IGF 2024 - Day 4 - Workshop Room 9 - WS198 Advancing IoT Security, Quantum Encryption & RPKI

The following are the outputs of the captioning taken during an IGF intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.

***

 

>> NICOLAS FIUMARELLI: Good morning, everyone, good afternoon, good evening, wherever you are in the world. 

Please proceed.  Okay. 

Welcome to our session on quantum encryption & RPKI, and IoT, Internet of things, security.  We are going to tackle future challenges. 

My name is Nicolas Fiumarelli.  I came from a tiny country called Uruguay in South America.  I am pleased to serve as the moderator today. 

Assisting with engagement is Althanase Bahizire and in‑person participants are fully integrated into our sessions. 

The session will tackle three essential pillars of the future of Internet security.  One is fighting with protocols.  We stand with the power the quantum computing.  Just a note here because this is the only one session about quantum computing in the entire IGF.  As you might know, next year is called the Year of the Quantum because of the recent advancements on this technology from the different think tank giants around the world. 

The second topic will be on the RPKI, the resource public infrastructure, that is about securing the integrity of the Internet routing, you know, this protocol that is used for routing, BGP. 

Finally, the third will be IoT security.  We will address unique vulnerability of billions of interconnected devices worldwide. 

So it's a challenging position.  So our challenge is to examine the intersection of these technologies, right, the challenges and the opportunities.  Particularly in shaping secure and inclusive digital ecosystems. 

So the format for today will include an initial presentation from our expert panelists from each of the topics.  We are offering 15 minutes into the various expertise.  Following the presentations, we will open the floor for 30‑minute discussion and questions & answers.  We will take questions and take input from on‑site and remote participants.

Finally, our Rapporteur will summarize and share some insights about his resource on the Internet engineering mappings. 

Now let me introduce our speakers and the flow of contributions. 

First speaker ‑‑ hi, hi. 

Okay.  First speaker is Maria Luque.  Maria Luque is part of technology foresight and quantum technologies.  She is also the Managing Director of the Future Literacy Group.  She has extensive experience in creating cross‑national skills to advance the creation of quantum technologies in strategic sectors.  So Maria will begin this session with a presentation on cybersecurity for a quantum future, a comprehensive vision of the place of quantum technologies in our shared future, highlight the development of post‑quantum cryptography and quantum key distribution.  So if you can confirm that Maria is online. 

Okay.  So Maria, the floor is yours. 

She has a presentations to share, so maybe the technical team will help her to share the screen. 

Maria, can you confirm you can speak?  Hello? 

Okay.  Okay.  We are waiting for the presentation. 

>> MARIA LUQUE: Good afternoon.  Can you hear me? 

>> ALTHANASE BAHIZIRE: Yes, we can hear you, but we cannot see you.  Please wait some seconds. 

>> MARIA LUQUE: Can you see my screen now? 

>> ALTHANASE BAHIZIRE: Yes, we can see your screen.  If you want, you can turn on your camera. 

>> MARIA LUQUE: Let me try that.  If it is a presentation, you can hear me. 

You need to allow me to open up my camera. 

>> ALTHANASE BAHIZIRE: You can start, and later they will allow you to put your camera on. 

>> MARIA LUQUE: Okay.  Good afternoon to all of you.  Good afternoon to those in the audience clever enough to pay attention to this presentation right before the closing of the IGF this year.  Thank you for being here. 

I really want to do a brief exercise to start this session.  And this is on par with you not being able to see me through video.  It's very timely.  Because I am going to ask you to close your eyes, if you may.  Those of you in the audience.  I want to paint a picture why we think about quantum technologies today at the IGF.

Go a bit forward.  Eyes closed.  By 2035, the world looks nothing like it does today.  Profound transformation has taken place, and all global communications, both terrestrial and space based, they are somehow integrated through optical networks.  This is a rather sophisticated infrastructure born from the gates of collaboration and innovation.  And it enables real‑time data transfers at great speeds, allowing instantaneous communications across the globe and into the farthest reaches of our visions. 

The integration of quantum communications in this time has extended our reach even further and is facilitating secure, near instantaneous transmissions across the earth to the moon and Mars. 

This breakthrough is paving the way for us humans to explore and inhabit, even, other planets while advancing how we understand the cosmos.  But what's more important, in this age, mature quantum sensing and computing technologies have helped us a lot, a new era of capabilities, of possibilities.  We now have distributed quantum sensing networks, and they provide us with extreme precision in environmental monitoring, in space exploration, in early warning systems for disasters in every occasion.  This is enhancing our quality of life and our ability to protect both Earth and our expanding presence in space. 

Quantum computing now is deeply integrated into this global network.  And it enables the confidential processing of highly, highly sensitive data, securing information that is critical to national security, to finance, and to global governance. 

Our relationship with trust in this era is definitely changed.  Technologies have transformed sectors, ranging from healthcare to defense, and the security of intelligence, the military and defensive forces.  It is making it possible to effectively confront asymmetric cyber and kinetic threats to our infrastructures and well‑being. 

Well, now, those of you who share the audience with you can open your eyes.  This picture of is one of the possible futures I would like you to start betting for, starting today. 

Now, we set our eyes on 2045 today, but some nations and cutting‑edge RTOs are getting ready for 2030.  For example, the way we understand smart cities is with the introduction of quantum technologies, such as quantum sensing.  Quantum sensing is a very mature technology, and it allows us to sense the earth, the electromagnetic fields way beyond the scope of today's parameters.  Here in my presentation, you can see a Crystal‑Clear Bet by TNO in the Netherlands of quantum communities to help communities with the energy transition. 

In this picture, quantum sensors can optimize the efficiency of power grids.  They can enhance battery performance.  And they can improve the detection of leaks in pipelines.  And since sensors are abundant in every domain during the energy transition, there are countless opportunities where they can be employed to gather critical data.  For example, heat and carbon uptake in different environments to have better models of our reality so we can choose to make it more sustainable. 

