The Internet Architecture Board issued a little-noticed statement February 12 that has the potential to revolutionize Internet governance – and not in a good way. The IAB is now claiming that the application of Resource Public Key Infrastructure (RPKI) to addressing and routing is “a prerequisite for improving the security of the global routing system.”
RPKI is an application of cryptographic keys to the problem of authenticating address blocks, autonomous system numbers, and routes. Like DNSSEC, it authenticates the holder of an address block through the use of digital certificates, and could also be applied to authenticate route announcements. There are a number of different ways to establish trust anchors for these certificates. In its statement, the IAB is coming out strongly in favor of a rigid global hierarchy that converges on a single trust anchor, presumably in the hands of ICANN.
What may get lost in all the technical mumbo-jumbo is that RPKI is a technology of globalized control and identification. It is about giving the institutions that dispense critical internet resources the power to enforce more precisely an exclusive grant of address and routing resources to a specific party; to verify at any time that the resource is being used by the entity they gave it to, and the power to withdraw the resource by revoking the validity of the certificate, effectively shutting them down. We need to think long and hard before embarking on a path that would lead to the global centralization of such authority in a single institution's hands. We also need to be aware of the fact that some of the organizations advocating such centralization are the ones in whose hands such power would be concentrated.
The IAB announcement follows an earlier (27 July 2009) announcement by the Number Resource Organization proclaiming that “The Regional Internet Registries (RIRs) believe that the optimal eventual RPKI configuration involves a single authoritative trust anchor.” That statement offered no explanation why a centralized configuration was considered “optimal.” The IAB statement, on the other hand, contains a more extensive explanation. But it is unconvincing technically, and its treatment of the geopolitical and regulatory implications of such a centralization is either incredibly ignorant or incredibly disingenuous.
The IAB writes: “The notion of having a certification hierarchy with multiple equally trusted roots may be appealing from a social and political perspective because of 'fairness' and 'equality' arguments. But that notion allows different organizations to make inconsistent and conflicting assertions about to whom a particular address block has been allocated. In the case of conflicting assertions, the conflict would need to be solved by each relying party, requiring each relying party to have their own security policy and the associated increased complexity. Such an approach does not provide any guarantee that the outcome would lead to a globally coherent view of which resources have been allocated to whom.”
Note how poorly the IAB grasps the political and governance issues. This is not about vague appeals to “fairness and equality.” It is about avoiding massive concentrations of power in a single institutional pressure point that can become targets for malicious forms of geopolitical competition, political obstructionism or litigation. If you don't think that is a credible threat, you are unaware of the past ten years of ICANN's history. The single root also requires that the central authority administering it be subject to serious accountability mechanisms and a strong human rights legal framework – and such a framework does not yet exist.
IAB's technical argument also seems weak. If multiple trust anchors were distributed among a relatively small number of stable, well-known institutions, it seems unlikely that they would willy-nilly issue “inconsistent and conflicting assertions” about address allocations. And if they did, with a limited number of actors corrective recourse seems feasible. Indeed, the IAB undercuts its own argument by claiming that if individual network operators “find [the root] to be untrustworthy, they are free to ignore it and instead enforce policy based on what they believe to be more appropriate data.” If participation in this global hierarchy is voluntary, then how is that any different from multiple trust anchors? Or is IAB assuming that these local defectors will make do without any IP addresses?
But if RPKI in IP addressing is anything like a single authoritative root in the DNS, then the so-called voluntary participation will prove to be illusory. Once the system achieves critical mass, enormously powerful network effects will kick in, effectively forcing everyone to maintain global compatibility by relying on the dominant certification hierarchy and its trust anchor. It is disingenuous to pretend otherwise, just as it is disingenuous to pretend that anyone who wants to create an alternate DNS root can easily do so.
It is encouraging to see that there is no consensus in the technical community on this. The IAB announcement triggered a week of contentious debate on an IETF list. Phillip Hallam-Baker, a security consultant who used to work for VeriSign, noted bluntly that “This is not a technical issue, it is a political issue. IANA and ICANN have a really, really bad record when it comes to setting up root authorities. Any plan that requires their involvement is going to take considerably more time and effort than one where their involvement is optional.”
David Conrad, who actually works for IANA, tried to defend the IAB, or rather ICANN, against Hallam-Baker's attacks. But some other David Conrad, writing on a publicly archived list back in September 2009, seemed to agree wholeheartedly with Hallam-Baker:
From: David Conrad. Newsgroups: gmane.ietf.sidr. Date: 2009-09-11 21:53:32 GMT
“I, perhaps more than most, have had the recent 'joyful' experience of trying to get a security system that has a hierarchical trust model actually deployed. Suffice it to say, it is a non-trivial exercise in non-technical negotiation. From my perhaps biased perspective it would seem that while conceptually and technically, hierarchical trust models are nice and elegant and simple, they do NOT easily map into political and economic realities which are decidedly non-hierarchical. As a result, deployment has required a tremendous amount of time and thrust to actually make appreciable forward progress.
“So, here we are, coming up with yet another security system with a hierarchical trust model (whether there is one root or five or six is irrelevant). However, in this case and as I understand it, implementation of this particular security system can (note: not must) imply the root or roots has, as Randy notes, the ability to _control the routing system_, potentially in real time.
“I will admit some skepticism that this will be remotely acceptable, either in a political or business sense. As such, I have to assume I misunderstand something fundamental about the intent or trust model of SIDR.”
Another Internet veteran, Masataka Ohta of Japan, made a case for what political scientists would call a looser form of networked governance. “Your and my ISPs,” he claimed, “are loosely connected by a chain of social trust relationships between adjacent ISPs, which is why we can exchange packets over the Internet with reasonable security.” Ohta challenged the premise that digital certificates would make it more secure: “The problem of PKI is that its security socially depends on a loose connection of a chain of adjacent Certificate Authorities. …Socially compromising a Certificate Authority in the network is as easy as socially compromising an ISP.” According to Ohta, “PKI, including DNSSEC, is not secure end to end. …there is no point to work unreasonably hard to cryptographically strengthen links between adjacent CAs. So, PKI is useless when there already are loose but reasonable social security.”
Hallam-Baker established an important distinction, noting that authentication of address block possession using RPKI is more easily implemented, if not less objectionable, than using it to authenticate routes: “There are two separate functions in the routing layer. The first function is to map IP address ranges to AS numbers. This is a global mapping, if an IP address range maps to an AS number in France the same mapping will be good in Brazil. The second function is to establish routing maps for AS numbers, effectively setting up mappings of the AS numbers to Internet endpoint networks. This mapping is not global. The best route to London is going to be very different in France and Brazil. The upshot is that the first problem maps very cleanly to standard PKI approaches. You can use X.509 [certificates] with extensions, you could use SAML assertions, the statements are global and work very well. The second problem is a much harder one to address using PKI. It is quite possible that PKI is not the right tool at all.”
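An added example, not part of the original article and not code from any RPKI implementation: a simplified model of the prefix-to-AS mapping Hallam-Baker describes, showing what the IAB's "conflicting assertions" concern looks like when two relying parties apply different local policies. The trust-anchor labels `TA-A` and `TA-B`, the function names and the sample assertions are constructed for illustration; certificate and signature validation is not modelled.

```python
import ipaddress
from typing import NamedTuple, Optional

class Assertion(NamedTuple):
    anchor: str                       # hypothetical trust-anchor label
    prefix: ipaddress.IPv4Network     # address block being asserted
    asn: int                          # AS the block is mapped to

def mk(anchor, prefix, asn):
    return Assertion(anchor, ipaddress.ip_network(prefix), asn)

# Constructed sample data: documentation prefixes and private-use AS numbers.
ASSERTIONS = [
    mk("TA-A", "192.0.2.0/24", 64500),
    mk("TA-B", "192.0.2.0/25", 64501),    # overlaps TA-A's block, different AS
    mk("TA-A", "198.51.100.0/24", 64502),
    mk("TA-B", "203.0.113.0/24", 64503),
]

def find_conflicts(assertions):
    """Pairs from different anchors that cover overlapping space but name different ASes."""
    return [(a, b)
            for i, a in enumerate(assertions)
            for b in assertions[i + 1:]
            if a.anchor != b.anchor and a.asn != b.asn and a.prefix.overlaps(b.prefix)]

def resolve(prefix, assertions, preference) -> Optional[int]:
    """One relying party's local policy: walk its trusted anchors in `preference`
    order and take the most specific covering assertion from the first that has one."""
    net = ipaddress.ip_network(prefix)
    for anchor in preference:
        covering = [a for a in assertions
                    if a.anchor == anchor and net.subnet_of(a.prefix)]
        if covering:
            return max(covering, key=lambda a: a.prefix.prefixlen).asn
    return None  # no trusted anchor speaks for this address space

if __name__ == "__main__":
    for a, b in find_conflicts(ASSERTIONS):
        print(f"conflict: {a.anchor} {a.prefix}->AS{a.asn} vs {b.anchor} {b.prefix}->AS{b.asn}")
    # Same block, three relying parties with different anchor preferences.
    for pref in (["TA-A", "TA-B"], ["TA-B", "TA-A"], ["TA-A"]):
        print(pref, "->", resolve("192.0.2.0/25", ASSERTIONS, pref))
```

With these inputs the two relying parties that trust both anchors, in opposite order, map the same /25 to different ASes, while the one that trusts a single anchor always gets one answer.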
Why are the leaders of the Internet technical community addicted to a “single, authoritative root?” Is it because they are wearing technical blinders and simply do not understand the social implications of what they are doing, or is there some other reason? Let's hope that the Internet elders don't get on the bandwagon of people who are determined to secure the internet even if they have to kill it.