

The MANRS initiative also plays a significant role in protecting the core of internet infrastructure by promoting routing security. Bastiaan Goslings, a proponent of the initiative, is positive about its next level, MANRS+. There is also an encouragement for participants to spread awareness and convince other networks to join MANRS. This highlights the collective effort required to enhance routing security.

RIPE NCC plays a vital role in providing training courses on RPKI and BGP security, which are essential for the adoption of open standards. They offer free online courses, conduct webinars and host meetings to educate individuals on RPKI and other routing security measures. Additionally, RIPE NCC is open to providing tailor-made trainings and considering discounts based on the potential impact and volume.

While RIPE NCC has not implemented an incentive programme like SIDN for adopting open standards, the idea is open for consideration. The decision to adopt such a programme would require the agreement of the members. This emphasises the importance of collective decision-making within member-based organisations.

The automation of creating RPKI space is not a straightforward process and may be perceived as technically complex or costly. However, it is worth noting that automation, as exemplified by the creation of “Let’s Encrypt,” has proved successful in facilitating the adoption of open standards in the Web PKI realm. This suggests that further advancements in automation could address the perceived complexity associated with implementing RPKI.

Regarding certificate validation, Internet.nl primarily checks Regional Internet Registry (RIR) and Autonomous System (AS) Operator certificates, rather than Route Origin Authorisation (ROA) certificates. This underlines the specific focus of certificate checking on the platform.

The analysis also emphasises the need for further improvement beyond the creation of ROAs and validation in internet regulation. Discussions have taken place regarding organising workshops for Dutch government policymakers and cooperation with RIPE to achieve these improvements. This signifies an acknowledgement of the necessity to go beyond the existing tools and approaches to enhance internet regulation.

In conclusion, the analysis reveals the importance of routing security and the adoption of open standards in the internet infrastructure. Efforts to promote the use of RPKI and improve routing security are crucial. The MANRS initiative plays a significant role in this regard, with supporters like Bastiaan Goslings actively encouraging participation and spreading awareness. RIPE NCC provides essential training courses and is open to considering incentives. Automation of the RPKI space and further improvements in internet regulation are also areas of interest. Overall, the analysis highlights the ongoing efforts and challenges in enhancing routing security and promoting the adoption of open standards in the internet infrastructure.

