RIPE 66

RIPE NCC Services Working Group - Sessions I and II
Wednesday, 15 May 11:00-12:30 and 16:00-17:45

Chair: Kurtis Lindqvist
Co-Chair: Bijal Sanghani
Scribes: Antony Gollan, Laura Cobley

A. Administrative Matters

Kurtis Lindqvist, RIPE NCC Services Working Group Chair, welcomed attendees and thanked the Chairs of the Address Policy Working Group for donating their second slot to the RIPE NCC Services WG.

Kurtis pointed out that the agenda would differ greatly from the one posted on the website.

The minutes from RIPE 65 were approved.

Kurtis said that contrary to the posted agenda, Richard Hartman would present first, as he was waiting online.

B. Discussion on PDP

Richard Hartman (remote presenter, no slides uploaded)

Richard ran through the five proposals and asked for a show of hands of who had read them.

Kurtis noted that quite a few people put their hands up.

Kurtis asked if the proposals should go through the PDP, if they should be discussed on the mailing list, or if Richard should have the RIPE NCC sort them out itself.

Tore Anderson, Redpill Linpro, said he had recently made a big proposal and it would’ve helped if the authoritative format was plain text, or something easier to work with using standard tools, as opposed to something scraped off a web page. He added that if the RIPE NCC was willing to work with Richard without a formal policy proposal, this was the preferable option.

Ruediger Volk, Deutsche Telekom, said a number of the proposals addressed concerns he held and he was happy to see that. He asked what tools they had to determine consensus on the proposals, as all he could see were either completely informal tools or the PDP. He said if they were to bypass the PDP, it might be helpful if the RIPE NCC produced a document outlining how it would handle the requests, and that this could be a good starting point for further discussion.

Kurtis said this was a very good suggestion, but noted that the problem was that the format had to fit the proposers and the community.

Niall O’Reilly, University College Dublin, said he thought the proposals were very sensible, though some minor details might need to be worked out. He said that as they were about administrative operations in support of the PDP, he supported Ruediger’s suggestion that the RIPE NCC should come back with a proposal outlining how it would address the ideas in the proposal. He noted that as this would affect the PDP for all of the Working Groups, perhaps they needed a broader consensus than just the RIPE NCC Services WG.

Kurtis said that this was a fair point.

Wilfried Woeber, Univie/ACOnet, said he didn’t have any strong feelings either for or against the idea of using the PDP to write down very generic principles or expectations from the community. He said that he wanted to caution against putting technical implementation details into a policy document, beyond perhaps requiring that documents should be in plain text. He noted that naming specific software in the policy meant that it would have to be updated frequently.

Richard said that Wilfried raised a very good point and he had edited his proposals to reflect this. He said any policy should be talking about requirements and not technical solutions.

Gert Doering, speaking as Address Policy Working Group co-Chair, said that using the PDP was a heavy-handed approach. He suggested the RIPE NCC look at the problem statements and come up with a proposal to address them. He noted that this was what the Database Working Group mostly did and that this had been working well. He said that if the RIPE NCC was uncooperative, they could then use the PDP to make it implement the change, but noted that he didn’t think this would be necessary.

Brian Nisbet, HEAnet, said that while he agreed with what Kurt and Niall had said and thought most of the proposals were a good idea, he wanted to state his opposition to a new numbering system for policy proposals. He said the community already knew what they referred to and the addition of extra characters and version numbers was not required and would only add more cruft into the system.

Richard replied that Brian was coming from the point of someone who was familiar with the system and who knew their way around the PDP. Richard said it was hard for people on the fringes of the community to understand what it meant when someone told them to look up 2013-01 (for example). Richard added that if you put RIPE-PDP as a prefix into Google, you would always get the correct version, and said that if people could use a suffix to refer to a single specific version it would make it much easier to correlate certain changes to policies with discussions that were happening at the time.

Emilio Madaio, RIPE NCC Policy Development Officer, said he wanted to offer some clarification about the distinction between RIPE Policies and RIPE NCC procedures. He said that if he understood Richard correctly, he was simply suggesting the WG ask the RIPE NCC to make the PDP easier to understand. He suggested making a sub-group to outline a scope statement for Richard’s suggestion, and once the RIPE NCC had come up with a cost-benefit analysis it could present this to the WG.

Axel Pawlik, RIPE NCC Managing Director, said he thought Emilio’s suggestion was a good idea. He noted his concern with earlier speakers who had implied the RIPE NCC might not cooperate. He stated that of course the RIPE NCC would cooperate. He added that if the RIPE NCC had been silent on the issue previously, it was because it had been waiting to see what the WG thought and whether it was to be part of a formal PDP process or not.

