RIPE 50 Plenary Minutes
1. List of presentations
Monday, 2 May 2005
- AS Numbers Missing in Action - A comparison of RIR statistics with RIS
observations
- Quality of Service Measurement in IPv6, Issues and Solutions
- How to set an Internet2 Land Speed Record
- Report from the National Academy of Sciences: "Signposts in Cyberspace:
The Domain Name System and Internet Navigation"
- DSL deployment in Sweden
- An IP Management system
Tuesday, 3 May 2005
- Anycast and BGP stability - A close look at DNSMON data
- NTP from the IX
- DDoS Detection & Mitigation Experience using Arbor/Peakflow & Cisco/Guard
- Watch your Flows with NfSen and NFDUMP
- SP DOS/Worm Incident Response Methodology: Detection, Analysis, Traceback
& Mitigation Techniques
- BGP Convergence: Characterization and Optimization
- OpenBGPd
- Current status of multicast IP
- IPv6 routing table status
Wednesday, 4 May 2005
- From IPv6 Networks to Large Scale Development
- Operational Considerations of Mobile Networks at 10.000 Meters
- UK Network Operators’ Forum
- Aggregation ? – Effect of business practices on the Internet
today
- BGP Flap Dumping
- INOC-DBA Hotline Phone System
- DNSSEC Deployment Panel: An informal Discussion about DNSSEC Myth
and Facts
- Updates from the other RIRs
- Global Policy Update
- NRO Statistics Update
- RIPE NCC Number Update
- Report from the ARIN XV IPv6 Roundtable
- A Commentary on the ITU-T Proposal for National Address
Registries for IPv6
- Auto-Detecting Hijacked Prefixes
- Consumer Broadband: Performance in the ‘Last Mile’
- Monitoring High-Speed Networks Using ntop
Friday, 6 May 2005
- Report from ICANN ASO Address Council / NRO Number Council
- Comments on RIPE Policy Development Process Proposal
- Open Microphone
2. Plenary Minutes: Monday, 2 May 2005
Meeting commenced at 14:00.
Rob Blokzijl, RIPE Chair, welcomed the attendees.
He noted the different structure to this RIPE Meeting, with most presentations
appearing in one stream in what was formerly the European Operators’ Forum
(EOF).
Rob noted that at the closing Plenary on Friday, there would be a chance to
discuss the Policy Development Process (PDP) and evaluate how the new structure
for RIPE Meetings worked at RIPE 50.
Presentation: AS Numbers Missing in Action - A Comparison of RIR Statistics
With RIS Observations
Speaker: Rene Wilhelm, RIPE NCC.
This presentation is available at:
http://www.ripe.net/ripe/meetings/ripe-50/presentations/ripe50-plenary-mon-asmia.pdf
Comment: Geoff Huston noted that the Regional Internet Registry (RIR) statistics
files do not show the same thing in each region. He noted that in APNIC the
statistics file shows what has been assigned to the National Internet Registries
(NIRs). It was added that this leads to a two-step allocation process so the
dates differ somewhat from the RIPE NCC region.
Geoff noted that his work is parallel to the content of this presentation.
He noted that he had made similar observations, and that he’d noticed
5% of Autonomous Systems (ASes) disappearing each year. He added that the allocation
rate of new ASes was around 12 – 15 ASes per day over the last three months.
He noted that the growth model is increasing and is not linear. He added that
in a linear model, we could run out of ASes in 2014. He noted that if the allocation
rate keeps growing, then ASes may run out by September 2010. He noted that with
2010 as a possible date of AS exhaustion, the Internet community should start
doing something before September 2006, otherwise there will be problems.
Comment: If the Internet community does not have confidence in the vendors
and the standards bodies, they could develop alternate plan Bs.
Question: How many people have asked their vendor
for a 4 byte AS?
Two people said they had asked their vendor for a 4 byte AS.
Presentation: Quality of Service Measurement in IPv6, Issues and Solutions
Speaker: Alessandro Bassi, Hitachi
This presentation is available at:
http://www.ripe.net/ripe/meetings/ripe-50/presentations/ripe50-plenary-mond-ipv6-qos.pdf.pdf
Presentation: How to Set an Internet2 Land Speed Record
Speaker: Anders Magnusson, Lulea Tekniska Universiteit
Presentation: Report from the National Academy of Sciences: "Signposts
in Cyberspace: The Domain Name System and Internet Navigation"
Speaker: Patrik Fältström, Cisco
This presentation is available at:
http://www.ripe.net/ripe/meetings/ripe-50/presentations/ripe50-plenary-mond-signposts-cyberspace.pdf.pdf
Question: What is a base root name server? They are
all equal. There are no such things as “base.”
Answer: You have one source from where you run and operate these root servers.
The “base” refers to where this and the staff of the main operation
is located.
Question: Is there any intention to apply the DNS
Moda recommendations to TLD root servers?
Answer: We can discuss this during the DNS Working Group. But my work here
is to talk about what is in the report from the National Academy of Sciences
and not extrapolate.
Question: DNSSEC needs to be there, all the way through
to the resolver. Why have you drawn the line at the root zone and Top Level
Domains (TLDs)?
Answer: Deployment closer to the leaf in the tree seems to be working better,
but deployment near the root seems to be stalling. So we must push for DNSSEC
at the root.
Presentation: DSL Deployment in Sweden
Speaker: Mikael Lind, TeliaSonera
This presentation is available at:
http://www.ripe.net/ripe/meetings/ripe-50/presentations/ripe50-plenary-mond-dsl-sweden.pdf
Question: What’s the extent of the movement
across to Ethernet?
Answer: This depends on the network topology.
Question: Was the movement away from ATM to Ethernet
a redesign?
Answer: This was a big change, involving changing the physical infrastructure
of lease lines.
Presentation: An IP Management System
Speaker: Tobias Cremer, Cable and Wireless
This presentation is available at:
http://www.ripe.net/ripe/meetings/ripe-50/presentations/ripe50-plenary-mon-ip-management.pdf
Question: Why have you built this route onto the
existing RIPE functionality? Was this for cost-effectiveness or because existing
system was not good enough?
