RIPE 51 Plenary Minutes
10 – 14 October, 2005, Sweden.
List of presentations:
Please click on the title of the presentation to
view the questions, answers and comments.
Monday
Tuesday
Wednesday
Thursday
Friday
Monday, 10 October, 14:00
Rob Blokzijl, RIPE Chair, welcomed the attendees.
1. Presentation: Hot Potatoes
Heat Up BGP Routing
Renate Teixeira, Labatoire d’Informatique de Paris 6, Université
Pierre et Marie Curie (Lip6).
This presentation is available at:
http://www.ripe.net/ripe/meetings/ripe-51/presentations/pdf/ripe51-hot-potatoes.pdf
Question: Did you use, or consider using, routing
reflectors?
Answer: All feeds used in my data were from top-level
route reflectors.
Comment: Route reflectors impose their BGP selection
choices on their clients. You can use these route selectors to minimise
instability.
Answer: Even in route reflectors you still need
hot potato routing.
Question: Did you investigate the number of inter-connectives?
Answer: If there is a particular location that
encounters disruption you can prioritise peering connections there.
Question: You noted that monitoring traffic that
is single-homed does not follow the same path as customer traffic.
How did you come to that conclusion? How does multihoming the probe
work in this area?
Answer: The probe can see if there is a problem
in the form of a BGP level loop. But this is challenging because
you would have to have all the combinations that your customers
have.
2. Presentation: Estimating
the Traffic Matrix in IP Networks.
Thomas Telkamp, Cariden
This presentation is available at:
http://www.ripe.net/ripe/meetings/ripe-51/presentations/pdf/ripe51-traffic-matrix.pdf
There were no questions.
3. Presentation: AMS-IX
Net Performance Measurements
Geert Nijpels, AMS IX
This presentation is available at:
http://www.ripe.net/ripe/meetings/ripe-51/presentations/pdf/amsix-perf-measurements.pdf
There were no questions.
Monday, 10 October, 16:00
4. Presentation: Improving
the Security and Robustness of Internet Routing.
Georgos Siganos
This presentation is available at:
http://www.ripe.net/ripe/meetings/ripe-51/presentations/pdf/ripe51-improving-routing.pdf
Question: What part of the data should be trusted?
RIR data uses RPSS and is
strongly authenticated.
Answer: mntners are used.
Question: What improvement in the data would make
a difference? Could automation cause a Dedicated Denial of Service
(DDOS) attack?
Answer: Registry data is not updated regularly.
Question: What if registry data is made compulsory?
Answer: That would make the RIPE NCC a police
organisation.
Question: Has any analysis been done on damage
limitation versus the connectivity loss effect of using max-prefix
for dealing with huge prefix leaks or "max-prefix" style
commands on BGP sessions?
Answer: No.
5. Presentation: AON and Grid
Security: XML Web Services vulnerabilities and threats analysis.
Yuri Demchenko, University of Amsterdam
This presentation is available at:
http://www.ripe.net/ripe/meetings/ripe-51/presentations/pdf/ripe51-aon-grid-security.pdf
Question: Is there a simple recipe to follow?
And if not, why not?
Answer: There is no simple off-the-shelf method
for security. Credentials are the major concern.
Tuesday, 11 October, 09:00
6. Presentation:
IPv6 Routing Update
Gert Doering, Spacenet
This presentation is available at:
http://www.ripe.net/ripe/meetings/ripe-51/presentations/pdf/ipv6-routing.pdf
There were no questions.
7. Presentation:
IPv6 Multihoming Status
Kurtis Lindqvist, Netnod
This presentation is available at:
http://www.ripe.net/ripe/meetings/ripe-51/presentations/pdf/ipv6-multihoming.pdf
Question: Can an application tell the Shim6 to
initiate a Shim6 session?
Answer: No. With a 50 packet or less connection,
Shim6 will not initiate for a sustained connection.
Comment: After the base specification work is
done, extensions can be written to allow application input to Shim6.
Question: Is it possible to do garbage collection
when not closing down?
