Minutes & Presentations
Tuesday, 2 October 2007
Scribes: Ischa Ropert, RIPE NCC
Rob Blokzijl (Chair, RIPE)
Rob thanked everyone for attending, gave a brief explanation of RIPE and explained how it is different from the RIPE NCC. This was followed by a short history of RIPE where he explained what RIPE is responsible for and what the Internet Engineering Task Force (IETF) does. He followed on with a more detailed description of the RIPE community and its function. He gave an overview of RIPE meetings, working groups and the policy development process. In his overview of the policy development process he explained the principles, the process itself and the address management policy in particular.
Axel Pawlik (Managing Director, RIPE NCC)
Axel welcomed the audience and provided a brief introduction to the RIPE NCC.
RIPE NCC Activities & Services Update
Axel began by discussing the Disaster Preparedness Emergency Plan, deploying the business continuity plan. He made a statement that the internal focus, which has been dominant in the company for the last year, is now shifting outwards again.
He then outlined the vision and strategy for 2008, highlighting IPv6 deployment, resource certification and the possible trading of IPv4 address space as the top issues. He expressed the view that there will be trading of IPv4 address space and that the RIPE NCC is making sure it is prepared for it. He also stated that there needs to be better data on who has what address space as there is increasing interest from law enforcement. He stated that the RIRs do not want to be involved in the detail of the workings of the market but that they should be able to support it if it occurs.
Axel then gave an update of current member numbers, announcing that the RIPE NCC now surpassed 5000 members. He introduced the subject of Enhanced Cooperation with governments and provided an update on external relations.
Axel concluded his presentation by explaining the following services: Customer Services, Information Services, Database, Training Services and the RIPE NCC Learning Centre. He then spoke about the outcomes from RIPE 54 in Tallinn and announced RIPE 55–57.
Q: I am responsible for security in one of our Internet companies. If an Internet resource is subject to a Distributed Denial of Service (DDoS) attack do I have a platform just to mail those addresses to LIRs that are responsible for those attacks?
Axel: In case of a DDoS attack can we do something to mail the originating addresses to a list so we can do something about it? This goes beyond what the RIPE NCC is supposed to do but we would be happy to support our members by doing something like this. I would be wary of taking action as in black listing addresses. That is dangerous. However, in terms of infrastructure we would be happy to do this.
Rob: I think one of the most crucial elements in this chain is having an up-to-date Whois Database, which is the RIPE NCC’s responsibility. I do not see an easy way for the RIPE NCC to take action as DDoS attacks are very complicated.
Q: I would like to say a few words about trading IP addresses. The direct Internet market is worth $135 million per year. About $28 to $30 million is black money in this market. I think the DDoS attacks and Internet trading are related.
A: I agree and that is why we should embrace the trading that will happen. We don’t like it but there will be a need in the community to trade IPv4 address space. The RIPE Database will be even more important if this trading occurs. I implore our community to set up the policies that we need to support this type of trading. We need to keep track of those records in the RIPE Database.
Dmitry Burkov (RIPE NCC Executive Board): Security is the responsibility of government and this goes beyond the responsibility of the RIPE NCC. The RIPE NCC as an information system is in wide use with our law enforcement authorities but only as a reference database. About a week ago we had a seminar between the largest operators and security services and discussed cooperation. First, it is the lack of financing against the background of the Internet boom. In Russia it is easier that in developed countries as we do not have so many crazy people. We will have as many problems as the USA where they already have such law enforcement in place. It is then that we can decide what people should and should not do. When we talk about IPv4 exhaustion then the RIPE NCC can only facilitate the changing of policy but cannot address the technical issues. I do not think IPv4 will phase out, no one will throw out billions of dollars of hardware, but we should be addressing interoperability between the two protocols. We should be looking at how these two co-exist and connect. We should be keeping an eye on the issues. You will start to have problems when your customers start having problems gaining access to resources. I do not believe that today we are in IPv4 and tomorrow in IPv6.
