Minutes & Presentations
Monday 17 January, 2006
Paul Rendek of the RIPE NCC welcomed the meeting attendees and thanked the sponsor, ictQatar, the meeting host and connectivity provider, Qtel, and the meeting co-hosts, Carnegie Mellon University (CMU), Qatar and Qatar Foundation. He also introduced the RIPE NCC staff present at the meeting.
Welcome Address by ictQatar
Dr. Hessa Al-Jaber, Secretary General ictQatar, welcomed the meeting attendees, RIPE Chair Rob Blokzijl and RIPE NCC Director Axel Pawlik. She gave a brief overview of ictQatar. She explained that ictQatar's mission and vision is to create a knowledge-based society in the Middle East as well as to advance social and economic development in the region.
Welcome Address by CMU, Qatar
John Leong, Executive Director Strategic and Technology Development CMU, Qatar, welcomed the meeting attendees and gave a short overview of the history of Internet development at CMU.
Speaker: Rob Blokzijl, RIPE and Axel Pawlik, RIPE NCC
Rob gave an overview of RIPE. He explained that RIPE is a forum where Internet Service Providers and others interested in the advancement of the Internet meet to discuss and work on problems common to all. He presented a short history of RIPE, described how it is organised, discussed some work in progress and told attendees how to get involved.
Axel explained that the RIPE NCC is an independent and not-for-profit membership organisation with 4,200 members in more than 65 countries. He described how the activities and services of the RIPE NCC are defined, discussed, evaluated and performed in an open manner.
There were no questions.
Presentation: RIPE NCC Activities Update
Speaker: Axel Pawlik, RIPE NCC
Axel's presentation gave an overview of RIPE NCC activities, including membership services, coordination activities and information services.
There were no questions.
Presentation: Current Policy Topics – A Worldwide View
Speaker: Filiz Yilmaz, RIPE NCC
Filiz presented on recent policies and discussions on Internet resources in the five Regional Internet Registry (RIR) regions. She provided an overview of recent policy-related developments on IPv4, IPv6 and AS Numbers. She also invited the meeting attendees to make appointments with her during the meeting to discuss any issues relating to IP resources and their own organisations.
There were no questions.
Presentation: RIPE Policy Development Process (PDP)
Speaker: Rob Blokzijl, RIPE
Rob gave an overview of the RIPE PDP. He explained the roles that RIPE, the RIPE NCC and the RIPE Working Groups play and how the attendees can get involved in making policy.
There were no questions.
Presentation: WSIS Review and the Way Forward
Speaker: Axel Pawlik, RIPE NCC
Axel gave an overview of the Number Resource Organization (NRO), its role and the RIRs' role within it. He explained the NRO's role in the World Summit on Information Society (WSIS) as well as its positioning and the future collaboration between the RIRs, industry partners and governments.
Question: Is Internet governance an ITU initiative and is the discussion leading to something definitive or will it go on for years?
Axel responded that it is widely understood that the International Telecommunication Union (ITU) has a stake in Internet governance. The ITU wants to have a say in Internet governance. It positions itself as an association of member states. It has a bottom-up process and a long history with the Internet.
The immediate threat from the WSIS, which was to advocate strong top-down regulation, has gone. The discussion on Internet governance gives a tool to reach out to a non-traditional audience.
There is a paper prepared by the ITU that states IPv6 needs to be fixed and we need to have a parallel structure of allocation mechanism run by the countries themselves, parallel to the RIRs. The NRO has commented on this, together with the community, saying that it is an interesting concept but has possible technology implications. The NRO needs to be careful in projecting what it thinks the outcome might be.
RIPE NCC members were asked to read the paper. Several hundred statements of support were received from our members, many of whom are members of the ITU as well. Most of the major European telecoms have commented through European Telecommunications Network Operators Association (ETNO) in our favour.
Presentation: IANA Update
Speaker: David Conrad, IANA
David gave an overview of the Internet Assigned Numbers Authority (IANA) and explained why the Middle East region is of specific interest. He explained that the IANA does not make policy but implements policy made by others. He also stated that the IANA is working on improving its website and the speed of its service. He welcomed any feedback.
There were no questions.
Presentation: Security Issues in the Internet – An Overview
Speaker: Jaap Akkerhuis, NLnet Labs
Jaap introduced NLnet Labs and gave an overview of current security issues in the Internet.
