Probably everyone would agree that security and resilience of the global routing system is an essential element of a well-functioning Internet.
Vulnerabilities of the system are well known and have manifested themselves many times – be it a prefix hijack, like the YouTube incident, or China’s deflection of the Internet traffic for significant amount of networks.
Threats are also real and present, take for instance possibilities of hijacking and impersonating DNS infrastructure, like the case this year with Spamhaus, or so-called route leaks that happen frequently, according to a presentation by Jared Mauch at NANOG41, and potentially allow MITM attacks for a wide variety of traffic paths. The impact can be significant and, since such incidents affect the foundation of the Internet, may have cascading effects.
Not that operators are not aware or do not care – on the contrary, many network operators take routing security very seriously. And there are ways to make the system more secure and resilient – from good old best practices to new technologies like RPKI. And still, there is much room for improvement.
The tricky thing here is that often good netizenship doesn't have an immediate business case, although many would probably agree that it benefits an organization in the long run. The issue of so-called externality, which disconnects costs from benefits, is one of the stumbling blocks for wide deployment of routing security solutions.
And this is also true for other aspects of the Internet security and resilience:
- No one organization can resolve this issue by itself; the level of security and resilience of other players matters.
- Not only the protection of organization's own assets and infrastructure, but management of risks that an organization (by its action or inaction) itself presents to the Internet ecosystem becomes equally important.
- Proper mitigation of many of these risks requires collective action.
In the paper "Understanding Security and Resilience of the Internet” that we published recently we claim that collaboration is an essential component of effective security. "Ultimately, it is people that hold the Internet together. The Internet’s development has been based on voluntary cooperation and collaboration and we believe that is still one of the essential factors for its prosperity and potential."
Throughout the Internet history, collaboration among participants and shared responsibility for its smooth operation has been one of the pillars for its tremendous growth and success, as well as for its security and resilience. Technology alone is not enough, and fostering this shared responsibility seems to be as important.
So what if industry leaders come together and state their commitment to routing security and resilience of the Internet as a whole by taking certain actions, implementing specific best practices, etc.? What if we capture this collaborative spirit of the Internet in a document that can provide guidance to network operators in addressing issues of security and resilience of the global Internet routing system as well as document commitment of the industry leaders to this practice? And if we start small, can we grow this list of signed up networks and create a critical mass?
Can we collectively make a difference?
P.S. Stay tuned for a future post with some specific suggestions we have for action…