Norms and Standards

Last October at NANOG89 in San Diego, John Curran exhorted us to work together to document best practices before governments developed their own.

John pointed out that in many industries, technical requirements and standards inform public policy goals, and vice versa. Then, when regulation is enacted, it refers to the standards developed by those technical experts. For example, the policy goal of protecting people from house fires is promoted through building codes (laws) which reference fire and electrical codes developed by standards bodies.

Governments are instituted by people to provide national defense, perform public services, protect children and vulnerable people, safeguard privacy and freedom, and prosecute those who transgress the above[1]. However, governments don’t operate the Internet, so when there are threats to or violations of the governmental role, they look to us. As John notes, they are increasingly looking at their roles with respect to the Internet.

If we don’t work together to provide tools to enable governments to fulfill their legitimate role, they will do what they think is best.

If we have agreed on some norms and standards, then they can point to those and say, “This looks like best practice.” In many cases, that gives us a safe harbor against additional action from governments—if I can show I’m following accepted best practices, I’m less of a target than my non-compliant competitors.

What should we work on together?

  • We already have MANRS, KINDNS, some anti-spam (no open relays, block port 25, etc.).
  • DDoS mitigation. BCP38, communities for RTBH, packet scrubbing, etc. What can we do collectively?
  • Infrastructure protection. Best practices for protecting your devices and services.
  • Critical infrastructure protection. Do we have a role in protecting power plants, hospitals, etc., more than others?
  • Net neutrality. Is there more than just “don’t inspect above L3”? Do CDNs or caches privilege some content unfairly?
  • IPv6? The government angle is mostly anti-CGN, but this is a greater problem outside this region.
  • Other ideas?

If a group of people can pick one topic and start documenting best practices, we may be able to do something good. I’m not worried about process yet: content first.

Is there a topic above, or another one, on which folks would like to collaborate to describe best practices?

Lee

[1] Even if you disagree that there is a legitimate role for governments, they think they have these roles, and they have the power to compel.

Hi, I would like to volunteer to help with bullet two: “DDoS mitigation. BCP38, communities for RTBH, packet scrubbing, etc. What can we do collectively?”

-Rich

If folks think it might be helpful I can get an instance of “allourideas” running. We can deploy one for either (1) gathering ideas on what to work on or (2) aggregating best practices. The apps are helpful in (1) gathering ideas and (2) providing a way of getting prioritized rankings of norms/practices.

There is a long history of the operational community engaging with various governmental entities on many of these topics, FYI.

It might be a good idea to ensure that this context is understood by participants, as well as curating the relevant content which has already been created & made available.

I would like to point out that an effort along these lines was taken about 10-12 years ago and documented here: https://nabcop.org/index.php/DDoS-DoS-attack-BCOP

This likely can be refreshed or used as input material for something new.

There are other items on that site and OIX (previously Open-IX) still references the Peering related BCOP.