Kurtis proposed that Emilio, Richard and others form a sub-group to come up with a proposal. He agreed with Niall that the proposal should also be sent to the other WGs. He asked if others would like to volunteer.

Ruediger volunteered, as well as one other person (unnamed).

Kurtis asked if this worked for Richard.

Richard said that it did.

C. Policy Summary of Where We Are - Kurtis Lindqvist, RIPE NCC Services Working Group Chair

The presentation is available at:
https://ripe66.ripe.net/presentations/213-ncc-services-agenda.key.pdf

There were no questions.

D. 2012-08 – Publication of Sponsoring LIR for Independent Number Resources - David Freedman, Claranet Limited

The presentation is available at:
https://ripe66.ripe.net/presentations/198-ripe66-nccswg-2012-08.pdf

Ruediger said that he was still opposed to the proposal. He said he was sure the RIPE NCC knew who the sponsoring LIR was.

Dave said that he would also like to know who the sponsoring LIR was.

Ruediger said the RIPE Registry was not there for people who were simply curious. He said publishing information without a clear purpose invited others to abuse that information for some purpose they might mistakenly think it was provided for. He said it was fine for knowledge of the contractual relationship to rest with the End User and the sponsoring LIR, and for the RIPE NCC to know about it.

Dave replied that there was already data in the RIPE Registry that had the potential for abuse.

Ruediger asked if this meant they needed to add more.

Dave said they needed the registry to be accurate. He said that they had started the process of collecting data and that this data had an impact not just on the resource holder, but on anybody that dealt with that resource in the future. He said that he felt this should be documented in the registry.

Ruediger said the resource holder should be in the registry with all of the relevant contractual information. He said that the sponsoring LIR was just some legal relation that did not mean anything about the resource or the End User.

Kurtis said there were objects in the RIPE Database where this was not true and there was data in there that he was highly doubtful was correct. He said in those cases he would like to know who the sponsoring LIR was that allowed that to go through.

Ruediger replied that this was the job of the RIPE NCC and not some random person. Ruediger said in these cases someone could send a letter to the RIPE NCC.

Dave said he was not suggesting that they do the job of the RIPE NCC. He noted that the Impact Analysis said it would expose a number of objects where the sponsoring LIR had not been identified. He said he wasn’t suggesting they do anything about that, but said this highlighted that if the RIPE NCC couldn’t get in contact with these people then maybe individuals were best placed to do that.

Sasha Luck, speaking for himself, said that he agreed with Ruediger. He added that publishing the sponsoring LIR in the RIPE Database created the perception of a responsibility for the resource that did not actually exist. He said that the policy so far had been that the LIR did the paperwork and handled contracts for the RIPE NCC.

Dave replied that the services agreement between the sponsoring LIR and the End User did actually come with some responsibility.

Sasha replied that this responsibility was only for the correctness of the information, not for the content or the behaviour.

Dave agreed that this was correct, and asked what should be done if the correctness of the information was in dispute.

Sasha said this was the RIPE NCC’s job.

Dave said that this wasn’t the General Meeting, and that he’d like Sasha to raise that point there if he felt that way.

Eric Bais, A2B Internet, said that as a sponsoring LIR for a lot of PI space, he received a lot of abuse messages just because people saw some kind of connection in the RIPE Database, and that was where his concerns lay. He said that the LIR was not responsible for anything the resource did, and that there were already policies in place with the RIPE NCC to fix that.

Dave agreed, but said he thought it was important that LIRs ensured the registration data was correct. He said if a netizen was unable to contact an End User, they had to go to the sponsoring LIR, as it was their job to ensure this information was correct.

Eric replied that it was not the place to list the sponsoring LIR in database objects. He said correct information was something LIRs needed in order to get the contracts in place, which involved the RIPE NCC and the LIR working together to ensure everything was correct. He added that there were negative side effects of publishing the relationship (though he didn’t want to get into publicly explaining how this information could be abused) and he was against the proposal for that reason.

Tore said he saw a potential connection with RPKI certification for PI space. He said if he saw something strange in his routes with the certification of a PI resource, he would like to be able to get in touch with the organisation that had the contractual relationship with the End User. He added that as he understood it, the RIPE NCC would not certify any PI resource that did not fulfil the contractual requirements from 2007-01. He said in those cases he would like to have this information so he could trace the trust chain to the end.

Kurtis said he thought that was an interesting point to keep in mind for one of the later discussions on updating the legacy holder with contact information as well. He said they could come back to that.