So if we are lucky, five years from today, most of the critical data that we will gather will be gathered through quantum technologies.  And to make that happen, quantum computing and all applications of quantum tech are precise.  We mentioned observations for environmental global monitoring.  But we can also think of wearable IoT devices with a quantum sensor, transmitting even critical biomedical data from a soldier to a logistical base.  This critical data will be coming increasingly valuable because it's either going to give us a competitive advantage for the industry, a strategic advantage, for example, for defense; or more quality of living, just as we saw. 

And this data is going to be needed to compute and craft the knowledge of the future.  As we know, data is short lived.  So in a few words, the learning curve of future knowledge models, AI models, to compute solutions for the energy transition, for defense, for food security, depends on this high‑quality data.  So we can expect in the near future that quantum technologies gather data.  We have been feeding up these models, first through AI‑powered.  Ultimately through quantum computing. 

That leaves us in a scenario where this "exchange coin" for our well‑being ‑‑ which is data ‑‑ is going to circulate all over Earth and space. 

And my message today is quite different from the one that I gave the last IGF in Kyoto last year.  My message today is that not only a cryptographically relevant quantum computer and its advent is a threat to this future that I just pointed out to you, to how we leverage this data for good; not only harvest now and decrypt later is a threat to this.  Today, carbon standards for our IT and OT cybersecurity in our critical infrastructures, these standards are very unclear in most cases.  Some of them still operate on cybersecurity biosecurity.  And the bad news is that it's only going to get worse because, on the one side, there's this trend of AI in everything that is going to expose our critical infrastructure to more and more blind spots.  And also our definition of critical infrastructure is growing in assets.  For example, we now have satellites, LEO and ground stations and optical communications. 

So my bet is that to protect the future that we are trying to build, that we are talking about throughout the entire IGF this year, to protect all of our collective investments in AI, in compute, in quantum and space, a new framework of cybersecurity working is essential.  And to make all this happen, quantum security is essential. 

Now, this year I am going to make it easier.  I am giving very high‑level overview of cybersecurity in the quantum era.  Given that today is about a multi‑stakeholder future for all, I am going to give you an overview of what we need to focus on today, tomorrow, and let's say the day after to unlock the kind of secure communications that we need for the next set of quantum class AI to progress in our industries. 

Today, the new normal of today has a focus on protection regarding quantum security.  This means that we are working on integrated with our co‑cross‑cryptography standards and those approved by, for example, of North America's NIST and our digital infrastructures.  And quantum computer takes these algorithms, not unveil the underlying information behind the data. 

Real work needs help from the tech industry and building common understanding for this, such as under the GSMA Post Quantum Crypto Task Force.  Our national governments are issuing guidelines to help us start our migration to post‑quantum cryptography frameworks.  And most hyperscalers, such as Amazon, Google, Apple with their iPhones, are introducing them into our platforms. 

So during the most recent year, we have seen a mandate toward ISKs by 2030 by North America's NIST, and statements in the European Union Cyber Resilience Act. 

So today, while diagnosing the problem is the easy part and we have done that, but aligning national and international policies is much harder.  In the meantime, if the future is quantum, as I presented earlier, the present is hybrid.  The new normal of tomorrow, today and three years from now.  The focus is to gather various material balance, which promises to render data and interact with physical properties of light, to start hybridising it in classical networks and infrastructures. 

The bounces in quantum communications we shared last year, I can tell that they keep upscaling.  For example, this last week, in the European Union, we signed a contract for a constellation, which will be ready for optical communication links.  So we will ensure we feed this on the quantum communications infrastructure.  Worldwide, we are very active in proof of concepts, in the integration of RPKI.  And those in the Netherlands, or for example, a network in New York. 

This today, two years from now example, what we need to do to start quantum communication and existing infrastructures, is undergoing a lot of challenges.  First one is the challenge of standardization.  And this might be the second most important message of the session today for me.  The challenge of working on interoperability of these technologies with existing operators and infrastructures.  Also, the challenge of starting the substitution of RF for optical communication ground stations globally.  Or even how to develop quantum memory so we can make quantum machines of great size. 

The day after tomorrow, this is the part where we collide with a vision.  To be really in 10 to 15 years, we have the Quantum Internet Alliance, which is in the European Union, striving to material quantum working accountabilities, to start deploying the dream application that is we started the session with.  Decentralize and blind computing of data between actors who then necessarily have to trust each other to make joint decisions.  You name it.  We also have statements from NASA's programme, speaking about the U.S.‑led global quantum network by 2035.  But we don't have much more than that.  And for global benefits to occur ‑‑ for this scenario 2035 to occur, we need to build these networks as jointly as possible with interoperability as a key priority.  Otherwise, the bright promise of a quantum future will turn into a zero‑sum nightmare between societies.  We need to start with quantum security today, right where you are. 

Remember that investment in quantum‑reach in 2024 is outpacing other pilot projects.  Many people speak of quantum projects in different countries, nations among them China. 

My final message in this very high‑level overview that I am presenting today is that quantum‑gathered data is needed for all of the knowledge models that we want to advance with artificial intelligence and high‑performance computation. 

In a very short time, we are going to deal with very sensitive data in our communication infrastructures, in our critical infrastructures affecting us personally.  So the time to start investing in quantum security is today, right where you are.

>> NICOLAS FIUMARELLI: Thank you so much, Maria.  It was very clear.  Your message, I think, is this is a huge moment we are having now in the era of the Internet of the future.  It's important to see that the first approach is to have (audio cutting in and out).

Sorry.  My microphone. 

Okay.  Can you hear me? 

>> Yes. 

>> NICOLAS FIUMARELLI: What I was saying the first step is to have quantum, that is to have the algorithms like we have today are not quantum resistant.  That means that when you send a WhatsApp message, for example, from your phone to another phone, you can see that the message is encrypted from end to end; right?  But for the most powerful classical computer nowadays, it will take like 200,000 years to decrypt any WhatsApp message.  But for a quantum computer, it will be so rapid, like seconds; right?  So with the post‑quantum cryptography algorithms, we are having a way that quantum computers will take hundreds of years to also decrypt in these new cryptographical. 