Answer: Most IP address management software is not cheap. The main point was
to have a defined interface to the RIPE software. We wanted to avoid another
process and interface where we’d have to submit our inetnums
to the RIPE Database and by using RIPE Database software we can avoid this.
3. Tuesday, 3 May 2005
Presentation: Anycast and BGP stability - A close look at DNSMON data
Speaker: Daniel Karrenberg, RIPE NCC
This presentation is available at:
http://www.ripe.net/ripe/meetings/ripe-50/presentations/ripe50-plenary-tue-anycast.pdf
Presentation: NTP from the IX
Speaker: Peter Lothberg, STUPI
This presentation is available at:
http://www.ripe.net/ripe/meetings/ripe-50/presentations/ripe50-plenary-tue-clocks.pdf
Question: Regarding slide 61 ("Time distribution
node"), why do you want to steer the things that give you frequency? Why
do they want to have the correct time as well?
Answer: You don't want to touch the clocks. You want to do the steering afterwards.
You just let them free run and compare them later with national standards. This
way, you have historical data of the clocks and you can make predictions for
the future. The blue clocks that provide time for SONET are steered based upon
that data, but their timing information isn't used for time calculation, they
just provide time. The NTP server is provided with the current clock offset
using a SSL connection from the control box so if a clock fails, it is easy
to switch over.
Question: Who is covering the cost for all this?
Answer: Basic timekeeping for the nation of Sweden is covered by the government
of Sweden. They own the National Standards Institute and thus are covering the
costs for the people that keep the national timescale. Hardware to distribute
time to Internet users is paid for by the Netnod customers. Operating of measuring
time is paid for by PTS. So either it's the user who is using it or the government
who covers the bill.
Question: This is an important resource, a public
service that is UDP based. What about DoS countermeasures?
Answer: An NTP server is so fast that the network is practically limiting DoS
possibilities.
Presentation: DDoS Detection and Mitigation Experience using Arbor/Peakflow
and Cisco/Guard
Speaker: Christian Panigl ACONET, Vienna University
This presentation is available at:
http://www.ripe.net/ripe/meetings/ripe-50/presentations/ripe50-plenary-tue-ddos.pdf
Question: Have you already seen IPv6 services being
attacked?
Answer: The problem is that host products are currently not IPv6 ready.
Question: This is what I understand, that these products
cannot deal with IPv6 right now and I'm more wondering how big a problem IPv6
denial of services attacks are for your network. We have seen some attacks and
they have not been a big problem yet, but we are much smaller and have no big
problem with IPv4 attacks either.
Answer: Well, the IPv6 network is kind of a pilot project. It's not in full
production. We are not running at full stake yet. We have a dedicated IPv6 router,
so in case a denial of service attack would hit us, it would hit us very soon
because this dedicated IPv6 router is not really a core device. If we had an
attack we would see it soon.
Question: So it’s not your core router?
Answer: I am afraid that the IPv6 router would be the first to fall over before
any customer server can be hit by those attacks. But we haven't seen any of
these attacks yet.
Question: Are you charging your customers for using
this service or do you give it out for free?
Answer: No, we have implemented these things to get a better sleep at night.
So, we are not charging anything extra.
Question: Are you also offering a new service where
customers can look at their existing networks and achieve what kind of traffic
attacks and so on are going on there?
Answer: Well, we plan to have this. We are investigating whether these tools
we are currently using are the right ones to offer this. But if we have a chance
to offer this to our customers, then they will get it for free. There will be
no additional charge.
Presentation: Watch Your Flows with NfSen and NFDUMP
Speaker: Peter Haag, SWITCH
This presentation is available at:
http://www.ripe.net/ripe/meetings/ripe-50/presentations/ripe50-plenary-tue-nfsen-nfdump.pdf
Question: You said you're getting 20 gigabytes of
raw flow into your system?
Answer: Yes.
Question: And as far as I've gathered, you're using
normal flat files to store all the data?
Answer: Yes.
Question: You're using flat files for every five-minute
flat files?
Answer: Yes.
Question: The pictures look suspiciously like RD2
files. Are these correct?
Answer: It is our Dtool as our backend. Everything is based on standard compliance.
It’s RD, It's Perl, it’s PHP.
Question: You had very nice graphs and you could
view the TCP, UDP, ICMP and the other traffic. What’s the other traffic?
Answer: These could be some tunnels, IPv6 tunnels, and all the other protocols
assigned which are transported through the network.
Question: I always wanted to have clickable maps
on our e-graphs. Did you do that yourself?
Answer: Yes.
Question: Did you try other flowtools software?
Answer: We started with Archis in our very first days, but it turned out to
be too CPU intensive. I also tried flow tools because they are very popular
and very commonly used. But flow tools have very cumbersome filtering software
for my taste, so I decided to go for my own software.
Question: Are there any tools to advise on the purity
of the data? And maybe any system that allows the seconds collector working
on external storage to work with the tools. Because if you have a DNS service
attack you can lose the data, which your tools could analyse. Can you work with
multiple collectors?
Answer: Yes, you can. The security of the data is what netflow exports as data.
Question: Are you detecting anything and could your
system send an alert if you lose packets between the router and netflow?
Answer: No. Indeed, the information exists, but we do not use it so far. So
you don't see if you lose data so far. It could be implemented, but we don't
do that.
Comment: The problem is not only losing the UDP package, the problem is that
if you have a really high amount of flows. The problem is that the router itself
will not report all the flows. So having two collectors is nice but it's not
a guarantee that you will see everything.
Presentation: SP DOS/Worm Incident Response Methodology: Detection,
Analysis, Traceback & Mitigation Techniques
Speaker: Danny McPherson, Arbor Networks
This presentation is available at:
http://www.ripe.net/ripe/meetings/ripe-50/presentations/ripe50-plenary-tue-attack-fingerprint.pdf
Question: How many of the audience think that Danny
is exaggerating the problem as it is his business?
No one from the audience raised their hand.
Question: Do you think that these solutions will
scale or is it at such a point that we continually fall further behind and have
to look at different approach?
Answer: Yes. I think that the scale we see today indicates exactly that. The
response mechanisms today are not made as such that you can effectively scale
mitigation or response mechanisms to these attacks. So host security is the
big issue there. In short, I understand what you are saying.