Q: Well Dmitry, my question was different. Is it possible for the RIPE NCC as a network coordinating centre to perform some functions because they have this Whois Database? Can they inform providers of networks that from their address space there is illegal activity going on? For example, some blacklisting and notification so this function can be performed. Let me just remind you it is like the border with the criminal code. Well we would not like to do that. We do not want to take on functions that we have no experience with. It will threaten the infrastructure and we will have to deal with governments and politics. We can not do this without government and if we do not have good relationships this will be impossible.
Axel: To add to that I think there is a role and I agree with you that this is a dangerous area, however, talking about certification of resources. Certification will make it more difficult to use other people’s address space. There is a small role through certification for us there.
Max Tuleyev: As a representative of the white IP address market I register several dozen blocks of IP addresses for various providers from Russia, Ukraine and sometimes from Europe, so I am aware of these IP address problems. In the current model you can just write a complaint about spam and give it to the owner of the IP address space through the RIPE Database, but if the owner is the bad guy then this situation is not regulated by the RIPE NCC and this is what I would like to discuss.
Axel: That is an interesting case of course and we have said many times in the past for instance that the RIPE NCC is not the routing police. We are not the police force, we can do what we can to maintain accurate records that we can use, you can use and others can use, that law enforcement agencies can use. That is what we are aiming to do, to keep that registry of records in top shape. Apart from that I cannot control what good or bad people do with those addresses. Certification would help with secure routing. Actually, that is an interesting point. If you guys decide that you will employ or deploy secure routing based on certification, that will enable us de facto to switch off address blocks, as in de-certifying them. That would enable us to do more but I am not sure if we want to be there in terms of liability.
Max: Well resource certification would help but what would help more is to remove those malicious objects from the RIPE Database. Today we do not even have any recommendations on how to behave when you suspect the network administrator is a bad guy. Maybe you could come up with recommendations on how to escalate these problems. Who will be the judges and what will be the applicable law. If you have precedent law then it is possible but then you have to deal with cross-borders, and which court will decide what. Well that has some side effects involved. Another thing is how to check the account data from the RIPE Database because some part of this question is related to the fact that in principal if the RIPE NCC decided to keep this data and have this database and could demand this information from the users then you should also have in place a mechanism to ensure this information is correct. If you need more time to do this then hire the people and do it. You are big and you can afford it but if I write to an operator who had several thousand net blocks registered and I do not get answers for months and for months and I keep getting attacks on me, then this is abnormal and this must be dealt with somehow. This operator comes once a year to pay you so you can do something about it, not me.
Axel: That does not solve the problem however. Just because someone tells me someone else is bad how do I confirm that? And that is something I do not want to do.
Statistics and Policy Update
Andrew de la Haye (Chief Operations Officer, RIPE NCC)
Andrew welcomed the attendees and began the session with a brief policy update. He noted that four policies had been accepted, seven were under discussion and one was withdrawn.
Q: This is not a question but it is information for the audience. Is it true from 1 January 2007, the RIPE NCC will be assigning 32-bit autonomous system numbers (ASN)? This will be your default configuration on a standard request. Do you still have this policy in place?
A: I do not think we only give out 32-bit ASN numbers. It is somewhere in the approach to shifting to it but there will no big changes from next year.
Q: But the default will be ASN 32-bits?
A: Yes the default will be, but on specific requests we can always go back and then shift over.
Q: Well just recently some policies were changed on what should be the assignment window given to LIRs and basically all the LIRs were involved in this activity for more than six months and they were given a chance to sign without any further confirmation from the RIPE NCC to give out up to 2000 addresses at one time and that the auditing process would change. How would the audit process change?
A: In essence the audit procedure will not change too much. We will not audit a company within the first six months but we will do an audit during the year on a random selection of LIRs to see whether all the objects are in place. We are not going to audit the /21 assignment window but we do audit during the year and that is the change.