So that is like the first step; right?  To have post‑quantum cryptography algorithms in all Internet and ICTs. 

Then the next step, if I remember from Maria's presentation, was about the quantum key distribution.  This is a technique that uses quantum physics to send information in a way that is teleporting information.  It is a property of quantum physics.  And in this sense, no one will know your key, so once you exchange this key by the quantum network or the quantum facilities, then you can encrypt your messages with this in the classical Internet.  That is the second step. 

And the third step is about the quantum Internet, that everything goes in this new model of the quantum. 

And the last mile is the quantum Internet working session because with these sensors and with distributed quantum computing, you could have more calculations, and you could have a lot more features that uses this technology. 

So now I am head to go Sofia Silva to introduce the second topic of today, that is the RPKI.  And then later in the ‑‑ later in our session, we will address some policy questions.  So we will return to you, Maria.  Sofia Silva Berenguer is the Programme Manager at APNIC, specializes in Internet routing and improving cryptographic framework across regions.  Sofia will dig into the critical role of RPKI, which is a security extension for the Internet routing.  You know that the Internet goes with packets, and these packets are routed by something called autonomous systems.  So Sofia will delve into the important role of RPKI talking about route optimizations, which is a concept, route validation, route hijacks and misconfigurations.  She will talk about challenges and capacity‑building efforts and some solutions, there is a standardization body called Internet Engineering Task Force, where every protocol you have heard about ‑‑ HTTP, DNS, FTP ‑‑ everything was made in that standardization body.  And they are every day having new discussions in mailing lists about different new (Audio breaking up.)

One of those is ASPA, autonomous system that is looking to secure route impacts.  With that, Sofia, the floor is yours for your presentation.  Thank you. 

>> SOFIA SILVA BERENGUER: Thank you so much for the interaction, and thanks for having me today.  Hello, everyone.  I am connecting from Uruguay today.  I am here visiting family. 

So as Nicolas mentioned, I will be talking about securing the Internet routing.  But I want to start by briefly sharing why we need to do that. 

So Internet is not just a network.  Internet is the network of networks, in which networks learn where other networks are using the border gateway protocol that Nicolas mentioned, BGP.  So basically, networks exchange announcements where they tell each other you can reach these prefixes through me.  But the thing is that this protocol was designed under the assumption of trust.  Back in the day when the Internet started, everyone knew each other.  They could trust what everyone else was saying.  But then in the '80s, when the Internet was open to the commercial sector and it started growing exponentially, this assumption of trust didn't work well anymore.  And it started to become clear that security needed to be addressed in some way.  The problem was that the Internet was already working.  We could not just replace the routing protocol with a new one.  So new layers had to be built on top of existing protocols, and RPKI was one of those layers to add security.  So I will be talking a bit about RPKI today. 

So you may have heard about route hijacks, and that's one of the things that can happen in the Internet nowadays, in particular back in 2008, there was a big incident where the Pakistan Government instructed Pakistan Telecom to not allow traffic, and in trying to do that, there was an accident in the configuration, where routes were leaked and went beyond Pakistan.  The idea was to keep that local, but it went outside of the Pakistan border, and it cost them for a little while. 

That is just one big incident that made the news, but there have been other incidents that have been quite big and could have been avoided.  So sometimes those instances are malicious, a proper attack.  But in some cases, they are what we call "fat fingers," so someone that mistyped something, for example, or in the case of YouTube and Pakistan, a lack of consideration. 

I will be talking more in a couple of slides.  The good news is that incidents like that that happened in 2008, there were a few back then that made the news and were quite big.  But we hear less and less about those in the news, so that's a good thing.  I will tell you more why we are hearing more about that. 

So as I mentioned, RPKI is that, like, layer of security that has been added on top of BGP, and how that works is that RPKI allows network operators to make statements of what are the routing intentions.  In terms of what is the other autonomous system.  RPKI allows network operators to make statements on routing intentions that are cryptographically verifiable.  In particular nowadays, it's route origin authorizations, and that is to originate a set of prefixes. 

There is one side of RPKI, the creation of ROAs allows you.  And on the other side, what we call route origin validation is using the information in ROAs to decide what to do about BGP announcements.  So what my very simple diagram in this slide is trying to show here is that when a router, that black thing in the middle, receives the BGP announcement, based on what they see in the RPKI system, based on the RPKI data, they can decide whether to use that BGP announcement to create a new entry in the routing table and learn, maybe, a new path, or if they just ignore it and discard that BGP announcement. 

So where are we on this journey to securing the Internet routing?  ROAs, this particular object type that, as I mentioned, is the most popular nowadays, it was standardized more than ten years ago.  And at first, like any technology, it took a little while for it to start being used.  But as you can see, in the last five years or so, it has been more quickly been used.  These charts in particular are from NIST, from the U.S. Government.  And it shows the percentage of unique prefix‑origin pairs that are covered by ROAs.  And you can see that for IPv4 and IPv6, we are in a very similar situation right now where it's 54% for IPv4, it's 60% for IPv6. 

But as I mentioned, creating ROAs is just one side of RPKI.  The other side is using that information to do validation.  And this is where it gets a bit tricky to answer the question where we are on the journey.  And actually, I recently saw an article from a blog from one of the Internet registries talking about IPv6 adoption.  I will not be talking about IPv6 today, but it mentioned tracking and how IPv6 is like two states at the same time.  And I feel that it's very similar with RPKI.  Depending on who you ask, some people may tell you adoption of RPKI has been a success.  Recently, there was an article from Job Snijders, who is very active in the technical community.  He was describing an incident that was kind of similar to the YouTube versus Pakistan telecom that I mentioned, but this time, the incident didn't make the news.  That is because there was no real consequence or bad consequence of that incident because of RPKI.  So in his article, he thinks that RPKI adoption is a success, and this is proof that RPKI works. 

