RIPE 29 Meeting Plenary Session Minutes - DRAFT
Chair: Rob Blokzijl
Scribes: Julia Edwards, Paula Caslav
1. Opening:
Rob Blokzijl opened the plenary session of the 29th RIPE meeting.
2. Agenda
The agenda was agreed upon.
3. From the RIPE Chair
Comments from Rob Blokzijl - About Internet drafts RE: IPV6. Daniel and Rob drafted docs w/o consultation with IPv6 wg due to time constraints. Chairs of wg's should keep abreast of what's current.
4. Minutes RIPE 28
No comments/additions.
5. Action items RIPE 28
Actions - Most of the items belong in the WG's instead of overall.
Result - No outstanding items that couldn't be dealt with in the WG's.
6. RIPE NCC Association (RNA)
First of January first day of RNA. Report from Daniel Karrenberg regarding the RNA, the executive board, etc.
7. Report from the RIPE NCC (Daniel Karrenberg)
Quality Assurance Report (John Crain)
(Discussion/questions about auditing)
Question (Kurt Kaiser) Does the audit include address space allocated by the InterNIC before the RIPE NCC existed?
NO, but addresses allocated by the RIPE NCC earlier can also be audited. In this cases the policies in place then are taken into account.
Swipnet - will you have some auditing action when registries change sizes. (I.E. from larger to medium or medium to smaller)
There are plans to put down procedures for old assignments. Only reason this could be done is if space becomes a problem or the LIR's bring up concerns of fairness.
(Comment) Problems with with PGP, (not possible to use or distribute in France) However, Carol Orange assures that it'll still be possible to submit updates to the database, just not by using PGP authentication.
New service agreements had to be signed for new RIPE NCC Association. The RIPE NCC is still processing them. The majority of them has been returned to us.
8. Restructuring the IANA (Paul Ridley)
Discussion (Wilfried Woeber - We have core activities, but do we have any insight about industry involvement) Why separate the IP and domain registration?
Daniel Karrenberg - Different constituencies. The constituency of RIPE NCC is the ISP, but for domain registration is the TLD registrars. Keep the level of politics under control by staying out of Naming.
Paul Ridley - if they are separate they can be more focused. No problem with IP activities taking resources from naming. Funding? funding for IANA from US will stop on Oct 98. IANA still holds funds given by APNIC and RIPE NCC. Regional registries have budgets to pay.
Mike Norris expressed concerns that the LIR's could be losing something in the separation of these two bodies. (ir's and ntld's)
9. IPv6 Addressing Policy
Daniel Karrenberg: 2 drafts were proposed by the IPNG WG of the IETF. They were due to become an RFC when the RIPE NCCs Registration Services pointed out that the address format described in one of them was very limited and would be enough for all LIRs.
The second draft proposed allocation guidelines for these addresses. It was felt that the IETF is not the right place to set address allocation guidelines. This has traditionally and successfully been done by the registries together with the IANA.
It would be more appropriate if the IETF would submit a document with engineering considerations for the proposed address formats and the allocation of them.
A new version of the draft describing the address format has now been submitted by the IESG. A number of bits are now reserved for possible extension of the addresses.
The draft can be found at:
ftp://ftp.ripe.net/internet-drafts/draft-ietf-ipngwg-unicast-aggr-03.txt
Discussion (Thomas Trede) Is it the duty of IPv6 wg to scan documents regarding allocation policies. At RIPE 20 it was agreed that it not be the wg.
Daniel Karrenberg: it is as much part of the WG as the RIPE NCC.
Rob: The RIPE NCC and the RIPE WG need to keep contact with each other.
Thomas: Should the WG be responsible for keeping track of IETF activities?
If the RIPE NCC has questions about IPV6 the WG is the place to pose questions.
Community should be grateful to the RIPE NCC and Rob for bringing up objection to drafts since everyone else missed it.
10. Secure DNS/BIND (Carl Malamud) www.isc.org
History -
Chairman of Internet software consortium.
Came in to be chairman and made it a nonprofit corporation.
The consortium also produces INN and has helped move Kerberos from beta.
They have also worked on Sendmail.
Consortium started by Paul Vixie.
Funding is by providing software support functions to companies.
Secure DNS/BIND
Secure DNS - Based upon RSA, to allow for authenticated zone transfers and queries. John Gilmore went to RSA and obtained royalty free perpetual license for DNS authentication purposes. Which allows for export.
In the first quarter the first pieces will start showing. By the end of 98 more will be out.
Reason for announcement? Strong implication for operation of ISPs and TLDs in use of DNS. It will allow for general purpose key lookup. This will allow for such things as PGP key lookups. Unsecure DNS allows for spamming, spoofing, etc.., this may help stop this.
