Europeans Deeply Divided Over Internet Routing Methods
VIENNA -- Members of RIPE, the IP-address registry for Europe and the Middle East, moved to secure the IP address routing system with X509-certificates, which would harden the Internet network against attacks on messages that are in transit. But the 116 RIPE members voted to slow down implementation of the Routing Public Key Infrastructure (RPKI), citing potential collateral damage by the necessary centralization of the routing system. RPKI will be rolled out in the U.S. in 2012.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
"The vote is a clear signal that people want us to act with caution,” RIPE CEO Axel Pawlik told us. RIPE in January started to issue certificates for IPv4 and IPv6 addresses. Malcolm Hutty, head of public affairs at the London Internet Exchange (LINX) and president of EuroISPA said there’s no policy approved by the members for route certification or the use of the certificates. “We don’t even have an actual proposal,” he said before the vote.
Opponents of the certificate system at the RIPE meeting said it would fundamentally change the routing system. Centralizing the system would create a “single point of failure.” Wilfried Woeber, network and routing expert from Vienna University, said if network providers consistently rely on automated filtering of non-validatable routes based on only one trust-anchor -- the long-term RPKI design -- sites or complete networks could drop out of the routing table, and thereby off of the Internet.
Hutty and several other RIPE members said the possibility of devalidating a route at the top the IP address registries might become easy targets for law enforcement agencies. Randy Bush, network engineer from the Internet Initiative Japan, the first commercial ISP in Japan, said there was a chance that the registries would be approached by law enforcement, but operators must stop the problems stemming from so called “fat finger” mistakes, typos that caused wrong routing.
Beside the concerns about yet another avenue for filtering and blocking, there are also political concerns about adding additional centralization to the Internet. The Russian Telecommunication Administration, according to a leaked document, raised concerns about RPKI at ICANN. It requested a thorough study into alternative ways for secure routing “to prevent grave negative effects [that] are anticipated to substantially alter the structure of the interaction between all the Internet’s components."
Filtering and blocking in the domain name system also was a hot topic at the DNS Working Group at the RIPE meeting. Software and registry providers said there’s a lot of pressure to provide for filtering technology in order to keep out “bad stuff” -- with the interpretation of “bad” varying from malicious to unwanted. Joao Damas of ISC, the provider of the BIND DNS name server software, said: “The logic behind this is the people who want to do it are going to do it anyway; if we don’t provide them with a way that limits damage, they are going away from BIND and pick software that is going to generate additional damage.”