But I've also seen presentations ‑‑ for example, Geoff Huston, who some of you may have heard of, just recently presented about RPKI and DNSSEC, and from his perspective, he sometimes uses the expression even "market failure."  He believes RPKI should have been adopted much more quickly. 

So again, there's different measurement projects, so depending on where you look, you may find different stats.  And depending on who you ask, the perception on whether we are at a good level of adoption or not might change, is a bit subjective. 

But one of the projects is RoVista.  They have an ACM paper.  If you go to the URL, you can check the methodology.  There's also particular challenges on how to measure ROV.  I feel with other technology that stop attacks or mitigate risks, it's hard to measure things that don't happen.  So I will not go into the technical details on how this is measured, but there are challenges on how to measure route origin validation. 

So according to this particular methodology, one of the charts on my slide here, the one on the left, shows the percentage of autonomous systems that are protected by route origin validation, and they split these into partial protected and fully protected. 

Partially is when there is at least one interface where they do router validation.  You can see this number, when I got this chart, a few days ago, it was around 90%.  That's pretty good.  But if you look at fully protected where all interfaces are doing route validation, that's just a bit below 25%. 

I also included a chart.  I will not go into the detail of how economies are doing comparing to each other.  But I thought it was interesting that RoVista describes this score, and they do a weighted average based on the cone size, so it's based on customers and customers of customers.  And so you can see how different economies are at different stages of deployment of these. 

As Nicolas mentioned, there's also ASPA.  I wanted to briefly touch on.  As I said, route origin authorizations, they prevent some types of attack, but it's just based on the other autonomous system.  But there is a new type being discussed in IETF, that also, thanks to your interaction, Nico, people know now the body that standardized protocols in the Internet.  So there is now discussion that has actually made a lot of progress, and it's quite close to being completed and actually becoming a standard.  But it's still being discussed.  ASPA stands for Autonomous System Provider Authorization.  It has already been implemented in a way.  So I included a couple of links if anyone is interested.  There was an article about a first route leak prevented by ASPA and also Hurricane Electric announced they already support ASPA. 

I also mentioned, depending on who you ask, you may be told that RPKI is going great.  Some people think that it should have been ‑‑ the adoption should have been faster.  And I wanted to touch on what are some challenges of, in particular, route origin authorizations and validation adoption. 

As we mentioned with the signing part, creating ROAs, the validating part, ROV.  There is a concept in social sciences that I think may help understand part of the challenge for adoption.  And it is that for RPKI to provide maximum benefit to the Internet, to everyone, we need each autonomous system in the Internet to do its part.  We need each autonomous system to create ROAs for their space and start doing route validation. 

Also, it's like a chicken‑and‑egg situation, why would I do route origin validation if no one routing.  I think there is enough level that there should be information to create ROAs to do validation. 

Another thing I heard is technical people do understand the importance of this, but when non‑technical decision‑makers are involved, it may be hard sometimes to justify the work required to implement this because sometimes the commercial benefit cannot be immediate. 

To that, what I want to say is that we need to keep in mind that by implementing best practices, and not just RPKI, but best practices in general, what we are basically doing is preventing reputation damage.  That should be an adequate justification. 

I know I am running out of time.  I will try to pick up the pace -- sorry, Nico -- to keep with time. 

Since I am the Programme Manager for the ROA RPKI programme, I want to briefly touch on what we do to encourage adoption of RPKI. 

So first, very generally, some approaches to encouraging adoption.  One is providing support, so by raising awareness, building capacity, engaging with organisations, and those that are responsible for implementations working on system improvements is a way that we can encourage adoption.  And then there's also two big approaches that you may have heard of.  That is based on reputation, there's an example of the Mutually Agreed Norms for Routing Security, where there's different aspects of routing security that are described as best practices, and network operators can subscribe to MANRS and then become part of this kind of ranking on how much they implement those. 

But there's also regulation‑based approaches, where you may have heard earlier, the United States, for example, the big example of publishing a roadmap to enhancing Internet routing security, by which governmental agencies are now mandated to create and start doing route validation.  There is a similar example from Finland. 

As I mentioned, I am directly involved with the Regional Internet Registry.  I work for the NRO, the number resource organisation that brings together the five RIRs.  What the RIRs do to support adoption is to organize events.  They have e‑learning platforms where they help with the capacity‑building side of things.  They engage with member organisations, with governments and other entities to support them in the adoption of RPKI.  And we have recently launched -- actually, just in January this year we launched the RPKI programme that I am a programme manager for to create more consistency across the RIRs because each has implemented RPKI in their own way.  It has become more and more important to create more consistency among the five of them. 

And geographically relevant example is the RIPE NCC.  That is the RIR that covers this part of the world.  In 2023, worked closely with the Saudi Arabia government, organizing workshops both for decision‑makers and for technical people.  And that showed an immediate increase in the uptake of RPKI.  So I think that that's a good example of how we support RPKI adoption. 

As I mentioned, I am the Programme Manager for the NRO RPKI programme, and what we want to do is bring more consistency to the RPKI implications of RIRs, but most importantly, we want to create a space of coordination and collaboration.  Historically, RIRs do coordinate and collaborate, but for RPKI in particular we wanted to create it more structured, clear priorities, and we have some specific objectives that we want to achieve in 2025. 

And I have left a couple of links there so that if you want to learn more about the programme or if you want to get in touch, you can do that. 

So in bringing my presentation to a close and trying to connect with the previous topic that is quantum, I am no expert in quantum.  But my reflection is, as I mentioned, the segments that we produce through RPKI rely on cryptography, or they are cryptographically ‑‑ we can validate them cryptographically.  As quantum computing represents a disruptive force that could undermine the current cryptographic standards, RPKI may be affected. 