Answer: The base specification has a recovery
mode so if you close down early you can recover what has been discarded.
Question: At what cost?
Answer: Three packets.
Question: Does this method exclude multi-homing
with other protocols like UDP? Won't this break DNS?
Answer: No it doesn’t. Other protocols graft
onto the Shim6 process. DNS is an interchange between RFC. DNS Shim6
is not part of that process.
8. Presentation:
IPv6 Address Allocation
Mei Wang, Cisco
This presentation is available at:
http://www.ripe.net/ripe/meetings/ripe-51/presentations/pdf/ripe51-ipv6-alt-algo.pdf
Comment: This is relevant for IPv4 space but not
for IPv6 due to the fixed /48 assignment size.
Answer: This is a general allocation algorithm
that can be used for any allocation.
Comment: It would also be relevant for IPv6 LIR
ISP allocations for example.
Comment: This proposal was submitted some years
ago to the Internet Assigned Numbers Authority (IANA) from the RIRs
in relation to IPv6 allocations from the IANA to the RIRs.
Comment: This seems to contain assumptions about
the space holders having less slack and imposing the need to refer
back to the space provider.
Answer: Yes, but there is no time limit on when
reporting back occurs. Reporting more often just means more accurate
estimates.
Comment: Large address consumers, such as US cable
providers, are a good example of how this could be applied.
Tuesday, 11 October, 11:00
9. Presentation: AS Number
Exhaustion and the 4Byte Transition Plan
Geoff Huston, APNIC
This presentation is available at:
http://www.ripe.net/ripe/meetings/ripe-51/presentations/pdf/ripe51-as-4byte.pdf
Question: What happens when routers, which are
used as peering points, have all but one of the peers that is capable
running the “new” AS Number 4-byte code, but one is
still running a zebra box with old BGP implementation? Does that
mean that everyone at that peering point would have to go back to
running “old” AS Number 2-byte code?
Answer: No. When all the new routers send updates
to the old router, they would need to scan their AS path in that
update. If the update contained any AS numbers with the high-order
bits as non-zero, for that update, they would generate a copy of
the existing path, a new AS path and mapping 4-byte to 2-byte conventionally.
They don’t have to run the old code and they don’t have
to be schizophrenic, they just need to process their updates into
the old code in that special way. They will also need to un-map
any updates they receive from any router running the old code. So
the routers running the new code are doing all the work, while the
ones running the old code can continue operating exactly as before.
Comment: In this example, the router running the
old code would see lots of examples of instances of “23456”
as peers.
Answer: Yes.
Comment: In the “open statement” you
can’t change the field length. So, when it goes outwards in
the open message, a 4-byte AS Number will present itself as “23456”
to 2-bytes and will provide more attributes to the other 4 bytes.
Question: Because there is a clean split between
2-byte and 4-byte areas, does this mean that you can only change
the external side after you have changed your whole IBGP “mash”.
Answer: If you were extremely careful in the way
you do reflectors, you can do this in the IBGP world as well. However,
if you did this, I’d hate to be your customer.
Question: What’s going to happen with other
systems that assume 16-bit AS Numbers?
Answer: If you’re grafting an AS BGP attribute
into other systems, you should be prepared for seeing much longer
values. There are a lot of ancillary pieces of code. This includes,
for example, the RIPE Database that will need to understand that
these things are now going to be double in length.
10. Today’s
Challenges in Lawful Interception
Carlo Rogialli
This presentation is available at:
http://www.ripe.net/ripe/meetings/ripe-51/presentations/pdf/ripe51-lawful-interception.pdf
Question: What is the scale of the cost of this
for an ISP?
Answer: It depends on your government. We have
several models of interception. In the Italian model, the operator
is forced by the government to cover the costs of putting this into
the network. This is quite a huge investment. But then, year-by-year,
the operator receives payback when interception occurs. In other
countries, like the UK, the government pays for the local interception
equipment installed at the operator’s premises. In order for
the entire system to work, the government has to pay for the installation
and for the performance of the system. The nations where local interception
has the most influence over activities are those nations where the
governments pays better for the service.