Comment: It's more the disturbance caused by this which worries me a lot, because
if that's really the case, then end-to-end transport packets doesn't work anymore.
And you actually have to look at creating networks which have application gateways
all over them to try and create real barriers. If this doesn't scale, or won't
scale, the way we're doing it, then the architecture is at risk.
Comment: I have a comment on how the ISPs need to work together and the awareness
thing. I have been receiving complaints to abuse desks, with responses like
"due to data protection laws, we are not permitted to store any records
about our customers, we have no idea who used this IP address. Thank you for
your report, but we are not going to do anything." This is what worries
me because I see there are bots within their network scanning our networks again
and again, just hiding behind protection laws. Because if you do it in real
time you can see who is online with them and kick them out. But they are just
hiding away from the work.
Comment: The whole idea of a promiscuous Internet doesn't work unless ISPs
work a lot harder than actually anybody is actually capable of doing. I worry
about e-mail and the stuff you've been talking about has an impact on e-mail.
E-mail can't just go on as it is and it's not quite clear when people are going
to get that message and accept that e-mail is a different thing. I worry about
this. My question is this: I'm not quite clear why people are distinguishing
between the various classes of bad things. For instance, I don't understand
why on some days of the week, things are caught by anti-virus software and the
next day things are not caught because that’s spyware. Does anyone understand
that?
Comment: Marketing. It’s only about money.
Question: People are bashing the core networks and
I think that the problem is further out. Do you see any reaction from the people
who produce the code that is susceptible to these entries, operating system
vendors, and software system vendors? How do they react to this? When you try
to bring the problem forward to them – do you see any activity? Because,
I don’t, so I was wondering if you see anything behind the scenes.
Answer: I think it’s hardly a host issue and a host security issue, but
it becomes a network issue. What evolves from that is that you get a market
for selling core products to protect the vulnerable products. Probably not the
answer you wanted, but the fact is “you’re vulnerable, buy this
firewall from me and you’ll be less vulnerable etc.” But if the
vulnerabilities weren’t there in the first place, it wouldn’t be
an issue. But that’s not going away anytime soon. I don’t know if
anyone else in the room has an answer to that.
Comment: So, we will eventually reach a “balance of terror” when
the cost of actually running your home computer by having to buy new software
and new modules to it will actually take out the practical use you have of it
by obtaining information and communicating with your friends and colleagues.
Comment: I was talking to some lawyers a month ago and I asked them, “In
your country, if you leave your car outside, unlocked with the key in the ignition,
or running, and if someone takes that car out and hits someone and kills them,
are you going to end up in court?” Every one of them replied yes, you
would end up in court.” And most of them said you’d probably get
convicted of something that’s on the books. And then I asked them, well
if you do the same thing with your computer. If you leave it there with the
“engine” running and the “keys” outside, is it likely
that within my lifetime that this will be on the books as a criminal offence
or at least as something where I can bring civil charges? And each and every
one of them said no. That’s the current situation. And before this pushing
is applied obviously there is no incentive for anyone – either the people
who operate their home computers or the people who produce the bad software
– to do anything about it.
Question: Yes, but which way is it heading? Are they
going to remove the stuff from the computer situation or add it to the car situation?
Comment: They said that maybe in my lifetime they will add the stuff to the
computer situation, but they all said “not in my lifetime”. I see
the supporting trend seeing more intelligence in the network and see firewalls
more as evil things because they take away the Internet as I like it. I think
we will have to realise that we will lose the Internet as we know it unless
we fix the end system problem.
Comment: But what you will see instead is a layered network where we will communicate
over tunnels and more tunnels…
Answer: I already do that!
Comment: I just have one comment as to the reason why some of the operators
don’t do anything about complaints. From my point of view I think it’s
partly related to the sales model that some of those ISPs have. As soon as they
have quite a few answers, acted and been used as DDOS agents, they are making
more money – if they have a volume-oriented charge model. That’s
one of these things. And the other issue is more within the framework of “what
is the value of privacy as opposed to the traceability and stability of the
Internet?” I read an interesting paper about what should be in a Whois
database in 2005 onwards and one of the things that I started to think about
is that we should maybe treat an assignment of an IP address space in a somewhat
similar way to getting a delegation for a DNS domain. You are not only getting
the permission and the privilege to use resources, but you are also getting
the responsibility of using it carefully and of using it within a set of reasonable
framework rules. And if you don’t do that, and if you don’t want
to do that, you are probably not in a position to receive and IP address assignment.
And in this situation, maybe the IP address assignment should stay with your
upstream or whatever organisation you are getting your IP addresses from. Because
then you have the chance to get out of that vicious circle of “I am the
ISP and I can’t do anything about it because the user is the user of the
IP address and you are not supposed to talk to the End User because of privacy
issues.” If we are able to break that vicious circle, then the ISP maintains
responsibility for the user of the address space. So, we might be able actually
improve the situation a little bit or to be able to stop this downturn of the
culture in the Internet.
Question: Is there “background chatter”
across the Internet now of viruses that have mostly been patched, but that continue
to propagate back and forth between machines that still haven’t been patched
from five-year old viruses? Is there any sense of what percentage of the Internet
traffic is junk, i.e. old worms and viruses exchanging between machines and
being passed around?
Answer: Some of the research that I have from the University of Michigan shows
that we still see 100 unique codes per day that are code red infected. So in
short, yes. That happens and there is a lot of garbage out there.
Comment: I can confirm that from the viewpoint of Switch. We see that we get
a lot of probes from very old viruses.
Presentation: BGP Convergence: Characterization and Optimization
Speaker: Clarence Filsfils, Cisco
This presentation is available at:
http://www.ripe.net/ripe/meetings/ripe-50/presentations/ripe50-plenary-tue-bgp-convergence.pdf
Presentation: OpenBGPd
Speaker: Henning Brauer, OpenBSD
Question: Is there support for IPV6 and VPN etc.?
Answer: Currently there is partial IPv6 support. We can do IPv6 transport but
we cannot transport IPv6 routes yet. This will probably be solved soon. We don’t
have special VPN networks. If you can specify what you need it will probably
be fairly easy to add.