Andrea Cima, RIPE NCC Registration Services Manager, noted the earlier point that the Impact Analysis had indicated there were independent resources without a sponsoring LIR. He said he wanted to provide some more information about this. He said that the RIPE NCC was dealing with 35,000 independent resources, some of which were assigned 20 years ago. He said they had gone through 25,000 of those and there were fewer than 10,000 remaining. He noted that there was a process in which the End User was given six months to find a sponsoring LIR before the resources were deregistered. Andrea noted that sometimes it was very difficult to get in contact with the resource holders, and before deregistering the resources the RIPE NCC wanted to make sure they were not in use. He added that the RIPE NCC had to do a lot of searching to make sure it didn’t harm anyone. He also noted that sometimes an LIR and an End User cancelled a contract, in which case they had three months to look for a new sponsoring LIR.

Dave thanked Andrea and said the effort the RIPE NCC had already gone to sounded commendable.

Kurtis said he thought this had been a good discussion. He noted that people had one week left to comment on the mailing list and that he had seen only two emails since the Impact Analysis had been posted. He encouraged everyone to take part.

E. Introduction to 2012-07, 2013-04 and RPKI for PI - Randy Bush, IIJ and Axel Pawlik, RIPE NCC Managing Director

The presentation is available at:
https://ripe66.ripe.net/presentations/208-130515.pi-legacy-intro.pdf

There were no questions.

F. Services for Legacy Resource Holders (2012-07) - Niall O’Reilly, University College London

The presentation is available at:
https://ripe66.ripe.net/presentations/199-Services-for-Legacy-66.pdf

Wilfried Woeber, Univie/ACOnet, thanked Niall for his work. He said they should all move ahead with the policy as soon as possible because they had more pressing needs. He said any corner cases could be dealt with later. He said the proposal had his full support and thanked everyone involved for their efforts.

Kurtis asked if there would be new text coming, as the review phase hadn’t yet ended.

Niall said he expected there would be a new version four of the text.

Kurtis asked if they wanted to wait for the current period to end and seek additional comments before working on the new text.

Niall said he thought they would start on the homework sooner rather than later.

Randy Bush, IIJ, said the RIPE NCC had brought their legal counsel to the meeting with legacy holders the day before. He said they were working on the legacy agreement and the legacy policy. Randy said he thought this should also be published and discussed. He said he didn’t care if it was published as part of the document or published separately.

Wilfried said he wanted to speed up the process as much as possible. He asked if it was worth removing references to certification from the upcoming version four.

Randy replied that these references weren’t there.

Wilfried said that it was listed as one of the services provided by the RIPE NCC. He said he didn’t have a problem with that, but he was asking if it would speed up the process to remove certification from the legacy proposal and deal with it on a more general basis as discussed in Randy’s slides.

Randy said that the intent of the proposal was to say that legacy holders would get all services, and the same would hold true for PI holders. He said the discussion was Eric’s for certification becoming a service. He gave the example that the RIPE NCC might choose to offer espresso as a service.

Kurtis thanked Niall and moved onto the next presentation.

G. RIPE NCC Services to PI Resource Holders - Randy Bush, IIJ

The presentation is available at:
https://ripe66.ripe.net/presentations/206-130515.pi-space.pdf

Jan Zorz, Go6 Institute, said that as a PI holder of IPv4 and IPv6 resources, and running RPKI on his router that announced these resources, he preferred the option where PI holders who were not members would stay under an LIR.

Randy pointed out that the options in the proposal were not exclusive.

Jan said in that case he was grateful for the option and that he was glad that PI holders such as himself could sign their resources.

Gert Doering, Address Policy Working Group Chair, said he liked the proposal and that they would deal reasonably with the edge cases.

There were no further comments.

Kurt said they would wait for the text and would go from there.

H. 2013-04, Resource Certification for non-RIPE NCC Members - Eric Bais, A2B Internet

The presentation is available at:
https://ripe66.ripe.net/presentations/173-2013-04_ripe66.pdf

Sasha Luck, speaking for himself, said he objected to the whole concept of RPKI. He said every objection he had to the RPKI PA Policy applied to this policy as well.

Ruediger Volk, Deutsche Telekom, said it was pretty clear that they wanted and needed the possibility for every well recognised resource holder to get certificates. He said he thought they would do better in the policy to state things in general terms rather than saying “non-members.” Ruediger referred to Randy’s earlier statement that the devil was in the details, and said that one of the particular devils he had seen in one of the texts he read mandated the RIPE NCC to create certificates for AFRINIC resources that were used in Europe. Ruediger said that this would not work very well. Ruediger said the important thing was to get certificates for everything that was well recognised. He added that the particulars, such as the contractual relations and how identities are checked, needed to be worked on, but that he thought they needed a policy that talked in general terms about the ability to issue certificates for resources managed by the RIPE NCC in its domain. Ruediger said that the really tricky details should not be included in the policy and that they should work with the RIPE NCC to answer those questions.