Draft Charging Scheme 2008 and Administrative Update
Jochem de Ruig (Chief Financial Officer, RIPE NCC)
Jochem presented the Draft Charging Scheme 2008 and Administration Update containing two main sections: the Draft RIPE NCC Charging Scheme 2007, including membership developments, and an update on billing and contract administration including the new Russian billing pages.
Q: You send us documents by mail and by e-mail but in Russia you normally pay on documents that have a signature and stamp on them. Is it possible to maybe publish such documents on your website or on your portal or maybe send them by fax so we do not have to wait for regular mail?
A: We are working on this with the new invoice system to actually have the invoice visible on the LIR system as a PDF. You can click on it, see it and print it out. We hope to make it available by the second quarter of 2008. If you need it by fax please let us know and we can fax it to you.
Q: I was just wondering on the previous slide you talked about document batches. So is it basically four sets of documents each quarter? How do we let you know that we want to use this option? Do you have a procedure on the LIR portal?
Q: This draft sheet for Russia, Kazakhstan and Ukraine. Is it possible to publish these as separate RIPE documents, because when you publish them on the LIR Portal very few people know about them but lots of people need them badly, especially general managers, accountants, etc.
A: What I can show you is what we have online – these are the pages we have. What you will see here is the template for an invoice, which we send to you with the act of acceptance and standard agreement. In addition, there are the documents for the Ukraine and the Russian Fact Book. Is this what you mean?
Q: Not quite, my point was different. I was talking about the document that explains the regulatory basis for dealing with the RIPE NCC. Why I am asking is for the new local registries it is very important because they want to make sure that they will really be able to have a clear regulatory framework before they sign a contract with the RIPE NCC. They should have some literature for information.
A: Yes that is a good idea and maybe we can send it directly to new Russian LIRs for their information.
Paul Rendek (Head of External Relations and Communications, RIPE NCC): When we get home we will take a look at all these areas you have mentioned where we have pieces that are translated and we can make sure that they are available somewhere public on the site. I don’t think we will have a problem producing a RIPE NCC document on how to find this – a step-by-step where everything is. I will get the Communications Department to produce something and we will send it to the mailing list.
We do understand the difficulties faced by registries in Russia and we encourage you to give us ideas on how to make things easier for you.
Information Services at the RIPE NCC
Mark Dranse (Information Services Manager, RIPE NCC)
Mark welcomed the audience and then gave an introduction to Information Services at the RIPE NCC. In his presentation he provided a brief overview of TTM, RIS, DNSMON and Hostcount for the uninitiated. He then gave the background history, as well as recent and upcoming developments.
I would like to ask the people could you raise your hands who ever has used the Information Services Mark has talked about and who uses them continuously in your everyday activities. Who would be interested in establishing a TTM probe in their network? Who uses them, who uses them continuously and who uses TTM?
Q: Can you give me an understanding of costs to install a TTM probe? As far as I understand you have to procure all the equipment by yourself. Is this correct?
Mark: There is an upfront cost if we provide the hardware which is 2,500 euro or you supply the hardware yourself and we supply you with the GPS equipment. I think it is 500 euro and there is an ongoing service fee each year of 1000 euro. We are looking at different payment options if the upfront payment does not suit your company. We would like suggestions on options that would suit you.
Russian IP-address Geographical DataBase
Sergey Zimin (RU-CENTER)
Sergey introduced himself as from the Engineering RU Centre. He talked about inquiries from his users and customers who asked where they can receive the distribution of IP addresses across Russian cities and other localities. At first they did not have an answer as they did not have the data. Later they saw that other organisations were running commercial databases, which covered these issues. Since they had a real-time mirror server they thought they should use the opportunity to create this geographical distribution. And they had to analyse the traffic of Russian DNS route servers and this task was also demanded by the RU Center.
He then explained how they provide the information and gave an overview of how they set up the database, how often they update it and how they use it.
Q: We are a hosting provider and I know many of our customers use your system. Your system, when you determine from which city that network is, is it just an information service or, for example, when an ISP thinks that the network is foreign but your system says this is a Russian network how can I prove to my ISP that I am receiving traffic from a Russian network? Is it data for credentials or is it just for information?
