Challenges and uptake of modern Internet standards (including, but not limited to IPv6, DNSSEC, HTTPS, RPKI) – WS 11 2020
12 June 2020 | 11:30-13:00 | Studio Berlin | | |
Consolidated programme 2020 overview / Day 2
You are invited to become a member of the session Org Team! By joining a Org Team you agree to that your name and affiliation will be published at the respective wiki page of the session for transparency reasons. Please subscribe to the mailing list to join the Org Team and answer the email that will be send to you requesting your confirmation of subscription.
Implementing new technologies and changing standards has normally been met with debate and multiple concerns – whether technical, operational, financial, organisational, policy-related or an aversion to change. In this session there will be insightful analysis of the slow uptake or non-adoption of these consensual and agreed upon Internet standards, leading to a discussion on ways to encourage adoption.
The world is in constant change, and the Internet Community expects new technologies and engineering processes to meet growing demands (on capacity, functionality, security, privacy, etc.).
Internet Standards are normally approved with consensus from the technical community and other stakeholders, although some (like DoH - DNS over HTTPS) are controversial for different reasons.
It stands to reason that "consensual" new Standards implementation / deployment would be beneficial for the Internet Community, but for a multitude of reasons, many Standards have not been deployed as quickly as expected.
Some reasons for delay or deliberate non-adoption:
- Lack of demand by customers (most non-technical customers don't understand the implications);
- Decision makers and staff lack information and/or education/training (technical, security and privacy implications, costs versus benefits, capacity to understand the implications, etc.);
- Resistance to change (e.g. "currently working, changing may fail and put my job or bonus at risk", etc.);
- Financial reasons;
- Insufficient human resources to implement change.
Some reasons for forced adoption:
- Legal / regulation (e.g. Public institutions must comply with certain minimum standards);
- Pressure from big players (e.g. Google's forcing of HTTPS);
- Marketing / commercial (e.g. "Everyone now supports it, we'll look bad if we don't");
- Technical limitations (not enough IPv4 addresses, and more recently, exhausted);
In this session we'll:
- Identify the "consensual" modern Internet Standards that had / are having implementation problems;
- Implementation statistics;
- Critical cases (e.g. points of no return, impossibility to continue to provide services or provide them at reduced functionality/performance, etc.);
- Case studies for unsuccessful implementation, and respective reasons;
- Case studies for successful implementation, and how can these positive examples be used in unsuccessful cases;
- Consider how the strain in Internet and Cloud resources caused by COVID-19 has affected the perception of these problems, both on customer and provider perspectives ("Will this be an awareness turning point?").
The session discussion will feature multiple Key Participants (as well as Org Team members) representative of relevant stakeholders (technical community, Internet providers, political and regulatory, business and individual consumer groups, etc.).
Participation from the audience is encouraged.
Scheduled: 2020-06-12 (Friday), 11:30 - 13:00 CEST (UTC+02)
Duration: 90 minutes
- Introduction:Scope of the session, list of standards, key people intro, etc. (moderator) [max.5 minutes]
- Statistics of standards adoption (Geoff Huston) [max.5 minutes]
- Highlights from "Setting the Standard For a more Secure and Trustworthy Internet" prepared for the IGF (Wout de Natris) [max.5 minutes]
- Interactive discussion (key participants + audience)
- Discussion will focus on case studies, scenarios of successful or unsuccessful implementation of current Internet Standards
- Q&A (ongoing)
- Messages (Ilona Stadnik), feedback and final notes [max.10 minutes]
Information about each person in this section is in the respective LinkedIn page.
- André Melancia - Technical community, Portugal
Organising Team (Org Team) (in joining order)
- Vittorio Bertola - Head of Policy & Innovation at Open-Xchange, Italy
- Eva Ignatuschtschenko - Department for Digital, Culture, Media and Sport (DCMS), United Kingdom
- Jan Zorz - VP of 6connect Labs at 6conect, Slovenia
- Carlos Friaças - Head of RCTS CERT at FCCN, Portugal
- Andrew Campling - Director at 419 Consulting, United Kingdom
- Wout de Natris - Owner/consultant De Natris Consult, Netherlands
- Denesh Bhabuta - Collaboration Enabler and Industry Unifier; DNS-OARC, UKNOF, PTNOG, Meidan Ventures, United Kingdom
- Eduardo Daurte - Technical Director DNS.PT, Portugal
- Roberto Gaetano - "Retired but active", Former Chair of the Board at Public Interest Registry, Austria
- Kris Shrishak - Researcher, Germany
Subject Matter Expert (SME)
- Polina Malaja - Policy Advisor at CENTR, Belgium
Key Participants are experts willing to provide their knowledge during a session – not necessarily on stage. Key Participants should contribute to the session planning process and keep statements short and punchy during the session. They will be selected and assigned by the Org Team, ensuring a stakeholder balanced dialogue also considering gender and geographical balance.
Key Participants and Org Team members are representative of the relevant stakeholder groups for this workshop (technical community, Internet providers, government, consumer groups, etc.)
- Caroline Greer - Head of European Public Policy at Cloudflare, Belgium
- João Damas - Senior Researcher at APNIC Labs, Spain
- Geoff Huston - Chief Scientist at APNIC, Australia
- Arda Gerkens - Member of the Senate (SP), Netherlands
- Wido Potters - Manager Support & Sales at BIT, Netherlands
- Martin Vliem - Microsoft, Netherlands
The moderator is the facilitator of the session at the event. Moderators are responsible for including the audience and encouraging a lively interaction among all session attendants.
- André Melancia - Technical community, Portugal
Trained remote moderators will be assigned on the spot by the EuroDIG secretariat to each session.
- Lilian Weiche - Policy Fellow at German Informatics Society, Germany
- Elisabeth Schauermann - Policy & Communications Officer at German Informatics Society, Germany
- Rochelle H.
Current discussion, conference calls, schedules and minutes
See the discussion tab on the upper left side of this page.
This page includes Org Team and Key Participants meeting information, summaries of relevant mailing list mails and preparatory discussions.
- Several agreed upon Internet standards and protocols (HTTPS, IPv6, DNSSEC, RPKI, etc) have been slow in deployment for decades.
- The adoption of these standards and protocols is challenging due to multiple factors such as: market incentives, unwillingness of the tech community to make an effort, and the discrepancy between the efforts spent and the end result regarding the safety and security of protocols.
- We need to create pressure points in society to spur the deployment of standards. First, we need to address the marketing problem by making security gaps in the Internet transport layer visible to users through education. Second, we need to carefully discuss political tools of pressure, including commercial, political, legislative and others, all of which have pros and cons.
Find an independent report of the session from the Geneva Internet Platform Digital Watch Observatory at https://dig.watch/resources/challenges-and-uptake-modern-internet-standards-including-not-limited-ipv6-dnssec-https.
Provided by: Caption First, Inc., P.O. Box 3066, Monument, CO 80132, Phone: +001-719-481-9835, www.captionfirst.com
This text, document, or file is based on live transcription. Communication Access Realtime Translation (CART), captioning, and/or live transcription are provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings. This text, document, or file is not to be distributed or used in any way that may violate copyright law.
>> HOST: All right. Hello, EuroDIG here in Studio Berlin. I am Elisabeth Schauermann, your host together with my colleague Lillian. We’re here from the German Informatics Society to keep the session up and running.
This brings me to the code of conduct. Andre, if you want to share the slide. Okay. Thank you very much.
Right. For those of you that have already participated in sessions, this is just a brief reminder on the top of every session how we interact here. So please all those present in the Zoom room identify yourself with the full name. You can change your name yourself. If you struggle, please let us know so we can help you out in that. When you want to ask question or make a comment, please use the raise hand tool. We have now made all the speakers and also all of the Org Team co‑hosts. You don’t have the hand‑raise function. Please identify your wish to speak, otherwise, either in the chat or through video.
Once you are given the floor, please switch on your [indiscernible] if you like. And state your name and affiliation before you make your comment or ask a question.
Contributions can also be made in written form in the chat and in the forum, and Lillian will review them and try to bring them into the discussion.
As the Zoom rooms are for registered participants only, please don’t share the session links with anyone on the outside. If anyone fails to comply with the code of conduct, the session hosts, me and Lillian, will remind you. As a last resort, participants can be removed from the room. I hope we don’t have to take this step.
