IABOPEN @ IETF 125

Chairs: Dhruv Dhody and Yingzhen Qu
When: Wednesday, March 18, 2026
Where: Grand Ballroom 2

Summary

The IAB Open session featured status updates on IAB activities, a liaison report from M3AAWG, a summary of the recent IAB Workshop on IP Address Geolocation, and an invited technical talk regarding internet resilience and trust in the era of AI. Key highlights included the transition of the IAB leadership, updates on the WSIS+20 process, and architectural discussions regarding privacy and consent in geolocation services.

IAB Update

Slides: Chair Slides

Dhruv Dhody (incoming IAB Chair) and Yingzhen Qu opened the session. Tommy Pauly (outgoing Chair) provided remarks on his six-year tenure.

• Administrative Updates: The IAB highlighted the importance of the Note Well and encouraged community engagement via the architecture-discuss and iab mailing lists.

• Document Status:

  • The IAB adopted draft-iab-protocol-greasing from the EDM (Evolvability, Deployability, and Maintainability) technical program.
  • Work continues on 4052bis and 4053bis regarding liaison processes.

• WSIS+20: The UN General Assembly reaffirmed the multi-stakeholder model and secured a permanent mandate for the Internet Governance Forum (IGF).

• Outreach: Yaroslav Rosomakho was introduced as the new outreach coordinator. Recent activities included engagements at ICANN Mumbai (GAC/ALAC) and operator communities (APRICOT/APNIC).

Liaison Update: M3AAWG

Bron Gondwana

Bron Gondwana presented the M3AAWG Liaison Summary.

• M3AAWG focuses on anti-abuse for email, SMS, and RCS.

• While the meetings operate under "Chatham House-style" rules to protect sensitive anti-abuse techniques, the organization regularly publishes public Best Common Practices (BCPs).

• Discussion included current threats like "SMS Blasters" (mobile infrastructure used for localized SMS spam/attacks).

Questions:

Arnaud Taddei: I haven't been to M3AAWG in a long time. Are you dealing with SMS issues as well, or just mail?

Bron: Mail, SMS, RCS, that has been an area of discussion. Other kinds of abuse that go over it too are some big topics.

Arnaud Taddei: I recently discovered the SMS blaster program. Is this something you've identified in M3AAWG?

Bron: I don't do much in the SMS space myself but there are groups in M3AAWG working on it.

Workshop Report: IAB Workshop on IP Address Geolocation

Jason Livingood and Tommy Pauly summarized the IAB Workshop on IP Address Geolocation.

• Use Cases: IP geolocation is widely used for service optimization (finding nearby pizza), CDN traffic steering, content rights enforcement (licensing/jurisdiction), and emergency alerting.

• Mechanisms: Current standards include CSV formats (RFC 8005) and discovery/authentication updates (RFC 9632).

• Challenges: The rise of CGNAT, VPN proxies (e.g., Apple Private Relay), and LEO satellite providers (e.g., Starlink) complicates location accuracy.

Eric Rescorla: I'm surprised to hear you describe the consent area as a gray area. I'd like to hear how the IAB is thinking about how to remove this privacy hole, not about how to create a new one.

Tommy Pauly: I agree. Not everyone but a lot of people in the workshop were bringing up these fundamental privacy and consent issues. Two things reflected in the report are that having more consent and intent would be a good thing. There's enough evidence that the use cases people have are not going to be going away. In order to wean things off of using IP geolocation we need to have some mechanisms to satisfy these use cases.

Eric Rescorla: What I hear is we're not going to work on the important problem, we're going to make it worse. I want to hear from the IAB how to solve the problem, not create new mechanisms.
Jason Livingood: The notion of location we discussed is fairly coarse grained; it's not a street address or location in a building, it's a city.

Mallory Knodel: Thanks for writing the report. I agree that it needs to be solved. I wanted to answer the question about where this work should go. I looked to find participation from RIRs in this workshop. I see Ripe, but mostly because they have Ripe Atlas. Have you looked at this from the ASO side and numbers side? I'd love to see cooperation between regional bodies and IETF more; they're also jurisdictionally based to deal with some thorny use cases like law enforcement. Seems like an obvious gap.

Jason Livingood: We did have more people participate than who presented papers. We did have members from RIRs in the workshop, but not giving papers.

Vittorio Bertola: If you want to build something new you have to get the requirements. This space is very hard to define in terms of requirements around consent. There are multiple cases in which users want to be located to get a better service or the service operator wants to locate the user and the user doesn't have the legal right to object. Make sure you talk to the policy community and regulators.

Christian Huitema: We are not going to get a good system by building a good system. If we build a good system we'll keep using the bad system because it's easier. The only way to make the system evolve is to burn it to the ground and make damn sure that we have as many ways as possible to inject noise, falsehood, whatever. How do we make that thing impossible to work right so that people are forced to do the right thing?

Ted Hardie: From an architectural principle, what we're striving for is that geolocation data and routing information are completely distinct, and the mechanisms you use to reveal your location should require consent and the mechanisms which are used to query that location should require your consent. Those are principles that could be articulated by the IAB. We've tried this in the past; GEOPRIV was an effort I was involved in for many years and it was frustrated by requirements from ECRIT and other places that location be attested to by trusted entities as opposed to asserted by individuals. There will be a great deal of friction but I think it's worth facing it.

Resilient and Trusted Internet: Avoiding Fragmentation

Prof. Xing Li delivered an invited talk on Resilient and Trusted Internet.

• Evolution of CERNET: Discussed the transition to IPv6-only backbones and the need to combat "walled gardens" at the network layer.

• The 8th Layer: Li argued that AI represents a new layer above the application layer and below the human user.

• Fragmentation: Technical (IPv4/IPv6 incompatibility), commercial (walled gardens), and geopolitical factors are fragmenting the internet.

• IPv6 and AI Agents: Li proposed that AI agents will be the primary "users" of the future and will require unique IPv6 addresses to maintain end-to-end connectivity without relying on cloud relays.

• Proposal: Li suggested that every new RFC should include an "AI Considerations" section, similar to Security or IANA considerations.