There were no questions.
Presentation: DNSSEC Deployment
Speaker: Olaf Kolkman, NLnet Labs
Olaf gave an introduction to DNSSEC and explained what changes in architecture are needed in order to deploy DNSSEC in an existing environment. He offered examples from his experiences with deployment of DNSSEC at the RIPE NCC and deployment research at NLnet Labs.
Question: What is the current status of the DNS protocol standard?
Olaf responded that when RFC 2535 was released, people thought agreement was reached. However, there is a problem between the ‘parent’ and ‘child’ due to too much data moving between them. These problems have been fixed. But there is no automatic way to roll over keys. Key management makes operation hard. DNSSEC as of now does not offer confidentiality and privacy. This is a big issue for European Top Level Domains (TLDs).
If non-existent data is requested, an NSEC (Authenticated Denial-of-Existence) record is received. If the names do exist, the data can be signed in advance. This is authenticated denial of existence. By having a chain of names, the complete content of a zone can be seen and a full enumeration of a zone made. This is called the enumeration problem. This is something that is prohibitive to some who want to deploy DNSSEC and they say that, as long as people can enumerate over zones, we won't deploy DNSSEC.
For those who do not care about this problem, they can deploy DNSSEC and there is no change needed. The Internet Engineering Task Force (IETF) Working Group (WG) is actively looking at ways to deal with this problem. One way is to generate the name spans at the moment the query comes in, and then sign them. This will need an online key. People are not very happy about having keys online. This is a solution that is now going out to the higher levels of the IETF to be published as a proposed tender.
At the same time, the WG is working on a method that uses a hashed name space. This method has some ‘protocol trickiness’ to it. The WG is looking into this, and there will be workshops to work it out. However, this is not something that will be finished in the next six months.
The basic requirement for those deploying today is not a new version of DNSSEC. If we solve that problem, the solution will need to hook in seamlessly into the current version of the protocol. The people who need to recognise this part of the protocol will need to upgrade, but those now using the protocol will not be affected by this. Do not expect completely new technology but improvement on the technology.
Question: What position does Microsoft take on this?
Jaap Akkerhuis, NLnet Labs, commented that he had spoken to a security strategist at Microsoft who confirmed that Microsoft is actively looking into it.
Olaf responded that it is a ‘chicken and egg’ situation. The RIRs wonder why they should invest money into things that clients don't know about. It's important for people to realise that this technology is actually needed and can help to improve security. Unfortunately, there are no real economic incentives. The only incentive could be that, if you deploy DNSSEC on your infrastructure, you can put it in your brochure, showing your clients that the organisation is at the cutting edge of technology and is security conscious.
Jim Reid, RIPE NCC Executive Board member, commented that the Swedish TLD, .se, is signing delegations. To try to get DNSSEC deployed in a substantial manner, there are drivers. One of these is the economical driver, and the support of software vendors, in particular Microsoft. But there is a potential role here for government and regulators. If there is a spoofing attack against some TLD registry, which is expected to happen at some point, governments might think that this is a matter of national security and want to sign up immediately, even though the RIRs are not ready.
Olaf responded that regulators might jump in, so DNSSEC should be ready for deployment. This sounds like a threat. A large-scale attack on the DNS will happen at some point. Those who run the Internet as a whole have to be ready, so when it happens they can act, and regulators do not have to step in.
Question: Are there any known issues with DNSSEC working with Internationalised Domain Names (IDN)?
Olaf responded that there are no known issues. IDNs are mapped into ASCII-like strings. For DNSSEC, everything is just data. It works on the bytes and the octets, not on strings.
Presentation: Overview of UAEnic
Speaker: Sultan Al Shamsi, UAEnic
Sultan gave an overview of United Arab Emirates Network Information Center's (UAEnic) establishment, objectives, goals, activities, plans and projects. He explained that UAEnic has invested a lot in promoting the Internet and (.ae) domains to the local and global Internet community. Sultan also encouraged the attendees to attend future RIPE Meetings and participate on mailing lists.
Question: Is there any other addressing authority in Abu Dhabi?
Sultan responded that there is only one authority, UAEnic, which is part of the Emirates Telecommunication Corporation.
Question: In the Arabic domain name convention, why is the full word ‘Emirates’ used?