Question: Is multicast available?
Answer: Only unicast is available right now. We haven’t found anybody
that needs anything else yet. If there is demand, we will probably write it.
Question: The always compare ‘med’ option
is missing. Is this planned?
Answer: If there’s demand, we can add it
Question: When will you document the CARP protocol?
Answer: There is no RFC style document that describes this protocol.
Question: Have you considered cost?
Answer: We’re currently considering something like local rate but we’re
not very satisfied with that.
Question: Does BGP need BSD?
Answer: All BGP runs on free BSD and net BSD.
Question: Do you see portability as an important
issue or are you more interested in implementing the new prime properties that
you find in your own environment?
Answer: Portability is a secondary goal. We write portable code where possible.
The closer we get to the kernel the less portable it gets. If there was an interface
like the kernel routing socket that worked on all UNIX operating systems that
would be great!
Question: What are your plans to support four-byte
AS fields?
Answer: No plans for it. Do we need it?
Comment: Yes! We need to get ourselves all the way there by 2010-11. There’s
a lot of infrastructure that needs to change. Right now most of the main BGP
vendors seem to be saying that they will only do this if the customers demand
it. This doesn’t seem to be a good way to do this transition. The earlier
we can get some implementations to test and understand the transitional issues
the better it will be. It would be good to see that support in this implementation.
Answer: I don’t have a specific problem adding that support. First we
have been solving our own problems, e.g. replacing zebra box. Now we’re
trying to take feedback from our users and add the things they request.
Question: How well suited is this software as a route
server?
Answer: It’s very well suited, and is used for this on a number of sites.
Question: Is it possible to hide the own AS?
Answer: Yes
Question: Have you implemented flat statistics?
Answer: No. We looked into that and it’s really hard to do. We realised
this is more a technique to preserve CPU time on some routers that tend to have
too little CPUs. This is not a real-world problem.
Question: Even if you’re not damping it would
be interesting to get statistics on what is going on and what you are receiving
from your neighbours.
Answer: You can always dump to MRT tables and analyse this later. We don’t
have explicit statistics for that.
Question: L3VPN NLR types are missing. Is this planned?
Answer: Tell me how this works, and we can see.
Presentation: Current Status of Multicast IP
Speaker: Greg Shepard – CISCO
This presentation is available at:
http://www.ripe.net/ripe/meetings/ripe-50/presentations/ripe50-plenary-tue-multicast.pdf
Question: Regarding the different approaches shown
to multicast IP by Service Providers as opposed to content owners, it would
seem the latter want multicast, but cannot get it. How can content owners get
around this, in view of their reluctance to actually pay for the service?
Answer: There are some examples of how the business has worked in Asia. In
Europe and the US, there is a demand for ‘flat rate’ IP. The only
way to make this a reality would be to bring pressure on the IETF and hardware
vendors. The main opposition to this approach tends to come from router manufacturers.
Question: How many users might be needed to make
multicast financially viable?
Answer: This would be down to each individual customer. Each would take a view
of the content/license model they use. Content owners tend to want to look at
who their audience is rather than the size of audience. If content is better
targeted to the audience, as it is with Internet2, it will succeed.
Question: For four years a certain upstream provider
has failed to consistently provide multicast capacity. Over time, with staff
changes, the technical know-how to operate these streams vanished. Is it worth
putting pressure on your own upstream provider to demand multicast ability?
Answer: Tunneling would be a way around this problem.
Question: Is there is a way to tell exactly how many
viewers are connected at any given time?
Answer: Many of the existing ways tended to generate too much traffic on the
network. It remains an application problem, though there are currently Internet
Drafts out for discussion that will address this.
Presentation: IPv6 Routing Table Status
Speaker: Gert Doering – SpaceNet
This presentation is available at:
http://www.ripe.net/ripe/meetings/ripe-50/presentations/ripe50-plenary-tue-ipv6-routing.pdf
4) Wednesday, 4 May 2005
Presentation: From IPv6 Networks to Large Scale Development
Speaker: Bernard Tuy, Renater
This presentation is available as part of the presentation at:
http://www.ripe.net/ripe/meetings/ripe-50/presentations/ripe50-plenary-wed-6net.pdf
Question: Why are you not using MSDP?
Answer: The MSDP implementation for IPv4 brings a lot of problems. In fact,
it was developed just to cover immediate needs at the time it was designed,
so we decided to build our implementation from scratch.
Question: Embedded RP is an interesting solution.
Was it a part of the business model from the beginning?
Answer: At the beginning we were more interested
in a development of new protocols, not a business model. But later it became
a part of it. We are still not sure of the consequences of such a model.
Presentation: Operational Considerations of Mobile Networks at 10.000
Meters
Speaker: Brian Skeen, Connexion by Boeing
Question: Are there restrictions on traffic within
the onboard network?
Answer: Yes, we block any direct communications between nodes in the network.
There are security and other concerns.
Presentation: UK Network Operators’ Forum
Speaker: Keith Mitchell, UK Internet Forum
This presentation is available at:
http://www.ripe.net/ripe/meetings/ripe-50/presentations/ripe50-plenary-wed-uknet-announcement.pdf
Presentation: Aggregation ? – Effect of business practices on
the Internet today
Speaker: Philip Smith, Cisco
This presentation is available at:
http://www.ripe.net/ripe/meetings/ripe-50/presentations/ripe50-plenary-wed-aggregation.pdf
Comment: Potential savings after proper aggregation of IPv4 space is nothing
compared to the couple of thousands records of IPv6.
Comment: This is not quite the case.
Question: What do you mean by "different ways
to do multi-homing?"
Answer: It's basically when a customer wants to be multi-homed and has a lack
of hardware to implement it and tries to find a compromise that will work as
a solution.
Comment: You are right that there is a big educational problem, but there is
also another big problem: after 10 years, there are no vendors who supply out-of-the-box
solutions with default configuration using classless notation.
