Host: Maria Häll, Executive Board Member, RIPE NCC
Attendees: 40 academics and NREN representatives
Minutes: Gergana Petrova
Maria welcomed all participants to the meeting and spoke of the importance of convening together as well as giving her, as a member of RIPE NCC's Executive Board, feedback on issues where RIPE NCC can get involved and help the research community.
Next, all attendees took turns to introduce themselves to the room.
Joanna Kulesza, University of Lodz, Poland, spoke about her research on cyber security. Whether and when a cyber attack is an act of war is a difficult question to answer. The EU has been regulating critical infrastructure for some time now. More recently, the EU agreed on a NIS directive that will come into force in the next few years. In it ISPs, IXPs and TLDs are declared critical infrastructure, similar to water supply, for example. Joanna's research focuses more specifically on ISP due diligence, with the goal to set up a due diligence cyber security standard. Standards rely heavily on expertise and best practices from the technical community. It would be down to them to identify and define this technical standard. A sign of the increased search for accountability is the increase in insurance take up for ISPs. Liability insurance is becoming more and more popular, and in some countries, for example France, it is now obligatory for ISPs.
A question was raised of the best way to find the responsible party or the attackers in a given incident, for example the DDoS attack on Dyn servers on 21 October 2016. One direction would be to search for the host or server where the malware originated. The hosts must have not been diligent enough to verify and make sure their servers are error or malware free. Therefore, a fridge manufacturer might not necessarily be the one accountable, rather the server from where the malware originally spread. Technical experts should be responsible for tracking down the vulnerable server. And then, by extension, accountability could be sought further down the chain. If good business practice means not accepting traffic from a certain server known for vulnerabilities or spreading malware, then a good business shouldn't. If enough people do this, operators of that server have the choice to clean up their act, or get out of business.
Existing standards (ISO, etc.) are a part of good business practice, but more can be done.
Dusan Vuckovic, University of Nis, Serbia, spoke about his experience with establishing an IXP in Nis, Serbia's third largest city. It all started from a disconnect between businesses and technical people. Soon after a talk with a local ISP, Dusan and a group of like-minded people realised that the city can benefit from interconnecting the local ISPs and keep the local traffic local. Since universities are seen as a neutral platform, open for suggestions, local providers immediately flocked to them. In addition, universities can count on vendors for the equipment, as happened in this case, when it took a quick 10-minute call for vendors to see the benefit of the project and agree to provide the equipment.
Dusan and the group copied the RIPE policy and made the new IXP open for everyone. When an ISP becomes a member they get a vote. Soon several local providers joined. It is important to mention that everyone involved in setting up this IXP were not experts and they were learning on the go. In retrospect, they would have been easy targets for an attack (which thankfully didn't happen).
At this point, the University of Nis students are one of the the biggest beneficiaries of the project, since they now have a great link that they would otherwise not have available, as well as access to a lot of data.
To the latter point, the room discussed that some IXPs have a policy to not look into traffic. They decide not to collect data, statistics and traffic streams, but only explore the routing layer information. It is difficult to draw the boundary around the amount of traffic snooping. Before you realise, a snooping IXP might become interesting for a number of entities – government, businesses.
Dusan shared that since the government was not very interested in their part of the country, they didn't get involved in the project. Dusan's team still needed to set up an affordable link with Belgrade, the capital.
Emile Aben, Romeo Zwart and Gergana Petrova gave an overview of the RIPE NCC initiatives for the Research and Education community. If you have interest or ideas, or your own data, then please discuss with us (emails are hyperlinked above).
These meetings are useful for us to see each other, but at the moment we do not come out with any concrete action points. Are academics and NRENs looking for something particular out of the RIPE community or the RIPE NCC? If so, then we can use this group to amplify this voice, the way we did when RACI was born. What is the next RACI?
Some general suggestions:
Some suggestion for the meeting: