IGF 2023 WS #339 Increasing routing security globally through cooperation

Tuesday, 10th October, 2023 (06:15 UTC) - Tuesday, 10th October, 2023 (07:45 UTC)
WS 1 – Annex Hall 1

Organizer 1: Bastiaan Goslings, RIPE NCC
Organizer 2: Chafic Chaya, 🔒

Speaker 1: Benjamin W. Broersma, Government, Western European and Others Group (WEOG)
Speaker 2: Katsuyasu Toyama, Private Sector, Asia-Pacific Group
Speaker 3: Lauren Crean, Intergovernmental Organization, Intergovernmental Organization


Bastiaan Goslings, Technical Community, Western European and Others Group (WEOG)

Online Moderator

Chafic Chaya, Technical Community, Western European and Others Group (WEOG)


Gergana Petrova, Technical Community, Western European and Others Group (WEOG)


Panel - 90 Min

Policy Question(s)

As routing is fundamental to the functioning of the Internet, so is its security. Numerous reports have been published, analysing routing incidents, risks involved if security is not improved, and recommending tools to increase the overall adoption of routing security techniques like RPKI. - What do we need in practical terms to increase the adoption of RPKI, what is the role of different stakeholder groups? - What are underlying reasons for lacking adoption, do these differ regionally and if so why? - What is required in terms of outreach, education, as well as regulatory and economic incentives to increase adoption?

What will participants gain from attending this session? Participants will learn about the importance of routing security, the role of RPKI, and what this means for different stakeholder groups involved: what are their perspectives and experiences, and what do they think is their role when it comes to increasing adoption. Also potential impediments will be discussed and what the next steps could be, and what is needed in terms of cooperation, to overcome these. Participants are explicitly invited to provide their reflections in a hybrid fashion during the session.



The interconnection between autonomous systems, which are the individual networks that collectively form the Internet, the exchange of routing information among them by use of the external Border Gateway Protocol (BGP) and the actual routing of IP traffic that follows, is fundamental to the functioning of the Internet. As such, the secure functioning of the routing system is in the global interest. Traditionally the exchange and propagation of routing information among autonomous systems has been based on trust. But considering the critical dependencies and the risks involved, as the reliance of our daily lives on services provided online continues to increase, it becomes more important for autonomous systems to validate received route announcements before they are accepted and propagated. Technically the solutions are there, so the question is what should we cooperatively do to improve the adoption of available routing security best practices, specifically when it comes to route authorization and -validation (Resource Public Key Infrastructure (RPKI)).

Expected Outcomes

The importance of routing security best practices and specifically RPKI adoption will be made apparent following the shared experiences and statistics from the different panellists, impediments to further adoption will be made explicit, and concrete recommendations will be formulated together with the participants on how to overcome these as well what is required in terms of cooperation between stakeholder groups.

Hybrid Format: The workshop seeks to bring the views and experiences of different stakeholder groups together in one session, one after the other, and all of these panellists will attempt to recommend next steps in terms of what is required to increase the adoption of routing security best practices and RPKI specifically. Participants, both present and online, can ask clarifying questions. After the panellists’ introductions all participants are invited to participate in a dialogue on what is necessary for increased adoption. A moderator leading the session will see to it that online participants get an equal opportunity to provide input into the discussion.

Key Takeaways (* deadline 2 hours after session)

Routing security is increasingly becoming an area of policy concern. Policy makers and decision makers in industry need greater awareness about how and why they can implement Resource Public Key Infrastructure (RPKI) and other measures. Implementation of routing security measures and collection of data comes at a certain cost, and a challenge to address is that actors might not see direct benefits immediately, even though in the long term, it pro

Call to Action (* deadline 2 hours after session)

Improving routing security requires collective action. It’s vital to ensure that as many networks as possible around the world act for the collective good and adopt routing security best practices and tools like RPKI. It is in their own best interest too, to adopt these measures, as it helps secure the availability and reliability of online services provided, and also helps avoid reputational damage when they are affected by routing incidents.

Increasing adoption of RPKI and routing security practices requires better data gathering and more resources. We need to have more support through incentives and to further develop tools and build awareness to support networks to adopt these practices. RPKI prevents some incidents but does not protect against all route leaks. Autonomous System Provide Authentication (ASPA) needs further examination in this context.

Session Report (* deadline 26 October) - click on the ? symbol for instructions

The workshop on “Increasing routing security globally through cooperation” aimed to examine the gaps or obstacles hindering the adoption of routing security measures such as RPKI. The speakers shared insights into the need for RPKI, global adoption rates, the role of policy makers. 

Bastiaan Goslings, RIPE NCC, provided background information on the technical aspects of the Border Gateway Protocol, how and why routing incidents can take place and how routing security measures such as Resource Public Key Infrastructure (RPKI) can help protect networks. He explained the role of the Regional Internet Registries and provided data on RPKI adoption.

Verena Weber, OECD, spoke about the OECD’s studies on security and the digital economy, one of which focused on routing security. She mentioned OECD government studies looking into routing security such as in the United States (in 2022 and 2023), Sweden (2020-2022), and ENISA (2019). She listed four pillars of action for governments to consider:

·      Promote measurement and collection of routing incidents

·      Promote deployment of good practices

·      Facilitate information sharing

·      Define a common framework with industry to improve routing security

 Annemieke Toersen, Netherlands Standardisation Forum, shared the practices followed to ensure greater uptake of standards. A measure they use is “Comply or Explain”. This is a list of standards that all government entities are required to follow or explain why they have failed in their compliance. Further, the Netherlands Standardisation Forum cooperates with vendors to educate them and finally they share documentation for procurement and also monitor to what extent their standards are followed in the procurement process. Their standards are openly available at Internet.nl which includes a Hall of Fame, as their preference is to acknowledge good behaviour over naming and shaming. She also shared information on how the Netherlands Standardisation Forum cooperated with the RIPE NCC to run training courses and raise awareness about routing security.

Katsuyasu Toyama, JPNAP, shared insights into how JPNAP encouraged different network operators to deploy routing security measures. He recommended that national industry associations play a role in advocating the use of routing security measures; that RPKI implementation specifications should be updated and improved; and that more work should be carried out on Autonomous System Provide Authentication (ASPA).

Workshop attendees then discussed possible incentives for operators to deploy RPKI, the gap between the technical personnel who need to implement measures and managers who might not understand the need for them, the need for greater recognition when operators act in the collective interest (for example the MANRS programme) and the need to ensure that there are enough resources available to the organisations that collect data and develop tools for routing security.