So my question for reflection is whether the cryptographic algorithms that are used nowadays by RPKI could eventually be replaced once there's suitable post‑quantum algorithms to migrate, that are standardized, whether the ones we use today for RPKI could be replaced with new ones.  I will leave the question out there.  We can come back in the discussion, I guess.  Thanks, everyone, for your time, and thanks again for having me today. 

 

>> NICOLAS FIUMARELLI: Sofia, thank you very much for your contributions.  RPKI can sound very strange for non‑technical persons, but basically, this is a security extension of the Internet; right? 

And one thing that I would like to highlight here is that these technologies, in general the security extensions, are optional; right?  It is something that the operator needs to deploy these technologies, and also the operator needs to deploy the validation of this technology, routing validators. 

And there are several reasons for that; right?  While we are having enforceable mechanisms, like Sofia mentioned, in the USA, different countries mandating for deploying these security extensions, you know there is a topic that is very highlighted in the Internet Society that is about fragmentation; right?  What happened if you mandated everyone needed to have RPKI?  You can be disconnecting networks in some manner.  Because for the ones that does not implement RPKI.  But on the other side, you will be exposed to hijacking and route hijacks.  So we need to have a balance. 

And I think these approaches we are seeing in different countries, Saudi Arabia example that Sofia mentioned, are some examples of ways to go. 

So now, continuing with RPKI, we have Wataru Ohgai from the Japan IGF.  He is a representative from JPNIC, with extensive operator and has been part of adopting in the Asia Pacific region.  I thought he would present in the global moment of global operators in RPKI, discussing the milestones, and he will address different aspects of RPKI, also articulate more on the post‑quantum cryptography and RPKI.  But yes, let's talk more about how to deploy, what are the strategies of deploying RPKI and about this global moment.  So the floor is yours, Wataru. 

>> WATARU OHGAI: Thank you for the introduction, and hi, everyone.  My name is Wataru, from Japan Network Information Center, JPNIC. 

For me today, let me talk about the global movement of policy and operation in RPKI world in 2024. 

For those who may not know, JPNIC is National Internet Registry for Japan, which is kind of like a national version of the RIR.  And we are not the one operating .jp domain, but instead, we manage IP addresses in Japan and, of course, running on RPKI repository based on the registry database.  

So it's already December, and let me first look back on what RPKI related matters happened this year.  The biggest news was that the IPv4 ROA global coverage exceeded 50% in RPKI monitor and other global measurement platforms.  It was the first time in this history for exceeding the 50%, more than half of the global network is covered by ROA. 

And IPv6 has been already achieved a few years ago.  So that means over half the Internet is already protected by RPKI.  This is not just a wonderful achievement, but it also means that we are already in the next stage, the ROV. 

Regardless of tier 1 or not applying ROV, the network is no longer optional.  Over half the world is ready to go, and there is no reason anyone can stop it.  So the stage of maybe or considering for ROV is already passed.  Why am I so sure?  Let me explain some background in the next slide. 

The first one, and it's also a big step, is that one of the tier 1 networks over at Google is now phasing out route‑based peering in Internet Exchange Point, and moving bilateral for direct peering.  This affects those peering with Google, route servers, shift their peering plan, and also requires them to be RPKI ready.  In Google's policy, there is no clear incentives for that, but they apparently require ROA assurance for any direct bilateral peering network as the best current practice.  Refusing everyone with everyone's with Google to be RPKI ready.  This could be an indication that networks like Google are now gearing up for full‑scale ROV, and of course, Google and other big parties are already starting ROV in their networks. 

The second background is the national security.  We've talked about the importance of RPKI in private sector so far.  The same thing can be also applied for the governments who want to protect the whole environment of the country. 

The United States is considering seriously about ROV implementation mandatory, not only in the Federal Government organisations, but also big companies in the country, business sectors, for the national security.  The U.S. is not the only country, but some other countries also are presenting their interest on ROV this year. 

Thus, in some day, whether we like or not, some countries will force domestic companies to do ROV.  But clearly, the Internet persons don't like governments to decide what we do or what we don't for security.  So we should go do this by our own hands before they force us. 

I have talked about what happened and what is going on.  Then let's see what will happen or what could happen in the near future. 

The first point there is a decided future, as I talked, in the future, implementing ROV will be just one of the normal operations, nothing special. 

Then "NotFound" routes which are known for ROA associating it, no RPKI ready routes will be banished from the global entry.  Of course, not to mention the "invalid"s vanishing from the table. 

In the second bullet, there will be the operational challenges.  As you may know, ROV is, in fact, not a predefined term, like ROA.  If you say we are doing ROV, then you can handle invalid routes to be rejected or give some local preference variable so that they are not likely to be used for routing.  That's the ‑‑ it's your organisational model, not operating model. 

This year, in cooperation with Japanese authority and other sectors created guidelines for both operators and engineers by command reference, which I hope contributes to this situation.  But it's still your choice. 

And another concern is SLURM.  SLURM is an intentional way to ignore ROV results based on other trust.  Technically, if someone issued an invalid ROA by mistake and you notice that the ROA and actual routes coming first, you can apply SLURM to ignore that operation period.  But how do you know if it's just an operational failure?  Or how can you tell the incident from malicious attack or even the Internet changes of network?  We already have technical protocol, SLURM, but we are still in need of the operational policy. 

We are also facing the trust issue in ROA itself.  ROA validation is done based on what is written in ROA.  So the trust in ROA is a considerably big issue. 

This year one of the largest network operators in the world, located in Spain, which is a RIPE region, had their online account used to create or modify ROA taken by a bad actor.  And that bad actor modified their ROA so that the original route advertised in BGP to be invalid in ROV result. 

The recovery took a few hours, and the rest of the world are forced to trust the forced ROA.  The company already changed their password and re‑created, and RIPE responded quickly to this and introduced two‑factor authentication on their platform and passkeys, the newer authentication methodologies, for their entire customer account to prevent further attacks. 