Presentation: BGP Flap Dumping
Speaker: Philip Smith, Cisco
This presentation is available at:
http://www.ripe.net/ripe/meetings/ripe-50/presentations/ripe50-plenary-wed-flap-damping.pdf
Presentation: INOC-DBA Hotline Phone System
Speaker: Gaurab Raj Upadhaya, Packet Clearing House
This presentation is available at:
http://www.ripe.net/ripe/meetings/ripe-50/presentations/ripe50-plenary-wed-inoc-dba.pdf
Question: Are you planning to provide solution for
conferencing?
Answer: There is a problem with user authentication, and there is not enough
demand for it.
Comment: You could provide it for authorised users only.
Question: Have you considered encrypted communication?
Answer: Yes and no. This depends on the phone model and should be done by the
phone.
DNSSEC Deployment Panel: An informal Discussion about DNSSEC Myth and
Facts
Chair: Jaap Akkerhuis
Panel: Ed Lewis, Jakob Schlyter, Olaf Kolkman, Peter Koch, Geoff Sisson
Question: Signing zones is costly and will not be
done in the absence of validating clients. Is this a myth or fact?
Answer: When done incorrectly, signing is costly. When done efficiently, it
is not costly. Timewise, it is relatively cheap. The hardware is also relatively
cheap. The distribution of a signed zone might be a problem, depending on the
zone size.
Comment: You also need operational procedures: you need the trained staff and
software to do this.
Question: Why would I sign a zone in the absence
of the validating clients?
Answer: You might sign your zone to get it done with your current deployment
plan. You won't get people to deploy validating clients without the existence
of something to validate. So it's a chicken and egg problem.
Question: How much time does it take to sign the
.se zone, and what kind of hardware do you use for this?
Answer: For a whole zone it takes about five minutes on 2GHz CPU box. For incremental
updates, it takes just a couple of seconds.
Question: Do you require certified hardware to sign?
Answer: No, we do not require it.
Comment: It might not be costly to sign a zone for the first time, but the
maintenance and relationships with the children’s zones that you will
need to have might be costly.
Comment: Costs are relative. You may see your insurance cost in a different
light after your neighbour’s house has burnt down.
Comment: Once two or three registries start to do this we might get together
and document our procedures, so others could use it. This is to lower the costs.
Question: Would DNSSEC have protected against the
recent spoofing attacks?
Answer: There might be different types of attacks, and DNSSEC might be protected
from some of them. It would be protected from the cache poisoning. On some other
attacks, DNSSEC won't help.
Comment: There are different reasons for cache poisoning to appear: one of
them is bugs in the software, and this is the thing that is always possible.
So I would say that the poisoning problem will stay.
Comment: It would help if you use security-aware software that makes intelligent
decisions based on the validation flag or just warns the user that there might
be a problem with that site. There's still a lot to be done on supporting the
application's side, and simple deployment on the infrastructure side will not
improve the current situation.
Comment: I slightly disagree with this. One of the wise uses of DNSSEC is to
deploy it on recursive forwarders. If that is the out-of-the box BIND machine
that is configured with a trust tanker, then at validation failure the user
will get a server failure, which means that applications will not get anywhere.
This is bad for users. They can't work, which means that a lot of phone calls
will be placed to the operator of the forwarder, which will make people look
at what's happening and they could discover they are under attack. So I think
that the out-of-the-box solution we have now will help against this source of
attacks.
Comment: But I don't think ISPs will deploy such mechanisms.
Comment: I agree. Everything that might cause more phone calls will not be
deployed. What is missing is to be a bit aggressive.
Question: I think for the ISPs it is more important
that DNS works than that the resolving answers are validated. How do you solve
this problem?
Answer: This problem is recognised. There is an idea to bring the policy decision
on the DNSSEC validation problem to the application, but this has not been done.
Comment: In terms of business case, we've heard people say that if they provide
a service using DNSSEC they would be less liable for various reasons, and that
would save them money.
Question: What types of services are these?
Answer: People dealing with money.
Comment: There are a couple of services that rely on DNS working properly,
which will not benefit from what https offers, such as ENUM and all of those
more or less well designed anti-SPAM measures. Spammers would not refrain from
more actively exploiting vulnerabilities in current DNS structure and doing
more active cache poisoning, so that might be a case, although not a business
case yet.
Comment: ENUM may be a killer case for DNSSEC.
Comment: Protection against spoofing is very important for ENUM. So there is
a clear business case.
Question: How many people consider signing their
zone? I think the idea that without application support End Users do not care
about DNSSEC is a myth. There are plenty of people who do care.
Answer: The End User is almost always represented through his Operating System
vendor. So we need DNSSEC support in various Operating Systems. This will not
happen until people knock at their doors and say: "We are losing money
because we get to spoofed sites and there's something you could do. Please implement
that".
Comment: The lack of public key maintenance tools is imperative to DNSSEC deployment.
Comment: The situation is the same with PKI, but people are using it.
Comment: End Users will have to maintain their keys. How could they do it if
they are not using EPP?
Comment: There is a demonstration of how to use EPP for this. There is a movement
to use it widely, at least among gTLD operators.
Comment: When we are talking about partner-kid relationship, there should be
a strong business relation between them, and it should be utilised to exchange
the keys.
Comment: Enterprises use machines set up by vendors. We need to convince vendors
to include DNSSEC support out of the box, but it's hard to do. So it might be
better to spend less time on the last-mile API and more on identifying and implementing
what vendors need to do to start shipping DNSSEC-aware products.
Comment: Vendors put pressure on users, but there are forces that could put
pressure on vendors as well: government, military, etc.
Question: Are people aware and do they care about
the enumeration/zone walking problem? This is the problem.
Answer: There is a discussion within the IETF about this problem. It was raised
mainly by large registries. But we need to know who the other possible players
are. So be aware and speak up!