Kurtis asked if that meant he wanted the RIPE NCC to begin an analysis independent of the proposal.

Ruediger replied that he did, unless the general position was that they did not want RPKI at all, which was something he said he would certainly object to. He noted that it was embarrassing at the last IETF meeting when the networking team couldn’t certify IETF networking space because it was RIPE NCC PI space.

Gert said the fact that they had two kinds of IP addresses was a historic accident. He noted that this distinction was lost when the address space showed up in the routing table. He said this meant that if they did RPKI for PA address space they would need to do it for PI as well. He added that whether they needed RPKI was a different matter. He said Alex Band from the RIPE NCC had already shared most of the tricky details in the RIPE NCC Services WG mailing list in a proposal that would deal with them. Gert finished by saying that he supported the proposal.

Sasha spoke in response to Ruediger. He said that there had been a proposal for RPKI for PI previously and it had failed spectacularly. He said he wondered why it was coming back now.

Randy pointed out that Gert hadn’t mentioned legacy space when he made his distinction between PI/PA space.

Gert replied that any sort of prefixes that could be brought under the RIPE NCC jurisdiction should have the same treatment as far as RPKI goes.

Randy said they were in agreement on that point.

Randy responded to Sasha’s earlier point about RPKI. Randy said he wanted to point out that ISIS was a layer two protocol and only reachable on the link, whereas OSPF was attackable from anywhere in the Internet. He said that was very dangerous, and suggested they ask the IETF to deprecate OSPF and remove it.

Randy noted that he had presented at a previous RIPE Meeting where he had pointed out some of the dangers associated with ROAs, specifically so network operators could make an intelligent decision. He added that it was his choice to use RPKI on his network or not. He said it was his network and that other people shouldn’t tell him how to run it. He said he wasn’t worried about the threats associated with RPKI, and pointed out that when those with power wanted to take down a network, they would be able to do so. He noted that 7,000 domains had been taken down the week before, and he referenced Megaupload. He said the real threat was fearmongers who wanted to remove a tool from his toolbox that could protect his network.

Ruediger noted that in the previous week someone had hijacked his address space and he had received an incident message from BGPmon that said a ROA would have prevented the hijack from happening.

Randy said that hijacks happened every day but misuse of ROAs had yet to happen, though he added that they would happen one day. He pointed out that he preferred the term “mis-origination” because he didn’t know if it was malicious.

Kurtis turned the conversation back to Eric’s proposal. He noted that the upcoming proposal to remove the distinction between PA and PI address space would affect the outcome of the proposal.

Eric said it basically provided a way for other resource holders, like the IETF, to participate in the system. He agreed with Kurtis’s point and said that if the distinction between PA and PI was removed, they would have to look at the whole discussion again.

Niall said he didn’t want to say anything about Eric’s proposal because the proper place was on the mailing list and encouraged others to go there too.

Kurtis said that this was a good idea. He encouraged everyone to take all their comments on the proposals to the mailing list and noted that it couldn’t hurt to gather some more views.

Kurtis closed the session.

-----------------------

Session II - Wednesday, 15 May

J. RIPE NCC Survey 2013 - Serge Radovcic, RIPE NCC (and Desiree Miloshevic)

The presentation is available at:
https://ripe66.ripe.net/presentations/239-survey-Serge-NCC.pdf

There were no questions regarding the survey.

I. Report from RIPE NCC - Axel Pawlik, RIPE NCC

The presentation is available at:
https://ripe66.ripe.net/presentations/249-Report_from_RIPE_NCC_RIPE66.pdf

There were no questions for Axel.

K. Internet Governance Update - Paul Rendek, RIPE NCC

The presentation is available at:
https://ripe66.ripe.net/presentations/234-ER-RIPE66-Services-_Paul_Rendek.pdf

There were no questions for Paul.

L. Operational Activities and Updates - Andrew de la Haye, RIPE NCC

The presentation is available at:
https://ripe66.ripe.net/presentations/238-Operational_Activities_and_Developments_-_RIPE_66.pdf

Mirjam Kuhne (RIPE NCC) highlighted RIPE NCC Roadmaps, where planned updates to RIPE NCC Services are outlined.

There were no questions for Andrew.

M. Open Microphone Session

Z. AOB

No additional points were raised.

The session concluded at 17:25.