Improving Technical Security

Resilience of the Commons: Addressing Routing Security Challenges

Why do some innovations take off like wildfire, while others take ages to reach widespread deployment? What makes for a successful protocol? How can we detect a protocol failure ahead of time and correct course? Recently I attended an Internet Architecture Board-hosted workshop on Internet Technology Adoption and Transition (ITAT) that aimed to address these questions.

The workshop stimulated interesting discussions, helping us better understand the enablers of and inhibitors to technology adoption and, since it focused on IETF protocols, what makes for a successful protocol.

The IAB has discussed this before. In fact, in 2008 the IAB published RFC 5218, entitled “What Makes for a Successful Protocol?” Without providing a recipe for a successful protocol or technology, it looked at various factors that “contribute to or hinder a protocol’s success.” It found that for a protocol to be successful, it should:

  • Meet a real need
  • Have open code and specification availability
  • Have open maintenance processes
  • Have good technical design (though for initial success it seems to have minimal impact compared with other factors)

The IAB also found that a successful protocol can be deployed incrementally, meaning that early adopters gain some benefit even if others do not support the protocol. Indeed, ability to use and benefit from a technology independently of other actors makes the deployment strategy clearer and simpler.

But what happens when a protocol’s benefits begin to unfold only when their penetration is substantial, like IPv6 or DNSSEC? Early adopters incur costs and gain little until the number of users reaches a tipping point. It doesn’t make sense to join a social network if only a couple of strangers are on it, or deploy DNSSEC if only a few others have adopted it. Protocols and solutions for securing the global routing system are among this group of collective action problems, too.

Everett M. Rogers, a prolific scholar of communication and social change, once noted, “diffusion is essentially a social process. While the mass media often create awareness-knowledge of an innovation, interpersonal communication with peers is necessary to persuade most individuals to adopt a new idea.”

At the ITAT workshop we presented an approach to tackle these issues based on our work with network operators. Similar to Rogers, our approach is based on the understanding that technology building blocks and solutions are an important aspect, but people are what ultimately hold the Internet together. In our new paper, “Resilience of the Commons: Routing Security,” we argue that to achieve a positive outcome, we must:

  • Build consensus around an understanding of the problem space
  • Share an understanding of the potential offered by different solutions
  • Create a culture of collective responsibility based on an understanding of collective and individual benefits
  • Focus on a positive end goal

We also see improving routing security and resilience as a social process. That is why our efforts in the area of routing security are focused on the people that run the networks and make the global infrastructure resilient. One recent example of such an effort is the Routing Resilience Survey aimed at involving operators in collecting factual data about routing incidents and their impacts. (You can still join the project!)

Security of the global routing infrastructure is to some extent no one’s concern and everyone’s concern at the same time. How can we stimulate improvements in this area – an area where traditional market forces, the main drivers of the Internet’s development, do not work, where regulation may not be effective, where one’s actions may benefit competitors more than one’s own customers?

Technology building blocks and solutions are an important aspect, but Internet development has been based on the voluntary cooperation and collaboration of the peopleinvolved. We believe that is still one of the essential factors of the Internet’s prosperity.