Presentation: ICANN Nominating Committee (NomCom)
Speaker: Lars Johan Liman, Root Server System Advisory Committee (RSSAC) Representative
on ICANN NomCom
This presentation is available at:
http://www.ripe.net/ripe/meetings/ripe-50/presentations/ripe50-plenary-wed-icann.pdf
Presentation: Update from AfriNIC
Speaker: Axel Pawlik, Managing Director, RIPE NCC (on behalf of Adiel Akplogan,
CEO, AfriNIC)
This presentation is available at:
http://www.ripe.net/ripe/meetings/ripe-50/presentations/ripe50-plenary-wed-afrinic.pdf
Presentation: Update from APNIC
Speaker: Save Vocea, Policy Development Manager, APNIC
This presentation is available at:
http://www.ripe.net/ripe/meetings/ripe-50/presentations/ripe50-plenary-wed-apnic.pdf
Presentation: Update from ARIN
Speaker: Ray Plzak, President and Chief Executive Officer, ARIN
This presentation is available at:
http://www.ripe.net/ripe/meetings/ripe-50/presentations/ripe50-plenary-wed-arin.pdf
Presentation: Update from LACNIC
Speaker: Ricardo Patara, RSG Manager, LACNIC
This presentation is available at:
http://www.ripe.net/ripe/meetings/ripe-50/presentations/ripe50-plenary-wed-lacnic.pdf
Presentation: Global Policy Update
Speaker: Filiz Yilmaz, IP Resource Coordinator, RIPE NCC
This presentation is available at:
http://www.ripe.net/ripe/meetings/ripe-50/presentations/ripe50-plenary-wed-global-policy.pdf
Question: The ARIN policy change you referred to
used the term ‘a known ISP’. I believe this means being an existing
Local Internet Registry. Is this correct?
Answer: Yes.
Question: Is it a logical OR not a logical AND?
Answer: It is a logical OR.
Presentation: NRO Statistics Update
Speaker: Filiz Yilmaz, IP Resource Coordinator, RIPE NCC
This presentation is available at:
http://www.ripe.net/ripe/meetings/ripe-50/presentations/ripe50-plenary-wed-nro-stats.pdf
Presentation: RIPE NCC Number Update
Speaker: Leo Vegoda, Registration Services Manager, RIPE NCC
This presentation is available at:
http://www.ripe.net/ripe/meetings/ripe-50/presentations/ripe50-plenary-wed-ncc-numbers.pdf
Presentation: Report from the ARIN XV IPv6 Roundtable
Speaker: Geoff Huston, Internet Research Scientist, APNIC
This presentation is available at:
http://www.ripe.net/ripe/meetings/ripe-50/presentations/ripe50-plenary-wed-ipv6-roundtable-report.pdf
Question: Do you think changing the HD ratio guide
number is the right approach or do we need a more complex formula that better
reflects what the reality is?
Answer: I have thought about the concept of log / log ratios and it is a bizarre
concept. But then I thought, what if every time you triple in size your network
has another level of hierarchy? How many levels does the industry use in general
and what is an address plan that is comfortable? The HD ratio 0.8 theorised
that organisations would have 25 levels of hierarchy but I think that’s
too much. A normal company will probably have five or six and then if you re-apply
that back it actually fits into HD because the HD ratio specifies that the bigger
you get, the deeper you make your address plan. So it’s not a bad way
to approach this. However, I suspect that the figure of 0.8 was just pulled
out and was widely one-sided. The value is a consideration of best common practice.
Comment: Keeping the current formula is probably easier than marketing a new
formula and marketing the justification of a different formula.
Question: Listening to you I have the impression
that the IPv6 guys have got it almost totally wrong, technically and politically
speaking. Do I have the wrong impression? Do you have anything concrete to move
forward the deployment of IPv6?
Answer: Sorry, then in that case my message wasn’t completely clear.
I don’t think this is the responsibility of the IPv6 guys. It is our responsibility.
We are the address policy community, we are the industry forum where this happens.
I really don’t think we have got it wrong. We have done well but there
are two points we can change to help us feel more confident that our margins
of error are ok. We need to think about the precise value of the HD ratio. I
also think there is some benefit at looking at the 48 / 16 bit subnet figures
again. Some of the parameters can be adjusted and maybe we should adjust them.
Maybe in terms of the fairness of the process (i.e. to prevent advantages to
early adopters) we should do this earlier rather than later.
Question: Your presentation hasn’t covered
a couple of basic architecture principles that need to be discussed in a presentation
like this. It doesn’t note the issue of fairness. I think this is an architectural
principle that should now be questioned. You also never mention uniqueness and
that is something that is interesting to me. There is the presumption somehow
that as we go through the lifecycle of IPv6 addresses they won’t be reused
or won’t be private in some sense or recycled in a way that’s more
intelligent than what we currently have. I think that the ability to recycle
addresses, and the lessons learnt from our previous history with the very dark
space that we have in IPv4, might be a guide to one of the things that will
extend the lifetime of the IPv6 space.
With regard to the HD ratio and the issue of fairness, what if the policies
for allocating address space change under certain circumstance? For example,
the HD ratio is different at different times and there is not a single density
ratio that applies in all cases. Then you are able to apply different allocation
policies to express different stewardship policies in different circumstances.
There is the potential to have different HD ratios rather than a flat 0.8. What
that raises from a principle point of view is the question of fairness. Some
people follow one set of rules and others follow another set of rules and this
is where your presentation is very useful. If these rules are established very
early in the process of allocating IPv6 space, then they would be understood.
Just like the authors of the original document, we are not able to predict the
future. I think if we gave some freedom to the way we used the HD ratio we would
also gain some space.
Answer: Some years ago we discussed whether we wanted /48s, /64s etc. and
at that time I believe it was primarily the IETF and IAB people who dropped
the /48 onto us and said: “Don’t worry there are enough of them
and this is the solution that you are looking for”. Maybe they have not
been doing the maths correctly but I am now wondering if you have received feedback
from the IAB / IETF and what they think about this?
Comment: Speaking as an individual IETF member I am very strongly inclined
to have this discussion in the IETF. They need to have an understanding of this
and express an opinion on what they believe the right thing to do is. I have
had some preliminary discussions with people in the hallway and they have said
that we should have another look at this. I will certainly join in on those
discussions.
Comment: Speaking as an operator, having a /56 would make sense for our customers.
There are a few larger ones that use /48s but the smaller ones are very happy
if they can get three or four subnets and a /56 is definitely big enough for
their purposes.