Question: Is there a European Commission common
legal position on this?
Answer: Yes, but the standards allow for a range
of national implementations. So the protocols used to transfer the
information from the ISP to the law enforcement monitoring facility
will differ. Local interception in the IP world was started back
when standards were not available. So this leads to a situation
where the UK, the Netherlands and Italy are all using different
standards. So any interception system that may be put in the ISP
premises must be adapted to the national standards where it is deployed.
Question: How can legal interception be performed
when there is no ISP, such as in the case of SKYPE, where there
is simply two software clients talking to each other with end-to-end
encryption? In this situation, where could you put a probe and how
would you perform legal interception?
Answer: The only means to provide effective interception
of services like SKYPE is to operate at the company level. Lawful
interception in the IP world has only just started and there are
a lot of problems to solve. In the future, governments will probably
strictly control the growth and development of Internet services
so that some kind of interception can be provided.
Question: Do you think the economic incentives
provided for interception activity might lead to operators deliberately
making their networks more attractive to suspected criminals.
Answer: No. What is quite common is to have payback
based upon the number of interception activities carried out.
Question: You mentioned that providers will have
a clear obligation to provide law enforcement agencies with the
identity of their customers. With the advent of almost ubiquitous
wireless LANs in residential areas, how will it be possible to identify
who is using the connectivity provided by unsecured wireless LANs?
Answer: The first step is to acquire the same
level of identification as on the normal PSTN network. We will be
able to connect an individual with a phone line or an IP address
at least. It is not perfect. Possibly some certificates or some
smart cards in order to give authentication will be given by some
ISPs in the future. But the governments are currently looking at
the beginning of interception today.
Comment: The EU Commission is currently looking
into something called the data retention directive. The Commission
itself is currently working on proposal. I urge everyone to review
this proposal and send in comments about it. I would recommend you
pay particular attention to the definition of what an operator is.
Depending on that definition, there will be different interpretations
of what “in clear” is. What is payload for someone might
be information about the transaction for someone else, for example.
So the current state of the text is completely impossible to implement
regardless of how much money is invested. This means that the regulation
that matches this will not work. So I urge everyone to try to help
and to suggest ways of making this work. It is important for the
community to read this text, and help with technical input.
11. Presentation: RIPE Policy
Development Process
Leo Vegoda, RIPE NCC
This presentation is available at:
http://www.ripe.net/ripe/meetings/ripe-51/presentations/pdf/ripe51-pdp.pdf
There were no questions.
12. Presentation: ENISA
Introduction
Boaz Gelbard, European Network Information and Security Agency (ENISA)
This presentation is available at:
http://www.ripe.net/ripe/meetings/ripe-51/presentations/pdf/ripe51-enisa-intro.pdf
Question: You said that ENISA’s remit involved
increased levels of security awareness in networks in the EU. Network
is a very broad term. What is the scope of ‘network’
for ENISA?
Answer: Network here is the broadest interpretation
of the term, e.g. any exchange of packets over the Internet. With
convergence increasing, it will be increasingly difficult to distinguish
between network operators, service providers etc.
Question: Will this be a resource of law enforcement
agencies in Europe, or do you plan to have an advisory board to
train up law enforcement response?
Answer: ENISA is not a CERT. We will help member-states
that don’t have CERTs to establish them. We will be there
to assist and facilitate the co-operation of the CERT community
in Europe. Law enforcement is outside the boundaries of our mandate.
In the regulations defining ENISA it is very clear that we cannot
deal with law enforcement issues at present. In terms of security
as it applies to law enforcement, this is still under the jurisdiction
of member states.
Tuesday, 11 October, 14:00
13. Presentation: Reasons for
(not) Using EPP for ENUM
Marcos Sanz, DENIC
This presentation is available at:
http://www.ripe.net/ripe/meetings/ripe-51/presentations/pdf/ripe51-enum-epp.pdf
There were no questions.