Another important note, I’m happy to announce we’re working with Geneva Internet Platform for reporting the EuroDIG 2020 messages again this year. Ilona Stadnik is here in the room already and will be reporting for this workshop.
And the last five minutes of the session are for her so she can present the main points to us that we’ll have a look at and in a rough consensus way carry further after the session.
With this, I would like to close my opening remarks and open the session which is Workshop 11, Challenges and Uptake of Modern Internet Standards, which is moderated by Andre Melancia.
Over to you, Andre, and have fun.
>> MODERATOR: Welcome, everyone. This is going to be a session talking about technical things, but hopefully all the audience will not be technical as well. We will not go into the terrible details that technical things include.
For today, as Elisabeth mentioned, my name is Andre Melancia. I am from Portugal. I take part in technical communities both in Portugal and all over the world. But here, we are here today to discuss why some of the standards that have been widely leaned upon haven’t been widely deployed.
First of all, I should mention can go to the wiki page for this session. We have add a lot of links with a lot of documentation, a lot of case studies, a lot of different types of standards that you can have a look at. Some of them have positive adoptions, others a bit negative adoptions. And we will try to have all of this panel here today as well as anyone else who would like to join, discuss all of these.
So first of all, I should mention that any of you can participate if you want to. So please join us by raising questions in the chat. If you prefix them with question words, so our remote moderator, Lillian, can actually say those questions out loud.
If you would like to join in by audio, you can also use the hand‑raise function, and just speak, if you would like.
And from that point on, just let’s continue. Please make sure that you open the wiki page whenever we are discussing this. I think it will help you get some information across as well. I have just shared the link in the chat, if you would like to use it.
Having said that, let’s discuss the people here today. Besides of course the Organization Team and subject matter expert, which is Polina Malaja, of course. We also have Caroline Greer, she’s from Cloudflare. She will help us of course discuss some things today, especially RPKI. Also Joao Damas and Geoff Huston from APNIC and Arda as well. Not sure if she is here already, hopefully she will be here. We should also have Paul van den Berg, although I’m not sure if he’s here as well. So may be some technical issues. Finally, we have Wido Potters as well. So from the stakeholder group, which is the ISPs and generic providers as well.
Besides that, we have the amazing Organization Team that helped build the session together. You have each of their names in the wiki page. As well as links to the LinkedIn profiles for each of these, and you can find more information about each person on the wiki pages as well.
Before we get started I will steal something from the previous session, yesterday or the day before. Someone said the definition of a standard was actually to use widely agreed way to do something. This is of course true.
We will have a few standards to talk about. I’ll give you a list in a bit. These standards have been agreed upon. So things like IPv6 which have started to be deployed or tested anyway in the ’90s and nowadays they are fairly stable. And we will try to understand why some of these standards are not being used, let’s say, at 100% usage at this moment and why we still use things like IPv4. The same for the other standards, but we’ll see that in a bit.
So all of these standards that we’ll discuss in this session are the consensual ones. We tried to make a distinction between this one in the session and any others in previous sessions. Because we have had sessions for DoH DNS over HTTPS and DNS over TLS as well. And those standards do have issues regarding privacy and things like that, which sadly make a lot of people not adopt them. So hopefully the standards we’ll talk about today will be the standards that only includes or mostly include consensus.
So having said that, here’s a possible list of standards to discuss. This is of course not limited to these standards. So if you feel that there are other standards that meet this criteria, feel free to discuss them of course.
Mention some of these. I would like a brief introduction, some people may not be technical in most cases to understand what the standards do. HTTPS, everybody knows HTTPS at least from the address that you get in your browser. This is the protocol that you use to guarantee that you can communicate web pages.
This is the protocol that you use for even things like Zoom, although there are some better protocols to transport information, such as video and things like that, lately because of firewalls and other kinds of problems connecting. You use HTTPS because it is a protocol that is allowed in and out of firewalls.
The current usage is widespread. So – recently players like Google have forced using HTTPS, otherwise you would get a really bad ranking in their search. This works a bit better. Also others like let’s encrypt allows certificates for free if you use HTTPS, instead of HTTP. So this is a force. You have IPv6 which is the successor of IPv4. IPv4 was started in the beginning of the Internet. It is limited to a certain number of addresses. It used to be 2 thousand million addresses, although these are much less in reality because of reservations for certain number of things. And IPv6 gives you almost a virtual number of addresses in which you can get maybe an address for every two atoms in the universe, to give you a general idea on this. You have DNSSEC, that guaranties that any name you translate into IP addresses, does have some security associated with it. So you cannot change that in the middle and do an attack on a person. RPKI is used in the backbone of the Internet, not something the normal user sees. These are used to guarantee that whenever you have routing between places. That changes sometimes because the Internet is that dynamic.
This is only changed to things that are legitimate. We had scenarios in which for instance, we’ll talk about this of course, but we had scenarios in which operators tried to manipulate the direction of the Internet and change the entire flow of the Internet. Such as a telecom company in China trying to redirect traffic for things like Facebook and other things. And actually change half of the Internet traffic going into Chinese servers.
This happened for other scenarios as well. Finally, one of the things that people usually don’t talk about which is the WCAG, the web content accessibility guidelines for people who have things like visually impaired people or – which can be either blind or people have bigger difficulties in seeing. This guaranties things like websites deploy some standards, some guidelines to ensure that everyone is able to see the content in a good way.
Some Governments already force public institutions to use WCAG, whichever version of that you can. So one would be better than nothing. A lot of people won’t use it, especially in the private sector it is not being used.
There is of course more. We have condensed a list of all of the protocols. And a lot of links that you can look at in the wiki page. Feel free to look at the wiki. Someone updated the link, because the link I sent for some reason, the dots did not follow‑up as a link. But thank you very much.
Okay. So before we actually go into the debate, we have two small presentations, one by Geoff and one by Wout regarding in the first case statistics, and in the second case some suggestions or solutions to fix this, then we’ll hand this over to everyone for debate. Geoff, are you ready to start?
>> GEOFF HUSTON: I certainly am.
>> MODERATOR: Just ask me to move the slides and I will move back and forth with the slides, if that’s okay.
>> GEOFF HUSTON: Thanks. Good morning, good evening. In Australia, it is evening. Welcome. I am pleased to be here. Joao Damas and I have the unique opportunity to run I think the world’s largest measurement system. We have done so now for the last 10 years. We actually make between 10 and 20 million measurements each and every day. They use online advertisements and like sort of everyone who gets them, if you script these advertisements, you can see the Internet the way everyone else sees the Internet, from the outside looking in.
So when we measure things like IPv6 and DNSSEC and RPKI, which I will talk about in the next four minutes and 50 seconds, what we’re looking at is how users see it. Not what network operators see. Not what infrastructure operators see, but how the network itself is seen by users. Next slide.
So here is an awfully big graph. It encompasses five‑odd years. It is looking at the uptake of IPv6. Eight years, actually, since 2012. It has been a long and very slow picture for many, many years. Since 2012 – which I think was the time of IPv6 date, uptake was still 1%. It has only been in the last three or four years we have seen concerted industry effort across all parts of the world. There were some leading efforts in Belgium initially, and in some areas of France. But then it was Japan, then the United States, and more recently, massive amounts of movement in China and India.
Today, it is quite an achievement, 25% of the Internet user base, if they are given an IPv6 URL, they will manage to retrieve it. Next slide, please.
How about Europe? No. Just a little bit down. Around 20% of Europe’s user base have IPv6 today. So in some ways, Europe has been a much more steadier and slower adoption pace, but it is also relatively small. Next slide.
The impression is that that 20% is everywhere. It’s not. What we actually find – it is typical of many of the new technologies, is that the uptake is extremely diverse. Germany, stunning, bright green. A lot of IPv6 there. The same in Greece. Sort of the next tier, we see Finland, the United Kingdom, Portugal, and – oh, you’re stressing my geography here. I think it is Hungary. Someone will correct me if I am wrong in the second tier. And other countries without any IPv6 at all. It is different countries, different operators in different countries have entirely different motivations. We need to understand in some ways, it’s not uniform. Let’s move on and look at DNSSEC.
Now, this is a different view – oh, sorry. Here’s a list of countries. Belgium, well done. Moldova, less than well done. Lots of others in between. 61% at the highest rate to less than 7%, and that’s just the top 20 or so countries. So uptake is not uniform, we don’t all have the same sets of drivers for the uptake in new technologies. Next slide.