As I talked in previous slides, we have technology called SLURM.  But handle this type of incident from the viewpoint of non‑network operators, we still don't know when to apply SLURM.  The current answer to this SLURM is double‑checking the information in community mailing list; however, I believe there is current sophisticated ways to evolve. 

Let's move on to the brighter future now.  And there is another technology based on RPKI, which is ASPA.  Current ROA and ROV is basically just a matching of the IP address prefix and its originated AS.  But as many of you may know, the Internet, the BGP consists of exchanging route information.  So there should be a certain path that the packets should go with network through this and through this like that.  ROA and ROV is not sufficient to do that.  Currently, ASPA is the most finished process, and we are seeking for implementation and actual operation. 

A post‑quantum cryptography is another topic of this session.  Yes, we are talking about post‑quantum cryptography implementation in RPKI world.  The current situation in PQC is something they can adapt after the compromise to RSA or other algorithm by quantum computers.  And others think they need to implement PQC before this happened.  One thing is to implement quantum‑safe RPKI today, the day before the entire world is done in ROV implementation. 

So this is my last slide, and the ultimate question from me is that who can you trust?  Why are they trustworthy?  What mechanisms establish the necessary trust? 

It's all about the trust, cryptography, RPKI, the Internet, everything is about the trust.  Both policymakers and engineers are now required to collaborate to design flexible policies as a way to answer these questions. 

Thank you, and I am giving it back to you, Nico. 

>> NICOLAS FIUMARELLI: Thank you so much, Wataru.  You made interesting points.  I was wondering how this could happen.  You have a password for accessing your RIR platform to create these routing, and once ROV says the validators will validate you, your route, this is a huge problem because what happens if someone tampers with your login credentials and then change, as you said, so you, the clear effect here is that you will be out of the Internet.  All your entire network will be fragmented from the rest of the Internet, and that will be a very complicated thing.  So yes, I think that managing credentials of the RPKI systems is something that is very important. 

And also, interesting that you mentioned that there are some quantum‑safe RPKI ways.  In my opinion, that needs to be before that everything explodes on the Internet, when the quantum computer develops ‑‑ finally develops.  So those are some of the challenges that we have for the future now. 

So heading to our other part of the session today, sadly, some of our speakers couldn't make it, now we have established about RPKI.  About quantum computing.  And we need to talk about how to integrate it in governance frameworks; right?  Across the different regions.  So Althanase will briefly talk to us about some advanced security measures or how these can be integrated into multi‑stakeholder efforts or governance frameworks, particularly in the Global South.  So how (audio breaking up) ‑‑ address these challenges in harmonizing policies across regions?  The floor is yours, please. 

>> ALTHANASE BAHIZIRE: Thank you so much, Nico.  Thank you so much, Nico.  This is a very important topic, and particularly in Africa, the capacity of different regions are different.  And with the advance of quantum technologies, you see, we need, actually, enough resource to host quantum computer, which resources, some of the time we don't actually have in Africa now a quantum computer. 

But the idea is that we should be proactive.  And Wataru was talking about it.  Again, we don't have to wait until we have the full capacity to start leveraging on this technology.  And I am going to share some of the great things that are being done in Africa in order to embrace, actually, these emerging technologies. 

One of the things, when you are talking about, actually, the measures that are being put in place, the UN Economic Commission for Africa, which is the ECA, has brought the programme to build capacity of different governments in Africa when it comes to security measures.  And in these security measures, we tend to go around some of the DNSSEC, which is very important, and how we can secure systems.  And at this level, we are building the capacity of the different governments so they can understand the stakes.  But then we didn't manage to get to very technical aspects, such as RPKI and quantum encryption, which I believe we should incorporate in these capacity‑building initiatives. 

We also have now MANRS, and what is happening is it is voluntary.  There is no obligatory measure that says to the ISPs that you need to implement the MANRS, which is kind of giving ‑‑ becoming challenging.  And we have tried to discuss with the ISPs, and you see they will tell you that to deploy these technologies, it's additional resources and additional staff, technical staff.  And some of the time we can see the emerging needs, why we put it for legislature.  Again, I am emphasizing why we have to be proactive and start having an idea of the future, when how we are developing our solutions, when we are securing our systems. 

And when it comes to harmonization of policies, we ‑‑ many of the African countries are developing their cybersecurity policies and legislations.  But not all of them have actually ready ‑‑ policies that are ready.  In our country, we have a bill that is actually being examined in the Parliament.  But yet we haven't seen a very much involvement of the technical community in country in the development of this.  And we have a firm at the African level whereby technical community has enough space to influence, actually, bodies emphasizing this legislation.  But at the country level, we haven't seen this much involvement of the technical community.  The technical community that actually has the capacity and the technical understand. 

So I believe it's very important to harmonize what is being done in country with the different aspects, the different aspects that are regional at the Africa level, or the different protocols that are being adopted by whether the IGF or externally. 

Then again, the big challenges are resources.  For our technical community to be able to keep the pace in the advancement of these technologies, the advancement of cryptography, we need capacity, and sometimes we don't have the capacity. 

So we are really calling for more investment in capacity to the technical community, actually, to be able to strengthen our country's strategies and also the collaboration between the government and the legislators that are putting in place cybersecurity strategies with the technical community and various stakeholders. 

And there is also one thing I wanted to mention here when it comes to the security measures we are having now.  We tend not to take very seriously cryptography, as Wataru was giving examples, whereby, you know, putting in place effective authentication in your database and some other very little best practices.  We are not adopting them.  We are waiting for when it's, like, mandatory or it's legislation to adopt, which is not really a good practice, and it doesn't help that much in securing our systems.  So I believe it's time for us to embrace with our law, resources, as we are still building our resources, but also to embrace the benefits that these technologies are bringing to us, embrace best practices in security.  And that will be really very helpful. 

