“Do not complicate routing security with Voodoo Economics”

That was the eye-catching subject line in a recent note from Randy Bush to the North American Network Operators Group (NANOG) about secure Border Gateway Protocol (S-BGP). His note critiqued a paper, Let the Market Drive Deployment: A Strategy for Transitioning to BGP Security, which was presented recently at SIGCOMM and NANOG meetings. In the paper, researchers argued that given 1) modified S-BGP software, 2) adoption of S-BGP by a small group of influential Autonomous Systems (ASes), and 3) the assumption that ASes select certain routing paths based on security, the transition to secure routing in the Internet could be driven by ISPs' incentive to increase their revenue-generating traffic. It prescriptively suggested that governments and industry associations could foster those conditions to facilitate the transition to secure BGP.

For those not familiar, “voodoo economics” refers to then-presidential candidate George Bush Sr.'s (no relation to Randy, I think!) critique of Ronald Reagan's 1980s supply-side economic policy, which stated that you could cut tax rates and still get more government revenue. I guess Bush (Randy, that is) was voicing disagreement with the paper's supplier-oriented thesis. I won't go into detail here about the paper's assumptions about ISPs that he questioned. Needless to say, they inspired a discussion among network operators and the paper's authors that partially came down to the recognized need for better empirical data. This will likely result in an interesting paper being improved.

But Bush's main argument was that focusing on the economic incentives affecting ISP routing decisions in light of S-BGP may be missing the point. As he put it:

The largest obstacle to deployment of BGP security is that the technology being deployed, RPKI-based origin validation and later BGPsec, are based on an X.509 certificate hierarchy, the RPKI. This radically changes the current inter-ISP web of trust model to one having ISPs' routing at the mercy of the Regional Internet Registries (RIRs). Will the benefits of security – no more YouTube incidents, etc. – be perceived as worth having one's routing at the whim of a non-operational administrative monopoly? Perhaps this is the real economic game here, and will cause a change in the relationship between the operators and the RIR cartel.

That is, Bush views it as an economic and institutional problem (i.e., rules, governance structures), one which we clearly identified in a special issue of Communications & Strategies on the Economics of Cybersecurity (contact me privately about the paper) earlier this year.  In that paper, we argued that the introduction of RPKI dramatically changes the existing decentralized governance model by linking resource allocation and routing.  And this change shapes the incentives of the various organizations involved to adopt the technology.  The dilemma is clear to anyone following the debates between the RIRs or between ISPs and the RIRs over resource certification policy, or the back and forth between ICANN and the RIRs over creating a global RPKI trust anchor. The issue is who has hierarchical control over whom?

While there certainly is a need to understand the micro-foundations surrounding adoption of Internet security standards like RPKI, S-BGP or DNSSEC, understanding and resolving the institutional problems must happen simultaneously. Why this hasn't been addressed more explicitly by researchers in the United States is probably two-fold. A substantial amount of attention to date has been focused on defining the technology and understanding operator incentives. Examples include long-standing DoD and DHS S&T initiatives, a decade of NSF studies, and most recently an FCC working group set to identify best practices and recommend a “framework” for industry agreement regarding adoption of specific procedures and protocols. A related point is that the USG and the Internet governance institutions themselves, given an understandable desire to preserve the institutional status quo, might want less attention paid to who runs the existing regime.