So the next one I want to look at is DNSSEC. I’m not looking at signing a zone. This isn’t the producer. This is the consumer. Will you go to a DNS if it is badly signed? If someone is trying to mislead you and send you to different DNS places that shouldn’t be there? This particular test offers the user a badly signed DNSSEC name and then she counts the number of folk that refuse to go there. That is badly signed. I’m not going there. This is around the last four years. I think the fascinating thing is the deep around 2017, 2018. Why did it go down?
Those of you who are involved in the role of the key signing key might actually see there is a correlation here. That there was a certain amount of fear and uncertainty over the outcomes of the key signing key and validating resolvers. Some operators felt quite nervous about this, rather than simply go she’ll be fine, actually turned it off for a little while. It is only in the last 18 months or so have we seen DNSSEC resume as deployment for validation. This is resolvers, not zones. This is consumers, not producers. Next slide.
Europe ahead. In DNSSEC terms, Europe is up 30%. What does that 30% mean? 30% of users in Europe will not go to a domain name if it cannot validate the DNSSEC signature. Those folk cannot be misled by badly or errant DNS. They will see and detect a lie in a signed domain. Again, what you even see is that this is rising. I should note in the last few months, when we have all been doing lockdown, when you think the network would be in spaces, make no change, the number keeps rising. We’re deploying DNSSEC and have been over the last few months and that trend of rising in Europe has certainly been going on for 18 months, which is fantastic. Next slide.
But again, it is not the same. It is diverse in every country. It is different countries. So up in the Scandic countries where there is little IPv6, there is a huge amount of DNSSEC validation. In United Kingdom IPv6 yes, DNSSEC no. Germany, much less DNSSEC than France. Oddly enough, it is the same but different diversity. Not everyone is doing the same thing, Greece big on IPv6 but not so much of DNSSEC validation. Not that ISPs do a lot, they tend to pick and choose. They tend to deploy technologies according to their timetables. Next slide, please.
So the last one here and we just started this, so this is a new measurement, by “just started” I mean around three weeks. Looking at the adoption of RPKI and throwing out routes that are not able to be validated, that are provably invalid routes.
So across the entire world, when we in this experiment set up a route that is obviously wrong, it has the wrong credentials, and folk that are doing RPKI filtering will not go there. That is 5.3% of the world. Even at this early stage, a fantastic number. Europe less so. 1.7%. Next slide, please.
Same picture. It is all rather bleak. No one is really excelling here. I do notice some countries and a different set including Russia at this point, sit behind the validation systems. RPKI is different from IPv6 and DNSSEC. It is not so much you as the transit network you are using. Sometimes you need to do nothing. If the transit network provider is doing RPKI, you are just fine.
This map doesn’t necessarily reflect where deployment is happening. But it does reflect where users sit behind areas of deployment of this kind of technology. Next slide, please. I’m about to come to the final few slides here.
Why? Why is everyone different? Back in the telephone system, everyone was doing the same thing all the time. That is what the ITU was about in some ways making sure we were all largely in lockstep in technology. What is going on here is actually quite different. We’re definitely not. I suspect it is because we’re market‑led. This is a deregulated and highly competitive environment. The rules are the rules of the market.
And because it is the rules of the market, there are many, many different players. And each of them have their own perspective on what leads them into various solutions.
And oddly enough, with enough diversity, every single approach will be explored sooner or later. Next slide, please. So as well as the market there comes the issue of planning. I worked in the telephone industry, and in 1987, there was so well prepared that they’re actually doing their IPv6 – the year 2000 transition plan in 1987.
This industry doesn’t look forward. It really, really doesn’t. I don’t think anyone remembers the plans they had 10 years ago. I don’t think I even remember the plans I had five years ago. So when you get long‑term transitions that actually require cohesion and planning over many, many years, we forget it. Because the market works in much, much shorter time frames. Quarter by quarter.
So this industry works by quarter by quarter. Decisions are made, implemented or forgotten. No long‑term planning. Next slide.
Last but not least, it is not the Internet we knew. It keeps on changing. We are a CDN feeder network. Content data comes across to local exchanges, goes out to server cones and the Internet is the last mile of network. Transit is dead. This is a different Internet from the Internet of the ’80s, the ’90s, or even the ’00. We keep changing the architecture. Technology changes in response to that.
Why don’t we do uniform adoption of technology? Why is this discussion about we should do X, Y, IPv6 or DNSSEC when oddly enough we’re all diverse, we have very different motivations, don’t do long‑term planning and the architecture keeps on changing. So what is going on?
Next slide. Maybe the folk who aren’t adopting have really good reasons. IPv6 is old. It is really old. It is actually a 1990 solution to a 1980s problem that does not exist anymore. We have been running the network over network address translators for more than 10 years. We’re really good at it. We don’t need to uniquely address every device. Some security folk would argue that is the wrong thing to do anyway. The addressing plant we used in the 1980s doesn’t actually answer a current problem. Maybe IPv6 was a good solution then, but it is not clear it is the right solution now. It is not today’s answer.
And what about DNSSEC? Well, oddly enough it is only implemented in the middle not at the edge. You, your machine, your laptop, my laptop, my machine, none of us do validation. Oddly enough, if we pushed validation to the edge of the network, actually the DNS will break. When we tried to do this with an alternative technology for security called DANE which did validation at the edge, it was so slow, everyone stopped using it. Because things have to be fast. It is a millisecond world.
If we try to do validation at the edge with DNSSEC, you don’t live that long. What about RPKI route origin validation? That is a mouthful. The issue is it is only half the solution. The emperor still has no clothes I can still hijack your route. It only makes it slightly harder for the attacker. It is actually not a defense, it is a placebo. It is hard to actually understand why we should invest a whole bunch of effort into a solution that only half works.
So part of this diversity is that it is not the folk who haven’t done it, are missing data, are missing information, are doing something wrong. There are reasons why people adopt, and there are reasons why people wait. And in this very diverse market we have, we are going to keep on seeing all kinds of solutions out there. Perhaps it is too much to hope for that we all march in lockstep these days. We are going to continue to see a diversity of technology, in my view. Thank you very much.
>> MODERATOR: So, thank you, Geoff. And up next, Wout. Can you take over?
>> WOUT DE NATRIS: Yes, I can.
>> MODERATOR: I have your slides here.
>> WOUT DE NATRIS: I can see them, thank you very much. Welcome, everybody, to this workshop that I helped organize. My name is Wout De Natris I run a consultancy with my own name and specialize in Internet governance on a global level. In such a capacity I worked last year with the Internet Governance Forum to write a report on the reasons behind the slow adoption of Internet standards and ICT best practices and standards. It was wider than just Internet standards.
As my own motivation, I think about 23 years ago, I entered the Internet for the first time, very soon I started to be surprised by the lack of security and incidents that happened. And then I entered the spam enforcement and my challenges were even bigger where the Internet is concerned. We’re still looking at the same sort of problems today.
The study went into the reasons behind the slow adoption or nonadoption of certain standards. And it came up with fairly obvious results. Many people answered the question: Why is this slow adoption? They said there is no business case. There is no demand and there is no supply.
But looking behind that most obvious answer, we found out that there is almost no pressure on the people deciding on whether standards are deployed or not. And that makes it a nontechnical question. And most people do not participate in this discussion because it is seen as highly technical.
And the reasons for nonadoption may be less technical than some people perceive. So what we wound up with is that it is a collective action problem. No one benefits from looking at adopting the standards first. It is even a negative where profits are concerned because you have made less profits than the people that do not deploy. So if that is the case, we came up with – you can see the front of the report in front of you. So we can go to the next slide, please.
We looked at how to proceed. And that gives a much more diverse picture than otherwise. Because the recommendations are – if we can go to the next slide also. Thank you. The recommendations are very obvious. You have to create a business case. We have to get ICT security into education, where there is too much lacking, apparently. Et cetera.
But how to make that happen, because the recommendations are as I say, fairly obvious. But the happening is not so easy. We’re discussing this topic for over 20 years, and it is not as if it has changed a lot. And the focus is mainly on the technical level. People asking the technical level, are you able to deploy. They say yes or no and they get a course on how to deploy – sorry. But then they often hear well, we’re not going to do that, because it costs too much money and we’ll lose too much money like Geoff said on the quarter to quarter basis. We looked at the identification of pressure points – I am not going to sum them all up. They’re 25 of them.
