Re: [routing-wg] [cooperation-wg] Update on NIS 2: Proposed amendments by the Parliament alter scope on (root) DNS
Marco Hogewoning wrote on 07/05/2021 11:12:
We will continue to track the legislative process and keep you informed about the progress.
Hi Marco, [cc: routing-wg] Thanks for the work y'all have been doing to sort out some of the DNS scoping issues. This is really worthwhile and it looks like it changes the proposed text from something which was completely unworkable to something which isn't entirely unreasonable. I had a quick skim through the rest of the document and came across Amendment 13:
(54a) In order to safeguard the security and to prevent abuse and manipulation of electronic communications networks and services, the use of interoperable secure routing standards should be promoted to guarantee the integrity and robustness of routing functions across the ecosystem of internet carriers. Justification Interoperable secure routing standards are for example Resource-PKI.
I'm quite concerned to see this thrown into the proposed directive at this time. Speaking as an operator who implements RPKI in multiple contexts, I'm not confident that it's matured as a technology to the point that it would be advisable to codify it in legislation. There are several reasons here, e.g. protocol limitations, implementation limitations and potential future scope creep. The protocol limitations relate to the fact that RPKI currently only deals with route origin validation, and it is trivial to bypass the security gains it provides. Geoff Huston has written a couple of articles on this over the last while, and while there are legitimate reasons to want to deploy RPKI, it's also important to understand what it can and cannot do at the moment. In particular, it lacks any scope for routing policy management, which is an integral part of routing security. Operationally, there are still significant problems relating to RPKI TA availability and integrity, and there's been a good bit of discussion on the ripe routing-wg and at the ietf about local cache synchronisation problems. In terms of scope creep, I'd be concerned that if legislators feel that RPKI is appropriate to name in legislation, they may also feel that there might be benefit to other protocols which have been defined with the aim of addressing routing security. BGPsec would be one of these. I totally get why legislators would feel that adding routing security into the cybersecurity directive would be a good thing to do, but I don't think we're there yet with the technology side of things. Would it be possible to see whether there's consensus on this position, and whether we could present some of this to the EUPARL committee in the same way that the DNS proposals were handled? Nick
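To make concrete what "route origin validation" in Nick's message actually checks, here is an added illustration of the RFC 6811 ROV decision (valid / invalid / not-found) against a small set of ROAs. It is example code written for this page, not code from the thread or from any RPKI validator; the ROAs and prefixes are constructed from documentation address ranges.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization: prefix, maxLength, and the authorised origin AS."""
    prefix: str       # e.g. "192.0.2.0/24"
    max_length: int   # longest prefix length the holder authorises
    asn: int          # origin AS; 0 (AS0) means nobody may originate this space


# Constructed sample ROAs using RFC 5737 documentation prefixes.
ROAS = [
    ROA("192.0.2.0/24", 24, 64496),      # only the /24 itself, from AS64496
    ROA("198.51.100.0/24", 25, 64497),   # /24 or either /25, from AS64497
    ROA("203.0.113.0/24", 24, 0),        # AS0 ROA: no origin is ever valid
]


def rov_state(announced_prefix: str, origin_asn: int, roas) -> str:
    """Return 'valid', 'invalid' or 'not-found' per RFC 6811 semantics."""
    route = ipaddress.ip_network(announced_prefix, strict=False)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue  # ROA does not cover this route; a less-specific route is not covered
        covered = True
        if roa.asn != 0 and roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"  # covering ROA with matching origin and acceptable length
    # Covered by at least one ROA but none matched -> invalid; no covering ROA -> not-found.
    return "invalid" if covered else "not-found"


def validate_announcement(announced_prefix: str, as_path, roas) -> str:
    """Apply ROV to a BGP UPDATE. Only the rightmost AS (the origin) is examined;
    the remainder of the AS_PATH plays no part in the decision, which is the
    limitation Nick describes above."""
    origin_asn = as_path[-1]
    return rov_state(announced_prefix, origin_asn, roas)


if __name__ == "__main__":
    print(validate_announcement("192.0.2.0/24", [64500, 64496], ROAS))   # valid
    print(validate_announcement("192.0.2.0/25", [64500, 64496], ROAS))   # invalid (too long)
    print(validate_announcement("2001:db8::/32", [64500, 64496], ROAS))  # not-found
```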
hi nick, while i too have been ranting for a decade+ about the state of current rpki trust anchors, servers, software, router implementations, the fantasy that ROV provides attack resistance, etc. etc. etc.; my amateur read of the language
Interoperable secure routing standards are for example Resource-PKI.
is not speaking of all those cobbled together pieces, but rather the standard for the rpki as a pki. being a certified curmudgeon, as with the rest of the universe, i am not completely satisfied with the rpki standard. but i am far less unhappy about it than i am about the current implementations, distribution, and vendor code. and props to marco and crew who are trying to educate politicians. randy