Comment: I think that the issue of waste is a big problem because there is
the idea that IPv6 address space will never end and therefore people can do
whatever they want. Sometimes people don’t understand that recommendations
are not rules. For example, we have a large, open discussion about the addressing
for point-to-point in the routers. You have to always also think about the routers,
so my idea is to use /126 for point-to-point. I do not want to see waste.
Comment: Let’s go through this argument once more with a bit of historical
perspective because we have an address space that already has a conceptual hierarchy.
If I remember the previous addressing schemes that I have been subjected to,
it was always the case that, as things evolved, there were engineering improvements.
What I learned from this is that if you have a pre-defined hierarchy, you need
to have this ‘wriggle room’ in each part of the hierarchy.
Presentation: A Commentary on the ITU-T Proposal for National Address
Registries for IPv6
Speaker: Geoff Huston, Internet Research Scientist, APNIC
This presentation is available at:
http://www.ripe.net/ripe/meetings/ripe-50/presentations/ripe50-plenary-wed-itu-ipv6-proposal.pdf
Comment: I tend to go for option two on your last slide. What I have observed
is that what makes an integer an IP address is that an ISP originates a route
to it and other ISPs in a co-ordinated fashion propagate that route. It is basically
just a co-ordination function between those ISPs to make the network work. So
this is just something for these communication providers to co-ordinate amongst
themselves and it has nothing to do with national strategy. In fact it doesn’t
even have national attributes. The important thing is that technical co-ordination
that needs to happen so I agree with option two on your last slide, which says
that we should disagree with the ITU-T proposal for national addresses for IPv6
registries.
Question: Just to clarify, are you saying we don’t
need to do anything because the system will just work out if this happens? For
example, if additional national registries are created and so on, what do you
mean by picking option two on the last slide, which says that we should disagree
with the ITU-T proposal for national addresses for IPv6 registries?
Comment: No, what I am saying is you can give out IPs all you like but you
have to convince ISPs to use them. I don’t think there is a lot of risk
because the economic factors will sort it out for you.
Comment: You must assign address space in a way that allows successful aggregation.
This will not happen if you just leave it to the ISPs.
Comment: I used to agree with option two but I am now going to go with option
three, which says we need to discuss the assumptions behind the ITU-T proposal.
One of the things that RIPE does pretty effectively is reaching out to governments
and regulators and explaining what the history is and what we are doing.
Comment: There are valuable concerns being discussed in the proposal, but this
will give you addresses not routes.
Comment: Emotionally I would like to take option two, but there is a good example
that simply ignoring the issues will not help. The example here is portable
telephone numbers. We are all paying for the incorrect assumption that we can
cheat with routing.
Comment: Two thirds of the people in the world today are yet to feel the benefits
of the industrialised revolution, never mind anything else. If this is to be
a long-term technology for the world, then we have to do better than the geeks.
I think the ITU-T proposal is shocking but the idea behind it is understandable.
If we leave it and do nothing, they will make changes without us.
Comment: Imagine a world where you can only get an IP from one registry, like
in Korea.
Answer: The burden on your Address Policy Working Group is very heavy and you
must think about this very carefully because we will be living with the decisions
for some time.
Presentation: Auto-Detecting Hijacked Prefixes
Speaker: Geoff Huston, Internet Research Scientist, APNIC
This presentation is available at:
http://www.ripe.net/ripe/meetings/ripe-50/presentations/ripe50-plenary-wed-hijacked-addresses.pdf
Question: How is the proposal in the presentation
any different to the RPS work proposed about five years ago? No one was willing
to adopt it then so how will people be encouraged to do this now?
Answer: No one was willing to do the work required when it was proposed originally.
The longer it is left, the bigger the problems will become. The options are
either a ‘disaster reaction’ or to simply react more quickly.
Question: Do any vendors currently offer VGP and
secure origin-VGP?
Answer: I don’t know of any. The RIRs have been equally slow at putting
the original certificates that VGP and secure origin-VGP rely on into play.
The RIRs should not wait for the protocol because without the certificates it’s
a waste of time.
Comment: The RIS has a PGP table snapshot three times a day, at eight hour
intervals.
Question: Is there an effort to organise global verification
and authorisation for all RIRs? Currently, there are only tools to do this for
the RIPE service region.
Answer: APNIC is committed to providing resource certificates in its current
work program, but I can’t speak for the other RIRs, including the RIPE
NCC. However, I believe some work is already underway but I am unaware of any
timetables.
Comment: Wasn’t the previous question more about routing registries that
are directed towards looking at policies?
Question: I thought the question was specifically
about RFC3779 certificate objects and these actually refer to lists of resources
that can then be attached to a normal X509 certificate.
Comment: The question was about routing policies. There has been an ongoing
discussion about how global verification of routing registries occurs. Routing
registries are not used unless results are checked before they are pushed through
the routers.
Comment: I disagree. There are people who regularly use routing registry data.
Question: What can be done in the short and medium
term about hijacked prefixes? Filtering and validating parts from peers seem
to be far out of reach?
Answer: Currently, if there are certificates based around resources, filters
can be built. Without the actual certificate infrastructure, this process will
continue to go round in circles.
Comment: In recent work, the data available actually differs a lot between
various regions. Within the RIPE service region the data available in the routing
registry has some value because the RIR and routing registry data at least have
a common authentication mechanism. This is better than drawing data from the
RADB.
Answer: It would be good if this happened inside
the protocol instead of constantly going to the RADB.
Question: Is it already feasible to ask customers
in the APNIC region to present certificates?
Answer: According to the timetable for providers, these certificates should
be presented within the next few months, if not by the end of the year.
Comment: Perhaps there needs to be more specific information about the immediate
benefit that ISPs would gain from this and how it would be implemented before
it gets into the protocol.
Answer: I can provide some further documentation on this if needed.
Comment: The data that was seen in the graphs in the presentation would be
useful for those receiving the spam so they could begin eliminating some of
it.
Answer: The data isn’t that reliable yet.
Presentation: Consumer Broadband: Performance in the ‘Last Mile’
Speaker: Niall O’Reilly, Computing Services, University College Dublin
This presentation is available at:
http://www.ripe.net/ripe/meetings/ripe-50/presentations/ripe50-plenary-wed-consumer-broadband.pdf
Question: Is this presentation about consumers choosing
technology, not choosing high speed?