The most obvious one that most people answered is just put it into law and everybody has to do it. And almost 100% said we do not want a law. In my opinion, it is not necessary to have a new law. In the first place, there are current laws. So that means regulation could perhaps look at topics like duty to care. Or look at specific specifications on a technical level. Look at consumer protection to see if that can be done. And I will come with two or three examples later.
Other ones, consumer advocates could do specific testing on the lack of certain standards or ICT security in products. We see some examples happening already. Having little red flags besides your product also means that quite obviously, you are scoring more negative than others. In the media, there could be more attention for the topic like this. Parliamentarians can ask awkward questions to industry when they’re lobbied by industry on a topic like ICT and Internet.
It could become part of the education curricula so the children leave the vocational training at universities know about architectural entity, and how to build for example, a website. If you don’t know how to make a website safe you will only look at the beautiful buttons on the website and never what is behind it. Industries in Government can go into procurement. There are excellent examples in the world on how the companies can be pushed into more security through procurement.
So are things changing at this point? Yes, there are excellent examples in the world that you can find in the report. Also very currently, Amazon was taken to court recently in Germany over not having the TLS standard deployed by privacy advocates. There is a duty to care court case that came by yesterday – so I haven’t had time to explore it really, but a company was fined that they did not secure the company, despite the company saying I don’t want you to build a secure product for me. They should have said, according to the judge, you should have not taken this customer on because you’re not fulfilling your duty of care. A major incident here in the Netherlands that happened early this week is that the safety environmental and health institution that is monitoring the COVID‑19 crisis here and asking people to put in all sort of private data through their website, the first simple test of the website proved it to be completely open to the whole world.
So in other words, Government at the vital points are making these mistakes. It is makes on the side of the organization, they have no clue what Internet security is, but also the people who have built the website for them apparently have no clue because it is still not repaired after six days.
So in other words, that is something of a crisis of confidence. How do we proceed? With the Internet Governance Forum, the proposal has been to start a policy track on this topic, to make sure that all sort of stakeholders who are not participating in the discussions like this on a general basis, like regulators, consumer advocates, like privacy but also decision‑makers at a higher level in industry start to participate in this topic and come up with policy suggestions that can be taken up elsewhere in the world.
And this proposal is being discussed, hopefully next week in the multistakeholder advisory group of the IGF and it is in need of support. Because if it does not happen, I do not personally see another institution in the world that is able to take on a discussion with all stakeholders involved. And it is about try ago there are some up on end. It is about trying a different direction to get the Internet standards deployed in a fast way and leaving behind what we have been trying to do in the past 20 years without too much success.
So that is something – a call for support for this work to be continued as is obviously is very important to every single individual Internet user in the world. But also on the way the world can develop further in a more secure environment. I will leave it at that. Thank you for the opportunity, Andre, to present.
>> MODERATOR: Okay. Thank you very much, Wout. And Wout is of course part of the Organization Team for this workshop.
At this point, let’s – by the way, I did add the link to the paper in the chat. It is also available on the wiki page, as well as many other links on the wiki page, also available for other kind of technologies as well.
So at this point, let’s review the list of technologies and give the floor to people, starting with our invited speakers, first.
So let’s start this in the order that we see in the wiki. And no particular order. But maybe if Caroline, would you like to start?
>> CAROLINE GREER: Sure. Thanks very much, and this introduction was extremely helpful. I come from a public policy background, so I still find myself learning a lot from technical presenters on these matters.
So I’m representing Cloudflare. Cloudflare for those that don’t know our company, we’re a cybersecurity company. And our mission is to help build a better Internet, make it a more secure and private Internet. So in general, we are very quick adopters of Internet standards and protocols. Particularly if they are in furtherance of that mission to help build a better, more secure Internet. So I think, you know, all the standards that we see here, I must confess WCAG, I’m not sure, but certainly the others we have jumped on quickly.
Our goal as a company is to make it ridiculously easy for our customers to transition to these protocols. We typically provide free supports for all of them. So just looking at that list, I mean IPv6 we have had full support for that for our customers from 2012. DNSSEC we have been deploying since 2015. We integrated that with our domain name registrar product and HTTPS, yes, automatic support for our customers through SSL certs. And there are many others. Some we haven’t discussed this morning, such as TLS1.3, which we given to customers since 2016. DoH, DOT, pretty much, you name it, we adopted it. Yeah, I think it is an interesting conversation to what are the drivers to help industry adopt these protocols and standards.
I mean RPKI is a big interest area for us. So in 2018, we decided to take on a leadership role and to help secure BGP routine. We did that because we believe network operators need to take a different mind‑set toward BGP security. RPKI is certainly one step in the path towards doing that. Reflecting, I think Geoff’s comments, possibly in the chat, you know, it is just one step. Not the full solution. But we would really push for providers, in particular, to adopt this standard.
We have blogged comprehensively about this, and the risks of BGP leaks, hi‑jacking, and in particular, would point you to a blog that we did last summer, where we discussed the impact of our friends at Verizon not having deployed RPKI. There is an impact on the whole ecosystem of a large decision or not to take on RPKI. It is the angle we come from.
It is not naming it directly at providers but given there is a cascading effect on the whole ecosystem of not adopting this, assigning the route, it is problematic.
I would sort of agree that regulation is perhaps not the right route here. I mean, we would really try to work through industry Coalitions, industry groups to encourage that take up. And sometimes we don’t frankly understand why there is such resistance. It could be, you know, there is no ROI on this or it requires engineering work. You know, it is somewhat down the list for some companies.
But we did, we sort of stepped up a little bit on RPKI with a campaign that we launched in April of this year where we launched a website called isBGPsafeyet.com. You can test whether your ISP has deployed RPKI. That might seem like an aggressive campaign, but we have been pushing this for two years and we haven’t seen the progress we would like to see on that. For us, the Internet is too vital for all of us.
Okay. This campaign was launched during a pandemic, and there was criticism from the community as to why we did that when we did, but, you know, if anything, we saw that the Internet was more vital to all of us during the time of the pandemic, and Internet security is an ongoing permanent issue.
I will say from that campaign we did see an increase, particularly in the first week of that campaign. It was a single‑digit percentage increase based on previous weeks. We did see a rise. We have been very constructive and encouraging conversations with providers. And, you know, we would like to help. We’re there. The code is open source. It is all out there. Definitely appreciate this, time. We’re in this together. This is a shared challenge we need to confront together.
That is why we launched that particular campaign. So yeah, maybe I will stop there. Hopefully that is helpful. I am happy to take any questions or continue the discussion on some other standards.
>> MODERATOR: Thank you very much, Caroline. Before we move on to the next speaker, let me just mention that both you and everyone will be able to come back and answer any follow‑up questions. So the idea here is to keep all of these as short as possible so that each person has more than one turn at this.
So I have a lot of questions here in the chat. Some of them have been answered. But because half of these have been addressed by either the key participants or all the Org Team in a bit, after we go through a few more speakers, I will let them discuss this over the audio and video as well.
So coming up, let’s see if Joao is available.
>> JOAO DAMAS: Yes, I’m here. If the question we are having in this workshop is why do standards get adopted or not, I think in the end, it is all down to the economy. Whether the economy is wanting to adopt them or not adopting them. So you see these people perform risk benefit analysis. I think about already mentioned something with that. There is no – generally no incentive for someone to be the first. So there is always a little bit of reticence of adopting something if you are going to incur expenses that don’t provide you with profits.
But sometimes it is not only that, sometimes it is that the expense and benefit are not aligned. Maybe I have to incur an expense so you get some benefit. In that case, within the dynamic agent, I don’t think that will happen. Because why would I? Why would I spend money so that you can benefit? Why you see this in many standards. I mean, the ones we are talking about, the problem is like IPv6 still costs money that you can do without right now, mostly. So what’s the case? Yes, there are solutions. There are solutions that are increasingly complicated. Eventually, I think the cost and complexity of the new solutions will make it that IPv6 might be worth people’s while.
