An important debate about the implications of BGPSEC - a new protocol that would use a hierarchical Resource Public Key Infrastructure (RPKI) to validate Internet route announcements – is taking place in the IETF’s Secure Inter-domain Routing (SIDR) Working Group.
It’s a highly technical discussion, but its significance for Internet governance is profound. It is orders of magnitude more important than the silly tiff over whether a reference to “bulk electronic communications” in the ITU’s International Telecommunication Regulations would lead to an authoritarian takeover of the Internet.* If civil society activists and technologists both had a better appreciation of the intimate relationship between technical architectures and global Internet governance, they would be paying far more attention to this than they paid to the WCIT.
In essence, what is now being debated in SIDR is whether routing – one of the last areas in which Internet operations is distributed and autonomous – will become rigidified and centralized by what one participant in the debate calls “slamming a hierarchical PKI into a distributed routing system.”
As a means of validating who is the proper owner or holder of IP address resources, RPKI seems to be workable and consistent with what we know about the important, but difficult to execute correctly, role of registries in facilitating property exchange. It is the attempt by BGPSEC to use RPKI to also validate routing announcements, however, that is raising operator concerns. Inserting RPKI into route validation also inserts increased complexity, as well as hierarchy and control, into real-time operations.
RPKI is being advocated by US government-funded contractors and US government agencies such as the US National Institute of Standards and Technology (NIST). The engineers leading the revolt against BGPSEC in its current incarnation, on the other hand, are coming from operators – i.e., the people who actually have to run things. One of them, VeriSign, is raising serious questions about the scalability of RPKI in routing. Beyond that, they are pointing out that despite all the scalability questions and new dependencies that RPKI/BGPSEC creates, it still does not solve many of the most pressing routing security problems, such as the use of expired data, route leaks, and other problems.
The SIDR output has all the earmarks of a government-driven standardization process. It reveals the self-perpetuating cycle of the defense-industrial complex, in which a real routing problem was identified by researchers, a contractor proposed a solution, an agency hired them. The funding cycle ends, the contractor writes another proposal and convinces the agency to continue funding. This is done largely in absence of empirical evidence that the problem identified is the same problem operators actually deal with.
The precipitating cause of the current controversy was an attempt to estimate RPKI’s scalability. A team of technicians from Verisign Labs produced a paper trying to calculate how big a fully deployed RPKI would be and how long it would take to download all the informational objects from all repositories needed to do the required validation computations. According to the current paper, it could take 4-5 days to gather all the information needed if router certificates are not included, and 19-20 days if one includes router certificates. This long lag time raises doubts about the feasibility of the standard.
The first version of that paper was subjected to some harsh criticism by BGPSEC defenders at NIST, but the second version, which is posted here, seems to have addressed those problems and its plausibility as a first-order approximation, as far as we can tell, has not been challenged.
Archives of the debate, which began in November and continued through most of December, can be seen here.
*If authoritarian governments were smarter and really did want to assert direct control over Internet operations, they would forget about the ITRs and push for passage and implementation of BGPSEC, and then make plans to assert legal control over the ROA certificates. Oddly, the only government that seems to be present in SIDR is the USG. Hmmm…