Hi
Wout,
I'm concerned about this approach to networking security
for a numbers of reasons.
1. Mixing unrelated technologies
RPKI
and DNSSEC are fundamentally different technologies with different
applications in the networking stack. I don't think it's productive to
mix the two together in the same discussion space because their aims and
outcomes are significantly different.
2. It's unclear what is
being proposed
DNSSEC can be deployed at a resolver level, or at a
domain level or at the registrars. The use cases for each of these
scenarios vary widely.
At the domain level, as Michele mentioned,
DNSSEC is a notoriously brittle and complex protocol and while it may
be relevant and appropriate for institutions or large enterprises, it's
not really appropriate for smaller organisations or individuals which
comprise the majority of registered domains.
Further up the chain
at registrars and registries, it's also complex, as the recent .ru
outage showed. Smaller registrars may easily end up causing more damage
than they secure, and there would be good arguments for DNSSEC not to be
a mandatory component of registrar service.
RPKI can be
"deployed" as either creating ROA objects, or else by implementing RPKI
policy at the networking level using validators and routing policies.
Again, these are two entirely different things with different security
goals and outcomes, but there is no clear indication of what the IS3C
consultation is actually promoting.
Overall, RPKI can be helpful
to address certain styles of accidental network configuration, but it is
not a technology which can be used to protect against dedicated
security threat actors.
3. Over-focusing on individual security
elements
Security management is a wide-ranging process-oriented
mechanism rather than an outcome of applying specific security-related
technology components. There would be no reason not to include
assessment of RPKI or DNSSEC as part of a more general information
security management assessment assessment process, but in the scale of
things, they are individual components of a larger security management
whole, and operationally they are by no means among the more important
components for most organisations.
4. Unclear what the focus
outcome is intended to be
There isn't a clear problem statement
or any indication about why it's more important to prioritise RPKI and
DNSSEC over other discrete technology building blocks. For example, in
terms of routing security, the MANRS programs provide a useful and well
accepted set of compliance items, of which RPKI is one of the optional
components, i.e. not even mandatory (disclosure: I am a MANRS SC member,
but this email reflects my personal opinions).
The thing that
will help the Internet's overall security is adherence to Internet good
practice documents, and at the next level, adoption and compliance with
general security management frameworks (there are plenty of these).
Hyper-focus on individual line items will distract attention away from
these aims and the outcome of focusing on individual security items in
the way that this consultation suggests is likely to come at the cost of
the whole.
Nick
Wout de Natris wrote on 11/03/2024
10:00:
Dear colleagues,
IGF DC IS3C invites you to participate in the consultation on
positively enhancing the deployment of two
Internet standards: DNSSEC and RPKI. You are invited to answer either
of these questions: Do the arguments used to favor a positive decision,
convince you to order deployment within your organisation or from your
service provider? / Do they assist you to convince
decision takers in your organisation to invest in security by design?
You are invited to share your views and arguments with IS3C’s expert
team and have been granted commenting rights in this document to do so.
The consultation runs from
11 March to 12PM UTC, Friday 5
April 2024. Your contribution
will be taken into consideration when finalising the text before
publication this spring. Here is the link to the Google Doc:
https://docs.google.com/document/d/1YYq3ie9D03L1Z5ssgPbWKV5becUgNw0h7_fmm9xGWKs/edit?usp=sharing
We hope to
receive your views so we can present the most convincing arguments to
deploy DNSSEC, RPKI and all other security-related
Internet standards and ICT best practices. (FYI, this project us
sponsored by ICANN and RIPE NCC.)
Kind regards,
Wout de Natris
IS3C: Making the Internet
more secure and safer