Answer: The presentation is not about either of those things, but about consumers
having the information to make decisions. There is not a good rollout yet as
local loop unbundling still needs to be dealt with and this is constraining
the marketplace in Ireland.
Question: Are only ping tests planned?
Answer: This was the initial plan but I have personally conducted TP tests
and meaningful results were seen almost immediately. A second phase of TP tests
would be interesting and it would be a good idea to save the results in the
same sort of database as the DNS Watch project uses.
Question: Is the data significant enough to already
do ping tests?
Answer: It is too early to say whether it is significant enough. I am still
in the process of getting enough data to begin to assess where attention should
be focused.
Presentation: Monitoring high-speed networks using ntop
Speaker: Luca Deri, ntop.org
This presentation is available at:
http://www.ripe.net/ripe/meetings/ripe-50/presentations/ripe50-plenary-wed-ntop.pdf
5) Closing Plenary: Friday, 6 May 2005
Presentation: Report from ICANN ASO Address Council / NRO Number Council
Speaker: Hans Petter Holen, Chair, ASO Address Council
This presentation is available at:
http://www.ripe.net/ripe/meetings/ripe-50/presentations/ripe50-plenary-fri-ac.pdf
Rob Blokzijl, RIPE Chair, noted that the second draft of the RIPE Policy Development
Process (PDP) proposal had been prepared and circulated for final comments.
He noted that he would discuss the four comments received regarding this second
draft.
He stated that the first comment was from Ed Louis who noted that the proposed
text did not make any reference to a RIPE NCC impact statement. He added that
this impact statement refers to a statement that could come from the RIPE NCC
regarding a possible policy that is being discussed. He explained that such
a statement might contain a comment from the RIPE NCC on whether a particular
new policy under discussion could be practically implemented and how much this
would cost.
Rob noted that he thought that this comment was partly triggered by a comparison
with ARIN, who have similar statements in their PDP. He noted that he had thought
about this and discussed with the RIPE NCC, and that the idea of the current
PDP proposal text is that during the entire process of the PDP, the RIPE NCC
staff members are able to fully participate in the discussions about working
out policy. He explained that this meant that during the development of a policy,
relevant issues could be raised, allowing the RIPE NCC to put up any red flags
earlier in the process. He added that, together with the RIPE NCC, he didn’t
see the need for a separate process to be initiated towards the end of the PDP
where the RIPE NCC would say whether a policy could be practically implemented
or not. He noted that this applies only to policies that are connected to the
RIPE NCC, and not to policies that have nothing to do with the RIPE NCC.
Rob noted that there had also been comments from David Kessens, Hans Petter
Holen and Peter Koch and that these comments had pointed out discrepancies in
the text, or comments on the flowchart at the end of document. He added that
the authoritative part of the document is the text, and not the flowchart at
the end. He stated that once the final comments have been incorporated, the
flowchart will be checked to ensure that it is a fair representation of the
text. He added that the document would be sent back to the people who had made
comments to make sure that it is ok, and that there would be a ten day notice
period. He noted that the RIPE NCC will start to build the new pages on the
RIPE NCC website for these policies, and that the RIPE NCC will begin internal
administrative procedures. He added that there will be discussion with the Working
Group chairs to see what work in progress can be transferred to this new framework.
Rob noted that the PDP is nearly ready. He added that some textual clarifications
were needed but that, hopefully, in a few weeks the PDP will be ready.
Rob asked for comments.
Hans Petter Holen noted that the PDP had already been tried for proposals that
have come up in the Address Policy Working Group. He added that the PDP helps
the Working Group Chair to track what stage a proposal is at, and enables people
to follow the proposal more easily. He stated that he thought it would make
things a lot easier to understand.
Rob noted that it was good hear this positive reaction. He added that the goal
of this was not to come up with new procedures, but to codify existing procedures.
Open Microphone
Rob asked about the new RIPE Meeting format and asked the attendees if they
thought this was an improvement?
Comment: This is a much needed new direction. We need to go a bit further this
way. But this is a definite improvement.
Rob noted that the new format of the Plenary had involved a lot of people,
and no longer relied on just a few individuals. He thanked Joao Damas, Routing
Working Group Chair, for co-ordinating this.
Comment: It is interesting to see RIPE migrating to a single-track environment
like NANOG, while NANOG is going in the other direction towards multi-track.
I like this new direction as it helps with cross-pollonisation. Maybe it would
help to encourage presenters to have white papers. This is something we do at
NANOG to help people have a record of presentation that goes beyond audio and
video.
Rob replied that not many people take the trouble to make white papers. He
added that, if you compare where we are now with ten RIPE Meetings ago, it is
definite progress that we now have the slides of all the presentations given
at the meeting. He stated that if we established a ‘no slides, no presentation’
rule, we could then explore this suggestion as it would add value. He added
that he had also noticed that both NANOG and RIPE have been trying different
meeting formats. He stated that just as NANOG felt the need for smaller meetings
that could be held in parallel, so RIPE felt the need for a single track where
attendees didn’t have to choose between competing presentations. He stated
that he thought that both NANOG and RIPE would find the balance between general
interest items and more focused work. He added that, in the case of RIPE, our
working groups come up with recommendations that can affect the RIPE NCC, whereas
in North America this happens in ARIN open policy meetings, not in NANOG.
Comment: I am worried that people may not offer to make presentations if they
have to do a white paper as well.
Rob agreed that this was true, and that we would never want to insist on a
white paper. He added that it would be nice, but in no way a requirement. He
stated that, at the moment, we think it sufficient if the slides of a presentation
are made available to the public.
The Chair thanked the staff of the RIPE NCC and the organisations that supported
the meeting.
Thanks to: Afilias, Arbor Networks, Cisco Systems, Force10 Networks, Netnod,
NIKHEF, Nokia and TeliaSonera.
The Chair thanked everyone for attending and invited attendees to attend RIPE
51, to be held from 10 – 14 October 2005 in Amsterdam, the Netherlands.
|
you
are here: RIPE -> RIPE
Meetings -> RIPE 50 