And one other thing you asked Nico, it's about capacity building, to ensure equitable adoption of all the security protocols.  There are some organisations that are working in capacity building in Africa.  Like we have the Internet Society that has done a lot of workshops with policymakers, with IXP operators and ISPs for ‑‑ around the MANRS, the mutually agreed security.  What is happening here is we have seen quite an increase in adoption of the MANRS after these capacity‑building initiatives.  But I believe we need to do more.  These capacity‑building initiatives sometimes doesn't touch those communities with very low operators ‑‑ operators who have very low capacity who are managing very small network.  So I believe we need to increase this capacity‑building initiative and go up to reaching the various actors who are into play in this. 

And that is where it comes into play, the different stakeholders here.  If the IETF has programmes like this to build capacity.  Or other organisations, if they do have these initiatives, I believe Africa is very open to, you know, embrace and collaborate in order to all go together in these technologies that are coming very fast. 

I am going to stop here, Nico, and back to you.  Thank you. 

>> NICOLAS FIUMARELLI: Thank you so much, Althanase.  You raised a lot of very important points. 

One thing to mention from my side is that in August this year, the National Institute of Standards and Technology created three standards for the post‑quantum cryptography that ‑‑ sorry for the technical words, but these algorithms are already prepared to be deployed.  There are some challenges like the length of the key that is a little longer than the previous algorithms, such as RSA and ES.  But as the spokesperson from NIST said, there is no need to wait.  We need to start deploying these standards now to be more in the proactive way is what I will say. 

Also you mentioned about the cost; right?  I think that one of the main objectives, maybe, of the NRO RPKI programme, we have in these unified global platforms or, I don't know, documentation or manuals on how to use these interfaces, sometimes provided by the RIRs or by those that can help people with more capacity.  Those that are doing the regional meetings every year, and they do tutorials about this.  And everything, but yes, I think you also mentioned something important that is about the small and medium operators.  These ISPs that sometimes attend low portion of population in isolated cases, they would be outside of these efforts, and maybe they are the ones that have not these RPKI prepared yet. 

So another thing that I want to mention is about the IoT; right?  We missed also one of our speakers today, that is Joao, because he had a collision.  But what happened with IoT is about these constrained devices that sometimes has constraint in battery, constraints in energy, and also in memory.  So these devices cannot rapidly implement these post‑quantum cryptography that demands more and more computation to do the encryption.  So the IETF, the standardization body, is looking for lightweight protocols that could be post‑quantum resistant.  That is something we need to take a look at because there are millions and billions of IoT devices coming around.  And if these devices are not fully protected, we will be in a very huge problem; right?  So that is another thing to look for, to how to have a hybrid approach on post‑quantum cryptography in the IoT.

Now is the part of the session when we open the floor for questions, for the on‑site and online speakers here.  Also, the panelists, if you have been ‑‑ if you have something in your mind you want to also say after all this conversation, please, Athanase will be looking for hands online and here on‑site.  We have 15 minutes for the Q&A part, so just go with this.  I will give the floor, then, to Athanase to moderate this part of the Q&A.  We will be receiving questions, and our panelists will be responding. 

>> ALTHANASE BAHIZIRE: Yes, thank you so much.  We have one question already in the room, so we are going to start by that. 

>> WOUT DE NATRIS: Good afternoon.  My name is Wout de Natris.  I am a consultant in the Netherlands and also here at IGF as a consultant on the Dynamic Coalition on Internet Standards and Safety. 

What we have been doing in the past and are going to do in the near future encompasses everything we heard today.  And my question to the panelists, after I finished, is how can we actually, as a Dynamic Coalition, help you with the situation that we've been ‑‑ you have been describing? 

Last year at the IGF, we presented a report on IoT Security by Design.  Nico was the project lead for that, as our working group chair for that topic.  But we are going to start a new iteration this year and present that in Oslo in June 2025, which combines the post‑quantum cryptography and the state that it is at the moment with IoT security.  But what we are going to look at also is the societal implications when things go wrong, the political implications when it goes wrong, and a bit more that the people who lead it are better at voicing than me as coordinator.  The fact is we have been looking at this comprehensively. 

And my final comment is on RPKI.  With thanks to ICANN and the RIPE NCC, we presented here at the IGF the document that helps the technical people convince their bosses to deploy DNSSEC RPKI, but by default, all other Internet standards, by providing them with arguments that are not technical, but exactly arguments the CEOs and CFOs want to hear what the implication for the company is, if you don't have that, the implications for your reputation, the implications for your customers or your own employees.  So that is what we produced this year. 

But what I would like to hear is what can you do with us?  Because we invite you to join.  You can go to our website, IS3coalition.org.  And I am going to ask Nicolas to put it in the Chat for me, please, the website.  Also, what can we do for you, because we want to be as relevant as possible?  That's an invitation, but also some of the panelists can reflect on it, and from there, we can take it with us.  Thank you. 

>> ALTHANASE BAHIZIRE: Anyone who wants to comment on that, my panelists, please. 

Yes, Sofia? 

>> SOFIA SILVA BERENGUER: Thanks for that comment.  And I guess from my side, what I wanted to comment in terms of answering the question of what can be done, my final question can also be extended to invite some more work.  As we discuss, the IGF is a space where Internet standards are developed.  Currently, although there is an RFC describing I think it's called algorithm agility.  It's quite old, and it has never been implemented.  And so if there is kind of a theoretical framework for replacing parts of RPKI.  But it has never been put in practice, and some people really, it wouldn't really work.  So there is room there for anyone who wants to be more involved in the IGF or who is already involved in the IGF but wants to be more involved in this space to do work on how to actually, in practice, the cryptography in RPKI could be replaced for, like, something that is post‑quantum.  So I guess that's my only comment.  I am no expert in that space, so I am not the person to help in the actual work.  I am just pointing out an opportunity for some work that anyone interested could be involved in.  Thank you. 