Session transcript

Bastiaan Goslings:
Good day, everyone. For those who are not seated yet and do intend to attend the session, please be seated. We’d like to start. We’re already a couple of minutes over time, we have a busy schedule. My name is Bastiaan Goslings. I work for the RIPE NCC, and I have the honor to be coordinating a session called Increasing Routing Security Globally Through Cooperation. I think we are all very much aware, you know, we’re a couple of days into the IGF and it’s been mentioned multiple times what the impact of the internet is and the essential role it plays in many of our societies. So whether it comes to work, leisure, education, doing business, even public service, more and more everything is being delivered online and we’re so accustomed, you know, to using apps and devices to communicate and to consume content. It’s a given, like electricity coming out of a plug or water coming from a tap. The internet just works, which is a great thing. So seeing, you know, what happened during the COVID crisis and a lot of traffic, you know, more being generated because people are working from home and learning from home. But because of all of this, the dependency of underlying functionalities that support our uses of online services and apps, we need to take a closer look. And in this case, we’re going to do so at the routing that underpins the internet. It’s actually one of the building blocks that everything else depends on, the actual exchange of internet traffic. So what we do is get some experts from different stakeholders on a panel and, you know, see what their different perspectives are, either regional or from a stakeholder view and see, you know, what answers we can provide potentially and hopefully also have a discussion with people in the room and people online. So I have the honor to present, firstly, Verena Weber, Policy Analyst for the OECD. And then here to my left, Katsuyasu Toyama. 
He works for the Japanese Internet Exchange Point, JPNAP, and is also chair for the Asian Pacific Internet Exchange Point Association, APIX. Then on my right, I have Annemiek Toersen, and she works for the Dutch Forum for Standardization. And they’re doing some interesting stuff with regard to certain routing security tools. So she’s more than happy to share that more with you. I will be providing a perspective from the RIPE NCC, what we do, both technically and in terms of engagement and community and, you know, and spreading the message. But I especially also want to thank people who were involved in preparing this, Lauren Crean from the OECD and Benjamin Boersma from the Dutch Internet Standards Platform. This is a sequence of the speakers, and we aim to have at least a half an hour of interactive dialogue with the audience. So we look very much forward to hear what you think on this. But let me start off. Routing security, RPKI specifically as the tool, which I’ll go into a bit more detail later, and the role that the RIPE NCC provides as a regional internet registry. So what actually could you consider to be the internet? Well, in this case, we’ll use a definition that the internet is actually a collection of individually managed networks. In technical terms, those are called autonomous systems. There are more than 70,000 of those in the routing system. And for people to actually experience one internet, these networks need to seamlessly or at least, you know, not visibly for others outside of this ecosystem. They need to interconnect with each other in order to create an end-to-end connectivity from every single endpoint to every single other endpoint. And in order to do so, these networks need to speak to each other. They need a common language. And that’s what we refer to in internet terms as standards and underlying protocols. There’s no central coordination. It’s actually an organic thing, the way that networks interconnect. 
It’s mostly based on commercial business relationships and need for reachability. But there’s no like central management or authority, you know, that runs all of this. So the protocol, the language that these networks speak is called the border gateway protocol. This is actually quite an old protocol. It’s from the 90s in the previous century. And in theory, using this protocol as a network, you’re the one that sounds maybe very obvious, but you’re the one that should be announcing your network identifier and the IP addresses behind that, right? That’s what the end users and the end devices use. You’re the one that should be announcing your network. But with this protocol, it’s actually technically possible for anyone to announce anything. This protocol actually assumes that everyone is telling the truth. There is no real hard built-in security in this protocol. So again, in any autonomous system, any network can announce any prefix subset of IP addresses. And even, you know, like all these 70,000 networks are not directly interconnected to all of each other. So most of the time, traffic, you know, goes through a series of networks before it reaches its destination. This sequence of networks is called an AS path. And that’s not even, that’s also like a given, if you receive such an announcement, you will in essence accept it. There’s no way to actually verify whether it’s correct or not. When this information is not correct, and people just share this amongst each other, people propagate to the entire internet. Again, as I mentioned, this is an old protocol. And implicitly, it actually assumes that everyone, you know, that uses it and interconnects with each other is trustworthy. And when this was developed, people knew each other. So it’s like this peer review, and you know, this, what we call in Dutch social control, that was part of it. The main goal was just to make it work, no overhead. 
And there were no like ex ante security concerns here, because there was no need to. And again, no single authoritative source, no central control. Which makes this susceptible to incidents. If you think of abusive behavior, an attacker can use this, right, to impersonate itself as another network, to intercept traffic from others, to prevent another network, you know, from being reachable at all, basically disappearing from the internet. And if you are able to redirect traffic, you can use it for other purposes, maybe stealing credentials, stealing cryptocurrency, sending spam. But that’s when malicious purposes, there’s a real intent to do something bad, that actually most of the time, it’s accidents, you know, people configuring routing sessions, configuring their routers, and just making typos, and this wrong information then being propagated on the internet. So in order to make this routing more secure, and again, that might sound quite obvious as well, you need to be able to verify the routing information received from another network. And it has IP addresses, an announced prefix that you receive, has it actually been originated by the network that is entitled to do so? Has this sequence of networks, right, that actually point to the originating network, is that correct? Has that been tampered with? You want to prevent the propagation of incorrect routing information. So where does the RIPE NCC in this case come in? We are a regional internet registry, a term I already used. There are five of those globally. And we cover the region, Europe, Middle East, and central parts of Asia. And that is where we, for our members, which is mostly like networks, organizations running networks, traditionally ISPs, that need IP addresses and AS numbers to run their networks, they come to us in order to receive those resources. And these are the resources that are needed to actually route internet traffic. 
So what we do, we distribute those resources, we register them in a public database, everybody can check who is responsible for what. So we can guarantee the unique holdership, maybe imagine IP address, you know, can only distribute it once, it can only be used by one, for one endpoint, and not multiple times. And combined with that, we can distribute certificates to our members, who can then cryptographically sign their IP addresses, and the relationship with their autonomous system number, so their network identifier, in order then to take the next step for others to check who is entitled to use which IP addresses and what network number. And that’s where the term resource public key infrastructure steps in as a tool, RPKI, so to speak. So how does RPKI improve routing security? Well, as I mentioned, it makes cryptographically with a certificate and a statement with regard to an AS number, a network identifier, and the IP addresses that are associated with it. And these cryptographic statements can then be used by other networks, you can download them, use specific software tools for that, routing validators are called, to actually verify whether statements they receive, when you connect your end router to the rest, to other networks, and receive routing announcements from them, route announcements from them, to actually verify whether those are correct or not. And that, you know, refers to the originator of an announcement, that does not really say anything about the path, the sequence, and, you know, the other networks that are mentioned in there. But that’s actually something that RPKI can also play a role in in the future. And that’s then called path validation. So the five RIRs, we are one of them for our region, and then globally, there are five of them, they act as trust anchors here. And then the whole signing of resources happens in a hierarchical fashion. 
So the RIRs distribute certificates to their resource holders, to their members, and they can then use those certificates to sign their resources, and create statements, and those statements are called route origin authorization statements, ROAs. I just want to comment on, to make it more specifically, you know, what RPKI can contribute here, there was already, there still is an older system in place called the Internet Routing Registry. It’s from the 1990s. RPKI was developed shortly after 2010. I think, you know, the RFC was published in 2012. And the IRR system is basically databases as distributed, I think there are 12 of them, when networks, you know, can register their routing objects, you know, and their routing policies. So their AS numbers associated with the prefixes, the IP addresses that they’re responsible for. The thing there is, if you use those databases, you need to maintain them, which can be automated to some extent, but it is the responsibility, you have to actually see to it that the information in there is accurate. And here too, the thing is, okay, the information is there, and it’s very useful if it’s accurate, but there’s no hard way of actually verifying that it’s correct, what is in there. And that’s where RPKI steps in. It’s not only because the RIRs are responsible for this system, they actually have control, they distribute these resources, they have insight into who can use what, so they have control over the accuracy of the data, so which network can use which IP addresses. And because cryptography is involved, it brings a hard form of trust. So as a mechanism, it’s quite powerful. It can prevent hijacks and route leaks, and I mentioned the stepping stone towards path validation. But the thing is, it’s opt-in. On the one hand, it’s good, right? You’re not going to enforce this, at least not where we’re at now, for people to use this. But there needs to be incentives for people, actually, to start doing this. 
So in terms of adoption, on our own side, you see it can differ quite substantially per region and per country. On average, on an aggregate level, close to 45% of allocated IP address space, IPv4 in this case, is covered by these statements. So on the one hand, that’s good, and we see a growing line. That’s not going fast enough. So what are the potential factors limiting adoption of routing security, and in this case specifically, the adoption of RPKI? And I think my colleagues here in the panel will go into more detail with regard to their experience in this. But you hear that implementing it is technically supposedly not trivial, especially if you have a quite complex network and customers and suppliers you’re dealing with. The thing is that while many, many incidents happen, they don’t really seem to have a visible impact, so an impact that scares people and that gives them a reason to act upon. And there’s a collective action problem, so to speak. So if you implement this, you basically help the rest, but there’s no immediate, at least that’s what people perceive it, that’s not there. There’s no immediate benefit, so you make your cost, you make the effort, and what does it then bring you? Yeah, it makes it for others easier, but while on the other hand, you think if all your services are provided online and it’s about continuity of service and also reputation, right, damage that you could do to reputation if things go bad, that there definitely is a reason to get your act together. And I think the OECD will also maybe go into that in a bit more detail, but there seems to be, it’s a bit of a challenge to get really robust data on this and insightful data and also that others and policy makers can use. So briefly before I end, so what’s the IRIPE NCC doing here? 
Well, it’s hard in our strategy, strategic goals to operate a resilient, externally auditable and secure resource certification trust anchor, and combined with that to promote the use in this case of RPKI. We take our role of trust anchor very, very seriously. And yeah, to promote the use, not only are we here at the IGF, right, to talk about this, but we do a lot of training. We provide free online courses, so anyone can go to academy.iripe.net and create an account and take the courses for free online. For those that prefer to have a physical trainer, and we do that initially, we did that especially for our members. We travel around the service region to give in-house trainings to people, also with regard to routing security and best practices. And we host webinars, so then to make it less of an impediment for people that travel, you can do it online. And we do so also on request. So like if there’s a need to, for instance, you know, we did such a thing with the Dutch government, we can organize tailor-made trainings. And then obviously the outreach in a community building. In part, we host many meetings where we talk about this and update the community with regard to what we’re doing and where we’re at. We host ROAS signing parties, so just get people in one room, right? Because it might seem, yeah, quite a large threshold for people to actually do this, but if you then take them by the hand and show them how easy it can be done through the portal and you can do it on the fly, and before you know it, you have your ROAS and everything is in green. So that’s really, that’s quite successful. Technically speaking, we are preparing ourselves for the introduction of ASPA, Autonomous System Provider Authorization, and that’s meant to take it a step further when it comes to a path validation. Once the standards have been finalized and published, we will be ready to support this. 
And with regard to the infrastructure itself, the hardening of it, of security, we’re working on auditing it and having it formally certified. Also in terms of, you know, we’re not regulated, but we actually try to act as if we are, and for the benefit of us all. Slide I put in there in terms of internet messaging services, just a shameful plug here. There’s a lot of data, you know, that we collect, probes that we have installed all over the place, you know, that give, and via RIPEstat, you know, give people a nice interface to get more insight. And also in terms of routing, there’s a routing information service where we have like three, 23 globally distributed collectors at internet exchange points that collect the routing data and give people insights, you know, and the data has been collected since 1999. So there’s a lot of stuff, especially, you know, for researchers and academics that might be useful there. So that was my introduction, a bit longer than I hoped for, but I hope this made sense. I tried to make it not too technical, and then I would like to hand over to Verena from the OECD. Thank you.

Verena Weber:
Thank you, Bastian. And we’re just trying to sort out the technical issues. So Bastian, could you log in on Zoom to share the presentation, so it seems, so that our remote participants can see the slides as well. Meanwhile, I’ll start. So good morning, good afternoon, good evening, everyone. My name is Verena Weber. I’m working for the OECD where I’m heading the communication infrastructure and services policy unit. So for those of you who don’t know the OECD, so we are an international organization that is composed of currently 38 member countries. We have a further six countries that are currently in the accession process, and our membership spans from the Americas, Asia, and Europe. So the idea of the OECD is really to write a forum for member countries to exchange best practices and advise on public policies. And we do like, as the organization, the entire organization covers a huge range of issues from trade to education and digital policies, which is where my team sits. So, and like, we have one working party that is dealing with telecommunication issues, which has the same name. So we’re a working party on communication, infrastructure, and services policies. So basically we have a program of working budget where our member countries tell us those are the key issues we would like to work on with you guys in the next two years. And you’ll see that security was one of those priorities. We do the broadband statistics for the OECD. So if you go to the OECD broadband portal, you’ll find all our statistics on broadband for our member countries. And as I mentioned, like we had quite an important work stream with our assistant working party on security in a digital economy, where we looked at how we can secure communication networks. So this was a series of three reports. We had one more general report looking at the main trends, how communication networks will evolve and what does that mean in terms of security implications. 
We had one more specific report on the DNS and we had a third one, which is the one that I want to present today, which is on routing security. And I would like to acknowledge my colleague, Lauren Crean, who you can see now on the screen. Hi, Lauren. So she was instrumental to the report. So let’s dive right in. So you could think, okay, it’s quite strange that actually the OECD is looking into routing security. So why is that? And so our members wanted to know more about the issues that Bastian already presented around routing security. So basically, what’s the problem? What are the scope and scales of routing incidents that we’re facing today? So that was one important point that we tried to address. Then obviously, if we all agree, okay, there are incidents when it comes to routing security. The next question is, okay, how can we mitigate that? So what security techniques have been proposed are available. Bastian mentioned some of those and how effective are they? And then of course, one important point, and this is the one I’ll focus on during this presentation is what is the role of policymakers, right? So what should be their role in this multi-stakeholder community in securing the routing system? And I think like one conclusion from Bastian’s presentation is that, well, routing vulnerabilities have been understood for many years now, but they persist, right? He already went into the fact why that’s the case. Bastian, could we move to the next slide, please? We’re still figuring out tag issues. Perfect. So what are the challenges we see? And there is a great overlap with Bastian, which is good news because otherwise, I think we should start to get word on this panel. So first of all, I mean, the internet is a network of networks. So that you mentioned, collective action is needed. 
So that means that basically that one actor’s actions depend on the actions of the other actor in the system, but this is also why we’re all here to have a multi-stakeholder approach to discuss these issues. The next issue that I think Bastian has mentioned so far as well, actually that costs money, right? The implementation costs a bit of money, but if you are implementing routing security techniques, you’re not directly benefiting from that, right? And you still have a problem if there are other actors in the ecosystem that don’t do so. So that’s the second issue. And then obviously, there are now like a set of different solutions out there to make routing more secure. But I mean, basically companies need quite a layered approach to secure their routing efforts. So which can also increase the risk of mistakes and misconfigurations. And so there’s not one thing at the moment that actors can do to fix the problem once and for all. So this is the background we’re facing. Next slide, please. So we looked a bit at what countries are doing in the OECD. And what we do see is that our countries are becoming more interested in routing security. I mean, this is not surprising given that more of our lives are digitally being transformed. I mean, all of our economies are going digital. So the internet is increasingly seen as a critical infrastructure that we need to protect. So on the slide, you see just a couple of examples. So for example, the FCC launched an inquiry in February of 2022 about internet routing vulnerabilities and followed up on this notice of inquiry together with CISA. They hold a workshop in August of this year, published a blog post outlining recent actions. And one of them includes basically the federal government’s BGP security practices, basically meaning cleaning up a bit their routing techniques, including RPKI. Then we have Sweden. So Sweden and the regulator of Sweden, PTS, they undertook quite an extensive monitoring of BGP vulnerabilities. 
So they looked at, you know, how well are their companies doing? And basically what they found in this exercise, which took them a few years, is that like broadly speaking, it’s fine, but they had some recommendations for certain actors to improve. And the third action I would like to mention is the one by ENISA, which is the European Network and Information Security Agency, which published a report on seven steps to shore up the border gateway protocol. If we go to the next slide, please. So now, you know, if we take a step back and say, okay, you know, what should and could our governments do? So we identified four key pillars in the report. And one important point I would like to make here that this is really not about measures that one place undue regulatory burden on operators. So this is certainly not what we intend to do, nor to centralize the control of the routing system, right? So our four recommendations for policy actions that we identified is like one, we need to get better in the measurements of routing incidents and the collection of time series data. So just during the period where we basically were actively working on the report, we found that some data collection has been discontinued. We found that data collection is heavily dependent on really interested individuals in the community, right? This is individuals that have been doing this for their entire lives for a very long time that are really passionate about this. But for example, we found one person who changed jobs and then suddenly, you know, we have a problem, right? So this is something that’s not ideal. What we also see, and so we are showing different measurement efforts in the report on routing incidents is that, you know, they vary quite a bit in terms of results. So basically we had to explain policymaker, okay, this is the available, but yes, it might not always be consistent. And yes, there are different measurement approaches. 
So really like one big action for policymakers would be to really fund and ensure, you know, continuous measurement of routing incidents really, and, you know, to build up a time series that we can work with. Now, the second important area is that obviously governments could lead by example by implementing routing good practices and promoting the deployment of available techniques, especially obviously when it comes to government-owned IP addresses and autonomous systems. So, and even, you know, what I mentioned, all these techniques are currently like a bit incomplete, but because none of the techniques fully addresses the issue. I mean, they offer a lot of protection against routing incidents. Now, my third point here is that governments obviously have an important role in information sharing between different stakeholders through, for example, formalized feedback groups. So we could also think about, you know, using established systems, such as the certs that we have across many OECD members to basically, so use them to enhance information sharing. And finally, governments could also define a common framework with industry on how to improve routing security. And, you know, there is a big, there are a lot of different options on how to do this. So they range from formalized partnerships to regulatory monitoring of implemented techniques to voluntary guidelines, or finally, you know, and that’s like the strongest step to more defined secondary legislation. So on the next slide, I have a couple of examples. That I would like to share with you. So the United States has been doing great in promoting the measurement and collection of time series data. So this is through the NIST RPKI monitor that tracks the global implementation of RPKI. 
And then of course, you know, we know that the technical community, like including RIPE NCC and APNIC provide very useful data, but we can see that, you know, in some cases it makes sense that a government complements and supports that data collection effort. Now, when it comes to leading by example, so we have one very successful case in the Netherlands, and we will hear more from Annemieke in a minute. So this is why I won’t go into further details. I did mention like the US, we have the National Cybersecurity Strategy that commits the government to implement good routing practices and security in its own IP space, which is basically one of the OECD recommendations we have. Australia is getting more active. So through the Australian Cybersecurity Center, so they have guidelines for gateways that provide information and recommended action to improve security. And they also provide information on BGP route security and namely RPKI implementation. Then in our host country, Japan, we have the Ministry of Internal Affairs and Communications, the MIC, that sets standards for safety and reliability of information and telecommunication networks that propose further information sharing among operators, especially during security incidents to one, determine the cause of the incidents and two, consider appropriate countermeasures. And finally, when it comes to defining a common framework with industry, we have a couple of countries such as Brazil and the United States that have quite a good multi-stakeholder collaboration with industry and other stakeholders. So the Japanese guidelines that I just mentioned are an example of voluntary guidelines, but then we also have more legal frameworks. So for example, Switzerland has broad general guidelines for communication services providers that aim to establish a minimum level of security of communication infrastructure and services. 
And Finland, zooming into BGP, has basically legislation that stipulates to uphold basic security of the BGP. So you can see like they range from like a pure consultation cooperation with different stakeholder groups to legal requirements. So that’s the range of measures that we’re seeing at the moment. And if we move to the next slide, please. So the main takeaways of this presentation. So we all know that routing vulnerabilities are happening. Not all have severe effects, but some can have them. And they can affect the availability, integrity and confidentiality of communication services. And this is something we don’t want to happen. Only what gets measured gets improved. So at the OECD, we’re quite evidence-based driven. So we really need better data on routing incidents. We do see several ongoing efforts to improve routing security, but no single technique at the moment meets all of the challenges. And then finally, governments have an increased interest in routing security. And so we propose several actions in the report to really improve overall routing security. Thank you very much.

