Marco Hogewoning wrote on 07/05/2021 11:12:
> We will continue to track the legislative process and keep you
> informed about the progress.

Hi Marco,
[cc: routing-wg]

Thanks for the work y'all have been doing to sort out some of the DNS
scoping issues. This is really worthwhile and it looks like it changes
the proposed text from something which was completely unworkable to
something which isn't entirely unreasonable.

I had a quick skim through the rest of the document and came across
Amendment 13:

> (54a) In order to safeguard the security and to prevent abuse and
> manipulation of electronic communications networks and services, the
> use of interoperable secure routing standards should be promoted to
> guarantee the integrity and robustness of routing functions across
> the ecosystem of internet carriers.
>
> Justification
> Interoperable secure routing standards are for example Resource-PKI.

I'm quite concerned to see this thrown into the proposed directive at
this time.

Speaking as an operator who implements RPKI in multiple contexts, I'm
not confident that it's matured as a technology to the point that it
would be advisable to codify it in legislation.

There are several reasons here, e.g. protocol limitations,
implementation limitations and potential future scope creep.

The protocol limitations relate to the fact that RPKI currently only
deals with route origin validation, and it is trivial to bypass the
security gains it provides. Geoff Huston has written a couple of
articles on this over the last while, and while there are legitimate
reasons to want to deploy RPKI, it's also important to understand what
it can and cannot do at the moment. In particular, it lacks any scope
for routing policy management, which is an integral part of routing
security.

Operationally, there are still significant problems relating to RPKI TA
availability and integrity, and there's been a good bit of discussion on
the RIPE routing-wg and at the IETF about local cache synchronisation
problems.

In terms of scope creep, I'd be concerned that if legislators feel that
RPKI is appropriate to name in legislation, they may also feel that
there might be benefit to other protocols which have been defined with
the aim of addressing routing security. BGPsec would be one of these.

I totally get why legislators would feel that adding routing security
into the cybersecurity directive would be a good thing to do, but I
don't think we're there yet with the technology side of things.

Would it be possible to see whether there's consensus on this position,
and whether we could present some of this to the EUPARL committee in the
same way that the DNS proposals were handled?

Nick