14. Presentation: ENUM Tier
2 provisioning techniques
Adrian Georgescu, AG projects
This presentation is available at:
http://www.ripe.net/ripe/meetings/ripe-51/presentations/pdf/ripe51-enum-provisioning-techniques.pdf
15. Presentation:
ENUM Validation Scheme and process flow
Bernie Hoeneisen, SWITCH
This presentation is available at:
http://www.ripe.net/ripe/meetings/ripe-51/presentations/pdf/ripe51-enum-validation.pdf
There were no questions.
16. Panel discussion
A panel discussion took place. The following were members of the
panel:
Adrian Georgescu
Bernie Hoeneisen
Marcos Sanz
Carsten Schiefner Chair ENUM WG
Michael Haberler
Niall O'Rielly Co-chair ENUM WG
Comment: You said this information is public,
but a few slides later you mention privacy concerns.
Answer: There are different cases for carriers
and End Users. There is only very general information in the DNS.
Privacy concerns are dealt with at application level. There is no
more information available in the DNS than if the numbers were dialled.
Carriers don't want to disclose what telephone numbers they are
responsible for. So ENUM already goes further than a telephone directory
as there is more information available.
Question: What about a more sophisticated validation
token?
Answer: There is a parallel with IP addresses.
It's not a problem that the information about which addresses belong
to which ISP is publicly available. It is not seen as a privacy
problem. Maybe the public should be educated.
Comment: In regard to IPv4 numbers in the UK,
it’s very difficult to find out which phone number belongs
to which Telco. In the UK, carriers do not want to publish data
about type of service and terminate calls using ENUM. You don't
have go to a Telco for that.
Question: How many registrars are there?
Answer: Two hundred. A quarter use feedback. If
they develop EPP they have to pay.
Comment: Some ENUM registrars provide VoIP suite
and SIP. Others just register data.
Comment: If the market says SIP calls are what
is needed, we might have to change the caller interface. This is
easy to do later.
Comment: DeNIC will do whatever its members want
it to do.
Comment: ENUM is only transition plan.
Tuesday, 11 October, 16:00
17. Presentation:
Combined User and Carrier ENUM under e164.arpa.
Michael Haberler, Internet Foundation Austria
This presentation is available at:
http://www.ripe.net/ripe/meetings/ripe-51/presentations/pdf/ripe51-enum-user-carrier.pdf
There were no questions.
18. Presentation: Broadband,
BcN (Korean version of NGN) and Wibro Deployments
Jinhyoun Youn, KT
This presentation is available at:
http://www.ripe.net/ripe/meetings/ripe-51/presentations/pdf/ripe51-korea-internet.pdf
Question: Will the deployment be compatible with
802.16f?
Answer: We chose 802.16e. I don't know if we will
choose 802.16f.
Question: You have been allocated a large IPv6
block. Could you elaborate on the deployment plan?
Answer: IPv6 is currently used for the research
network, it might be deployed for the main IP network, but there
is no market need for it yet.
Question: Can you elaborate on the Wi-Fi to Wibro
roaming option?
Answer: The target is to have single sign-on service,
so we get roaming without user intervention. This is probably at
least two years away.
19. Presentation:
Certificates and IP Addresses
Geoff Huston, APNIC
This presentation is available at:
http://www.ripe.net/ripe/meetings/ripe-51/presentations/pdf/ripe51-address-certificate.pdf
Question: Is the format of the certificate just
an example? It has RFC1918 space in it.
Answer: We should have used the documentation
prefix, which we didn't. We will only give certificates for public
address space we allocate.
Question: Wouldn't the extensions have to be the
same for all RIRs? Shouldn't there be a common format?
Answer: We are using RFC3379, but we did make
some choices. Implementations will have to support all possibilities
allowed in the RFC. We chose based on what we thought was best.
Question: Does this scale?
Answer: Handing it out will scale, whether it
scales in a routing protocol, that is not currently known and there
is an Internet Engineering Taskforce (IETF) process underway to
look at these issues.
Question: Are you coordinating with other RIRs?