Bastiaan Goslings:
Yeah, thank you very much, Verena. Very insightful. And I’m very glad that you, from that perspective, could share this with us. Next is Katsuyasu Toyama from JPNAP and APIX. Probably more technical perspective.

Katsuyasu Toyama:
Yeah, thank you very much. My name is Katsuyasu Toyama. Yeah, I’m from the operation community. So operating the JPNAP Internet Exchange in Japan and also a chairperson of an APIX Association of Internet Exchanges in Asia-Pacific region. So today, from this standpoint, I’d like to show you about an Asia or world situation. Okay, please, next. So I well remembered approximately six years ago. So we had a big failure that has caused the big tech. Oh, this is like Google, maybe you remember. Yeah, they leaked the peer traffic to upstream provider. Please, next. Yeah, so they leaked the prefixes and then the traffic is rerouted to the worst one. So at the time, the connection, sorry, the communication with the content and the eyeball is in the loss or delay. So the degree of the quality of the communication. Okay, please. Yeah, so these kind of a misoperation, but also the hijacking is often frequently. Yes, please. So, but as Bastiaan mentioned, the routing insecurity is another long time, very important things. So network operators have been trying to secure our Internet for a long time. So at first, the route filtering with an IRR, yeah, that is the routing information, which is not authorized or certified, but we use the data for a long time. But that was sometimes not up-to-date, obsolete. Yeah, so sometimes to use that data. So the 2010s, yeah, so RPKI started. So now we are moving to the RPKI. So please go next. So how widely RPKI is deployed? Please state. Oh, ROA and ROV already mentioned, so please. So this is the data from APNIC Labs, which are published on the web. And the summarized, according to the regions, the basically the RIR region. So the Africa, North America, Asia and Oceania, Latin America, Europe and Middle East. And each regions, they have some kind of ratio of deployed the ROA. So the green part, you can see, that is a range or ratio of ROA enabled.
So as you could see, the Europe and the Middle East, the many space, approximately 70% are already covered in the ROA. But in Africa or area, that is the North America region, there’s still less than 30%. Yeah, so according to the regions, the deployment or penetration of the RPKI, especially the ROA part is not different. Okay, so please go to the next slide. Yeah, so this is also the same, the comparing from the route object. Okay, so you could see some ROA invalid. I think this is not on the hijacking, but I think the misconfiguration of an misregistration of an ROA and such kind of things. Okay, but still, yeah, Europe is very widely covered by the ROA. Okay, go please. So why the networks have registered or deployed ROA? I think, I believe that some global tier one providers and also the big techs are recommended to register ROA. And sometimes they’re saying to the eyeball networks, if you do not register ROA, in a future, we will reject your routes. Yeah, so like in the Japanese, for example, the Japanese operators, they are all fear to lose the connection. Yeah, and cannot access to the such and the famous and the popular services. So they gradually started to deploy and register the ROAs. I think that is a risk. Yeah, so if they do not register the ROA, maybe they will lose the customers. And that means that they lose the money. Okay, so next please. Okay, so as I mentioned, I am conducting the APIX and there I asked and did a survey about ROA and RPKI kind of things. Okay, so why ROA is used or not used in your country or economy? And we got not many, but a few replies. So in Bangladesh, as you could see, in Bangladesh, ROA becomes approximately 90%. Okay, so they said that did no big challenge and networks, they’re doing that by themselves and it becomes a normal. It’s a great thing, I think. In a Singapore case, the government recommended, government regularly recommended a few years ago, but that is not regulated, only the recommendation. 
And that becomes an approximate 60%. Okay, and the Thailand case, oh, they also the 43%, yeah. And, oh, the obstacles or, yeah, what is in the, yeah, prohibited or not allowing to do the ROA is sometimes they are saying, if you look at Singapore’s answer, oh, there, some ISPs operators do not have a necessary knowledge or skillset. Okay, and also in Thailand, they are saying the same kind of things. So operational level, they should learn more and make convinced, yeah, doing the RPKI things. Yeah, oh, I think that the management level of the Thailand, oh, they are allowed to do that, but the engineers have not much knowledge or skill about it. Okay, so these are the operators’ reactions. So please go to the next. So then, oh, how about ROV? So as far as I know, not so many networks deployed on ROV. Yeah, oh, this is a feedback from such operators in APAC. And, oh, I asked two IXP friends in the APAC region and Bangladesh guys replied, oh, they are not deployed ROV in their internet exchange. But the person says they are in the deploying phase and maybe deployed by the end of this year. And Singapore already, I guess, this is in the SCIS and Thailand case, the mechanics, they are deploying the ROV. So, oh, yeah, some of the internet exchange are doing the ROV on their route servers. Yeah, but then also they are saying that sometimes the knowledge is not so enough to do that. And especially as, yeah, some kind of a peer to lose some kind of that valid route. So please go to the next. So this is a feedback from Japanese operators. Yeah, so why they do not deploy ROV? Yeah, because sometimes they appear about the invalid route or mistakenly judged, that is very dangerous. Yeah, so that is one of the reasons. And the other reasons are still the software engineer need it because RPKI softwares are basically open source and not appliance provided. So need more software engineers. And also the not many network engineer itself is not so many.
For example, then small ISP or cable TV operators, they do not have enough engineers. Only one engineer operator, that is not a rare case. So in that case, they are very busy. So not too time to learn over the RPKI. Okay, so please go to the next. So what can ISP do for this case? So of course in the ROV at an internet exchange, this is a typical case. We are doing the ROV for a long time. And also the invalid routes are not announced to the peer. So we have discarded that. Okay, so this is, of course, and as I mentioned, several internet exchanges in APAC region are doing this kind of the ROV. This will reduce the burden of our networks. Okay, so this is another good thing. And, okay, so please go on to the next. And not only that, we are doing the experimental project to facilitate ROV. Yeah, as I mentioned, some networks, some operators says they do not have enough software engineers to deploy it and several kind of software. So some of them say that, oh, internet exchange people, please operate. Please do the service about an ROA cache servers. The ROA cache servers is left as open software. And it is sometimes very difficult to operate. So in Japan, we are now trying to challenge to provide ROA cache servers at the IXPs, and which can be used by IXP users. Okay, yeah, but there is some kind of difficulties because the ROA cache should be operated in one. It’s, yeah, so the communication channel between the routers and the ROA cache not encrypted in general. And of course, there are some options to encrypt and on top of it to exchange some kind of information. But still, the part, we think that no good standard, not good implementation, it’s not, we don’t have that. Okay, so that is a concern. Okay, please go next. So as a conclusion of my talk, I would like to suggest that for to deploy the ROA, so some organization in a country should recommend that.
Now, I like the approach to industry by doing them by ourselves, but sometimes the cost issue or the engineers are not so many, so need some justification. And higher level or easy or persuaded, if there is some kind of a standard or recommendation of a country level, that is easy to do that. So NIR or regulator, government, maybe you can do that kind of a recommendation. That is one of the good things, I think. And of course, the RPKI solicitation and implementation should be updated. Yeah, as I mentioned, there are some lack part or that less part, so that should be implemented. And of course, the global routing security, that is a long and winding road, as you know. So the first case I told about the route leak, that should be needed as an ASPA validation. Yeah, so that is not the next or next step. Yeah, but then we have to do a lot of things, but we should go for that goal. Okay, thank you very much.