A: This service is just for information. We use the data from the RIPE Database and maybe you are receiving data from a Russian ISP but the route from which you receive the data is foreign so we cannot help you with this.
Q: I would like to comment on the previous question. Foreign networks can be sourced in Russia and there are enough purely Russian providers who are more expensive than others to the End User. How many inquiries do you receive for the correction of your database?
A: We are talking about two-digit numbers per day but there is a steady flow of correcting information.
Q: Did I get it right that your database is run manually? And so do you have any automated procedure to take contact material from the website?
A: All the data is taken from RIPE Database. By default we take data from RIPE Database, and if necessary we check with trace route.
Q: How many entries are there each week? Do you have any statistics?
A: I can give you an estimate – around 10, 20, 30 entries. Whatever the number you can see them within a year in the logs of our DNS servers.
Q: We're working with the Data Protection Task Force. We are looking at the near real-time streams from the database. Are you publishing personal information in the Database?
A: No, only work phone numbers, nothing else.
Prospects of DNSSEC use in Russia
Alexander Panov (Garant Park Telecom)
Alexander introduced himself and explained that he runs Garant Park Telecom, one of the largest registrars in domain names in the national registrar. He represents his company and the CCTAT.RU, the coordination centre of the Russian National Internet Section and He talked about the prospects of using the DNSSEC protocol in the Russian segment of the Internet.
He then presented on, the history of its creation, the plans for technological and administrative security measures and user identification in Russia. The DNSSEC RU has over 50,000 accounts right now in Russia.
Q: I have a question about the growth. So 50,000 is about 5% of all allocated domain names. When did it start and how many counts do you receive per month or per week? What is the growth rate?
A: If you have it as a graph, it will be a straight line just going up at a slight angle. At March 1996 we started this project and since then we have linear growth. Maybe together with those trends that we have seen in the past years as registrars we have seen applications from our users, we have seen complaints that someone has tried to grab their DNS information, so the awareness for DNSSEC is growing.
Q: You are receiving such complaints. Do you have statistics on the actual occurrence of DNS attacks or maybe to fake DNS information?
A: We have two court cases in which faking DNS data was involved. I am not authorised to tell you more about the names but there are some cases.
Q: And what about percentages?
A: We had two dozen complaints this year of which two of these were brought to court. One such complaint was about the attempt to grab all the inquiries which were targeted at the site of one of the banks. The path was redirecting traffic somewhere else and then the traffic went back to the target site so it was difficult to see that the data was grabbed at some point. It was hard to see that it actually happens, as the troublemakers are sophisticated.
Q: Your information about DNSSEC is very generic. Maybe you have some examples of international DNSSEC in real life.
A: There is a generic DNSSEC.net project and whatever I am talking about now you can access this site and see a detailed description of the development of this protocol across the world. The RIPE NCC was the first entity to start using it. This is an example from real life if you want.
Q: You say you have 50,000 accounts. Are they all assigned and on your DNS servers? How many of those are not your customers?
A: I think maybe 20 % are not our registrars.
Q: My question is about who uses that. Anyone can use it but do people actually use it? I do not know anyone who uses it.
A: What counts here is the general trend on how these domain names are being used. Over 50% of domain administrators registered in the .ru zone care about their domains only when they need to prolong the domain name and when you select the hosting provider or something. To increase awareness and usage of such protection schemes you can do the following. First thing we run is a joint project with the coordination centre when the entire domain zone receives a digital signature on the root server. For example, if you have a domain administrator who gets the trouble of course he will put such a signature, but we want to make this in a preventative manner for everyone to have a digital signature and this will clear up our domain zone.
