|Working Group:||RIPE NCC Services|
- content to the Chair of the working group.
- format to webmaster _at_ ripe _dot_ net.
Meeting: RIPE 59, Lisbon, Portugal
Date: 7 October 2009
Time: 16:00 - 17:30 CET
Chair: Kurtis Lindqvist
Scribe: Gerardo Viviers (RIPE NCC)
A. Administrative Matters
- Select a scribe
- Jabber Monitor
- Microphone Etiquette
- Approve Minutes from RIPE 58
- Finalise agenda
B. RIPE NCC Update
Axel Pawlik, RIPE NCC
There were no questions.
C. Registration Data Quality Update
Robert Kisteleki, RIPE NCC
There were no questions.
D. Contractual Relationship Requirement for End Users
Andrea Cima, RIPE NCC
Gert Doering (AP WG Chair) thanked the RIPE NCC for its efforts. He was curious about the amount of unused resources being returned by LIRs. His LIR came across at least one AS Number that was not being used and this was returned to the free pool.
Andrea did not have the data at hand but said he had seen several of these cases, although it was not yet an impressive amount. He expected to see more of these cases appearing when the RIPE NCC begins to contact the End Users of "orphaned" resources. The RIPE NCC will check if the resources are actually announced and approach the End Users based on these findings.
Niall O'Reilly (University College Dublin) asked if legacy resources were still out of scope for the 2007-01 policy proposal implementation.
Andrea confirmed that legacy resources are out of the scope for proposal 2007-01. He said that he expects a separate policy will be necessary for these resources. Niall asked if this would be done after 2010.
Andrea stated that it would be done if the RIPE community asks for it.
Kurtis Lindqvist (WG Chair) asked if the RIPE NCC came across cases where resources were used outside of the RIPE region.
Andrea commented that this falls outside the scope of this specific project implementation, but that if the RIPE NCC comes across one of these cases, it investigates them.
Sebastian Riesinger (via Jabber) asked what the timeframe for reclaiming orphaned resources was and how the RIPE NCC will contact these End Users.
Andrea stated that there was no exact timeframe yet and that the RIPE NCC is still assessing the current situation to decide what the best options are. To contact the End Users, the RIPE NCC will rely on the information in the RIPE Database and various other available tools.
Uwe Rasmussen (Microsoft) asked if the top five LIRs requesting independent resources were complying with the contractual requirements.
Andrea explained that the RIPE NCC made additional efforts to contact and involve these members in this process and that they have effectively participated in the policy.
Michiel Klaviers (Luna.nl B.V., via Jabber) wanted to know if there was any legal basis for pushing End Users into contracts with LIRs or the RIPE NCC.
Andrea confirmed that that there was a legal basis and that the RIPE NCC requested legal advice on this. Based on the decisions taken by the RIPE community, the RIPE NCC can request the End User to enter a contractual relationship with a sponsoring LIR.
Wilfried Woeber (speaking independently) suggested offering automated support for changing the status of an orphaned independent resource based on agreements made between LIRs to "adopt" a resource marked as 'orphaned'. He considered that this was more efficient than simply letting the RIPE NCC search for different ways to contact these End Users and coupling the resource to an LIR.
Andrea agreed that it would be a good point to consider and mentioned that there is a procedural document (http://www.ripe.net/ripe/docs/ripe-475.html ) that explains how the resource movement procedure between LIRs works.
Gert endorsed Wilfried's motion and suggested that it would be much easier if there was a standard mechanism to mark which independent resources belonged to which LIR.
Andrea agreed that it would be easier and that this feature would be a nice addition to the list of improvements the RIPE NCC is currently making to the LIR portal software.
Kurtis suggested that the RIPE NCC carries out a survey on the features members would like to have in the LIR Portal software. He also pointed out that the legal advice received on the contractual requirements was brought up several times in the Address Policy Working Group (AP WG) when it was being discussed and requested that the information be sent to the mailing list.
Andrea agreed to send the information to the mailing list.
E. Certification Update
Alex Band, RIPE NCC
Michiel Klaviers (Luna.nl B.V., via Jabber) enquired if the RIPE NCC had rules for revoking certificates. He said that this is a potential 'Internet police' function for the RIPE NCC.
Alex acknowledged that this is an ongoing discussion and said that the RIPE NCC must be careful about this situation. He explained that there are several options available to address this issue: - Longer expiry times - To revoke the certificate only if the holder of the resources agrees to that - Place a flag on the certificate marking it as revoked and letting the End User choose if they want to go on with the revocation or continue to use the resources
Alex recognised that this was a complex situation from a political and legislative point of view. Feedback from the community is needed and is very important.
Daniel Karrenberg pointed out that the set of rules requested is called the "certification practice statement" and that it was being addresses in the AP WG. He encouraged anyone interested in this to check the earlier AP WG proceedings and participate in the AP WG mailing list discussions.
Sebastian Riesinger (via Jabber) asked if the RIPE NCC could be ordered to revoke a certificate under Dutch law.
Daniel explained that the RIPE NCC is a legal entity under Dutch law and would need to comply with any request from the Dutch legal system. He commented that the RIPE NCC is in contact with the Dutch public prosecution service and some other law enforcement agencies to encourage dialogue and understanding on both sides. He pointed out that trying to enforce the revocation of a certificate would not have the effect they expect.
Remco van Mook (Equinix) thinks Daniel's reply raises another question: should the working group accept this or not? If not, the wrong technology might have been chosen for this purpose.
Alex pointed out that participation is important, as this affects many people in many different countries with very different legislations. It is important that we look at each individual situation and look after all those people.