Answer: We are working with other RIRs. APNIC
has the time to work on this, so we decided to do it.
Question: Are there any plans to extend RPSL and
extend this into Routing Registries?
Answer: There are no plans to reinforce RPSL with
this. There are no plans to tie this into the Routing Registry.
Question: This is useful beyond routing in the
provisioning process. Do you have indications that APNIC members
are going to use this in their provisioning?
Answer: This is unknown. We are making tools available
that will make this easier for them. We are hoping that this will
help people to make better decisions than the current lists about
whether or not to route particular address space.
Question: You mentioned the certificates will
expire periodically and revocation is also built in. How does this
work operationally?
Answer: If you don't renew your membership, you
will not get new certificates. We can revoke if your key is compromised.
We are looking at what the best timeline for this is, after a new
certificate is given out.
Question: Does this mean everyone needs to keep
updating things to keep everything in sync with the current certificates?
Answer: Correct. We are already thinking about
multi-year memberships, so that we can hand out long-life certificates.
Comment: It is probably easy with the first level,
but there is a transitive issue. A few steps further and it might
be a lot harder to get everything updated.
Answer: You are talking about how different entities
interface with a certificate authority. We can't build this into
the protocol.
Question: Assuming APNIC is the first to issue
the certificates, how do I find out what will be the full set of
certificate issuers?
Answer: We expect that other RIRs will also hand
out certificates, but what the full set will be and how this will
take shape is hard to predict right now.
Comment: It seems very similar to what RIPE NCC
is proposing for DNSSEC.
Answer: This is separate from DNSSEC for the moment.
We don’t want to run into DNS issues with this.
Wednesday, 12 October, 09:00
20. Presentation:
IPv4 Lifetime Expectancy Revisited
Geoff Huston APNIC
This presentation is available at:
http://www.ripe.net/ripe/meetings/ripe-51/presentations/pdf/ripe51-ipv4-lifetime-rev.pdf
Comment: The ‘best fit’ graph outlining
consumption growth is not convincing – the first half of the
graph contrasted more strongly with the second.
Answer: I am not convinced that linear growth
would happen, but at this point, it was the best prediction available.
Comment: The address consumption of the five RIRs
seems to indicate the next round of scare stories about IPv4 exhaustion
will emerge around the start of 2009.
Answer: It is likely that at that time, APNIC,
ARIN and the RIPE NCC will probably request /8s from the IANA, leading
to a drain on the global pool as five blocks will be taken.
Question: Was a constant rate of growth assumed
when plotting the graph for combined projections of allocations
by the RIRs?
Answer: Although the projection seemed to be constant
on this graph, there was a trend for increase in allocations over
time. This projection needed a revisit, something that would affect
any date predictions I’ve made today.
Comment: By an interesting coincidence, I received
an e-mail this morning from the IPv6 Task Force suggesting that
IPv4 exhaustion was going to happen by 2008 and that the community
needed to accelerate deployment of v6.
Answer: The predictions I made assumed a constant
rate of growth and no rush to stockpile or safeguard individual
allocations by ISPs and Telcos. In reality, this is unlikely. Perceived
scarcity leads to ‘panic buying’. This will, of course,
impact strongly on the predicted exhaustion dates.
Comment: The size of blocks requested and allocated
seems to be increasing. A few years ago, LIRs were happy with /24s,
these days they seem to be asking for much larger blocks.
Comment: The date remains less important than
work to decide what should happen next.
Answer: Agreed.
21. Presentation:
Network Performance Measurement: Privacy and Legal issues
Andrew Cormack, Ukerna
This presentation is available at:
http://www.ripe.net/ripe/meetings/ripe-51/presentations/pdf/ripe51-network-performance.pdf
Question: What would happen if, in spite of an
Acceptable Use Policy (AUP) being signed by users, they went on
to break privacy rules? Could the network operator be held liable
for the actions of its users?
Answer: If the AUP said users could do one thing,
but they decided instead to do something else, then the user is
liable. The operators need to simply prove that it has attempted
to stop any questionable behaviour.