But it’s not a matter of trying to push and convince people. People know what they’re doing in their business. The ones that don’t they simply disappear. So DNSSEC for instance, is another one. There is still a perception that you are more properly protected by the use of TLS in websites than you are by DNSSEC. Because traditional DNS is something you don’t see. It works behind the scenes. You type the URL, you get a website. All the machinery set in motion between those two events, most people don’t see. DNS is certainly part of that. How do you incentivize that? Hard. I think there – the RPKI, RPKI has a fundamental problem, from my IPv4. It’s that – it not a security mechanism, it is a safety mechanism.
In some languages, that translates to the same work. Like Latin languages, you use typically the same word for both concepts but they’re different concepts.
English thankfully splits them. It is mostly today a safety mechanism against mistakes that you made yourself. So like – because it is easy to bypass. If an attacker wants to bypass it, he will be able to fairly easily bypass it. It is mainly you protecting yourself against mistakes with the operations. The problem with the safety mechanisms is like, is it more likely to incur mistakes by adding complexity layers than it is – that they already occur in the normal operations? Am I more likely to suffer from problems of introducing another layer of technology than by making sure as I can that my people won’t make mistakes? It is hard to tell. You have to look at the risks and benefits of any of these things, especially because none of this by itself is a universal solution. And that’s why things develop at different paces and different places. Right? Public perception plays a role. If there is a fixation with some aspect of security, you might see more security mechanisms. In the absence of that, it is just life as normal.
People get mugged in the street just like they get their credit card stole on the Internet. Most of the time, it is because the website is actually the problem. Not the transport mechanisms that we used to reach the website. So it is not a unique answer, but at least not in the specifics, but in the generals, I think that is there, basically where the economy goes, technology goes. I think that’s all from me.
>> MODERATOR: Okay. Thank you very much Joao.
I see that the chat is very active. So yesterday and the day before, we have seen some sessions where there was a parallel discussion in the chats. I will try to make sure that I copy all of the content from the chat into the wiki page as well. [Background noises]
Okay. I am also interested to hear a bit about other stakeholders as well. So far we have discussed mostly technical problems and sometimes economical problems as well. But I’m also interested to understand the political problems. Arda, would you like to intervene at this point?
>> ARDA GERKENS: Yes, sure. Thank you. I wasn’t in the meeting in the beginning, I had problem to get in. I listened to all of it. I have been there all the time. Just to let you know.
>> MODERATOR: Common issue. No worries.
>> ARDA GERKENS: Let’s try to view this from the point of view of a politician. Sometimes I feel like I am repeating myself in the discussion when it comes to politics and IPv6.
The thing is that you don’t have politicians with knowledge about the subject. You might encounter a politician with a little knowledge or a little more. Most of it they don’t have any knowledge at all. Looking at the Dutch Parliament, 225 people in both parliaments. I think maybe three or four of them have any ICT knowledge. Then we don’t even talk about the technical situation.
It is not a sexy subject. Even if we talk about privacy, security, all the time to go to this what we would as politicians see as a minor situation, to talk about the standards, it is not sexy at all. Actually what you have is a marketing problem. You can dive into all the technical situations, why do we need IPv6? Why do we need DNSSEC? I think already also I think in the report of Wout, we stressed that there are much more actors to make sure we have security everywhere. For instance, in education, like Wout said, the example of the website on COVID‑19, which was built without any basic security shows how that knowledge is lacking on the people who need to have that.
But we as politicians are not going to solve that minor problem. What you actually have a marketing problem. I think the example of Cloudflare shows that once you start a campaign on why is the security so important and what does it do to you as a consumer, that might help.
I will give you an example, and then we had a campaign. That campaign was made from the banking, the financial sector. The banks had a campaign that said three times knocking. You have to knock three times. They had three checks you had to do before you go to your bank on the website. So is it secure? Do you have your lock? Is there – well, it is three checks and balances you can do before you would enter.
And that really helps. You can see people thinking now, okay, I have to check before I move on. I don’t think people or the public will start asking for this security elements. I must say, I was triggered by something that was said by one of the speakers before who said that is a market‑driven market. Yes.
So it is – I think they have indeed a short‑term policy. And I would like to compare it with another job that I am doing. I am the managing Director of the Dutch hotline on child sexual abuse material. Actually, you have the same problem over there. The majority of the hosters don’t really want child sexual abuse material on their website or Internet, but you know as long as there is no incentive or pressure from outside, they will not really work hard to get it done. Because it takes time to get it down.
It takes time to implement tools. It takes money sometimes. So once you start pressuring them with legislation, or maybe fines, or with more regulations, then they start to wake up. If you offer them easy tools – which I think that they are already there – they will run on the subject.
I think politicians should actually put more legislation on there. And Netherlands we have had good examples of policies made, but there was no consequences to the policies. If you didn’t implement them, nothing really happened. Well, we had at that point a minister who had very good guidelines, very good policy, but we had workers who didn’t even know that policy existed because there was no consequence to it.
I think basically what I would advise to you is get a marketer to translate your problem and the consequences for the Internet to the politicians. Please, stop all the technical talking. Because I can see already now you would – you know, discuss amongst each other on one side why it is necessary to implement them. And on the other side, why one is better than the other and what is technically hampering them. As a politician, that you know, really turns me off. I don’t want to know about that. I want to know about the importance.
If I make one last comparison. It is like a car. At one point, we decided everybody should have the security belts. Everybody knows we should wear one, still we don’t do it all the time. Which is stupid, it could kill me if I don’t. It is the fine that makes me put that thing on because otherwise it will cost me a lot of money. I as a consumer don’t have what standards they have. They have standards, they’re tested every year in the way I bring my car to the check for the annual check. But I don’t know what the standards are. I don’t care. That is for the industry.
So I think that’s a good comparison for you to start with and get some marketers out there, like Cloudflare did. I think that might get us somewhere. Thank you.
>> MODERATOR: Thank you very much. You made some very good points. Let me just say that in my country, some of the standards were actually adopted at the Government level, so they determined that all public institutions needed to comply with certain things, in this case, I’m referring to the WCAG, the accessibility guidelines.
Would you feel that those specifically, which are actually not that technical. These are more like practical. Same way as putting signs on the door or fire signs or something like that. Would that be something that you would feel reasonable to force on private companies as well?
>> ARDA GERKENS: I think the word “force” is the keyword. We have the same thing. We have the guidelines. I tell you, a couple of years ago, one of our bigger cities, they built a new website. Cost about 20 thousand euros. They didn’t follow those guidelines. That is a public organization. That is just crazy. So yes, we have all those guidelines, but if it we don’t force them to use them or fine people if they don’t use them, I don’t think we’ll ever get there. So you need to have something to – you need to have a consequence.
I think is it a good thing if you put it into your policies as a Government, that once you have a new project, then it needs to follow these guidelines. But again, if it doesn’t, if there are no consequences when you do it, you know, we have the guidelines and there are people still not following it.
>> MODERATOR: Thank you. Let me mention you brought up another interesting example. You know, I’m young, I still look very young. I got my driver’s license in the ’90s. And at the time, it was already 10 years since there was a mandatory seat belt, you know, obligation. So I’ve always used a seat belt. Sometimes when I use a car without the seat belt just to drive it for a bit, it feels very uncomfortable not to wear it because you feel something is missing.
With regards to this, I have a video. Let me set this up. There was the Safer Internet Day here in Portugal. A few companies, one of them was our National Guard, but also companies like Microsoft, others decided to do this. They had something between 500 and 1,000 kids. So just in the workshop that we did for safety, actually hacking, but let’s not get into that at this moment, we had 500 kids just understanding the problems with security.
And in one of those cases, this was the result. So in the beginning, there was no sound, but you do have subtitles. Okay?
>> MODERATOR: Okay. The video was quite simple. When I saw this, this was very nice to see. This goes to the example you mentioned which is about the seat belt. In this case, someone this young – I’m not sure if you were able to hear the sound correctly. But I believe the subtitles worked. The sound was – this was actually very interesting for her to say this.
Because kids from an early age can see the browser and they immediately understand if something is green that that is good. If something is red, that means. It is bad. So in that scenario, we can understand that normal people not I.T. people do have some understanding about things like security, maybe other things as well. And maybe also people can interact and with providers and request that they guarantee some of the things like make sure everyone uses HTTPS and a lot of companies in Portugal wouldn’t use it until recently. So people complained, hopefully not bands or anything like that.