Bastiaan Goslings:
Thank you, thank you very much. I think very insightful because like practical experiences, what operators are doing and what you can see at your internet exchange. So I think it’s very much adds, it gives the perspective on what we’re talking about here, the evidence-based approach, so to speak. I suggest any questions, comments, let’s do them after the last presentation from Annemiek, who will be speaking on behalf of the Dutch Forum for Standardization of Thinking. Floor is yours. I thought I’d put it on.

Katsuyasu Toyama:
Thank you very much, both of you, all of you.

Annemiek Toersen:
Thank you for the compliments, Verena, for the whole thing and the backgrounds, Katsuyasu. My name is Annemiek Toersen from, yeah, you could call it the Dutch, but we have to say Netherlands Standardization Forum, but it doesn’t make sense. So if you put the next screen on, sheet on, then you can follow everything. What is the Netherlands Standardization Forum? It’s a think tank with about 25 members and focused on interoperability and advises the Dutch government as a whole. And those members are on personal title involved in this forum, and they have a background in the government, but also in businesses and science. And the focus, the main focus of the forum is a list with mandatory open standards. This is our core business is focused on the mandatory of the open standards we were talking about earlier. And the scope of this list is only for public sector organizations. Of course, private, it’s not, can also use it. Can also use it. There will be a nice, next slide, please. But what are, why are we using those open standards? Well, as you all might know, because you’re joining this workshop, the open standards are for interoperability, exchanging data safely and trustworthy. Security, in order to be trustworthy to the society. It should be accessible for everyone. 25% of our population in the Netherlands are not able to watch internet or they have no access to it. So we should realize that. And of course, vendor neutrality. So we shouldn’t be dependent on vendors. For open standards is very important in your services. Next slide, please. An adoption of strategy internet security standards, we have three levels or three points, three items, which I here have a slide of. First of all, we focus on the obligations. I already told you of the mandatory. We do that with a comply or explain lists. So, well, I’ll come back to that later on. And that is, of course, comply or explain for new investments. 
Furthermore, we have public commitments with implementation deadlines. So later on, I will show you also what that means, especially RPKI is one of those. And we have obligations by mandatory by law. So lately, July the 1st, we had in the Dutch government approved a law for HTTPS, for instance, and HSTS. An open security standard. Furthermore, we have second one is monitoring and third cooperating. I will go first deeper in the obligations. I already told you about the comply or explain list, but the list is for about 40 standards and all those open standards, 15 of them are security standards. And what we do on the list is we have experts gathered to collect it in order to evaluate those standards and the criteria are mentioned here. You have to go to the next slide, please. Okay. Okay, let’s see if you go back to the former sheet, please. Yeah. And then we have the security standards. If the adoption strategy, number two and the monitoring, I go, yeah, sorry that I mixed up, but I had different slides deck, but that’s not a problem. I go from the sheets. The mandatory, we had by law. The second was cooperation. So that means we cooperate a lot with public and private companies. We have contact with vendors. An example is that we have letters written to Microsoft in order to implement DANE. Not only we, yeah, due to our fact we wrote letters, other countries followed like European countries. And therefore the coming spring, they announced that they will implement DANE, well, next year, 2024. And we exchange a lot of knowledge. And that’s nice because, yeah, then we promote adoption in that way. Monitoring, the last one is that we used the tooling of internet.nl. We monitor, apart from that, we review vendors. So if we procure ICT service in the government, you should ask for open standards. If you don’t do that, then you have a reason to explain in your annual report in order to explain, for instance, it’s too much expenses. Could be a severe reason.
If not, then you have to use them. The measurements will be published twice a year and offered to the cabinet. So if I can have next slide, please. So, oh yes, you need, if you have only one company or one organization using open standards, then it doesn’t work effectively. You better have, you can only have advantage of it if there are more organizations using open standards. Therefore we call it a critical mass needed. And another thing is that end users don’t know any, and can’t verify. So you need more transparency and awareness is needed. So the information asymmetry is necessary. If we can have the next one. This one I recognize, sorry for that. I apologize, but this is okay. I was talking about criteria. The most important is the openness, added value, market support, and proportionality. And apart from that, open standards do also have different kinds of categories. For instance, internet and security standards. RPKI is one of them, but we also have document and web in the e-invoicing and administration. Accessibility, for instance, the WCAG is also a famous one. And when governments invest or buy such, they must choose for the relevant standards on the list. Otherwise they should have a severe reason to explain in the annual report, as I just mentioned. If you’ll go to the next one, please. I already talked about the internet security standards. Here you see a couple of them. In total, there are about 15. The most, we mostly recognize HTTPS. I already mentioned that there is a mandatory for it. Now, well, of course, here we are for RPKI, but there are more. Next sheet, please. The second, we cooperate. We cooperate, let me see, because my slides are different. Cooperation, including contacts with vendors. So I already mentioned that we, for instance, have contacts with large suppliers. Here you have vendors and hosters, like Cisco, Microsoft, OpenExchange, and Google. Akamai is also, well, you can read yourself here. But we also do international contacts. 
Like last week, we were represented in the Michieux, workshops on the modern email security standards with European governments. And we reused the internet.nl code. And other countries take that notice, just like Australia and Brazil and Denmark. So they use internet.nl for their measurements. That’s very nice that we can inspire other countries. So if you are interested, actually, in also using the internet.nl, please send us a mail and then we can help you in the future. Next sheet, please. We also mentioned monitoring, so measuring. There are two things on the procurement. If you, once a year, we take, go through all the tenders which are done in the Netherlands and we review them. And during the review, we see what’s happening and we see how the growth of using internet security standards are growing and other open standards as well. And we offer this report to the cabinet. So governments will be spoken of. Yeah, they will call, well, they are announced. They will see how they do well or not well. So therefore, the next is that we, the second part is that we measure by internet.nl. We do that twice a year, but that is specific on the internet security standards. Can we go to the next sheet, please? Okay, here you see internet.nl, how it works. It’s actually very easy. You put your URL in it or your email and you find out in one sheet what you’re doing. We also have a Hall of Fame. So if people have 100% score, they can have a special t-shirt from us. And it’s a collector’s item actually, but what we do is more naming than shaming and that works out very well, quite well. Next sheet, please. Yeah, that’s so slow. And if you don’t ask it, you don’t get it. Yeah, well, anyway. Next sheet, please. Okay, if there are any questions in that way, I would also mention that the reason we have RPKI on our list of open standards is that the Ministry of Foreign Affairs was hijacked. We are one of the examples of, unfortunately, Katsuyasu mentioned in his story. 
We were hijacked and that was a big problem because in 2014, November, journalists found out and we were in the newspapers in the Netherlands. Later on in 2015, it resulted in parliamentary questions, unfortunately. So it could be worse actually, but due to the RPKI in future using, we can prevent this disaster. It was accidentally found out actually because the Netherlands, the NCST in Holland, submitted RPKI to be continued in the comply or explain list. Due to the hijack, they submitted it to us in 2019. Unfortunately, we could implement it in 2022 in the internet.nl measure tooling. So therefore we now check also all governments using RPKI. And well, that means that we have a good site of RPKI in future among the governments and that will be nice. But yeah, if there are any further questions about it, I would love to answer them. Thank you very much. And excuse us for the wrong presentation.