Sultan responded that the word ‘Emirates’ cannot be shortened into two letters, as is common in the English language, because it gives a different meaning to the word. It is shortened as much as possible. ‘El Emirates’ is actually the correct form, but ‘El’ is removed.
Question: Have the other countries in the Gulf Cooperation Council (GCC) also agreed to carry the full name as well?
Sultan replied that all have agreed.
Speaker: Henk Uijterwaal, RIPE NCC
Henk gave a comprehensive overview of services provided by the RIPE NCC. He explained that the RIPE NCC offers more than address-based distribution and the RIR function and encouraged the attendees to use these services.
Question: What is the fee structure for the services that must be paid for and what other public tools can be used for things such as traffic monitoring?
Henk responded that, for Test Traffic Management (TTM), the machine needs to be purchased and costs around EUR 2000, plus an annual service fee of EUR 1000. DNSMON is free to TTM customers. ccTLD operators pay depending on their size. This varies between 2000-6000 EUR per year. RIS is free. There are hundreds of tools on the Internet, some are free, some are commercial, some are semi-commercial. It just depends on what is required.
Attendees were invited to talk to Henk after the session if they had more specific questions.
Wednesday 18 January, 2006
Presentation: Developments in Internet Routing
Speaker: Daniel Karrenberg, RIPE NCC
Daniel's presentation focused on the development of the Internet from 1990 to today and beyond. He used examples from his personal experiences as an Internet consumer to illustrate the changes and developments over the last 15 years. He encouraged the meeting attendees to draw their own conclusions from these.
Question: What do you think of IP multicast?
Daniel responded that from an engineer's point of view, it is the obvious solution, but not on a global scale. It is the solution for local distribution. The trend is for IP multicast point-to-point over local infrastructure because the local infrastructure can just bear it.
In the Netherlands, there is a service that enables you to see TV shows that you missed. It uses unicast streams on a national basis. The Netherlands is a small country with relatively high bandwidth. But there is not really any multicast stuff. Even for live events, the tendency is to use a large server with individual streams. This is easier to control as well as to know who is watching.
The organisations that provide these services say that, if unicast is used, which is the ubiquitous service, the way the streams are produced can be controlled locally, and then there is more control over service quality. If production has to be shared between the service provider and the bit-pusher, there is less control over quality.
Rob Blokzijl, RIPE Chair, commented that at the last RIPE Meeting, RIPE 51, the BBC gave a presentation and demonstration on multicasting. The BBC has firm plans to put all its TV and radio programs live on the Internet as of next year and they plan to use multicast. It was a very impressive demonstration. It is up to organisations like the BBC, who have a good reputation of using high quality content on the Internet, to give multicasting a push.
Paul Rendek, RIPE NCC, added that the BBC's multicast presentation at the last RIPE Meeting was webcast and is archived.
Question: Do you predict that spam and abuse will go up or down?
Daniel responded that he believed the Internet mirrors society wherever you are located. Spam and abuse is not going to go away. Real malicious attacks are going to increase. Getting into systems for the sake of it doesn't really happen anymore. People are doing it for profit now and they do it seriously. There is more serious criminal activity and it will increase. Defences against this need to be strengthened. Computing power and intelligent software can be used to mitigate spam. There are pretty good spam filters these days but the problem will not go away.
Presentation: IPv4 Exhaustion and IPv6 Consumption
Speaker: Paul Wilson, APNIC
Paul's presentation asked: ‘How many years until no more IPv4 addresses are available to allocate to networks?’ It reviewed some of the more recent studies into the projected date of IPv4 exhaustion and challenged some of the assumptions made. He also explained what the upcoming IPv4 exhaustion means for Local Internet Registries (LIRs). He added that the presentation is taken from the work of Geoff Huston, APNIC's Senior Researcher.
Question: IPv6 has been struggling for 10-12 years. Has anyone had a revolutionary idea to just kill it so we can all get on with something else?
Paul responded that there have been IPv6 sceptics around for a long time. If IPv6 gets a bad name and is written off, it's a situation that is hard to reverse. IPv4 Internet could continue to be evolved but this evolution won't accommodate the gradual shift to IPv6. It is just not happening that way. If we let IPv6 fall by the wayside, the network will still continue to operate.
Question: So should IPv6 continue forever or should we say IPv6 is going nowhere and move on to IPv7?
