Internet Routing Security: It’s All About Business…

A few years ago I got cornered by an enthusiastic academic praising the beauties of his cryptography-based system that would (after replacing the whole Internet) solve all the supposed woes we’re facing with BGP today.

His ideas were technically sound, but probably won’t ever see widespread adoption – it doesn’t matter if you have great ideas if there’s not enough motivation to implement them (The Myths of Innovation is mandatory reading if you’re interested in these topics).

Here’s a pretty useful filter you can use when someone tries to tell you he solved a really hard problem:

  • Find out all the prior proposed solutions (if the problem is worth solving, someone else probably tried to solve it before);
  • Figure out whether the other solutions failed due to technical reasons (in which case there might be hope);
  • If the prior solutions were technically feasible but weren’t accepted, there might be a business reason for that;
  • If the proposed solution sufficiently changes the business model, there might be hope. Otherwise, move on.

Coming back to the BGP example:

  • We had RPKI for years. Uptake was minimal until very recently when large ISPs started using it (NTT announcement) and owners of large parts of IP address space deployed ROA records. For more details, check MANRS participants.
  • BGPsec was also developed years ago. Nobody even thinks about using it due to the additional compute overload it would create;
  • There are tools to generate prefix lists from public routing databases. A very small percentage of ISPs cared enough about the quality of Internet routing to use them… until passionate engineers like Job Snijders started the MANRS community and created enough buzz and visibility to make Internet routing security relevant.

In case you’re wondering what’s wrong with the BGP world, Russ White nicely explained it in BGP Security: A Gentle Reminder that Networking Is Business. Have fun!

Revision history

Updated the RPKI status - it’s now used by large ISPs and content providers.


  1. There you have it: "The cost of deployment must be lower than the return on that cost". Same with DNSSEC. It will be a dream forever.
    1. The cost of deploying DNSSEC if you're on Cloudflare is zero (modulo educating yourself which is a good idea anyway). What exactly is your point?
  2. IPv6, RPKI, BGPsec, DNSSEC, ..... whatever the real cost, if the perceived cost is high, deployment will lag severely (or fail). Can we call it lack of "killer app"? I happened to hear delirious reasons for not going forward with IPv6, all of them based on the FEAR of high support cost. Just that. FEAR.
    On the other hand, you see projects going forward very painfully (and way over budget) because of a lack of understanding of the real costs and a perceived potential benefit that is very doubtful.
    So yes, it's UNFORTUNATELY all about business...