Bastiaan Goslings:
Yeah, thank you. Thank you very much, Annemieke. And yeah, I also feel like somewhat uncomfortable and apologies. I think you did really well despite the fact that the latest version of the presentation somehow did not end up in the slide pack, but I think the message came across very, very clearly. You did really well. So I wanna use the remaining time we have according to plan, 25 minutes to open up the floor for anyone who would like to contribute here, ask questions, ideas, comments. Let me first check if there’s online anyone who would… No? Okay, thank you. In that case, in the room, is there anyone who would like to… Gentleman here, Olaf, please go ahead.

Olaf Kolkman:
Yeah, Olaf Kolkman, Internet Society. I would be amiss if I wouldn’t be talking about what I’m going to talk about. I strongly align, very strongly align with everything that the panel said. Routing security is a top priority if we want to protect the core of the internet infrastructure. The routing space… I’m big on that screen. The routing space needs protecting. And Lauren said it, and you all actually all said it, it’s a common action problem. And that common action problem comes with a lack of visibility. It’s very difficult to see whether a participant in the routing system deploys routing security measures and make that visible, and thereby create a little bit more value in the market. And when thinking about this, and this has been a discussion within the technical community for already a couple of years, I think five or six now, the community came up with a set of norms called the Mutually Agreed Norms on Routing Security. And basically these are a number of measures that participants in the routing system agree to take. They’re different, we have different programs, we have programs for ISPs, we have programs for CDNs, for Content Distribution Networks, we have programs for internet exchange points and for vendors, and there are some different requirements there. And with this program, we try to get visibility in sort of general terms for people to understand whether people are good players in the routing space. We also want to see whether that has impact. So we have an observatory called the MANRS Observatory in which we track incidents, but also how does the community adopt and adapt to certain technologies. And yes, the incidents come from data sets that may or not be all trustworthy. And by the way, not all incidents are actually caused by malice. What more do I want to say? 
Yes, in taking that other step about creating value, the community is now looking at what we call MANRS+, it’s the working title, whereby we are trying to identify stronger controls than the ones that are now in the MANRS program that can actually be audited. And so with an audit scheme, you can also imply a certification scheme. And with a certification scheme, you might create a higher value. If you are certified, you have probably a higher value in the market. And we hope that by making the consciousness of routing security more visible, we hope that that also creates the value for the participants when they sell their goods and their connectivity services. So that’s what I wanted to add, because I think the MANRS community, which we host as Internet Society, the MANRS community is actually trying to forward the incentives. And I know JPNexus, GeneXus is a member. Thank you.

Bastiaan Goslings:
Thank you for that, Olaf. Interesting. I was very much aware of MANRS, so you had the opportunity to plug that. I think it’s a very, very important initiative in taking it to the next level, right? MANRS+, I think it’s good. It’s been around for quite a while. I’d assume, right? And it’s a good thing that those entities, organizations, companies that join MANRS, right? And I think you have like different programs, right? ISPs, Internet Exchange Points, CDNs. You might even have more by now. Those are the ones. And again, that’s a good thing that actually want to commit to this, right? And want to live up to the spirit of it and also the practicalities of what you then need to comply with. But what about the rest? You know, that is not there. So I do hope that the members, I don’t know if they’re members, but like the participants also go out to take out the message, you know, towards their respective communities. And I had the slide here, you know, with some of the factors, limiting adoption of routing security and whether, especially when it comes to those that operate networks and the technicalities of using these type of tools, as well as potentially, you know, costs involved to implement it. The projects can be quite significant, especially if you have a large countries, you know, spending network with a lot of equipment, et cetera. So I do hope, you know, that the MANRS participants also help to spread the gospel and to work with other networks who not yet are on board to convince them, hey, you know, it’s not that complex or it’s not that expensive or I can help you do this or that.

Olaf Kolkman:
Yeah, I think it is a community of ambassadors, so to speak. We actually have MANRS ambassadors that try to do that. And mind you, that doesn’t exclude the things that internet.nl does. And for instance, the procurement approach that is being taken. Those are all kinds of additional things that help boost routing security.

Bastiaan Goslings:
And that’s why we’re in the game. I fully agree. No, thanks for that. Sorry, is there someone online who wants to? Yeah. You have to do that first and then Professor Muller.

Moderator:
It’s more of a comment from Benjamin Bruceman. And the question actually, the domain name registry of the Netherlands sidn.nl has an incentive program to give discounts if the domain owner uses some open standards, for example, DNSSEC, DANE, et cetera, to improve adoption. And the question is, did RIPE NCC look into giving discounts to IP space owners? Thank you, Benjamin. I saw that one there coming. I know it’s a very fair question.