Paul responded that it's going to take a long time to get to that point. It's not good to abandon something without knowing why. We can't promise that IPv8 will come along and be better without understanding why. There is a pretty well understood problem set with IPv6 as well as a solution set and there aren't that many alternatives.
Question: In one of the slides, it says ‘be prepared'. If I were an ISP, what advice would you give me so I can prepare without spending so much money?
Paul responded that it differs per ISP. You will need to train your technical staff. It depends on the risk you want to take.
Question: In Daniel's presentation, he multihomed. You are multihomed because you have provider independent (PI) address space at home. Assuming there will be a drive for multihoming, it will imply that for every device, you need two or more IP addresses and for every cluster of devices. That is every home needs two routing table entries. Has anyone looked at the implications of the ubiquity of multihoming and highly reliable network usage on the consumption of the IPv6 address pool as well as the legacy IPv4 address space?
Daniel Karrenberg, RIPE NCC, responded that the next presentation, shim6, explains this. The question assumes that multihoming in IPv6 is the same as IPv4. IPv6 doesn't change the routing system and the routing system couldn't bear all the consumer connections. It is different in IPv6. The IETF is discussing this, and the presentation on shim6 addresses it.
Speaker: Daniel Karrenberg, RIPE NCC
Daniel explained that sites need to multihome for resilience against network outages and, in IPv4, this is done by injecting additional routes into the routing system. He explained that the IETF Shim6 Working Group developed one solution to support IPv6 end site configurations that have multiple external connections to support application-level session resiliency across connectivity failure events. He added that the presentation is by Geoff Huston. He also invited anyone interested to join the shim6 IETF Working Group.
There were no questions.
Presentation: Intrusion Prevention/Data Security
Speaker: Cyndi Mills, CIO Carnegie Mellon University, Qatar
Cyndi explained that as Internet attacks are becoming more sophisticated, improvement of protection mechanisms is needed. She gave a brief overview of active intrusion prevention technologies in networks and hosts.
Question: There is an IETF ‘Best Current Practice’ (BCP) document, BCP38, which says ‘filter, on ingress, certain prefixes’, yet most ISPs do not do this. Is there any way to encourage ISPs to implement something as simple as ingress filters, or to use more elaborate mechanisms?
Cyndi responded that interchange points need to do some of that filtering and the intrusion prevention devices are now becoming fast enough to deal with multi-gig links. A problem has always been that network bandwidth grows faster than we can filter it. What does help is the protocol specific A6 and the fact that processors are now cheap enough to use several in a single intrusion prevention device to do some very specific pattern matching and store flows over a long period of time. These could be deployed in between ISPs, mostly in an attack mitigation mode. Primarily, this will be Denial of Service prevention.
Question: As a small ISP, what would the business model be to deploy most of these services?
Cyndi responded that a brand new firewall intrusion prevention device costs around $25,000 as a base price. And there are high availability configurations so you can use as many of them as you would like to put in parallel. This is why this is at the backbone level because it is for large providers who can afford to buy one or several $25,000 devices. In an attack mitigation mode, this preserves the bandwidth, which means providers should get a return on investment.
Question: How is the performance of a network affected by these methods?
Cyndi replied that the hardware devices that are doing this at gigabit speeds using A6 are very low latency. What becomes difficult in latency-sensitive applications is when packets can be flagged as ‘wrong’ and need to be looked at using one of the processors. That can introduce a little bit of jitter and the latency is not as consistent. Good flows between known participants, such as a video-conference, do not need to be investigated in detail. It can be seen as legitimate traffic, the hardware can take care of it and keep a very low latency.
Speaker: Steve Huth, QCERT
Steve explained how the Internet continues to support improvements and advances in research, education, business and government operations and the risks associated with these. He outlined the ‘dark side’ of the Internet and suggested actions that organisations and individuals can take to manage the growing risk. He touched on the benefits of having an incident response team within an organisation and how this can help regional and global security. He also explained how a partnership between QCERT and attendees' organisations could be beneficial to all parties.
There were no questions.
Presentation: Panel Discussion
Panelists: Bassem Shatila, Qatar Foundation; Malik Awan, CMUQ; Timothy Chester, TAMUQ; and Joji Montelibano, RAND Corporation
Question: The network diagram does not show connections to other education institutes and Internet exchange points in the region. Is this something that is planned for the future?
Panel: We are open for connectivity and have already started with one entity here, which is the Qatar University. It is not located within Education City. There is interconnectivity and the same network is used to link to this university and other education institutions. We are interested in peering with any other institution in the region.
Question: Is peering restricted to education institutes or is it Qatar-wide peering?
Panel: Full peering, not only in Qatar but also throughout the region. We have full peering in terms of the commercial Internet and a peering for the research and development backbones.
Question: Who is Education City peered with within the GCC?
Panel: Through the local service provider, Qtel, we peer with UAE and with Teleglobe in the USA.
We use the model that universities in other countries, such as the US, have adopted. They have a partnership between universities. There are certain regulations for general peering between countries, for example, every country has its own service provider.
We noticed that in the GCC, almost all the traffic exchanged leaves the GCC. Most of the traffic goes to other countries and then comes back. Here, we can see loss of revenue as well as performance degradation. We would like to see the model they have in other countries coming into force soon. As far as universities are concerned, we can have a network. We are already doing this in Qatar but we need to talk further to regulators.
Another aspect of the question is about corporate involvement rather than restricting the network to universities. RAND is not an educational institute although it does have a graduate school in the US. Its presence in Qatar is not strictly for education but more for research and development dealing mainly with public policy. RAND has reaped the benefit of its presence in Education City but also in being involved with all the other institutions. Qatar Foundation's vision is to involve corporate entities into Education City. There is a science and technology park where major corporations are setting up. It is not confined to educational institutions.
Comment: I appreciate the role of Education City, but Qataris want Education City not only to provide education but also to play an important role in the development of the quality of services that are provided in Qatar. Education City has so much knowledge of technology and Internet channels. The problem in the Middle East, not only Qatar, is that leaders will not approach you for support. You have to approach them. There is so much bureaucracy that it makes it difficult for IT and Internet services to be of good standard.
We will not get the benefit without Education City's approach. I am not satisfied with the Education City's role in the improvement of Internet quality and IT in Qatar. There is so much technology and no one wants to make the maximum use out of it. The websites for some government departments are not up to date and do not respond to requests. We want Education City to make more suggestions to leaders and decision makers. It is the only hope for Qataris. There is no other body related to the Internet to approach.
Panel: What you say is in line with ictQatar's initiatives. Education City and ictQatar are working very closely to achieve what you request. All these issues will be tackled by ictQatar itself, which is the higher information, communication and technology council.
Comment: I teach at Texas A&M University Qatar. The hope for this country is coming from the students at Education City. The depth of the knowledge that these students have, as well as their motivation and enthusiasm, is impressive. They are motivated to look at problems in a new way and to apply technology and to solve those problems. They are the next generation of Arab leaders and Qatar leaders. We are committed to laying the foundations. The students will build on these foundations and Qatar will reap the benefits of this over the next 10-20 years.
Panel: Qatar Foundation is the foundation for education, science and community development. At the Education City there is Texas A&M University for engineering and social science, Georgetown University for foreign services, CMU for computer science and business and Cornell for medical and there are others still to come.
Comment: I did not know what Education City was until I came to this meeting. It is impressive. The standards of CMU, in IP in particular, are well known. That this education is available for nationals of GCC and that they can graduate with such a high standard of education is impressive.
My organisation would be very proud to peer with you. We are already peered with everyone in Bahrain and will be in discussion in the future to bring connectivity from Bahrain to Qatar and vice versa, bypassing Teleglobe and avoiding those international pops that increase latency and degrade the quality of the connectivity.
Question: Are you trying to attract inward investment from high-tech firms in the science and technology park at Education City, or is it going to serve as an incubator unit for business start-ups in Qatar or spin-outs from the academic research that is going on?
Panel: The science and technology park will serve mainly as an incubator model and anchor tenants to come here to engage in development and research to benefit the whole country.
We are fortunate enough to have all these universities under one umbrella as the Qatar Foundation. Even in the US, there isn't the level of collaboration that we are experiencing now in Qatar. We have a common network for Education City, even though each university has a separate network.
We have the top experts in these fields and the students are also involved in the development to encourage them and provide them with the exposure and the solutions that are available currently and in the future.
Question: Is there cooperation between Education City and Q-cert on projects such as security awareness?
Panel: Q-cert will be hosted in the science and technology park. There will be close collaboration between Education City, Q-cert and ictQatar.
The RIPE NCC thanked the attendees, the speakers, the sponsor and the hosts. The meeting closed.