Ruediger Volk (Deutsche Telecom) suggested that a closer look into the technology that is used is taken and precautions are built in so that threats like this do not have effect. He said he was happy to know the ways for finding and invalidating those threats were quite clear.
Geoff Huston (APNIC) wondered if it was possible under Dutch law to force the RIPE NCC to remove all the registration records for a certain party. He questioned if this issue was about certificates or about maintaining the integrity of the registration system.
Alex said that the issue is caused by a fear of not being able to oversee all the possible implications and thus not being able to make an informed decision.
Steve Kent (BBN Technologies) mentioned never having heard of a Certificate Authority being required to revoke a certificate, except in a civil context. He pointed out that the certification being discussed here is a different PKI, it does not exist anywhere else and is being created from new. The problem is about wanting to shut something down. The law enforcement agencies should be redirected to the responsible ISPs for these type of requests.
Alex commented that he had never actually seen a request to remove registration data. Law enforcement agencies realise that this does not really have the desired impact.
Daniel commented that once the community has a certification system set up, it opens the doors for many possibilities, like having BGP automated. In the future, it would then be possible to automatically configure routing. The benefits of auto-routing are fighting against cybersquatting and more security against making mistakes. There is a trade-off though as there are the buttons to make mistakes.
Kurtis said that he considered the law enforcement agencies to be much smarter than to take these kind of measures. He commented on the current legal disputes where some rights holders put extremely hard pressure on some providers to cut connectivity to some sites. He said that although these things might happen, they won't affect the current system.
Rob Blokzijl (RIPE Chair) pointed out again that the RIPE NCC has regular meetings with several law enforcement agencies. He commented on how, in the beginning, these agencies thought that IP addresses were like domain names and how it has been explained to them that IP addresses are not the same. It is more important to have registration of who uses what IPs than to remove the registration information.
Aaron Hughes (6connect, Inc.) commented about filtering already being done from IRR data. He said he didn't see any reason to fear certification and sees it as a major step forward.
F. Discussion about inet(6)num and aut-num objects to reference sponsoring LIR
Piotr said he would propose the idea in the Database Working Group as it is for implementation in the RIPE Database.
Kurtis remarked that the proposal would first be handled in the RIPE NCC Services Working Group because of the implementation costs and efforts for the RIPE NCC.
Marco Hogewoning (XS4ALL) commented that having more contact points will make the existing confusion even bigger. He asked that this is taken into the discussion of the proposal. He said that the End User should be the responsible for misuse and not the LIR.
Piotr said that he was aware of this problem. The idea is that the LIR is responsible for keeping the data up to date. This can help to keep data actual.
Marco said that an LIR is not always responsible for the data traffic and that complaining to the upstream provider might have better results.
Wilfried Woeber (speaking independently) supported the idea of having LIR information also embedded in End User assignments. He agreed with taking the proposal to the Database WG, but said that it also had policy and services aspects. He said that the data must be maintained and the problem is who controls the data. More things need to be discussed before talking about implementing.
Piotr commented that Andrea had raised this same question in a private conversation with him. Piotr explained that his intention was to see if the proposal was a good idea.
Ruediger said that he agreed with Marco Hogewoning. This kind of relationship does not need to be publicly documented for the usual purposes of the RIPE Database. If there is a need to attach to a record or a pointer to who is responsible, the IRT object is there and is not being used correctly. This proposal may create more confusion. He said that it is better to explain how to use what there is and not to increase the confusion.
Piotr said that he did not see this proposal as being the same as using an IRT object. He wanted to propose something that is controlled by the RIPE NCC and not by the End User. He considered this to be more reliable.
Kurtis suggested that this proposal is discussed further on the mailing list.
G. 2007-01 implementation survey. Discussion - Piotr Strzyzewski
Kurtis proposed that this issue is included in the next RIPE NCC survey.
Marco (XS4ALL) did not see any reason to do a specific survey. He said that there is a risk that this survey would actually be about what people think about policy proposal 2007-01. This was already surveyed in the mailing list before the implementation.
Axel acknowledged there has been feedback from the community and this is always taken into consideration.
H. Recovering resources assigned to non-existing entities
Uwe Manuel Rasmussen, Microsoft
Ruediger pointed out the importance of distinguishing between actual criminal activity on the net and the ways to fight this from the administrative procedures. It is not related to the RIPE administration processes.
Uwe agreed with this, but mentioned that this didn't lead to the entity with the real responsibility.
Ruediger stated again that the registration is not the point, and that you must get to the "box" and that this may be a botnet. The administrative data in the RIPE Database is irrelevant to this.
Uwe stated that there should be a check that organisations requesting resources actually exist before assigning to them.
Nick Hilliard (INEX) pointed out that this check is already done by the RIPE NCC. However, there is little the RIPE NCC can do if documents are fake. The RIPE NCC is not the routing police.
Uwe agreed but would still like a way to be able to challenge an assignment.
Carsten Schiefner (DENIC) commented that there is a similarity with TLDs. There is still no solution to guarantee WHOIS accuracy.
Uwe explained that he was not looking for WHOIS accuracy, but for a solution to remove the people that don't exist.
John Curran (ARIN) explained how this is done in the ARIN region. He said that ARIN does verification, but when a fraud is uncovered, ARIN does act to revoke resources. This is not related directly to the criminal activities, but due to a violation of the policy.
Uwe agreed that it is not the RIPE NCC's job to determine what is legal or not, but pointed out that allowing somebody that obtained resources to use these resources for illegal purposes leaves him outside the law. He said that he will present propositions to the mailing list to reformulate the text in RIPE Document ripe-452 to revoke resources if an organisation if found not to actually exist.
-End of session-