Bastiaan Goslings:
And I think, you know, SIDN, the Dutch ccTLD operator for .nl, yeah, did really great work there and it had an impact. I think it’s quite a low margin business being a registrar and most of those organizations do hosting and other stuff as well. But there’s not a lot of money there to be made. So any discount they can get, you know, and if it’s relatively trivial to implement DNSSEC, then they’ll go for it. And I think the situation for the RIPE NCC is somewhat different. SIDN is not a member-based organization like us. So the management can more easily decide, you know, let’s do this. Combined with the fact that .nl actually receives part of the fee that registrants pay registrars. So per .nl domain name, part of it goes to SIDN. So they have like room to give a discount. For the RIPE NCC, we’re a member-based organization and we don’t charge based on the resources that our members receive or use or whatever they do with them. Everyone pays a straight membership fee. So whether you are a small host or a very big international, one of the big tech companies, everyone pays the same. But this might be an idea and I’m thinking out loud now that that would have to be decided by the members themselves, right? They’d set the membership fee, whether that would be an interesting thing to consider in order to help move this forward. But it’s not up to the RIPE NCC and in this case itself to decide upon that, but it’s a fair question. So thanks for that, Benjamin.

Annemiek Toersen:
Thank you very much. I can also thank RIPE for, yeah, government, Dutch government institutions, because RIPE sponsored courses for RPKI in order to adopt this open standard. So therefore you can sponsor also in a way, not give a discount, but also sponsor by giving courses about RPKI. That might be a suggestion for other environments and other countries, other governments. Thank you.

Bastiaan Goslings:
I’m very happy to take that on board and maybe even more happy to say that that’s actually what we’re already doing. I mentioned it briefly, we do give these, I don’t think it’s scalable to give them away for free, like the face-to-face ones, right? Like you have an actual trainer that travels to go somewhere and spends a number of days with people and has a backup, et cetera. Like we’re a nonprofit organization, so this is not a moneymaker for us anyway. And it’s more about, it’s important to spread the message and to help these people to learn of these technologies and to actually use them. We have also for BGP security and RPKI, free online trainings. So they’re available to anyone. So if you, for whatever reason, I can understand that, right? Like in terms of budget, it’s a challenge to actually come to travel or to go to an actual training. Then the online courses are free of charge available. So that, I think at least as a first step would be good for people to be aware of. So if you guys are not aware of them, I think we need to do a bit more marketing in terms of spreading the message that this is available. And on the other hand, and I think it’s a good example of what we did with the Dutch public officials, right? People from the Dutch government and agencies, et cetera, that we are more than happy to have like a dialogue and to see like what in a tailor-made form we can provide in terms of training. And then maybe also including a discount, no problem. Depending also on the amount of people and the impact that we potentially can have. So, and anyone that has questions about that, feel free to contact me, to come to me and to see what we can do here. Thanks for the suggestion. Sorry, go ahead.

Audience:
So, we’ve been studying the web PKI and one of the big actions that facilitated the expansion of PKI with web servers is the automation and the creation of Let’s Encrypt which offered free certificates based on this ACME, which later became the ACME standard of automating is, is it possible for some kind of automation to happen in the RPKI space or is it so different that you can’t use that model. I’m not aware of the technicalities of the example like or the analogy that you make with regard to PKI. From what I’ve seen, like, this is something you know we’re not going to automate in terms of, we are not going to create ROAs, you know, the signed statements for the resource holders, that’s something they need to do themselves but like seeing the way that this actually works within the portal it’s so trivial is maybe too big of a word you need to know what you’re doing but for the people you know that you’re speaking very fast, could you slow down and speak a little louder so people actually understand what you’re saying.

Bastiaan Goslings:
Yeah. Okay, well I’m sorry for that. The way you know that our members, create these statements that were within the portal, it is so easy. Like so that should not be an impediment for them to actually do it this is not something that we can automate and do for them automatically this, it is something that needs to be triggered by the resource holder him or herself to actually create these statements. I don’t know if that answers your question or not because that will be my initial response. Well I guess, what is the impediment then. Well that’s, I think what we were what we’re discussing here right well what’s the reason for someone not to do it, either they perceive it to be too technically complex or maybe on the validation parts, using the tools, it’s too expensive to you know to configure routers or other equipment they need to get for this accordingly. That’s what they automated in the web PKI they thought it was too complicated to manage certificates so they created the ACME protocol, I just don’t know whether the model is applicable at all but you need to make the choice and then then the tools of course support the choice that you make in such a way. And that part is the tools are sufficiently mature and the way that we do it via the portal, but also the validating software, etc. I don’t, I don’t think. And I’m not a network engineer but imagine and also talking to network engineers that should not be the challenge in itself right if you can run a network you can do this in itself that’s not a technical challenge, but they need to make the choice themselves and do it, probably that’s more of a challenge management approve them to implement this. I have some comments and questions from zoom.

Moderator:
First comment from Benjamin Bruce mark for information: MANRS, the mutually agreed norms for routing security, is currently in procedure to be decided to be put on the Dutch comply or explain list. I have quite a few questions. I’ll ask them one by one, please keep me on the list. First question from Bart Knuben, could we get to a point that RPKI is the default? For example, that networks do not accept routes that are not covered by RPKI ROAs. Shall I read everything?

Bastiaan Goslings:
I don’t know if I may ask my neighbor here because he thought that was an interesting example you refer to tier one operators and others. I think large content providers, demanding from customers you know that they have their resources assigned so maybe you can answer to that question.

Katsuyasu Toyama:
Yep. So, oh, from the operator sides. Oh. enforcement is in a good way, but usually. So such kind of some kind of penalty is now driving that deployment of the RPKI, but it’s still the people are operators are anxious about So at this point of time, the ROA and ROV is only for certificate and validator origin. So yeah, ASPATH validation is the two or more steps forward. So, not in the perfect solution. So, kind of the enforcement is necessary but then there’s still that is on the way. So, oh, some operators are skeptical to pay the money on that routing securities. Yeah, still. Yeah. So, that is I think the problem. Thank you.

Moderator:
I have another question from Lauren Crayon addressed to forum standardization. Could you provide further details regarding the tracking of governments you mentioned on internet.nl. Will this be tracking ROA creation and or ROV? Thanks.

Bastiaan Goslings:
Hello. Yeah. The last part I couldn’t understand from you. Sorry. Can you repeat that for me. You were mentioning tracking of governments on internet.nl. Would you track ROAs? ROAs? What is it? No, we don’t check ROAs. Sorry, can I interrupt? This is pretty technical about the ROA or the ROV indeed. On the internet.nl, we only check the ROA, so the certificates at the moment.

Audience:
To actually check the ROV is more complicated. It could be done, but we would need separate ISP space to that actually has an invalid route to do the check. Currently, we don’t do that and we use the ethnic data to report this data back to the government or yearly reporting.

Bastiaan Goslings:
Okay, thank you very much.