This is a video I wanted to bring up to spark debate as well. So if this is okay, maybe we can go on to the next – with the next victim. Which is Wido. Are you around?
>> WIDO POTTERS: I’m around.
>> MODERATOR: Please join us.
>> WIDO POTTERS: Well, I want to confirm what Joao said, with part of what he said about economics, where it is vital for adoption of standards, at least in the private sector.
I do have to disagree with what he said on RPKI that it only protects you for your own mistakes. That is not true, it protects you from routing mistakes others make. It will only partially protect you from malicious actors. But still it doesn’t only protect you from your own mistakes but also mistakes others make.
I believe that a large part of the routing issues that we see on the Internet are mistakes. Almost mistakes and are not malicious actors being active there.
I’m from Netherlands as well. And Arda said that there is a comply or explain obligation for Governments when they do something on the for all of the standards. I do have to agree with her as well, it should have consequences, for the Governments when they do not strictly follow this policy.
To give an example, I work for a provider hosting an access provider where we have been adopting all of the standards for years. So this full list and more, all of them have been adopted by our company. And what I see is that when I talk to Governments or when I sent them a quote or something when they have like a public offers or a public – I’m sorry, I’m looking for the English word for it. When they ask private companies to send them an offer for something they want to buy or a service they want to take from this Internet company is that this policy is there to comply or explain, but it is very, very easy for them to not follow up on this policy.
I believe stricter monitoring of following this policy is really necessary and it does not only cover it when having this policy. Actually, very interesting. I see the same type of incentive or the same type of behavior in a private company or partly private company, the Dutch registry, which is the responsible for the [?] they have an incentive for the registrar to adopt standards as well. So if you buy a domain from them, and you implement all of those standards, you will get a discount on the price of the domain. Which has been very useful for the implementation of the DNSSEC on the domain names. They started for IPv6 and email standards, et cetera. It has been a real success for at least the content side on the Internet in adoption of standards on the content side of the Internet in the Netherlands. They spent lots of money on this.
At the same time, I see it happens quite often that they have to buy services or goods, and they decide to buy them from companies that do not follow up on the standards. There are other issues more important for them. And I think that when you have such a policy within your company or within your Government that you should be strict on it. Do not make it a wish, but demand for it.
And if the supplier cannot offer these standards, then it just doesn’t cut it. It is just not good enough then. So yeah. That’s what I would like to suggest to the audience. Yeah.
>> MODERATOR: Thank you very much. So next up although for technical reasons we cannot have Paul van den Berg here today, from the Dutch Government, we do have Martin William from Microsoft, if you would like to take the floor.
>> MARTIN: Can you hear me? I short perspective of the vendor. Microsoft. We have been evaluating whether we would use DNSSEC and they in our email systems. Basically on the same reason and other big email vendor said, well, there are some challenges with DNSSEC, one of the main challenges was the low adoption rate. And for DNSSEC to be successful, both the sender and receiver need to implement the protocols, otherwise you basically fall back to unprotected DNSSEC.
So at that time, many years ago, we thought, well, if we are still dependent on both parties, let’s at least try to figure out a system where we can protect our users without that dependency on DNSSEC and without dependency like senders and receivers like other vendors were using.
Interestingly enough, adoption grew. Then actually, basically, I think [?] would have been talking about that also, Paul would have talked about that also. Based on several examples in the Dutch Government that basically mandated or tried to supply the explain list for the protocols. We said it may be interesting to see if we implement this and what the use cases would be.
A further approach in there is also the Dutch Government basically made it mandatory for itself, basically, to set an example through the market and through other organizations about implementation of the standards.
And based on that approach, and based on that feedback, and also growing feedback from other organizations, other countries, other customers, we said let’s see what it takes to implement the DNS DNSSEC in our system. You don’t flip that switch over one nighttime. Especially if you process many hundreds of billions of emails each month. You have a large system, you have available challenges there. You have other challenges to cover. That takes time. Interestingly, we heard a lot of speakers about the pro and cons of DNSSEC and why you would or would not adopt it. Interestingly enough our own security people at first instance were hesitant whereas normally if engineering proposing to implement a new security standard they’re always in favor of it.
Concerning DNSSEC there were hesitations. Indeed if you look on the Internet you see a lot of website that publish a lot of issues customers have or down time issues that organizations have after implementing DNSSEC.
So we were warned in a way. But still, we see a rise in adoption. We do still see more experiences and we work a lot with standard parties within the Netherlands. I think there is also someone from them also joining here. Who basically also explained about the maturity, increasing maturity, and pitfalls. That also helps, collaborating with the sets available from different institutions and organizations. Basically participating there, during some sort of partnership.
Still, it is going to take time. We have to figure out performance. We have to figure out SLA, we have to figure out technologies like key rotation, all sort of things that make it difficult or challenging to do this at huge scale, because that is what we’re talking about.
Of course, there is also something like customer choice. It is interesting. For example, what would you do if we send an email and try to protect it using DNSSEC again, and the receiver doesn’t support it? What does our user want to do? Do we drop that mail? Do we keep that in a queue? But you may be understand that if you have to keep millions of emails in a queue, well, we may have to double down of our data center capacity there. There are a lot of policy decisions we have to make.
But still, we have now agreed to basically implement this. It will take some time. But it is interesting to see all of the forces in play in there. So both from a political side and pressure that actually works. But also increasing maturity, also the partnership. And I think that collaboration works in driving this and driving all the protocols towards a more common implementation scenario.
>> MODERATOR: Thank you very much, Martin. So in the screen, I actually added some of the feedback that people can have and request features. This was about four years before this was really started. Ironically you are probably familiar with this name. Ha‑ha.
But one of the interesting things I notice here are the number of votes. There aren’t that many votes here. If you go to this one for DNSSEC. Previous one was IPv6. This actually has 4,500 votes and it is still under review. So yes, the actual need for DNSSEC, especially because a lot of academic institutions all over the world, et cetera, do insist a lot of DNSSEC, and there are some positive and negative things about all of this, of course. But it seems at least from this perception that people require DNSSEC more than IPv6, which is something that I would not expect at first glance.
Anyway, let’s open up the floor now to everyone. And before we do that, let’s go to our remote moderator. Let’s talk to Lillian and see if there is any questions you would like to ask. Then we’ll get someone to answer those questions. So Lillian, are you around? Okay.
>> LILLIAN: Thank you Andre.
>> MODERATOR: Oh, okay. You’re with some feedback, but let’s try it anyway. No worries, this is normal in this scenario.
>> LILLIAN: Thank you, Andre. [Feedback]
>> MODERATOR: Feel free to try to speak. Maybe turn off your audio and just speak the question.
>> LILLIAN: Okay, can you hear me now? Perfect, great, we had a slight technical issue. While there are plenty of questions on the chat, I think most of them have been answered already. I have one of the latest questions was from Eduardo. And he said some countries in Europe have a good IPv6 adoption rate but some have the delivery networks that don’t fully support it so Telecos are doing a better job than content providers.
>> MODERATOR: Okay. So who would like to take the floor on this? Feel free to unmute yourselves and just speak.
>> WIDO POTTERS: I would like to say something about this.
>> MODERATOR: Wido, yes.
>> WIDO POTTERS: Yeah. Well, I think that the biggest difference is that in Europe, in most countries, I think 90% of the market is divided among two or three or maybe four telecom operators.
Therefore, when two or three of them – of these access providers implement IPv6, then the result is highly visible and – well, the example is Belgium where the two largest Teleco operators having implemented IPv6 and it shows in their statistics or in the statistics of course. And the content – on the content provider market, there are a lot more players there. And I think that’s one of the reasons why we see on the exit side so many differences between the countries. I think that on the content market, the percentages are more – are in the same range, compared to the access market.
I think that on the content side, actually numbers look quite good. But I don’t have numbers here available at this moment. But what I see in the Netherlands is that there is quite a content available offer for IPv6.
>> MODERATOR: Okay. Thank you.
>> GEOFF HUSTON: Can I make a quick comment here.
>> MODERATOR: Yes, Geoff, go ahead.
