Regulator gets internet strategy started with focus on BGP/RPKI and IPv6
Adoption, standardisation and certification of open internet standards
In 2023, the regulator responsible for the Dutch internet industry – the Authority for Digital Infrastructure, or RDI – joined the Platform for Internet Standards, best known for its Internet.nl test portal. By joining the platform, the DPI hopes to strengthen its ties with other stakeholders involved in promoting the use of open (harmonised) internet standards in the Netherlands.
"As the industry's technical regulator, we also want to be more closely involved in standardisation and certification, in the interest of interoperability. We've been doing that for a long time where radio and devices are concerned. And it's vital that we work with other stakeholders to build a similar position on digital standards in the Dutch market."
Much broader responsibilities
"In recent years, the RDI's responsibilities have changed enormously," says Jasper Nagtegaal, Director for Digital Resilience. Our new role is reflected in a new organisational structure and a new name: after previously being the Radiocommunications Agency, we became the RDI last year. "Our main focus always used to be management and use of the radio spectrum. So, for example, we were responsible for auctioning and licensing the various frequencies, because the radio spectrum is a scarce commodity. And for checking for interference from electrical equipment. Our remit has also traditionally included activities under the legislation that regulates information exchange on networks, known by the Dutch acronym WIBON, and its predecessor, the WION."
"In recent years, we've acquired a lot of additional duties: from telecoms and MNOs (Odido, Vodafone and KPN) to digital radio. We also have responsibilities under European legislation such eIDAS and NIS(2) [Wbni] plus the new Cyber Resilience Act and AI Act. The Digital Europe programme has implications for us as well."
3 nested primary themes
The RDI's enlarged portfolio of regulatory responsibilities is now divided across 3 nested primary themes:
Availability: seeing that physical infrastructures work properly
Resilience: network continuity and availability
Trust: service security and reliability
Nagtegaal's directorate is responsible for the Resilience theme.
For details of the RDI's various duties and activities, see the organisation's latest annual report.
Contact with other Dutch stakeholders
Asked about the RDI's involvement in the development and promotion of modern internet standards in particular, Nagtegaal explains that his organisation's first step has been to forge ties with other Dutch stakeholders – by joining the Platform for Internet Standards, for example. The RDI is also a member of the Dutch Anti-DDOS Coalition and attends meetings of the Dutch Network Operator Group (NLNOG).
"For the moment, we're still getting to know the people involved with the Platform for Internet Standards and the themes that the organisation works on," explains Isabel van der Ley, Resilience Team Leader at the RDI. "The idea is to identify where we can make a contribution in line with our remit."
"As newcomers to the group, we're mainly playing a listening role to begin with," continues Nagtegaal. "We want to build up a picture of the players and the main issues, so that we can make informed decisions about the best approach to take. Once we know the lie of the land, we'll see whether we can help on certain themes with knowledge and guidance."
BGP/RPKI and IPv6
Where internet standards are concerned, the current focus is mainly on BGP/RPKI and IPv6. The RDI has previously published a BGP/RPKI best practice guide in consultation with bodies such as the Ministry of Economic Affairs and Climate Policy (the RDI's 'parent' ministry), RIPE NCC (the RIR for greater Europe) and 2STIC (a Dutch partnership for research into future internet networks).
Last summer, the RDI also teamed up with the Dutch Cloud Community (DCC, an organisation for internet service providers in the Netherlands) to deliver an information session on the theme of DDoS resilience.
Nagtegaal cares about promoting all relevant standards. "Unfortunately, though, we have to make choices. Then we'll come up with a plan and see whether it works."
"We've decided to begin by concentrating on a small number of particular standards," adds Van der Ley. "It takes time to develop a position. So we're working in a few focus areas, acquiring insights that we can subsequently utilise in relation to other standards."
Internet (security) standards
The RDI's current approach and choices are based on the Stratix report Internet Infrastructure: Standardisation, Technology and Geopolitics, published in December 2022. After making an inventory, the research team behind that report identified the top 10 issues, for which they also proposed solutions or pathways to progress.
The researchers' top 10 issues included 3 problems involving internet (security) standards:
1. | BGP route hijacking: a malicious actor taking control of someone else's route (i.e. their IP addresses) with a view to either diverting the route owner's traffic to themselves, or abusing an address block for sending spam or mounting DoS attacks. Another possibility involves making a network unavailable by mounting a DoS attack on the network itself. However, it's much more common for routing problems to arise accidentally, as a result of either a route leak or the operator announcing incorrect route information. The normal way to protect against both route hijacking and route leaks is to use the RPKI/ROV and BGPsec security standards. One can also follow Best Current Practice BCP 38 (RFC 2267, ingress filtering), which should prevent providers, hosters and network operators sending packets across the internet with source IP addresses that don't belong to them. |
2. | IP spoofing: falsifying the source IP address of internet traffic, typically with a view to mounting a DoS attack (flooding). The normal way of countering this kind of spoofing is to follow BCP 38, mentioned above. |
3. | Lack of infrastructural innovation, flexibility and adaptability: the huge installed base of hardware and software hampers modernisation of the network itself. The slow adoption of IPv6 is mentioned in the report 6 times as an example of a standard that's sorely needed, but whose implementation is being held up. However, the same is also true of internet (security) standards in general [1]. |
Technical regulator
"The scope of that study was the transport layer," continues Nagtegaal. "It gave us a picture of current developments involving the internet infrastructure and its standardisation. The findings served to identify where we could intervene and make a difference. And that led to us joining the Platform for Internet Standards and deciding to start promoting the adoption of BGP/RPKI and IPv6."
However, Nagtegaal is keen to make the point that the RDI is a technical regulator. "We don't concern ourselves with economic aspects, market factors or geopolitical competition. Matters like that are the province of policymakers at the Ministry of Economic Affairs (which is also a member of the Platform for Internet Standards). The topics we address are mainly EU-wide and have a technical basis."
The RDI's work does nevertheless have economic significance. Interoperability is a priority topic for the European Commission, which wants to ensure that data exchange is possible both with and between government organisations, and at the same time remove obstacles to European digital market activity. [Interoperable Europe]. Open standards for data storage, exchange and security play a vital role in that strategy, as does open-source coding (sharing and reuse).
Continuity, freedom and security
"We can't force people to use IPv6," says Nagtegaal, "because there's no law saying that they have to use it. What we can do is work with stakeholders such as SIDN, the Forum for Standardisation and the Platform for Internet Standards to encourage the use of IPv6, to emphasise its importance and to include it in our conversations."
"It's fine for us to push organisations to raise their level if they are still using legacy technology. Most European legislation is drafted on the basis of the market principle. We focus on the technical side of things: continuity, freedom and security. We define and perform our role accordingly. The adoption of open internet standards can't be enforced, but does have economic benefits."
"IPv4 does still work, but it's more expensive and addresses are scarcer. For example, the availability of IPv6 is very important in relation to the IoT and AI, because it enables you to connect a large number of devices to your network."
Adoption, standardisation and certification
"At the moment, we're still looking for ways to encourage adoption that are within our mandate," asserts Nagtegaal. "What communication channels should we use? And what's the best way to work with other stakeholders such as SIDN and the Platform for Internet Standards? The Forum for Standardisation has done some really good work in that regard."
"As the industry's technical regulator, we also want to be more closely involved in standardisation and certification, in the interest of interoperability. That implies paying attention to the use of open standards and security standards. In tandem with the EU, the standardisation bodies and market players, we've been doing that for a long time where radio and devices are concerned. And it's vital that we work with other stakeholders to build a similar position on digital standards in the Dutch market."