Question: There is a case currently in the UK
press, where a user was facing charges under the Computer Misuse
Act. Daniel James Cuthbert stands accused of attempting a directory
traversal attack on the donate.bt.com site. Do you have any comments
on this?
Answer: It is not appropriate to comment directly
as the case is ongoing. From the wording of the act, Cuthbert had
committed the crime that parliament created. The question remains
whether parliament had intended to create the law as such.
Question: What about the legal position when a
user mistypes a URL and perhaps finds themselves on a dubious site?
Answer: A one-off typo could probably not be considered
an intentional crime. If a user did not know he was committing a
crime or had not intended to break a rule, he could not be held
responsible. If the user then went on to do this again, then this
becomes more likely to be an offence. Ignorance of a law is no defence.
Comment: This means that all that was necessary
was for a judge to believe someone intended to commit a crime.
Comment: Daniel James Cuthbert has been fined
£400 with £600 costs for his crime.
Wednesday, 12 October, 11:00
22. Reports from the RIRs
and NRO
AfriNIC’s presentation is available at:
http://www.ripe.net/ripe/meetings/ripe-51/presentations/pdf/ripe51-afrinic.pdf
APNIC’s presentation is available at:
http://www.ripe.net/ripe/meetings/ripe-51/presentations/pdf/ripe51-apnic.pdf
ARIN’s presentation is available at:
http://www.ripe.net/ripe/meetings/ripe-51/presentations/pdf/ripe51-arin.pdf
LACNIC’s presentation is available at:
http://www.ripe.net/ripe/meetings/ripe-51/presentations/pdf/ripe51-lacnic.pdf
The NRO’s presentation is available at:
http://www.ripe.net/ripe/meetings/ripe-51/presentations/pdf/ripe51-nro.pdf
There were no questions.
23. ASO Address Council update
Wilfried Woeber
This presentation is available at:
http://www.ripe.net/ripe/meetings/ripe-51/presentations/pdf/ripe51-aso-ac.pdf
There were no questions.
24. NRO Statistics Update
Filiz Yilmaz, RIPE NCC
This presentation is available at:
http://www.ripe.net/ripe/meetings/ripe-51/presentations/pdf/ripe51-nro-stats.pdf
There were no questions.
25. Current Policy Topics - A world-wide view
Filiz Yilmaz, RIPE NCC
This presentation is available at:
http://www.ripe.net/ripe/meetings/ripe-51/presentations/pdf/ripe51-policy-worldwide.pdf
There were no questions.
26. RIPE NCC Statistics Update
Leo Vegoda
This presentation is available at:
http://www.ripe.net/ripe/meetings/ripe-51/presentations/pdf/ripe51-ncc-numbers.pdf
There were no questions.
Thursday, 13 October, 09:00
27. Presentation: "The
Peering Manager's Toolbox"
Peter Cohen, TeliaSonera
This presentation is available at:
http://www.ripe.net/ripe/meetings/ripe-51/presentations/pdf/ripe51-tools-peering.pdf
Comment: You do not mention what your routing
engineering is doing for you.
Answer: That's correct.
Question: Does your tool update the IRRs?
Answer: No, that's done manually. It would be
a nice feature though.
Question: Where can we download your application
- I assume you have released under an open license?
Answer: It's not available for download, but it's
built on simple tools: FreeBSD, MySQL, PHP and Perl.
Question: Do you register your peerings at peeringdb.com?
Answer: Yes we do. It's a useful tool, although
I am not certain if everyone keeps their data up to date.
28. Presentation:
Multicast
James Rice, BBC
There were no questions.
Friday, 14 October, 11:00
29. Presentation: DNS
Deployment
Olaf Kolkman, NLnetLabs
This presentation is available at:
http://www.ripe.net/ripe/meetings/ripe-51/presentations/pdf/ripe51-dnssec-deployment.pdf
There were no questions.
30. Presentation: History
of RIPE
Olivier Martin, CERN
There were no questions.
|
you
are here: RIPE -> RIPE
Meetings -> RIPE 51 