Q: How does it work in real life? For example, you put an inquiry to the DNS and if you don’t have some module or something well you will not see that this is not a visual thing. We have an instruction on our website what you should do to your domain to get a digital signature. There is nothing complicated in what you should do and any user can do that really. Some DNS traffic goes through us and in this case it is for free and then everything just starts working. What we are doing is making it harder for troublemakers who want to fake your site and want to divert your traffic from the target site. Maybe I will add a comment abut DNSSEC as a technology – if you do not have global DNSSEC there is no motivation for the application developers to use DNSSEC and vice versa so this is a global issue. Right now very few applications support DNSSEC and the only thing you can do is check the validity of the zone on your local DNS server but the big question is what to do next. For example, if the DNSSEC is not applied on the route server of the .ru zone there is no motivation to support this on your local domain so we need the comprehensive approach to make it work.
A: Anyway I did not want to get into the technical details side because we have a very detailed description of all technical things on the website and what I was talking about is a political issue in that we have a great task of clearing up the Russian domain zone from any possibility to perform any illegal actions. If we fail to do that in the near future we may start having grave problems in the near future from the criminals and from security services who will restrict us even more in the fight against cybercrime.
Q: I am not talking about technical details. My question involves how the check is being performed and how can you see that I am who I say I am? For example, how can you verify my domain for my customers?
A: What we sign is not the information on the domain. The information about the site holder is signed and you can see the signature in Internet Explorer. What we sign is DNS information. DNS information verifies that this resource uses this and this serves as its DNS server and it shows that the DNS server is the right one and prevents the diversion.
Q: I can see the danger that the fake name might look more reliable to End Users than the real one.
A: No one can prevent the criminal making the site look like the original site, but those criminals will receive only the users who mistype the site name. What we prevent here is the diversion of the traffic from the users who just go to the original site.
Q: Who is classed as the criminal? If I am a troublemaker and I use only IPC running on Windows how can you verify to the site which is original. If you have all inquiries to the DNS server running through the insecure protocol there are ways to interfere in this process. It does not involve the DNS server – there are ways you can divert the good inquiry and you re-route it to another place. For example, if my ISP is a criminal or I use someone else’s DNS server, which provides fake information, who is the criminal in this case.
A: The criminal is the third party who is not involved with me or with the DNS holder. The criminal is someone who holds the DNS server elsewhere who fakes the DNS response of the authentic server. So this third party fools the user and fools the DNS holder. So the holder of the authentic DNS is not to blame; it is always the third party who fakes the information on the way from the user to the DNS – this is how it works. If you use DNSSEC you will see that your traffic is being diverted or fake and DNSSEC will work on it
Q: This digital signature, is it distributed within the domain, within sub-domains or in a unique way?
A: It is distributed through your account.
Q: For example, if a criminal redistributes me to one of his sub-domains what can I do here?
A: Your inquiry will remain in the framework of the same account. So you sign the domain but the sub-domain just inherits all these signatures, so technologically everything goes fine here.
Q: Did you think about the following scenario? A criminal is your customer. He signs a zone and then launches a DOS attack on another zone under your control. If you compare the costs between the unsigned and signed zone well the costs for the signed zone are much harder.
A: Well a DOS attack is a bad thing but it does not fail your operation.
Q: But it will deny service to all zones that are hosted on your servers.
A: Well this may be true but, for example, this will just be a DOS for a while. Of course there are some precautions, for example if you launch a DOS attack on all the ten route servers. I mean technologically to launch such an attack on such a server is much easier than in the case of an unsigned server.
Q: So if I make the load on your server a lot higher, it will make problems for everyone?
A: We have enough resources for that and we can respond to that technologically.
Q: I would like to ask the RIPE NCC do they have the technological means to handle such a situation. Suppose I use DNSSEC on a server. This means that the response to any inquiry is heavier than in an unsigned server. If a criminal makes a zone on your sever and launches a DOS attack this means that the DOS attack will be more efficient than in an unsigned server.
A: Of course you are right and there is always the probability that a DOS attack will take place. You can try and mitigate. By having more servers or when such an attack is really dangerous it is when DNS servers work as reflectors. In a normal situation the heavier response because of DNSSEC will not be used as a malfunction. If you misconfigure the servers as reflectors you can launch a very efficient DNSSEC attack by launching heavier inquiries.
