Dear all, first - I personally agree with Marco's assessment of the potential impact which the proposed new recital 54a would have. Second, I would like to ask if maybe an update on the state of play regarding the EU Cybersecurity Strategy could be a topic of general interest for the upcoming RIPE82 meeting. IIRC the Cooperation WG does not have an agenda for this meeting yet.
Kind regards Sabine Sabine Meyer _________________________ 312 - International Coordination Telecommunications Bundesnetzagentur für Elektrizität, Gas, Telekommunikation, Post und Eisenbahnen Tulpenfeld 4, 53113 Bonn Phone: +49 228 14-3128 Mobile: +49 172 7084686 E-Mail: [email protected] Internet: www.bundesnetzagentur.de -----Ursprüngliche Nachricht----- Von: cooperation-wg <[email protected]> Im Auftrag von Marco Hogewoning Gesendet: Freitag, 7. Mai 2021 16:31 An: Nick Hilliard <[email protected]> Cc: cooperation-wg <[email protected]>; routing-wg <[email protected]> Betreff: Re: [cooperation-wg] Update on NIS 2: Proposed amendments by the Parliament alter scope on (root) DNS Dear Nick, > Marco Hogewoning wrote on 07/05/2021 11:12: >> We will continue to track the legislative process and keep you informed >> about the progress. > > Hi Marco, > > [cc: routing-wg] > > Thanks for the work y'all have been doing to sort out some of the DNS scoping > issues. This is really worthwhile and it looks like it changes the proposed > text from something which was completely unworkable to something which isn't > entirely unreasonable. > > I had a quick skim through the rest of the document and came across > Amendment 13: > >> (54a) In order to safeguard the security and to prevent abuse and >> manipulation of electronic communications networks and services, the use of >> interoperable secure routing standards should be promoted to guarantee the >> integrity and robustness of routing functions across the ecosystem of >> internet carriers. >> Justification >> Interoperable secure routing standards are for example Resource-PKI. > > I'm quite concerned to see this thrown into the proposed directive at this > time. Personally I am not that worried about this particular amendment. IMHO the way it is worded leaves it fairly open as to what technologies to deploy, with RPKI being just flagged as an example. Important as well is that changing the recital like this, doesn't alter the scope of the directive. In that sense it only stresses the need for entities that fall within the scope to think about routing security and take appropriate measures to prevent the risks in that area. And I think we can all acknowledge that those risks do exist, so would be hard to argue against. We are not in scope for the current directive, so I have little knowledge on the details, but I have understood that similar requirements are already in place for entities within the scope of the current NIS directive. Where the requirement is to "secure against routing attacks" and deploying RPKI is seen as one, but not the only, way to satisfy that requirement and be compliant. In other words: "I do RPKI" is an acceptable answer, but you can also argue that you have other measures in place that would remove or reduce the risks and be compliant with the directive. The amendment introduces new text, but I don't think it actually introduces new requirements compared to the proposal as-is or the way the current directive, as it is in force, is implemented by the national authorities. > Would it be possible to see whether there's consensus on this position, and > whether we could present some of this to the EUPARL committee in the same way > that the DNS proposals were handled? If you have a consensus position to bring forward, it is always worth reaching out to the people involved and see if there still is a possibility to make changes. But I would recommend to take into consideration that striking the text altogether might be quite a big "ask" at this stage. Probably easier if an alternative text could be found that would remove the community's concerns, whilst still addressing the need to secure routing. As it mentions RPKI only as an example, would there be others to add or alternatives that would produce the same result? Because it might actually help if you can list several alternatives, as a way to stress that legislation should be agnostic on technologies. Best, MarcoH