>> GEOFF HUSTON: If you refer back to the map I did of IPv6 deployment, and I noticed Spain and Italy, for example, had very low levels. A content provider is actually protocol agnostic. They just want to deliver the content. They take a pragmatic view. They use whatever protocol they need for complete coverage. In Spain it is pretty sure a content provider would be delivering most of its content over IPv4. In Germany it is almost the opposite, because of the strong IPv6 base, they would deliver over IPv6. But I think it’s putting the cart before the horse to think that the content provider is going to change the market because they’re protocol agnostic, they really don’t care. Whatever protocol works is the protocol they use. You see the carrier market which is trying harder to distinguish itself from the competition has some diversity in IPv6 adoption because some carriers think it is a competitive edge. That may be the course. In the content world, no such market forces exist, they will go with whatever is available. That is perfectly reasonable from their point of view. Thank you.
>> MODERATOR: Thank you, Geoff. That is a good point. This is similar to the analogy of someone buying maybe a cell phone or something like that. They prefer green over blue or over red, but not really care about what’s the underlying technology in the cell phone.
So let’s see if we have.
>> JAN ZORZ: May I add something?
>> MODERATOR: Yes, Jan, join us.
>> JAN ZORZ: To be said on what is said on IPv6, what I am seeing lately is there is more new network operators that would like to build networks especially in rural parts, communities like this. They come in, they want to build a network and they go to IPPC and whatever RA are that. They ask for the address and the answer is no, you can’t get one IPv4 address before. You can get IPv6. But no IPv4. So for these people, it is not a question to deploy IPv6 or not. They actually – they don’t have – they don’t have other option. Because, usually when you start the network, you can do net for some time, but then the experience shows that keeping up with net and starting and trying to grow your ISP becomes cost prohibitive. Because category net is something that you need to have sort of like high availability on the Internet, two or three devices, the problem is where you put the net. The CGN, the place of putting the net.
Then it becomes cost prohibitive. This is not something that comes cheap. So people that we have – that put some thinking in it, run some numbers, they usually start with IPv6 and then try to put some translation devices in the core to actually accommodate the IPv4 traffic. In this way they have the exit strategy. Because more and more services on the Internet are deploying IPv6. This means more and more service, more and more traffic is actually going from IPv4 to IPv6 and this means interconnect no translation. That is how these people try to see the light at the end of the tunnel at the end of the day.
So it’s not just old ISP, not just content providers, we should also take into consideration new small guys that are trying to do something.
>> JOAO DAMAS: Can I add something to what Jan said?
>> MODERATOR: Please go ahead, Joao.
>> JOAO DAMAS: I want to make a shout out to your statement. I don’t think it is if you don’t have any IPv4 addresses. It is clearly a market, if CG net is too expensive, maybe you need to go to that market. Maybe that market is too expensive. Then you have a different issue. That is something that possibly politicians is interested in, large players trying to exclude smaller players from the market. That is not true that you have to use IPv6 as your only option.
>> JAN ZORZ: Usually it is cost prohibitive. The real world – I have been dealing in last couple of years, a lot with community networks and building community networks where you are basically building a network on a shoe string. It is cost prohibitive, believe me.
>> MODERATOR: Okay. So let’s now hear from Andrew.
>> ANDREW CAMPLING: Good morning at least where I am, good afternoon there. I want to pick up on a couple of points from the Zoom chat which attracted my attention and throw those in. One was a point raised by Simon and others in response to one of the points brought up earlier, is this idea that if in procurement requirements, particular standards were mandated, that would help.
I think the observation from the comments on the chat is there is no shortage of mandating of standards. The problem is in different countries, many different mandates and standards. There needs to be agreed a common list. If there isn’t a common list, it won’t drive behavior. That would seem like a fairly easy, nontechnical win to be done. And then the second point.
Again, this was in response to better marketing. I can’t see the chat comment now, I can’t remember who made it. Apologies. This was do we need – I mean, there are a widely recognized, widely marketing kite mark type system to cut through the detail, the complexity, the technology and just say, the equivalent of, you know, this is an approved seat belt, or this is an approved emission, friendly imagine. This is an – friendly engine and an approved set of standards to tell you the ISP, CDN or not a kite mark, but some kind of traffic system to tell you how secure. Something to really simplify this for the 99% of the population that don’t understand and don’t care about the techs. That is a bit on the great deal of comments on the chat that attracted my attention.
>> MODERATOR: Okay. Let’s open up the floor to anyone to request it. You can just unmute yourself and speak, if you would like.
Okay. No victims. Ha‑ha‑ha.
>> Andre, I had one comment which didn’t really come in. We have discussed about companies not necessarily having an incentive to adopt certain standards, but I think especially with respect to RPKI, there have been [?] that are worried to be in this country and lose out on business. Not only not getting benefits, but also the fact that they might lose business, that puts them off as well. I wanted to throw this in.
>> MODERATOR: So the economical side is probably one of the biggest reasons. I also see a similarly related reason as well. Which is about responsible.
One of the big Portuguese telecom companies have IPv6 implemented widely in all of the telecom company. But they did not deploy it because someone have to give the order to deploy it. It was not a technical problem. It was a bureaucracy or responsible problem, something like that. So that can also occur.
So anyone else would like to join in before we finish? Any final notes? Any final comments?
>> GEOFF HUSTON: This is Geoff here, Andre, can I make a quick comment?
>> MODERATOR: Of course. Go ahead.
>> GEOFF HUSTON: We put in the grab bag, HTTPS, IPv6 DNSSEC and RPKI. Oddly enough they’re all different. As a routing technology, the RPKI, it doesn’t matter at the edges, only matters in transit. HTTPS is actually not a transportation technology, it is what happens with content. And the trust systems behind it, again, have an entirely different deployment universe. IPv6 straddles content and carriage and both have to work at once. Well, DNSSEC, that is its own very special type of nightmare.
In some ways, the economic and mark dynamics of the new technologies, actually differ depending on the type of technology. We should be wary about saying, well, if we did one approach, it would all work. Oddly enough, the responses that we need from industry to move this Internet forward actually do need to be tailor driven against the type of technology you are dealing with. Mechanisms that might be effective in persuading folk that they really should get their toes wet in IPv6 are probably not the same as RPKI and definitely not the same as DNSSEC. When we craft into this “what do we do next”, be aware that the responses we need, need to be carefully thought through and tailored and styled for each particular technology we’re looking at.
>> MODERATOR: Thank you very much. Danesh would like to join in as well.
>> WOUT DE NATRIS: Andre, as well, can I make a comment?
>> MODERATOR: Go for Danesh, first. I will have you afterwards.
>> DENESH BHABUTA: Thank you, Andre. I think listening to the comments and coming to my initial thoughts as well. It seems to me to be quite clear that what we need to do is bring simplicity into this. There seem to be a lot of complex parts trying to work together and what we as the tech industry or as engineers or implementers think about is we don’t think – what we don’t think about is we don’t think about the end user. For me, this is all about the end user and because if it wasn’t for the end user we wouldn’t have the economy, we wouldn’t have the industry, the industry just wouldn’t survive without the end user being there. Because who are we selling to at the end of the day, the enterprise, the organizations and stuff, or even me as an individual. As far as I’m concerned about an individual, why do I care about IPv6? Why do I care about DNSSEC? Why do I care about RPKI? The thing is as an end user, I don’t care, but if there was some benefit to me, as in, oh, actually I could reach more, and more security here, oh, less attacks going on at server level, which means I don’t get hacked. There is simple messaging that we need to think about, in my view. If we think about the simple messaging, it is easier to sell to the end user. Not that the end user needs to know the technology behind it. Actually, here’s the benefit to you, first, making sure that your provider does X, Y, Zed and that way, if the provider if they build it, the people will come.
That’s it, really.
>> MODERATOR: Okay. So we have Wout just saying some quick final words.
>> WOUT DE NATRIS: Yes, thank you, Andre. Reflecting also on the workshop on Internet standards yesterday, I had a question in the chat about how we could engage the real hardcore technical people into this discussion, because as we noticed yesterday, it was impossible to get an IETF representative in the panel.
With the work I have been doing last year and early this year, it was impossible to get any engagement from ISOC and IETF. Apparently because I had two‑state actor‑oriented process. And as you can see, the idea was to absolutely not do that.
So the question we need to think about is: Do we necessarily have to include the hardcore technical people where adoption is concerned? And if so, how do we make sure that they get on board? So what are the criteria that they would be interested to participate in a discussion to actually make the standards that they create be deployed in a faster way. Thank you.