Q: How many resources does it require?
A: Generally the extra load that DNSSEC poses does not bring the servers to their knees; it is not a real attack vector.
Q: With most of those signature requests is it single domain users or is it generated by registrars or big organsiations that have a lot of subscribers?
A: Well if you look at the facts and statistics it is like everywhere else – it is around 50/50.
Internet Governance Forum Update Panel Discussion
Dmitry Burkov, Axel Pawlik
Dmitry Burkov began the presentation by describing the World Summit on the Information Society (WSIS) process, the Working Group on Internet Governance (WGIG) and the forthcoming Internet Governance Forum (IGF) in Rio. He then outlined the history of the WGIG and WSIS processes including the WGIG Report and Tunis Agenda.
Axel then followed on with an update on the outcomes of the IGF in Athens and the preparations taking place for Rio. He included a brief overview of the RIPE position, which supports a self-regulated environment. He also discussed Paragraph 38 in the Tunis Agreement and the difficulty in defining enhanced cooperation.
In the presentation he also mentioned proposals that the Russian ministry needs to consider in order to decide the position of the Russian delegation at the IGF.
Igor Kokoshin talked about finalising proposals for the Russian delegation planning to attend the IGF. Igor represents the radio research institute and he wanted to talk about the proposals that articulate the position of the Russian delegation. He hoped the chance to discuss with the audience would give the delegation a better chance to represent the Russian people. He saw two positions on governance – one is technical and the other is broader covering social and legal issues. He talked about Russia’s position on these two viewpoints in more detail. He included in this some comments about ICANN. He suggested that the Internet is managed by a US-based organisation and how it should keep some of its existing functions but maybe not all.
Rob Blokzijl then remarked that the IETF is not a part of ICANN and that Russian people are happy to join the IETF.
Dmitry added that there might be a mistake in the translation. Nia proposed participating in the Government Advisory committee (GAC).
Q: Well I have the same attitude to the Internet too and I was a little bit surprised that we are talking about one of those projects. Why not Gloria for example?
A: Well we would be glad to be involved in all the projects that Russians are involved in not to feel isolated. I think it is just our internal position to support science and to provide financing to international projects. Maybe we need to talk about international collaboration and coordination in science and technology. But if we are talking about one specific project that has a weird financing scheme we cannot use, so maybe that is not quite correct.
Q: The question was if there is no anonymity on the Internet will people still be willing to use it?
A: Well I don’t think we have 100 percent anonymity on the Internet except in special circumstances. So it would not really be different.
Now I give the floor to Mikhail Yakushev to give an expert view on the IGF process
Mikhail talked about the activities he is involved in as an expert at the IGF and then he commented on the proposal from the Russian delegation. He commented on what he thinks is the right position for the Russian Delegation to take. The consolidated position on Internet Governance was that it always involved three groups: Government, Business and Civil Society. Russia has unique way of regulating telephony but you cannot do this with the Internet. The geographical positioning does not work with the Internet. It is agreed that the Internet needs to be dealt with at an international level but how to do it is the question. Perhaps the IGF is not the right place.
Mikhail presented an example of where international negotiation has worked for business with civil aviation. He stated that the international civil aviation organisation plays a central role in making this industry work globally.
He said that we need to look at what is happening in other countries, such as what has happened in UK where health institutions can access private details on the Internet. If anonymity is lost on the Internet it will change the structure of the Internet as it exists today.
He then talked about which issues should be discussed at the IGF and those that should not.
Q: What goals or objectives should we be trying to address at the IGF?
A: Well I think the only goal is to organise a comprehensive international cooperation to prevent the usage of the Internet for malicious purposes. I am talking about spam, Malware, etc. – real problems service providers are dealing with. Once we know how to address those then we can start to know how to address other problems. We need lo look at the local issues.