Audience:
I have another question from Mark Knubben. On its EU Internet Standards Deployment Monitoring website, the EU is also monitoring the adoption rate of modern internet standards like RPKI and MANRS. What could or should the EU do more? What could or should we do more about measuring or monitoring? Yeah, monitoring the adoption rate of modern internet standards. Well, what we do more is connect governments in order to do so. We inform them, we give workshops, but I’m not sure what he wants to know.

Annemiek Toersen:
We just measure, we offer it, we inform. I don’t know exactly what he really wants to know because, sorry, I can’t answer the question.

Bastiaan Goslings:
All right. Can you repeat it again?

Moderator:
Yeah, sure. So, the EU is monitoring. So, there is a paper EU Internet Standards Deployment Monitoring website, where the EU is monitoring the adoption rates of modern internet standards like RPKI and MANRS. The question is, what could or should the EU do more?

Annemiek Toersen:
EU, so this question for everyone, I guess. Or not.

Bastiaan Goslings:
Sorry. Yeah, I mean, it’s hard for me to speak on behalf of the EU and I would get in trouble for doing that.

Verena Weber:
So, basically, I mean, I think you mentioned one point, right, like information sharing is good. I mean, I think if you could present what you guys are doing, you know, and have this more widely adopted. I mean, that is probably like another issue, but I don’t know the site well enough to basically say, you know, okay, how well is it working? How many governments are implementing it? So, from our report, I know that, you know, some governments are really quite active, but there are quite a few that are not, right? So, I think, you know, like training, raising awareness and stuff might be also an issue on the EU level, but again, you know, I don’t want to speak for the EU.

Annemiek Toersen:
We inspire two other countries. You already mentioned that, it was Australia and Brazil, and Denmark also uses the English version of internet.nl, so therefore we exchange our knowledge about that and we inspire them. Also, if there are any other countries also here available, if they want to help for that, we can answer, we can help you in assisting using the code. So, the English version of internet.nl is available. So, if anyone needs that here, we would like to know and help you.

Moderator:
Thank you. Rüdiger Vogt has his hand up. He also wrote in the chat the question, but maybe I can ask the technical desk if they can unmute him, then he can ask it himself. If that’s possible. Okay. Okay, I can just read it then. My question is to Annemieke. Which RPKI standards are you listing in your advice? Are you including advice on standards that still wait for implementation, or would you need to still fill gaps? I don’t understand.

Annemiek Toersen:
That is positive, then it comes to the list, comply or explain. And if not, yeah, then it can be to another list which we call recommended lists. But Olaf likes to have an answer for that.

Olaf Kolkman:
While I’m not involved with the process, I do understand your question. I think your question is which specific RFCs were input to this process. I’m not quite sure if you noticed, Annemieke, but I’m sure that Bart or somebody else in the office would be able to answer that. And I’d be happy to forward that to Rüdiger, but Bastiaan knows him too. I think Rüdiger in the meantime is unmuted.

Bastiaan Goslings:
I don’t see the red microphone. Rüdiger, can you speak? Yeah, if you can hear me.

Audience:
Yes, well, okay, kind of Annemieke, as Olaf was telling, there are quite a number of RFCs that define RPKI-based standards. And so far, I only have been hearing about use of establishment of ROAs and the use of origin validation. I think Bastiaan was mentioning the upcoming ASPA, which will be another object in the RPKI. And in fact, the RPKI design right from the beginning was targeting something that has been defined for quite a number of years as full standards BGP-SEC, which is not yet implemented. And which actually needs significant action and resources for getting implementation and deployment. And people are usually not talking about it, which is a problem.

Bastiaan Goslings:
So I’m done.

Annemiek Toersen:
Okay, thank you very much for your question or remark. Most probably my colleague Benjamin could talk more about that.

Audience:
Yes, so I put the reference documentation in the chat. Currently, our RPKI, which went into procedure has like one RFC attached to it, which is 6,380, but also lists three other RFCs with recommendations. Regarding the BGP-SEC, we don’t do that yet because it needs to be put in procedure by somebody.

Bastiaan Goslings:
Is that clear for you?

Olaf Kolkman:
Can I ask a qualifying question with this? For the procedure, in order to be accepted, there is the expectation that there’s a reasonable amount of deployment of a particular standard or specification, is it not?

Annemiek Toersen:
That’s correct, Olaf. You need not only one organization using it, but you have to find a companion, fellow organizations in order to have a severe standard and accept it in practice. It should be in practice and it should be supported.

Olaf Kolkman:
I think that answers Rüdiger’s question because BGP-SEC is not very much deployed at the moment.

Audience:
Okay. Hi. Seems I’m still there. Yes, I’m very much aware that BGP-SEC, in fact, is essentially not implemented. I learned over the past few years that public discussion of making use of RPKI and improving routing security tends to essentially stress the stuff that is essentially really available. In many cases, the advocates of that argue in a way that, yes, what’s available now is kind of solving old world problems and ignoring to work on getting the improvements that are still necessary. Actually, one of the really bad problems is that for the future deployment standards, development work needs serious resources. Serious resources, in particular, if we want to progress security. That’s not happening. The question is, how could we actually work on getting those resources available and in place with the proper people? Thanks.

Annemiek Toersen:
That’s a good question. In the Netherlands, we organized a workshop in cooperation with RIPE. We opened a course and only policymakers of the Dutch government could join these courses. That’s what we did together. Perhaps you have an addition, another possibility.

Bastiaan Goslings:
Sorry, Rüdiger. I think it’s interesting points you make. Just to confirm, I personally definitely did not want to make the point that we can focus on the tools that are there and that will solve all of our problems. Definitely not. I think when it comes to creating the ROAs and doing the validation, on the other hand, we still have quite a long way to go in terms of adoption, but you’re absolutely making a good point that there’s a lot more that needs to be achieved and that we need to build on. I want to thank everyone here. I’m sorry that’s quite abrupt stopping this now, but the next workshop is going to start soon. People need to prepare for that. I really want to thank everyone for joining. I hope this was interesting. Again, with regard to the topic, if you want to follow up, I’m assuming I speak for all the panelists, right? Come to us and approach us and see how we can together move this forward. I want to thank all of my panelists here. Great for all you guys being here and contributing. I’m really happy. Again, thank you again. Also, the audience for being here and participating also online. Thank you. Thank you.

Annemiek Toersen
Speech speed: 144 words per minute. Speech length: 2127 words. Speech time: 887 secs.

Audience
Speech speed: 104 words per minute. Speech length: 659 words. Speech time: 380 secs.

Bastiaan Goslings
Speech speed: 189 words per minute. Speech length: 5211 words. Speech time: 1655 secs.

Katsuyasu Toyama
Speech speed: 145 words per minute. Speech length: 1955 words. Speech time: 809 secs.

Moderator
Speech speed: 112 words per minute. Speech length: 351 words. Speech time: 189 secs.

Olaf Kolkman
Speech speed: 145 words per minute. Speech length: 738 words. Speech time: 306 secs.

Verena Weber
Speech speed: 178 words per minute. Speech length: 2536 words. Speech time: 854 secs.