>> MODERATOR: Thank you very much. Let’s hand this over to Ilona Stadnik. And have a look at some of the messages from the session, and then just afterwards, we’ll give you some few seconds for anyone to intervene. Okay?
>> ILONA STADNIK: Okay. Hello, everybody. Can you hear me well?
>> MODERATOR: Yes, we can, please go ahead.
>> ILONA STADNIK: Okay, I’m Geneva Internet reporter, I will be here to provide key takeaways from the workshop and the full report later. Can I have at next slide, please. I ended up with three main takeaways. I hope we will find the rough consensus on them.
I let you know all the messages are subject to public comments. Stick to that update when the comment is open. The first message is pretty obvious. Several agreed on consensual Internet standards and protocols have been slow in deployment for decades.
The adoption is challenged with multiple factors, market incentives, unwillingness of tech community to make an effort, discrepancy between the efforts spent and the end result regarding safety and security of protocols. We need to create a pressure point in society to spur the deployment of standards. First, address the marking problem by making the security holes in the Internet transport layer visible to users through education. Second, carefully discuss political tools of pressure including legislation.
Over to you, Andre. Is there any objections in the audience?
>> MODERATOR: Okay. So far I have positive comments. I have difficulty understanding the term consensual standards. That is my fault. That is my fault. I used that as a consensual standards in a way that to distinguish them from things like DNS over HTTPS, something like that. But I do understand the work can be difficult. We can take this to the mailing list and come up with better words to describe these.
>> ILONA STADNIK: So I can leave the words in the text so far.
>> MODERATOR: No worries. We can discuss this later in the mailing list. So is everyone okay with the majority of the, you know, generic logic of the messages?
And by default, if no one says no, I would say that this is a yes.
>> I think there was a comment from Peter in the first bullet point where it has HTTPS IPv6 DNSSEC, RPKI, et cetera. Should be added.
>> MODERATOR: Yes, police, yes.
>> ILONA STADNIK: Okay I will add it.
>> MODERATOR: I didn’t see that one. Where was that?
>> Oh, sorry, it was not Peter.
>> WOUT DE NATRIS: This is Wout. The part on the legislation might take from the discussion could be it should be a last resort because we will lose a lot of participants if legislation is put up‑front in this way. But sort of a comment.
>> ILONA STADNIK: Okay.
>> MODERATOR: Please go ahead. Yes. Please go ahead.
>> ILONA STADNIK: So it says like carefully discuss political tools. So it’s a bit general recommendation. But you are free to comment on this further. It is not the final version of the key messages.
>> MODERATOR: So one final message, which is from Sam. All standards are not consensual, but in reality, if you go to technical discussions, this is never the case. But this is a different problem than for today.
So I think we are running a bit out of time. So I think that we can add some of the things which are in the chat. I will add the chat to the wiki page as well. At least the public part, of course. And hopefully I’ll get more feedback from anyone later on so that we can improve the exact words of the messages, and also anything else like adding a few links to the wiki page, if that is necessary.
So feel free to reach out, and we’ll try to sort that out. So we would want to thank everyone for being here. All of the key participants and all of the people in the Organization Team that did a lot of work in the last few months to make sure that this also happened.
I also want to thank our studio hosts and our remote moderator, and finally, I want to thank our reporter for handling this as well. And last but not least I want to thank Polina for being the subject matter expert and also taking part and making sure everything was okay.
So thank you all for being here. I hope you have an amazing rest of EuroDIG, and we’ll see each other over the Internet as well. Okay? So thank you very much, everyone.
>> HOST: Thank you, everyone. Just a quick note.
>> MODERATOR: Please go ahead.
>> HOST: Yeah. This room will stay open over the lunch break, you can use it to exchange. We will have some amendments to participate in if you would like to. We can also make it a talking space where you can unmute yourselves. Just let me know. I’ll be here for your networking needs.
Otherwise, I wish you a wonderful lunch break. We will resume here in this room at 2:30 Central European Time with the next session on universal acceptance.
>> MODERATOR: Okay. Thank you, again, everyone. I’m really sorry we’re not there in person to actually eat lunch and all of the good food we usually get at these meetings. But thank you all. See you soon.
>> Thank you very much.
>> Thank you.
>> Bye‑bye all. Have a good day.
Chat log from the session is also available in the Discussion page.
The list below included only some Standards, including respective case studies and comments.
- Unsuccessful adoption for the majority of websites (1994 - 2018). Exceptions: e-government, e-commerce, e-banking, etc.;
- Successful: In 2018 Google "forced" adoption by downgrading the ranking of site inaccessible by HTTPS ( https://en.wikipedia.org/wiki/HTTPS#History );
- LetsEncrypt innitiative also helped!
- All browsers quickly supported HTTPS (several encryption protocols existed and most supported quickly - the famous green/red address bar), but website creators didn't support it;
- Some companies have IT policies forcing HTTPS only (no insecure HTTP traffic allowed except redirects);
- Rights and privacy organisations have supported using HTTPS;
- Some governments have legislated forcing HTTPS (NL - see further links below), while others insist on low encryption (justifying the need to for law enforcement to detect criminal and terrorist activities);
- Further links:
- 1990s work, RFC published in 1998 ( https://tools.ietf.org/html/rfc2460 ). Academic adoption by many NRENs in mid 2000s decade;
- Most commercial providers mostly didn't adopt IPv6 yet;
- Most companies don't care about not having IPv6 until it becomes a problem;
- IPv6 adoption has been promoted by academia, NREN and niche companies (not too much luck spreading to the overall community);
- NL registy has an incentives programme: https://www.sidn.nl/en/news-and-blogs/registrar-scorecard-yields-great-results
- Any governments legislated forcing HTTPS?
- Facebook claims to have IPv6 only (not dual-stack) internal datacentres;
- Current global adoption is around 30%. Depending on the country, from 0% to 58%. In Europe, top are Belgium with 55% followed by Germany. Bottom are Spain, Italy, Denmark, Sweden, all with less than 5%.
- Further info:
- Cloud providers are also not very advanced on this...
- Microsoft Azure has multiple requests to support IPv6 for the last 5+ years, but only around 2019-09 have they really started implementing IPv6. "General Availability" of IPv6 in Virtual Networks dates 2020-04-01 (not a joke! https://azure.microsoft.com/en-in/updates/ipv6-for-azure-virtual-network-is-now-generally-available-2/ ), but not services support it yet, especially serious when they have public IPs;
- https://feedback.azure.com/forums/217313-networking/suggestions/8399100-make-all-services-available-with-ipv6-addresses - Started being handled 4 years later;
- Microsoft Azure deployment in NL didn't meet requirements? (also for DNSSEC);
- History: 1995 - 2005 (insecure). Slow gradual adoption for the next 10 years (?) mostly by TLDs. At present time, most TLDs except in Africa have DNSSEC ( https://www.internetsociety.org/deploy360/dnssec/maps/at ), but most providers don't yet sign the domains they host;
- Case studies:
- Microsoft has multiple requests to support DNSSEC since at least 2016, but haven't started yet ( https://feedback.azure.com/forums/217313-networking/suggestions/13284393-azure-dns-needs-dnssec-support )
- Microsoft Azure deployment in NL didn't meet requirements? (also for DNSSEC)
- Further Links
- Securing BGP with X.509 PKI certificates to prevent route hijacking (RFCs 6481 to 6495 date from 2012-02);
- Case studies:
- Further links:
- WCAG 1.0 (1999) were made into LAW in some countries. In 2007 in Portugal, WCAG 1.0 became mandatory for any websites by public institutions (https://dre.pt/home/-/dre/642547/details/maximized ) and WCAG 2.0 became mandatory in 2012 (https://dre.pt/pesquisa/-/search/191863/details/maximized ). Still, not all public institutions enforced it, and a lot of website providers claiming the sites were WCAG accessible, while they were not;
- Mostly ignored by decision makers;
- Some governments legislated forcing WCAG for public sector. Maybe also for private sector?
- DoH/DoT have privacy and other issues
- Future (not now): https://www.huawei.com/en/industry-insights/innovation/new-ip
- Generic info
- RFC 5218 "What Makes for a Successful Protocol?"
- https://www.forumstandaardisatie.nl/sites/default/files/BFS/4-basisinformatie/publicaties/Ondersteunend/Handreiking_Governance_of_Open_Standards.pdf - A guide for CIO's on the the governance of standards