Q: You mentioned Internet affordability in Russia and you said it was a legal problem. Well I think it is an economic issue primarily. If we still have little villages and towns with only three telephone lines and you want wireless for schools then this is impossible. This is not about legislation but just the fact that there is no infrastructure. This is a comment rather than a statement.
A: Well sometimes Russia makes administrative decisions that hinder the ability for access and increases the cost. We need to look at that more closely.
Vladimir from the Russian Government makes a short presentation
He discussed how the Internet has transcended from a tool to something more important. Now there is e-government. He explained that there are many towns that do not have Internet access but it is happening. It just takes time and he gave an example of a programme that will see lots of schools having the Internet by the end of the year. He sees the Internet as the cornerstone of modern society so stability, access and security are priorities. The question is where we find solutions to the issues that are arising. He praised the Americans for inventing ICANN but sees the need to re-address this as the Internet grows. He believes not a single government or stakeholder can set the rules for the Internet but only together can they manage the process. The IGF is seen to begin this process. He finished the presentation talking about the areas they see as a governance issue, mainly fighting crime and protecting their citizens.
Q: Why not have information support on the Internet like it is done on the IGF website. We have papers with discussions on these issues but nowhere to publish them. If we had this we could give you feedback on what we think about the Russian proposals?
A: Well we have this domain RU Coordination Centre and they perform many functions and you can work with that. We can find a way of cooperating to move forward. As this paper is not a secret we can make it available so we can involve everyone in this process. It is a difficult issue so we need to set the parameters.
Q: In communication law, the Internet is not defined, which makes it hard to regulate – what are your thoughts?
A: We are talking about Internet regulation in the government. It will be in your interest that this gets done well – it will make it easier for your business. We need to find a balance in fighting terror and advancing the Internet. If it is done badly then it becomes your problem because it will affect your business. It is finding the balance that makes it so challenging and we do not have ready-to-use experience or solutions to these issues. The Internet is still being born and it requires very new ways of thinking to address it.
Vladimir apologises and leaves
Q: I looked at Russian regulations related to the Internet and I found it striking that they try to use the same enforcement as they have in telephony. Telephony is hierarchical, the Internet is flat, which means that the regulations do not have the same effect. Has anything changed?
A: Well I do not know if there are any changes. People write documents based on what they think they know and their understanding on what they regulate. They cannot do anything good about things they do not know. The have no idea about what they are writing about – so they try to build a sewing machine and instead end up with a machine gun.
Q: Would the ministry open a forum like RIPE where everyone can voice their opinion?
A: Well we have no one from the ministry here now so I cannot say. I can say it has been proposed, but the processes are very slow, so we'll see.
Q: I am sorry to see the official has left but I'll ask the question to the people here. RIPE has its own working groups regulating their own issues so why isn't the Russian Government involved in that? Why should we have another government-based forum to talk to other governments?
A: The Swedish and British Governments are active in our working groups, so there is nothing stopping the Russian Government from participating. The question in the end is to the Russian Government: why does it not participate?
Comment from Boris about ICANN: The radio institute does not see ICANN as a CIA organisation. We suggest that the existing governance structure should not be touched and we will publish this opinion in written form. First, the existing ICANN functions shouldn't be touched; secondly, for new governance functions for new networks such as Next Generation Networking (NGN) we would not be happy for ICANN to do this. We would like to do this locally through our own processes. Our position is also that you cannot cancel anonymity on the Internet as it will change the ways it exists. We think that we should encourage signing on messages to increase protection.
Axel: I want to add that for the type of work the RIPE NCC does, ICANN does not rule the Internet, the RIPE community does. For example, there are many more than 13 root servers, there are now over 200, most of which are outside the US. We are also looking into certification, as I mentioned before. This is where we certify that we allocated address space to you, you can certify that you assigned or sub-allocated to another entity, and so on. These are examples where the industry is doing things that will help governments.
Dmitry: You are proposing to change the existing the system that RIPE has now, but not with ICANN. I can't see exactly what you are proposing to change. What kind of NGN networks are you talking about?
