Open Source Working Group Minutes RIPE 85

Wednesday, 26 October 2022, 10:30 - 11:30 (UTC+2)
Chairs: Marcos Sanz, Martin Winter, Ondrej Filip 
Scribe: Michel Stam
Status: Draft

Stenographer’s notes:

A. Administrative Matters

Marcos Sanz, Martin Winter, Ondrej Filip

The presentation is available at:

Ondrej and Martin opened the meeting. No new items were added to the agenda, and the minutes from RIPE 84 were accepted without comments. The election results did not cause any changes to the Working Group.

B. Cyber Resilience Act Effects on OSS

Maarten Aertsen, NLnet Labs

The presentation is available at

Maarten presented an initiative of the European Commission on improving cyber security by creating a “CE” mark for software and the concerns regarding the current proposal. Next, Maarten asked the audience to raise their hands if they use or contribute to open-source software. Several hands were raised in the audience on both questions. The “CE” certification mark would be by self-declaration, except for critical products such as routers, switches and remote access software (Internet critical). On the other hand, open-source is excepted unless it is used for commercial activity. Maarten continued by asking the audience who pays for open-source support, and several responded. He then questioned if this would be challenging for open-source developers who would have to focus on compliance rather than code development, thus hindering the growth of open-source. He also raised whether this would cause developers to avoid the EU and why there is a distinction between open-source software written for a commercial purpose or not. Lastly, Maarten asked the audience how this legislation would affect them, financially or otherwise, and further indicated that he would encourage people to contact him after the session.

Benedikt Stockebrand, Stepladder IT Training+Consulting GmbH, wondered how regulation would keep up with developments within IT, given the IT sector develops very fast.

Vesna Manojlovic, speaking on her own behalf, asked what the timeline for the legislation is. Maarten responded by indicating that this is a proposal and an open feedback period. The next step would be for countries and local parliaments to have their say. The timeline would be within the next one to two years.

Vesna further asked what the reason for the legislation would be; consumer protection or otherwise. Maarten commented that this legislation is about critical infrastructure and achieving a minimum level of security.

Peter Koch, DENIC eG, commented that the legislation is a response from the EC to IoT being regarded as unsafe because of unmaintained devices.

Niall O’Reilly, RIPE Community Vice-Chair, commented that it would be worth distinguishing between open-source and proprietary software, which is more challenging to analyse.

Vesna asked whether the governmental institution would contribute public money towards free software and open-source code. Maarten responded that accepting money might make it a commercial rather than open-source activity.

C. Infrastructure As Code: Managing IXP services Using Terraform and the IX-API

Annika Hannig, IX-API

The presentation is available at:

Annika presented remotely on how to deploy to critical infrastructure using the open-source tools Terraform and IX API. Terraform is a tool for tracking infrastructure and applying changes, while the IX API is an open document with a client available through GitLab. Annika demonstrated how to use these to manage changes, and links were shared on where to find the API documentation and code.

No questions were asked by participants.

D. ARTEMIS: Demo of BGP Prefix Hijacking Detection

Lefteris Manassakis, Code BGP

The presentation is available at:

Lefteris Manassakis presented ARTEMIS and how it can be used for real-time BGP prefix hijacking detection. His presentation started with ARTEMIS’ design goals, operation, and components. Next, Lefteris delivered a demo that involved announcing a prefix from a controlled router and comparing the prefixes announced against a preconfigured list inside ARTEMIS, alerting on any discrepancies.
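
A minimal sketch of the comparison described above, as an added example that is not ARTEMIS code and was not part of the presentation: observed announcements are checked against a configured list of prefixes, legitimate origins and expected neighbours, and any mismatch is reported. The configuration layout, function names, label strings, prefixes and AS numbers are all constructed for illustration.

```python
import ipaddress

# Constructed configuration (documentation prefixes, private-use ASNs):
# owned prefix -> legitimate origin ASNs and the neighbours expected next to them.
CONFIG = {
    ipaddress.ip_network("192.0.2.0/24"): {"origins": {64500}, "neighbors": {64501, 64502}},
    ipaddress.ip_network("2001:db8::/32"): {"origins": {64500}, "neighbors": {64501}},
}

def covering_prefix(prefix):
    """Most specific configured prefix that equals or covers `prefix`, else None."""
    matches = [p for p in CONFIG
               if p.version == prefix.version and prefix.subnet_of(p)]
    return max(matches, key=lambda p: p.prefixlen, default=None)

def classify(prefix_str, as_path):
    """Return discrepancy labels for one announcement (as_path: monitor -> origin)."""
    prefix = ipaddress.ip_network(prefix_str)
    owned = covering_prefix(prefix)
    if owned is None or not as_path:
        return []                      # not our address space, nothing to compare
    rule = CONFIG[owned]
    # Collapse AS-path prepending so repeated ASNs do not hide the real first hop.
    path = [a for i, a in enumerate(as_path) if i == 0 or a != as_path[i - 1]]
    labels = []
    if prefix != owned:
        labels.append("more-specific")           # prefix itself is not on the list
    if path[-1] not in rule["origins"]:
        labels.append("origin-mismatch")         # announced by an unlisted origin
    elif len(path) > 1 and path[-2] not in rule["neighbors"]:
        labels.append("first-hop-mismatch")      # right origin, unexpected neighbour
    return labels

# Constructed sample announcements, as a route collector might report them.
SAMPLE_UPDATES = [
    ("192.0.2.0/24", [64510, 64501, 64500, 64500]),
    ("192.0.2.0/24", [64510, 64666]),
    ("192.0.2.128/25", [64510, 64666]),
    ("192.0.2.0/24", [64510, 64666, 64500]),
    ("198.51.100.0/24", [64510, 64666]),
]

def scan(updates):
    """Return (prefix, path, labels) for every announcement with a discrepancy."""
    return [(p, path, labels) for p, path in updates if (labels := classify(p, path))]

if __name__ == "__main__":
    for prefix, path, labels in scan(SAMPLE_UPDATES):
        print(f"ALERT {prefix} via {path}: {', '.join(labels)}")
```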

Thomas Holterbach, University of Strasbourg, asked if the type 2 hijack detection mentioned in a paper by ARTEMIS was included in the implementation. Lefteris responded that they have developed a novel methodology and explained how it could be implemented; however, it is not implemented because it could produce false positives. For now, ARTEMIS has an implementation for type 1 hijacks.

Leandro Bertholdo, University of Twente, commented that having worked with anycast, they have created oscillations on the network. In doing so, they have noticed that different ASes peering with the RIPE NCC use different timers. This may cause changes to appear in RIS up to 30 minutes later. He wondered if Lefteris also observed this. Lefteris responded that he observed this as well and successfully worked with RIS. He noticed some inconsistencies and indicated it would be good if the community could work together to resolve this.

E. Lightning Talks

The lightning talks were removed from the agenda due to a lack of time.