>> ALTHANASE BAHIZIRE: Thank you.  And also, thank you for mentioning the work you are doing.  We believe more people need to hear about the work you do, and as for us in Africa, we believe your resources might be very helpful to us.  Thank you for sharing these resources. 

We have a thought in the Chat by Mike Nelson:  After Google's announcement of the Willow quantum computing chip, there was speculation that one day Google will use the chip to break the encryption, used to protect the huge stash of Bitcoin created and controlled by Satoshi.  He is wondering if he is the only one fascinated about this possibility, or is it that important?  Anyone want to comment on this? 

>> NICOLAS FIUMARELLI: I think we didn't incorporate blockchain, but that is at risk as well because if quantum computing can proceed, if you have like your public key from your wallet, the Bitcoin, you will definitely get your private key very instantly.  So that means that you will have the money of that wallet.  But yes, we are talking about a near future; right?  Every day we see a new quantum development, the separate conductors, you know, different parts of the quantum chain, so there was some news recently about a new technique where you don't need to have millions of qubits.  Google is close, they have this one with 1,000 qubits machine already happening.  They cannot maintain the state of the photons a lot of times, but they are close to bridge these gaps. 

In my opinion, when people say 10 to 15 years, for me, it's like five years.  And I think that Maria stated very well in the graphical statistics about this development, just leaving with this to answer the question of blockchain in that. 

Please, if you have another question, I will return it to Athanase.  Yes, Nico, if you have any other questions in the Chat or in the Zoom room, you can raise your hand.  We will give you the floor in the room.  Do we have a question?

No question for now.  Yug was commenting also on the ‑‑ on the Bitcoin case.  He was saying that the advancements are important, as they signify what is to come.  But at this point, it is mostly hype.  There is little practical ‑‑ there is little practical that they can achieve right now.  But yes, Nico said it's maybe not right now, but in the very coming, you may see big change in this. 

Yug, do you want to take the floor and comment on this one?  Can you hear me? 

Yes, I see you unmuted. 

>> YUG DESAI: Do you hear me? 

>> Yes, we hear you now. 

>> YUG DESAI: Quantum is a very new technology.  As is the case in any new technology, there is going to be a lot of hype in addition to the technological happenings that are happening.  It is important to separate the hype from what is real.  Because that is where the policy interventions will come from.  And in the case of these companies, they to hype it up because there is a lot of investment going into these.  So it is important that we don't listen to the hype and focus on what the practical implications are and take actions according to that. 

>> (Audio distorted)

Yeah, okay, I have a comment. 

>> WOUT DE NATRIS: Yes.  Wout de Natris.  You are doing a lot of work on quantum computing.  We are going to do that as G3ict in the coming months.  What is your impression, and how can we potentially cooperate in the coming months?  Thank you. 

>> ALTHANASE BAHIZIRE: I will allow the Rapporteur to also key takeaways because we are running out of time.  We will discuss actionable insights and then we are going to conclude.  Please?  Now you have permission to unmute yourself. 

>> YUG DESAI: Okay.  Yes, thank you, Nicolas. 

I will try to quickly summarize so we have good takeaways to take and think about from this session. 

So Maria started with revolutionizing power of quantum technology, especially in fields of communication and sensing, which are relatively more mature technologies and have great potential in taking precise measurements of the electromagnetic field, for instance. 

Hi, Nicolas, can you hear me?  Okay. 

>> NICOLAS FIUMARELLI: We hear you. 

>> YUG DESAI: So I will start again.  Maria told us about the revolutionizing power and the more mature fields of quantum communication and quantum sensing and how they promise to transform industries like healthcare, defense, and military infrastructure security. 

The critical challenge, of course, lies in bridging what will affect the security we have.  The risk is also particularly acute as we begin to collect data using these quantum instruments and use them to advance AI and existing knowledge models. 

The global response is already under way, and governments are already providing information on how to migrate to quantum secure technologies, hyperscalers, like Amazon and Google, are already implementing quantum security in their platforms.  And a lot of effort is also under way in making sure that the new technologies can integrate with existing technology so you have ‑‑ the investments in quantum space are increasing year by year.  And this is the exact reason why we cannot wait in moving towards quantum secure technologies. 

Then we also had very good discussion on RPKI and how the protocol, the BGP protocol, was created with the assumption of a reality we don't live in.  So RPKI was created as a secure layer, over BGP.  The adoption has not been heterogenous, not androgynous, across the world.  Depending on who you ask, they will tell you whether it was having the desired impact or not. 

The main challenge stems from the collective action problem, where networks need widespread adoption to see the benefits, creating this sort of chicken‑and‑egg situation.  Additionally, the nontechnical decision‑makers often struggle to see to justify the technology that is needed in the transition.  However, adopting RPKI is absolutely crucial, and many ISPs are making this their priority.  And in the future, soon it will become important to have RPKI deployed to connect to some of these networks. 

Also, RPKI is also under threat from quantum computing because it uses cryptography that is vulnerable to potentially cryptographic data and quantum computers.  So we also need to work on making sure that RPKI also becomes quantum safe in the future. 

I also want to highlight what Athanase mentioned about the situation in Africa and how capacity building is really important when we are trying to ensure security in this area of emerging Internet technologies coming in and posing newer risks to security.  Technical communities in Africa and Global South need more resources to combat these emerging threats, and also more capacity building to make sure that the networks of the future remain secure. 

I will end there. 

>> NICOLAS FIUMARELLI: Thank you so much, Yug. 

I would like to thank you.  We are just in time to thank our distinguished panelists for the valuable contributions they have made, as well as all of you both on‑site and online.  Well, I think with today's session, we demonstrated the critical importance of collaboration in addressing different challenges and opportunities presented by these three technologies, quantum encryption, RPKI, and IoT security.  I think that you at least will bring something to your home from all this and by exploring the intersection of these technologies, we could be better prepared to secure our digital ecosystems of tomorrow. 

So hope you enjoy the rest of the IGF 2024.  Thank you so much.  Applause. 

(Applause)