(discussion) Wilfried Woeber - appreciates input, and says thank you for allowing input. Are there figures of percentage of DNS to be secured?
5 to 10% should be able to be secured in the next 12 months.
(Question) - Could you perhaps provide comments on problems?
If you're not running full version of BIND, then that's the first step. Also, it's better to see some signatures than none at all. If you are signing for your clients, then how much will that mean? So, if the RIPE NCC signs, then this will mean that an object that is submitted will identify.
Daniel Karrenberg- What can be expected from RNA is deploying procs for key management. >From history, most of deployment is educating users. Public key encryption, how do you secure your keys? etc... this does not have to be exclusively for DNS, can help in other areas.
(discussion) Raza Rizvi - What about ISP customers not using BIND?
RSA will extend copyright to other DNS protocol implementations.
If you apply to RSA, they will only commit within the next three years for a perpetual license.
Does the offer extend to commercial DNS protocol implementations?
yes.
The most important point, don't wait forever to start looking and implementing security.
11. Mapping the Internet (Carl Malamud)
Multi Casting, non profit organization. Talked at RIPE in 92 in PRAGUE about radio. Reset-up multi casting in Amsterdam. This was the right place because of new media artists concentration, and infrastructure. This project is to basically map Internet. How do you map across protocols? how do you construct topological maps? While web is beautiful, visualizing has use for those in the business. So, the question is, what organization has what servers running? With a topology map, you get a picture of this.
This is to be a 3 to 5 year project.
Structure - coordinating project.
RIPE NCC is providing support with an office at Nikhef, and by helping to obtain VISAs. But, they are not providing financial support.
This project will return again in a BoF. Other supporters, Sun Labs, and a Japanese consortium, that includes members like Cisco.
Right now very low level RIPE support, only admin support.
CERT question - Data points that need to be collected. There's going to be a certain amount of traffic doing that collection of information. For every packet taken to search for info, there's another packet created, responding.
Yes it has Bandwidth consequences.
When I looked for a machine.. I asked for something like 10gigs RAM and 500 gigs into terrabytes disk. Yes, Sun said, it's possible.
12. Database Security Task Force Report (Joachim Schmitz)
Meetings
* Washington IETF
* prior to this RIPE meetings
Recent Developments
* IETF WGs
* IDR & RPS
Security concerns regarding routing, e.g. hole punching triggered extensive discussion
- -> reference needed
- -> IRR
currently minor security measures
- -> increase security
- -> populate database
- -> educate users
- -> change of the IRR
- -> more responsibilities with registries
Topics
* coordination with other RRs
* role of the IRR
presentations by Gerald Winters, Merit definition for the IRR
* database security trust model in development
* security suggestions by Curtis Villamizar, ANS
* PGP deal: Presentation by Carol Orange, RIPE NCC
(discussion) Wilfried Woeber commented that we need a "known" person to acquire a license, but the license will be granted to the organisation, so if the original person leaves or changes position it's no problem.
(question) Francis Dupont: Will PGP be added to the authentication mechanisms?
Carol Orange: yes, there will then be 4 mechanisms, but no-one will be forced to use PGP or any other strong authentication.
(question) Has there been progress in having a referral mechanism in the database?
Carol Orange: There has been progress in definition but not in implementation. The RIPE NCC has a lack of programmers, but it's high on the priority list.
Wilfried Woeber: We're also thinking of offering checksumming and other security measures, not just authorisation. We're also discussing authentication- who has access to objects, identification, etc.. But we have to have something available now.
13. Reports from the WGs
Spam BoF: Chair- John Martin, presentation Roderik Muit
(discussion) Antonio-Blasco Bonito noted that in Italy new domains have to sign a nettiquette agreement, this might be something to consider for the Spam working group.
DNS Working Group: Chair- Ruediger Volk
(discussion) There was further discussion of "jspnrmptgsbssdir" a Microsoft created DNS confusion. The name "jspnrmptgsbssdir" is queried regularly from a Windows NT server or workstation running the Windows NT Remote Access Service. Try creating an entry for jspnrmptgsbssdir in your zone file.
Find summaries of other working groupmeetings at:
TLD Working Group
EIX Working Group
Routing Working Group
NetNews Working Group
14. Next RIPE Meetings
Stockholm, Sweden May 18-20
Edinburgh, UK September 23-25
Amsterdam, Netherlands January (no dates set yet)
15. AOB
There was no other business
16. Closing
Rob thanked the RIPE NCC for doing a great job in organising this meeting, and thanked everybody for coming.