[governance] ITRs
David Conrad
drc at virtualized.org
Mon Nov 5 11:34:12 EST 2012
Norbert,
On Oct 30, 2012, at 6:47 PM, Norbert Klein <nhklein at gmx.net> wrote:
> On 10/30/2012 10:48 PM, [somebody] wrote:
>> wonk code
> Have mercy with us who are still not native speakers of the language of the Angels=Anglish-English:
Sincere apologies. I had thought 'policy wonk' was a common term of art on this list.
My interpretation of that term is an individual who focuses on/has deep interest in/lives and breathes the creation of policy.
> Do I now understand this sentence:
>
> "I suspect this is policy wonk code for national-level control/administration of RPKI/BGPSEC."
>
> Somewhat. - Not really.
A bit of high level background (skip if you know what RPKI/BGPSEC is):
One of the biggest security weaknesses on the internet today is the routing system. Some folks call the way the current routing system works as "routing by rumor" -- ISPs trust that the routing information they get from their peers is sane, implicitly trusting that information even if it is obtained from their peers' peers with whom they have no direct relationship/no way to verify sanity (and their peers' peers' peers, and so on). This leads to (not infrequent) events where bad routing information is propagated (the Pakistan Telecom/YouTube incident is one example), bad guys pop up on stolen address space to blast out spam, "man in the middle" attacks, etc.
RPKI/BGPSEC is a set of technologies currently being specified/developed/tested/deployed within the IETF, the RIRs, the router vendors, and (some) ISPs to improve the security of the routing system. These technologies provides for a way of tying resources (e.g., address blocks) to the entity to which the resources have been allocated. This allows software to be written that can (e.g.) help an ISP verify that the address space their customer just presented to them is actually address space that the customer is documented as having, ensure that routing information hasn't been tampered with in transit, etc. RPKI (Resource Public Key Infrastructure) does the tying using strong cryptographic certificates (using X.509, the same technology used in SSL/HTTPS). BGPSEC (Border Gateway Protocol Security) is a way to secure the routing information using the resource/resource "owner" relationships defined by RPKI.
As currently specified by the IETF, RPKI assumes the certification of "ownership" of resources strictly follows the allocation hierarchy, that is IANA gives the "title" of resources to the RIRs, the RIRs gives the title of resources to ISPs, and ISPs gives the title of resources to their customers (I'll skip over the part where the IANA isn't actually participating as yet as it just spikes my blood pressure). BGPSEC is intended to be advisory, allowing ISPs to set up filters of routing information based on local policy that would (presumably) include whether the RPKI information they receive from their customers and peers validates correctly.
So, with the RPKI/BGPSEC stuff understood:
My suspicion is that there are folks within (or more likely consulting to) governments that are aware of RPKI/BGPSEC efforts and the implications of those technologies and are trying to insert wording into the ITRs that will allow for national-level control/administration of RPKI/BGPSEC. However, RPKI/BGPSEC is far too technical for the ITRs, so more general, higher level language ("policy wonk code") is used instead.
As Alejandro suggests, I may be giving the folks proposing that language too much credit. However, the alternative would (as Karl aptly described) imply a level of ignorance in the way the Internet works that I would find ... depressing.
Regards,
-drc
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.igcaucus.org/pipermail/governance/attachments/20121105/cca38dbb/attachment.htm>
-------------- next part --------------
____________________________________________________________
You received this message as a subscriber on the list:
governance at lists.igcaucus.org
To be removed from the list, visit:
http://www.igcaucus.org/unsubscribing
For all other list information and functions, see:
http://lists.igcaucus.org/info/governance
To edit your profile and to find the IGC's charter, see:
http://www.igcaucus.org/
Translate this email: http://translate.google.com/translate_t
More information about the Governance
mailing list