From julf at julf.com Wed Feb 1 10:45:39 2017
From: julf at julf.com (Johan Helsingius)
Date: Wed, 1 Feb 2017 10:45:39 +0100
Subject: [cooperation-wg] CPDP 2017 - Computers, Privacy and Data Protection
In-Reply-To: <8394274F-6907-498B-B813-5AEEA87E20BA@gmail.com>
References: <8394274F-6907-498B-B813-5AEEA87E20BA@gmail.com>
Message-ID: <0a41a1cd-e5a9-515a-d04a-5ba9db09b385@julf.com>

On 31-01-17 22:56, Gordon Lennox wrote:

> Last week we had the annual three-day CPDP event in Brussels. CPDP is a
> fairly big stakeholder conference. The theme this year was 'The age of
> intelligent machines'.

Thanks, Gordon! Unfortunately I wasn't able to attend, so your links are really useful.

> It would be good to see some RIPE people there next year. It would be
> even better if NCC could also get involved in some way. Organising a
> panel? Or sponsoring some nice coffee!

Good point - the concern might be that the RIPE stuff is too "technical" (or rather "operational") for the usual CPDP crowd.

Julf

From jean-jacques.sahel at icann.org Wed Feb 1 12:19:07 2017
From: jean-jacques.sahel at icann.org (Jean-Jacques Sahel)
Date: Wed, 1 Feb 2017 11:19:07 +0000
Subject: [cooperation-wg] [Ext] Re: CPDP 2017 - Computers, Privacy and Data Protection
In-Reply-To: <0a41a1cd-e5a9-515a-d04a-5ba9db09b385@julf.com>
References: <8394274F-6907-498B-B813-5AEEA87E20BA@gmail.com> <0a41a1cd-e5a9-515a-d04a-5ba9db09b385@julf.com>
Message-ID: <2bf8f06a9ad14b588d6fe56cfba4f049@PMBX112-W1-CA-1.PEXCH112.ICANN.ORG>

A number of community members were at CPDP. In particular, there was an ICANN-supported session, part of our outreach to civil society, on 'THE GDPR IMPACT ON THE DOMAIN NAME COMMUNITY'. It gathered a panel including ICANN GNSO Councillor Stefania Milan, ICANN NCSG member Stephanie Perrin, Professor Lee Bygrave, as well as my colleague Adam Peake, and Peter Kimpian of the Council of Europe (GAC observer).
You can watch the session here: https://www.youtube.com/watch?v=5We1t1bClro (I haven't watched it all yet, so I hope you like it :-))

The panel was moderated by Professor Joanna Kulesza, University of Lodz, who I understand is now a member of the RIPE Accountability Task Force.

Others I spotted on the CPDP programme included Bertrand de la Chapelle, on a panel related to cross-border law enforcement issues.

Happy to discuss potential participation in future CPDPs with anyone interested.

Jean-Jacques

-----Original Message-----
From: cooperation-wg [mailto:cooperation-wg-bounces at ripe.net] On Behalf Of Johan Helsingius
Sent: 01 February 2017 09:46
To: cooperation-wg at ripe.net
Subject: [Ext] Re: [cooperation-wg] CPDP 2017 - Computers, Privacy and Data Protection

On 31-01-17 22:56, Gordon Lennox wrote:

> Last week we had the annual three-day CPDP event in Brussels. CPDP is
> a fairly big stakeholder conference. The theme this year was 'The age
> of intelligent machines'.

Thanks, Gordon! Unfortunately I wasn't able to attend, so your links are really useful.

> It would be good to see some RIPE people there next year. It would be
> even better if NCC could also get involved in some way. Organising a
> panel? Or sponsoring some nice coffee!

Good point - the concern might be that the RIPE stuff is too "technical" (or rather "operational") for the usual CPDP crowd.

Julf

From joannakulesza at gmail.com Wed Feb 1 12:32:54 2017
From: joannakulesza at gmail.com (Joanna Kulesza)
Date: Wed, 1 Feb 2017 12:32:54 +0100
Subject: [cooperation-wg] ODP: cooperation-wg Digest, Vol 61, Issue 1
In-Reply-To:
References:
Message-ID: <5891c766.cee4190a.a8bba.cd20@mx.google.com>

Thank you for the recap Gordon. Let me just briefly +1 your idea - CPDP might prove the perfect venue for the unfolding accountability discussion within the RIPE community.

Best to all
Joanna Kulesza
_________________
This message was sent from a mobile device. Please excuse the brevity and errors.

-----Original message-----
From: "cooperation-wg-request at ripe.net"
Sent: 2017-02-01 12:00
To: "cooperation-wg at ripe.net"
Subject: cooperation-wg Digest, Vol 61, Issue 1

Today's Topics:

   1. CPDP 2017 - Computers, Privacy and Data Protection (Gordon Lennox)
   2. Re: CPDP 2017 - Computers, Privacy and Data Protection (Johan Helsingius)

----------------------------------------------------------------------

Message: 1
Date: Tue, 31 Jan 2017 22:56:40 +0100
From: Gordon Lennox
To: Cooperation WG
Subject: [cooperation-wg] CPDP 2017 - Computers, Privacy and Data Protection
Message-ID: <8394274F-6907-498B-B813-5AEEA87E20BA at gmail.com>
Content-Type: text/plain; charset="utf-8"

Last week we had the annual three-day CPDP event in Brussels. CPDP is a fairly big stakeholder conference. The theme this year was 'The age of intelligent machines'.

Not so long ago IEEE organised a one-day seminar on "AI and ethics" also in Brussels. So you can sense some common concerns.

However you can find details of CPDP here:

http://www.cpdpconferences.org

Perhaps as CPDP is held in Brussels - even if not in a typical institutional setting - the organisers succeed in attracting a very varied crowd. There were of course folk from the various EU bodies - the parliament, the commission, EDPS and so on. But also regulators from various EU member states and elsewhere, including the US. And the Council of Europe. And of course many academics and folk from industry.
And there were well-known names such as Simon Davies, Bertrand de la Chapelle, Gus Hosein, Paul Nemitz, Bart Preneel, Marc Rotenberg, Marietje Schaake, Phil Zimmermann and many, many more.

For a sense of industry involvement see:

http://www.cpdpconferences.org/sponsors.html

But the event is by no means dominated by industry, far from it.

Between the implementation of the GDPR and Brexit and the new US administration and concerns about AI, encryption policy, cyber-warfare, mass surveillance, the so-called Internet of Things - internets of things? - and cloudy computing the programme was very rich.

You can find the various sessions on YouTube: search with "CPDP 2017".

One that may be of immediate interest was the one organised by ICANN on: The GDPR impact on the domain name community.

https://www.youtube.com/watch?v=5We1t1bClro

This was not the first time I had participated. But I did sense this year was even better, if only because there was a bit more participation by technology-aware folk. I would hope to see that continue.

It would be good to see some RIPE people there next year. It would be even better if NCC could also get involved in some way. Organising a panel? Or sponsoring some nice coffee!

Gordon

------------------------------

Message: 2
Date: Wed, 1 Feb 2017 10:45:39 +0100
From: Johan Helsingius
To: cooperation-wg at ripe.net
Subject: Re: [cooperation-wg] CPDP 2017 - Computers, Privacy and Data Protection
Message-ID: <0a41a1cd-e5a9-515a-d04a-5ba9db09b385 at julf.com>
Content-Type: text/plain; charset=utf-8

On 31-01-17 22:56, Gordon Lennox wrote:

> Last week we had the annual three-day CPDP event in Brussels. CPDP is a
> fairly big stakeholder conference. The theme this year was 'The age of
> intelligent machines'.

Thanks, Gordon! Unfortunately I wasn't able to attend, so your links are really useful.

> It would be good to see some RIPE people there next year. It would be
> even better if NCC could also get involved in some way. Organising a
> panel? Or sponsoring some nice coffee!

Good point - the concern might be that the RIPE stuff is too "technical" (or rather "operational") for the usual CPDP crowd.

Julf

End of cooperation-wg Digest, Vol 61, Issue 1
*********************************************

From gordon.lennox.13 at gmail.com Wed Feb 1 21:34:46 2017
From: gordon.lennox.13 at gmail.com (Gordon Lennox)
Date: Wed, 1 Feb 2017 21:34:46 +0100
Subject: [cooperation-wg] CPDP 2017 - Computers, Privacy and Data Protection
In-Reply-To: <0a41a1cd-e5a9-515a-d04a-5ba9db09b385@julf.com>
References: <8394274F-6907-498B-B813-5AEEA87E20BA@gmail.com> <0a41a1cd-e5a9-515a-d04a-5ba9db09b385@julf.com>
Message-ID: <77BF4468-1F25-45E7-8181-45E4674913C7@gmail.com>

The CPDP crowd is changing. They don't use the term multi-stakeholder. But I think the discussions are being improved by having a little more technical - and operational! - expertise in the room. And that has to be a good thing. They are the folk who make the rules for the rest of us. So even a little engagement from RIPE folk could be useful.

By the way I listened to a very good presentation by Laurence Blisson the other evening on mass surveillance. One of the best presentations I have heard on the topic. As somebody legally trained she made the point that she had found it very useful to talk to geeks. Apparently not easy at first. But very useful. And the result was a presentation I thought excellent!

Anyway have a look at the ICANN session I pointed to - even just the intro - and see what you think.

Gordon

> On 1 Feb 2017, at 10:45, Johan Helsingius wrote:
>
> On 31-01-17 22:56, Gordon Lennox wrote:
>> Last week we had the annual three-day CPDP event in Brussels. CPDP is a
>> fairly big stakeholder conference. The theme this year was 'The age of
>> intelligent machines'.
>
> Thanks, Gordon! Unfortunately I wasn't able to attend, so
> your links are really useful.
>
>> It would be good to see some RIPE people there next year. It would be
>> even better if NCC could also get involved in some way. Organising a
>> panel? Or sponsoring some nice coffee!
>
> Good point - the concern might be that the RIPE stuff is too
> "technical" (or rather "operational") for the usual CPDP crowd.
>
> Julf
>
>
>

From paf at frobbit.se Mon Feb 6 11:28:58 2017
From: paf at frobbit.se (Patrik Fältström)
Date: Mon, 06 Feb 2017 11:28:58 +0100
Subject: [cooperation-wg] SG20 and DONA etc
Message-ID:

All,

I hear rumors SG20 is moving forward with ideas on prescribing DONA etc as The Directory and Naming System to use, and that it is a replacement for DNS. And that there is an upcoming SG20 meeting.

I personally find it being very important ITU-T in this case do not "select" specific naming mechanisms at all. There are numerous different systems that after being bootstrapped with the help of DNS and routing can act on its own. And it would be a disaster if ITU-T prescribe something at this time, unless the usage is very very specific and that harmonization really really is needed.

If we should spend time on new naming and lookup mechanisms, I would go for some completely new architectures that do not have any kind of root (neither technical, nor administrative) and instead use things like opportunistic encryption and randomization to find identifiers which globally get to know each other via some ad hoc routing mechanism.

paf

From rhill at hill-a.ch Mon Feb 6 11:43:20 2017
From: rhill at hill-a.ch (Richard Hill)
Date: Mon, 6 Feb 2017 11:43:20 +0100
Subject: [cooperation-wg] SG20 and DONA etc
In-Reply-To:
References:
Message-ID: <008301d28065$d76e7bc0$864b7340$@ch>

I agree with Patrik's comments below, except that I have not found any substantiation of the rumors (which is not to say that they are not correct). The list of inputs to the next SG20 meeting is at:

https://www.itu.int/md/T17-SG20-170313-C/en

I don't see anything that looks like a proposal to do what Patrik rightly criticizes, but I may have missed something, or there may be something in the pipeline that is not yet published.

Best,
Richard

> -----Original Message-----
> From: cooperation-wg [mailto:cooperation-wg-bounces at ripe.net] On Behalf
> Of Patrik Fältström
> Sent: Monday, 6 February 2017 11:29
> To: Cooperation WG
> Subject: [cooperation-wg] SG20 and DONA etc
>
> All,
>
> I hear rumors SG20 is moving forward with ideas on prescribing DONA etc
> as The Directory and Naming System to use, and that it is a replacement
> for DNS. And that there is an upcoming SG20 meeting.
>
> I personally find it being very important ITU-T in this case do not
> "select" specific naming mechanisms at all. There are numerous
> different systems that after being bootstrapped with the help of DNS
> and routing can act on its own. And it would be a disaster if ITU-T
> prescribe something at this time, unless the usage is very very
> specific and that harmonization really really is needed.
>
> If we should spend time on new naming and lookup mechanisms, I would go
> for some completely new architectures that do not have any kind of root
> (neither technical, nor administrative) and instead use things like
> opportunistic encryption and randomization to find identifiers which
> globally get to know each other via some ad hoc routing mechanism.
>
> paf

From paf at frobbit.se Mon Feb 6 12:03:43 2017
From: paf at frobbit.se (Patrik Fältström)
Date: Mon, 06 Feb 2017 12:03:43 +0100
Subject: [cooperation-wg] SG20 and DONA etc
In-Reply-To: <008301d28065$d76e7bc0$864b7340$@ch>
References: <008301d28065$d76e7bc0$864b7340$@ch>
Message-ID: <4B83C8FC-49FD-4296-8B5E-6BA1601EC51B@frobbit.se>

On 6 Feb 2017, at 11:43, Richard Hill wrote:

> I agree with Patrik's comments below, except that I have not found any substantiation of the rumors (which is not to say that they are not correct). The list of inputs to the next SG20 meeting is at:
>
> https://www.itu.int/md/T17-SG20-170313-C/en
>
> I don't see anything that looks like a proposal to do what Patrik rightly criticizes, but I may have missed something, or there may be something in the pipeline that is not yet published.

Thanks for the information!

paf

> Best,
> Richard
>
>> -----Original Message-----
>> From: cooperation-wg [mailto:cooperation-wg-bounces at ripe.net] On Behalf
>> Of Patrik Fältström
>> Sent: Monday, 6 February 2017 11:29
>> To: Cooperation WG
>> Subject: [cooperation-wg] SG20 and DONA etc
>>
>> All,
>>
>> I hear rumors SG20 is moving forward with ideas on prescribing DONA etc
>> as The Directory and Naming System to use, and that it is a replacement
>> for DNS. And that there is an upcoming SG20 meeting.
>>
>> I personally find it being very important ITU-T in this case do not
>> "select" specific naming mechanisms at all. There are numerous
>> different systems that after being bootstrapped with the help of DNS
>> and routing can act on its own.
>> And it would be a disaster if ITU-T
>> prescribe something at this time, unless the usage is very very
>> specific and that harmonization really really is needed.
>>
>> If we should spend time on new naming and lookup mechanisms, I would go
>> for some completely new architectures that do not have any kind of root
>> (neither technical, nor administrative) and instead use things like
>> opportunistic encryption and randomization to find identifiers which
>> globally get to know each other via some ad hoc routing mechanism.
>>
>> paf

From jim at rfc1035.com Mon Feb 6 12:30:02 2017
From: jim at rfc1035.com (Jim Reid)
Date: Mon, 6 Feb 2017 11:30:02 +0000
Subject: [cooperation-wg] SG20 and DONA etc
In-Reply-To: <008301d28065$d76e7bc0$864b7340$@ch>
References: <008301d28065$d76e7bc0$864b7340$@ch>
Message-ID: <699EC727-6F47-4EB4-B933-BA9796F7036D@rfc1035.com>

> On 6 Feb 2017, at 10:43, Richard Hill wrote:
>
> The list of inputs to the next SG20 meeting is at:
>
> https://www.itu.int/md/T17-SG20-170313-C/en

Thanks for the link Richard. Do you know if there are other documents/contributions for this meeting which are only available to ITU members?

> I don't see anything that looks like a proposal to do what Patrik rightly
> criticizes, but I may have missed something, or there may be something in
> the pipeline that is not yet published.

Well there is a master framework agreement (MoU?) between the DONA Foundation and the ITU:
https://www.itu.int/md/S15-CL-INF-0013/en

That document does not appear to be in the public domain. Though I haven't spent much time looking for it.

The web page in the link above says "TSB has identified different uses of DOA for promoting and extending the benefits gained from telecommunications and ICTs, including safety, combating counterfeit devices and products and addressing environmental issues such as e-waste.".

Something does appear to be in the pipeline and ITU seems to be (sort of) endorsing DOA. Can anyone on this list provide more details?

From rhill at hill-a.ch Mon Feb 6 13:23:00 2017
From: rhill at hill-a.ch (Richard Hill)
Date: Mon, 6 Feb 2017 13:23:00 +0100
Subject: [cooperation-wg] SG20 and DONA etc
In-Reply-To: <699EC727-6F47-4EB4-B933-BA9796F7036D@rfc1035.com>
References: <008301d28065$d76e7bc0$864b7340$@ch> <699EC727-6F47-4EB4-B933-BA9796F7036D@rfc1035.com>
Message-ID: <012e01d28073$c1f6b150$45e413f0$@ch>

Please see below.

Thanks and best,
Richard

> -----Original Message-----
> From: Jim Reid [mailto:jim at rfc1035.com]
> Sent: Monday, 6 February 2017 12:30
> To: Richard Hill
> Cc: Cooperation WG
> Subject: Re: [cooperation-wg] SG20 and DONA etc
>
>
> > On 6 Feb 2017, at 10:43, Richard Hill wrote:
> >
> > The list of inputs to the next SG20 meeting is at:
> >
> > https://www.itu.int/md/T17-SG20-170313-C/en
>
> Thanks for the link Richard. Do you know if there are other
> documents/contributions for this meeting which are only available to
> ITU members?

The inputs from the membership will be posted on the page referenced above.

>
> > I don't see anything that looks like a proposal to do what Patrik
> > rightly criticizes, but I may have missed something, or there may be
> > something in the pipeline that is not yet published.
>
> Well there is a master framework agreement (MoU?) between the DONA
> Foundation and the ITU:
> https://www.itu.int/md/S15-CL-INF-0013/en
>
> That document does not appear to be in the public domain. Though I
> haven't spent much time looking for it.

It is not easy to find. I had to ask where it is.
It is here:

https://www.itu.int/md/S15-CL-C-0094/en

>
> The web page in the link above says "TSB has identified different uses
> of DOA for promoting and extending the benefits gained from
> telecommunications and ICTs, including safety, combating counterfeit
> devices and products and addressing environmental issues such as e-
> waste.".

Yes. That resulted in a lot of discussion in the ITU Council, following which the MoU remains in force.

>
> Something does appear to be in the pipeline

There were various proposals at WTSA to endorse DONA. But they were not accepted. I suspect (but have no evidence to that effect) that the folks that proposed that WTSA endorse DONA will submit similar proposals to SG20. But it is likely that there will be opposition to those proposals, so it is far from certain that they would be accepted.

> and ITU seems to be (sort
> of) endorsing DOA. Can anyone on this list provide more details?

The role of the ITU Secretariat is specified in the MoU referenced above. What the role of ITU as an institution should or will be is a matter that is still being discussed, see the comments above regarding proposals submitted to WTSA and that might be submitted to SG20.

Best,
Richard

From jim at rfc1035.com Mon Feb 6 13:33:25 2017
From: jim at rfc1035.com (Jim Reid)
Date: Mon, 6 Feb 2017 12:33:25 +0000
Subject: [cooperation-wg] SG20 and DONA etc
In-Reply-To: <012e01d28073$c1f6b150$45e413f0$@ch>
References: <008301d28065$d76e7bc0$864b7340$@ch> <699EC727-6F47-4EB4-B933-BA9796F7036D@rfc1035.com> <012e01d28073$c1f6b150$45e413f0$@ch>
Message-ID:

> On 6 Feb 2017, at 12:23, Richard Hill wrote:
>
>> Well there is a master framework agreement (MoU?) between the DONA
>> Foundation and the ITU:
>> https://www.itu.int/md/S15-CL-INF-0013/en
>>
>> That document does not appear to be in the public domain. Though I
>> haven't spent much time looking for it.
>
> It is not easy to find. I had to ask where it is.
> It is here:
>
> https://www.itu.int/md/S15-CL-C-0094/en

Many thanks Richard. It's good to have someone who knows who/where to ask those sorts of questions in Geneva.

From chrisb at ripe.net Thu Feb 16 12:32:33 2017
From: chrisb at ripe.net (Chris Buckridge)
Date: Thu, 16 Feb 2017 12:32:33 +0100
Subject: [cooperation-wg] Europol Communication on Carrier-Grade NAT
In-Reply-To: <6349F64F-EEF7-4A07-A4C1-389FE0B58C05@ripe.net>
References: <6349F64F-EEF7-4A07-A4C1-389FE0B58C05@ripe.net>
Message-ID: <4C47D72B-8A25-4CFE-AF61-B7347F726579@ripe.net>

Dear colleagues,

Europol (the European Union's law enforcement agency) last month sent a communication to the Council of the European Union (the group of government ministers from each EU country) regarding Carrier-Grade NAT (CGN), an issue of direct relevance to many RIPE NCC members and the RIPE community. The communication is available online at:
http://www.statewatch.org/news/2017/jan/eu-europol-cgn-tech-going-dark-data-retention-note-5127-17.pdf

Specifically, it notes that:

> With CGN, law enforcement has lost its ability to associate and link a particular cyber criminal's activity back to a particular IP address.

The paper suggests greater regulatory coordination at the EU level regarding CGN, and also notes that:

> On 31st January 2017 a European Network of law enforcement specialists in CGN will be established, the secretariat of which will be established [/provided by?] at Europol. The aim of this network is to:
>
> - document cases of non-attribution linked to CGN in EU,
> - document existing best practices to overcome CGN-related attribution problems currently in place in some Member States,
> - raise awareness of European policy-makers about the problem of attribution linked to CGN technologies,
> - represent the voice of law enforcement developing a common narrative and advocating for a voluntary scheme at EU level to improve traceability by engaging in a coordinated fashion with ISPs and content providers.

A press release was also issued by Europol regarding the formation of this new group:
https://www.europol.europa.eu/newsroom/news/closing-online-crime-attribution-gap-european-law-enforcement-tackles-carrier-grade-nat-cgn

LEA interest in reducing the use of CGN also came up for discussion at the recent RIPE NCC Roundtable Meeting for Governments and Regulators (held in Brussels on 24 January), where the strong uptake of IPv6 in Belgium was attributed (at least partially) to coordination between law enforcement, national regulators and operators to limit the number of customers that can concurrently share a single IPv4 address.

As noted in a previous email, the RIPE NCC and Europol signed an MoU in December 2016 with a focus on sharing expertise in the areas of cybercrime and Internet security. We will be liaising with Europol on this topic, and would appreciate any feedback from the RIPE community on this or related issues.

Best regards,

Chris Buckridge
External Relations Manager
RIPE NCC

From gordon.lennox.13 at gmail.com Thu Feb 16 15:22:02 2017
From: gordon.lennox.13 at gmail.com (Gordon Lennox)
Date: Thu, 16 Feb 2017 15:22:02 +0100
Subject: [cooperation-wg] Europol Communication on Carrier-Grade NAT
In-Reply-To: <4C47D72B-8A25-4CFE-AF61-B7347F726579@ripe.net>
References: <6349F64F-EEF7-4A07-A4C1-389FE0B58C05@ripe.net> <4C47D72B-8A25-4CFE-AF61-B7347F726579@ripe.net>
Message-ID: <36945109-9889-4FC6-AD8B-9ED4F8BD9573@gmail.com>

It is funny how things progress.

Not that long ago we had various LEAs complaining about IPv6. Google << IPv6 FBI >> for examples, including this:

"The FBI, DEA, and Royal Canadian Mounted Police say IPv6 may erode their ability to trace Internet addresses -- and warn new laws may be necessary if industry doesn't do more."

https://www.cnet.com/news/fbi-dea-warn-ipv6-could-shield-criminals-from-police/

Anyway while I think outreach and "enhanced cooperation"
by NCC can be a good thing I also think that transparency is important to maintain the trust of the community. I believe more reporting of the detail of meetings and contacts between NCC and LEAs and regulators would be helpful.

For starters, I might ask if there will be reports on the recent Round Table in Brussels and on NCC's involvement with the European Parliament's EIF? (Sorry Chris!)

Gordon

From chrisb at ripe.net Thu Feb 16 17:32:37 2017
From: chrisb at ripe.net (Chris Buckridge)
Date: Thu, 16 Feb 2017 17:32:37 +0100
Subject: [cooperation-wg] Europol Communication on Carrier-Grade NAT
In-Reply-To: <36945109-9889-4FC6-AD8B-9ED4F8BD9573@gmail.com>
References: <6349F64F-EEF7-4A07-A4C1-389FE0B58C05@ripe.net> <4C47D72B-8A25-4CFE-AF61-B7347F726579@ripe.net> <36945109-9889-4FC6-AD8B-9ED4F8BD9573@gmail.com>
Message-ID:

> On 16 Feb 2017, at 15:22, Gordon Lennox wrote:
>
> Anyway while I think outreach and "enhanced cooperation" by NCC can be a good thing I also think that transparency is important to maintain the trust of the community. I believe more reporting of the detail of meetings and contacts between NCC and LEAs and regulators would be helpful.
>
> For starters, I might ask if there will be reports on the recent Round Table in Brussels and on NCC's involvement with the European Parliament's EIF? (Sorry Chris!)

Not at all, Gordon, and a useful reminder to share with this group a link to the report from our recent Roundtable Meeting:
https://www.ripe.net/publications/news/about-ripe-ncc-and-ripe/ripe-ncc-holds-meeting-for-governments-and-regulators

(The report includes a link to presentations given on the day, and the discussion mentioned in my earlier email about Belgian IPv6 adoption sprang from RIPE NCC report and its section on IPv6 adoption trends).

Cheers
Chris

From michele at blacknight.com Thu Feb 16 21:35:52 2017
From: michele at blacknight.com (Michele Neylon - Blacknight)
Date: Thu, 16 Feb 2017 20:35:52 +0000
Subject: [cooperation-wg] Europol Communication on Carrier-Grade NAT
In-Reply-To: <36945109-9889-4FC6-AD8B-9ED4F8BD9573@gmail.com>
References: <6349F64F-EEF7-4A07-A4C1-389FE0B58C05@ripe.net> <4C47D72B-8A25-4CFE-AF61-B7347F726579@ripe.net> <36945109-9889-4FC6-AD8B-9ED4F8BD9573@gmail.com>
Message-ID:

Chris

100% agree with Gordon on this.

Transparency => trust

And while I appreciate that the NCC isn't trying to obfuscate anything, sharing information as widely as possible to members is helpful and appreciated

Regards

Michele

--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
http://www.blacknight.host/
http://blacknight.blog /
http://ceo.hosting/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, Ireland
Company No.: 370845

On 16/02/2017, 14:22, "cooperation-wg on behalf of Gordon Lennox" wrote:

It is funny how things progress.

Not that long ago we had various LEAs complaining about IPv6. Google << IPv6 FBI >> for examples, including this:

"The FBI, DEA, and Royal Canadian Mounted Police say IPv6 may erode their ability to trace Internet addresses -- and warn new laws may be necessary if industry doesn't do more."

https://www.cnet.com/news/fbi-dea-warn-ipv6-could-shield-criminals-from-police/

Anyway while I think outreach and "enhanced cooperation" by NCC can be a good thing I also think that transparency is important to maintain the trust of the community. I believe more reporting of the detail of meetings and contacts between NCC and LEAs and regulators would be helpful.

For starters, I might ask if there will be reports on the recent Round Table in Brussels and on NCC's involvement with the European Parliament's EIF? (Sorry Chris!)

Gordon

From roland at internetpolicyagency.com Wed Feb 22 21:57:34 2017
From: roland at internetpolicyagency.com (Roland Perry)
Date: Wed, 22 Feb 2017 20:57:34 +0000
Subject: [cooperation-wg] Europol Communication on Carrier-Grade NAT
In-Reply-To: <4C47D72B-8A25-4CFE-AF61-B7347F726579@ripe.net>
References: <6349F64F-EEF7-4A07-A4C1-389FE0B58C05@ripe.net> <4C47D72B-8A25-4CFE-AF61-B7347F726579@ripe.net>
Message-ID:

In message <4C47D72B-8A25-4CFE-AF61-B7347F726579 at ripe.net>, at 12:32:33 on Thu, 16 Feb 2017, Chris Buckridge writes

>LEA interest in reducing the use of CGN also came up for discussion at
>the recent RIPE NCC Roundtable Meeting for Governments and Regulators
>(held in Brussels on 24 January)

The UK's approach, as expressed in the 2016 IP[1] Act, is not to prohibit CGN, but require operators to log who was using which IP, when.

This is exactly the same as when Internet access was primarily by dial-up to banks of modems, and customers shared the IP Address of the modem. The ISPs were expected to log who had been online at a specific IP address at a specific time.

[1] Investigatory Powers, not Internet Protocol.
--
Roland Perry

From shane at time-travellers.org Thu Feb 23 00:11:28 2017
From: shane at time-travellers.org (Shane Kerr)
Date: Thu, 23 Feb 2017 00:11:28 +0100
Subject: [cooperation-wg] Europol Communication on Carrier-Grade NAT
In-Reply-To:
References: <6349F64F-EEF7-4A07-A4C1-389FE0B58C05@ripe.net> <4C47D72B-8A25-4CFE-AF61-B7347F726579@ripe.net>
Message-ID: <20170223001128.1027432e@pallas.home.time-travellers.org>

Roland,

At 2017-02-22 20:57:34 +0000
Roland Perry wrote:

> In message <4C47D72B-8A25-4CFE-AF61-B7347F726579 at ripe.net>, at 12:32:33
> on Thu, 16 Feb 2017, Chris Buckridge writes
>
> >LEA interest in reducing the use of CGN also came up for discussion at
> >the recent RIPE NCC Roundtable Meeting for Governments and Regulators
> >(held in Brussels on 24 January)
>
> The UK's approach, as expressed in the 2016 IP[1] Act, is not to
> prohibit CGN, but require operators to log who was using which IP, when.

IP+port, right?

> This is exactly the same as when Internet access was primarily by
> dial-up to banks of modems, and customers shared the IP Address of the
> modem. The ISPs were expected to log who had been online at a specific
> IP address at a specific time.

It's not exactly the same, because a dial-up session was expected to be several minutes or even hours. A single IP+port may be used for less than a second.

Plus there is likely an extra layer of indirection. A NAT device may know the customer private IP address and the public IP address, but might not necessarily have access to the database which assigned the customer to the private IP address. So that data also needs to be logged & correlated.

If LEA are expected to pay for all of this extra storage and processing - or even if it just makes investigations slower - then I can easily understand why they would want to reduce the use of CGN. (If that cost gets eaten by ISP, then the push will naturally go towards fewer CGN without any encouragement by the LEA.)

Cheers,

--
Shane

From lear at cisco.com Thu Feb 23 09:17:23 2017
From: lear at cisco.com (Eliot Lear)
Date: Thu, 23 Feb 2017 09:17:23 +0100
Subject: [cooperation-wg] Europol Communication on Carrier-Grade NAT
In-Reply-To: <20170223001128.1027432e@pallas.home.time-travellers.org>
References: <6349F64F-EEF7-4A07-A4C1-389FE0B58C05@ripe.net> <4C47D72B-8A25-4CFE-AF61-B7347F726579@ripe.net> <20170223001128.1027432e@pallas.home.time-travellers.org>
Message-ID:

Hi,

On 2/23/17 12:11 AM, Shane Kerr wrote:
> Roland,
>
> At 2017-02-22 20:57:34 +0000
> Roland Perry wrote:
>
>> In message <4C47D72B-8A25-4CFE-AF61-B7347F726579 at ripe.net>, at 12:32:33
>> on Thu, 16 Feb 2017, Chris Buckridge writes
>>
>>> LEA interest in reducing the use of CGN also came up for discussion at
>>> the recent RIPE NCC Roundtable Meeting for Governments and Regulators
>>> (held in Brussels on 24 January)
>> The UK's approach, as expressed in the 2016 IP[1] Act, is not to
>> prohibit CGN, but require operators to log who was using which IP, when.
> IP+port, right?

Right. And the big issue in this report *isn't* how it impacts the telco/routing aspects of an ISP, but how it may impact *any* content provider by requiring logging changes to include at least src IP+port and possibly the entire 5-tuple. Here's the relevant content from that document:

> * In order to be able to trace back an individual end-user to an IP
>   address on a network using CGN, law enforcement must request
>   additional information[3] from content providers via legal process:
>
>     o Source and Destination IP addresses;
>     o Exact time of the connection (within a second);
>     o Source port number.
>
> However, the lack of harmonized data retention standard
> requirements in Europe[4] means that content service, Internet
> service and data hosting providers are under no legal obligation
> to retain this type of information, meaning that even a more
> elaborate request from LEA would not yield useable information
> from the provider.
>
> Regulatory/legislative changes would be helpful to ensure that
> content service providers systematically retain the necessary
> additional data (source port) information to allow law enforcement
> and judicial authorities to identify one specific end-user among
> the thousands of users sharing the same public IP address.
>
> *
>
> As some content providers in Europe do store the relevant
> information but some others do not practical solutions can be
> sought through collaboration between the electronic/Internet
> service providers and law enforcement using already established
> channels for cooperation such as the EU Internet Forum.
>

Note that [3] refers to RFC 6302 from June of 2011, and the abstract of
that document makes plain the problem:

> In the wake of IPv4 exhaustion and deployment of IP address sharing
> techniques, this document recommends that Internet-facing servers log
> port number and accurate timestamps in addition to the incoming IP
> address.

But here's your bog standard apache log line:

*10.11.12.13* - - [23/Feb/2017:08:50:18 +0100] "GET / HTTP/1.1" 200 67442 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"

Note what is *NOT* there. It is easy enough to change this with the
LogFormat statement in Apache. However, you do so at your peril if you
have any tools consuming those logs. The risk is probably *not* to the
Akamais of the world, but to any small business that decided to run a
server on their own, and probably has NO idea as to what the legal
requirements are.

>
>> This is exactly the same as when Internet access was primarily by
>> dial-up to banks of modems, and customers shared the IP Address of the
>> modem. The ISPs were expected to log who had been online at a specific
>> IP address at a specific time.
> It's not exactly the same, because a dial-up session was expected to be
> several minutes or even hours. A single IP+port may be used for less
> than a second.
>
> Plus there is likely an extra layer of indirection. A NAT device may
> know the customer private IP address and the public IP address, but
> might not necessarily have access to the database which assigned the
> customer to the private IP address. So that data also needs to be
> logged & correlated.
>
> If LEA are expected to pay for all of this extra storage and
> processing - or even if it just makes investigations slower - then I
> can easily understand why they would want to reduce the use of CGN. (If
> that cost gets eaten by ISP, then the push will naturally go towards
> fewer CGN without any encouragement by the LEA.)
>

Many operators using CGN are *already* required to retain this mapping.
There are some tools out there to reduce the data requirement, such as
bulk assignment. The problem here is that the ISP using CGN actually
changes the game for the end site.

Eliot

From marcoh at ripe.net Thu Feb 23 10:29:56 2017
From: marcoh at ripe.net (Marco Hogewoning)
Date: Thu, 23 Feb 2017 10:29:56 +0100
Subject: [cooperation-wg] Europol Communication on Carrier-Grade NAT
In-Reply-To: <20170223001128.1027432e@pallas.home.time-travellers.org>
References: <6349F64F-EEF7-4A07-A4C1-389FE0B58C05@ripe.net> <4C47D72B-8A25-4CFE-AF61-B7347F726579@ripe.net> <20170223001128.1027432e@pallas.home.time-travellers.org>
Message-ID: <7E45973B-C835-49A3-80CE-6B652ED63E7C@ripe.net>

> On 23 Feb 2017, at 00:11, Shane Kerr wrote:
>
> IP+port, right?

Hope it is the full 5-tuple + timestamp synced to a known (and accurate) source.

And then still wonder what kind of surprises you'll find, with the other peer (not in UK) not logging ports or having a system clock that is significantly off from what is considered standard time.

Mind you, a few decades in and my (big corp) calendar application sometimes still struggles with timezones and occasionally plans meetings +/- 1 hour.

I still see some opportunity for outreach there; time, timezones and clocks on the Internet and how those may affect the timestamps in logs.

MarcoH
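
Added example (not part of any message in this thread): a Python sketch of the correlation the messages above discuss, matching a web server log entry that records source port and a timezone-aware timestamp, as RFC 6302 recommends, against CGN mapping records. The Apache LogFormat shown in the comment, the format name rfc6302_example, the addresses, the subscriber labels and the mapping records are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed Apache directive producing the lines parsed here (the format name is made up):
#   LogFormat "%a %{remote}p %{%Y-%m-%dT%H:%M:%S%z}t \"%r\" %>s" rfc6302_example
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<port>\d+) (?P<ts>\S+) "(?P<req>[^"]*)" (?P<status>\d{3})$')

def utc(text):
    """Parse a UTC timestamp as written in the constructed CGN records."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

# Constructed CGN mapping records: public IP, public port, subscriber, start, end (UTC).
CGN_LOG = [
    ("192.0.2.10", 40001, "subscriber-A", utc("2017-02-23T07:50:17"), utc("2017-02-23T07:50:19")),
    ("192.0.2.10", 40002, "subscriber-B", utc("2017-02-23T07:50:17"), utc("2017-02-23T07:50:20")),
    ("192.0.2.10", 40001, "subscriber-C", utc("2017-02-23T07:50:25"), utc("2017-02-23T07:50:26")),
]

# Constructed server log line in the assumed format (server local time is UTC+1).
SAMPLE = '192.0.2.10 40001 2017-02-23T08:50:18+0100 "GET / HTTP/1.1" 200'

def parse_line(line):
    """Return (source IP, source port, timestamp normalised to UTC)."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError("line is not in the assumed format")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S%z").astimezone(timezone.utc)
    return m["ip"], int(m["port"]), ts

def candidates(ip, ts, port=None, tolerance=timedelta(seconds=1)):
    """Subscribers whose mapping covers ip (and port, if logged) at ts."""
    return sorted({sub for pub_ip, pub_port, sub, start, end in CGN_LOG
                   if pub_ip == ip and (port is None or pub_port == port)
                   and start - tolerance <= ts <= end + tolerance})

if __name__ == "__main__":
    ip, port, ts = parse_line(SAMPLE)
    print("IP only:        ", candidates(ip, ts))
    print("IP + port:      ", candidates(ip, ts, port))
    # A server clock running 8 seconds fast points at a different subscriber.
    print("IP + port, skew:", candidates(ip, ts + timedelta(seconds=8), port))
```

With only the IP address the lookup cannot separate two subscribers, with the port it returns one, and a server clock that is 8 seconds off selects a different subscriber without any error.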