A: Well I will argue on terminology: if you do not like NGNs let us talk about networks of the future, especially routing – there will be one system that everything will be based on. It will be on a packet level. Probably IPv6 (or some other version) or the system of telecommunications of the future will be based on IP. In this situation with the current DNS, future subscribers will have not just telephone numbers, but also DNS names. I think the telecommunications industry will not be happy. Let's face it, the Internet is not critical to the security of the country. If the Internet breaks today, things will still work, not everything of course. If the root can be hacked and it has major repercussions for the country, it will not be good. We should base telecommunications networks on the same principal: if you can hack into this and it collapses, the administration will not be happy. It is my opinion is that IP addressing should be regulated.
ccTLD SU Current State
Pavel Khramtsov (RU-CENTER)
Q: When will DNSSEC be introduced in .su?
A: Last time Max you asked the same question but there is no discussion yet. Much like the answer last time when asked for .ru.
A: We analyse the DNS traffic on the servers, we analyse the number of inquiries then we rank the domains by the TTL.
Taiwan earthquake BGP analysis
Steve Wilcox (Renesys Corp)
Steve began his presentation by giving details on a major earthquake that took place in Taiwan on 26 December 2006 where seven of nine cables were severed. His presentation reviewed the incident from the perspective of its effect on the routing table.
Q: I think the issue is more administrative, not technical. I know there are several fibre channels from China through Asia to Ukraine and Europe and this is not used because they do not offer a good price for Internet-only phone calls. In Asia they use it to deal with each other.
A: You are absolutely right. There are many cables that exist but are they are not used mainly for political reasons, especially with the land cables. We are cheap people on the Internet so we do not invest in things as much as we should do.
Frank Orlowski (DE-CIX)
Konstantin gave a brief update on the Moscow Internet Exchange.
Q: Last year you mentioned that you are doing a test operation of IPv6. Did you get members that peered with IPv6 and do you have traffic stats?
A: We don't publish the traffic stats for IPv6 so I cannot say there was an explosion of IPv6 but the infrastructure is ready. If anyone is ready they can start using IPv6.
Testbed ENUM with RIPN resources
Elena Voronina (MSK-IX)
Elena gave a presentation on ENUM test bed using Russian Institute for Public Networks (RIPN) resources. She represents the technological centre of RIPN and her presentation aimed to promote the ENUM test bed. She discussed the first attempt to create a global directory in the 1990s. She then gave an overview of what is occurring in the world of ENUM delegation, what is happening in the ENUM working group and how the processes work. She gave an example of where the delegation was delayed in Kazakhstan, so due to the refusal they began to make the test bed at RIPE using the technological resources available. She presented a flowchart on how it should happen in a generic sense. She is looking for carriers interested in working with them to test the technology.
Q: So there are two ENUM models – user-based and operator-based – which are you?
A: We are operator-based.
Q: So far you don't have regulatory issues about how to interact with the carriers?
A: Correct. We are working on figuring it out, but we think it will come when we complete the test bed.
Q: Can you clear up what happened in this situation with Kazakhstan? It seems that they have taken two numbers and Russia will take the other eight?
A: Well Kazakhstan will take the two digits. So far to have that domain delegated we needed to verify that they would get the two digits and we did not know that then.
Q: What will be the procedure for membership?
A: We do not have any administrative regulations so everything will be done on an individual basis.
Q: Who directs the RU coordination centre?
A: If you want to be established as a member of the test we have prepared a document in a generic form. This defines your rights and responsibilities and the role you will play in the role of testing. If you sign this document it is confirmation of your involvement but we start with a conversation on a technical level.
Q: How does ENUM work with our long distance telecommunication? You don't have a license, right?
A: ENUM protocol options are not banned. Technologically, you can work in any way you want if you can make it work. If you go commercial, things change. We don't have any issues with the law in that regards.
Paul thanks Elena and calls meeting to an end.