From ripe at rased.ir Mon Jan 12 13:48:39 2015
From: ripe at rased.ir (Shahin Gharghi)
Date: Mon, 12 Jan 2015 16:18:39 +0330
Subject: [members-discuss] BGP peer requirement for new AS Number
Message-ID:

Hi

When an LIR (new LIR or existing one) wants to have a new AS Number, RIPE NCC asks for their peers. At least two peers should be listed.
I want to ask is it important for the RIPE NCC to know who are the peers?
For example in Iran most ISPs have only one peer and that is AS12880 or AS48159. And this company (TIC) won't confirm any request.
Even if it is important for the RIPE NCC, they can search their database and ask the LIR contact of those LIRs to confirm the new peer's request.

--
Shahin Gharghi

From ripe at rased.ir Mon Jan 12 13:58:27 2015
From: ripe at rased.ir (Shahin Gharghi)
Date: Mon, 12 Jan 2015 16:28:27 +0330
Subject: [members-discuss] BGP peer requirement for new AS Number
In-Reply-To:
References:
Message-ID:

Dominik

thank you for your reply
I've asked the registration service department. But this is a problem for members. So we can discuss it.

cheers

On Mon, Jan 12, 2015 at 4:23 PM, Dominik Nowacki wrote:

> Hi Shahin and welcome to the list,
>
> I don't think it's the question for the list members though.
>
> Get in touch with RIPE directly and ask them about their position:
>
> http://www.ripe.net/lir-services/resource-management/contact
>
> http://www.ripe.net/lir-services/ncc/contact/contact-information
>
> With Kind Regards,
>
> Dominik Nowacki
>
> Clouvider Limited is a limited company registered in England and Wales.
> Registered number: 08750969. Registered office: 88 Wood Street, London,
> United Kingdom, EC2V 7RS. Please note that Clouvider Limited may monitor
> email traffic data and also the content of email for the purposes of
> security and staff training.
> This message contains confidential information
> and is intended only for the intended recipient. If you do not believe you
> are the intended recipient you should not disseminate, distribute or copy
> this e-mail. Please notify abuse at clouvider.net of this e-mail immediately
> by e-mail if you have received this e-mail by mistake and delete this
> e-mail from your system. E-mail transmission cannot be guaranteed to be
> secure or error-free as information could be intercepted, corrupted, lost,
> destroyed, arrive late or incomplete, or contain viruses. Clouvider Limited
> nor any of its employees therefore does not accept liability for any errors
> or omissions in the contents of this message, which arise as a result of
> e-mail transmission. If verification is required please request a hard-copy
> version.
>
> *From:* members-discuss [mailto:members-discuss-bounces at ripe.net] *On
> Behalf Of *Shahin Gharghi
> *Sent:* 12 January 2015 12:49
> *To:* members-discuss at ripe.net
> *Subject:* [members-discuss] BGP peer requirement for new AS Number
>
> Hi
>
> When an LIR (new LIR or existing one) wants to have a new AS Number, RIPE
> NCC asks for their peers. At least two peers should be listed.
>
> I want to ask is it important for the RIPE NCC to know who are the peers?
>
> For example in Iran most ISPs have only one peer and that is AS12880 or
> AS48159. And this company (TIC) won't confirm any request.
>
> Even if it is important for the RIPE NCC, they can search their database
> and ask the LIR contact of those LIRs to confirm the new peer's request.
>
> --
>
> Shahin Gharghi
>

From ripe at rased.ir Mon Jan 12 13:59:17 2015
From: ripe at rased.ir (Shahin Gharghi)
Date: Mon, 12 Jan 2015 16:29:17 +0330
Subject: [members-discuss] BGP peer requirement for new AS Number
In-Reply-To:
References:
Message-ID:

If they won't check, why do they ask?
On Mon, Jan 12, 2015 at 4:28 PM, Arjan van der Oest <arjan.vanderoest at voiceworks.com> wrote:

> Just insert two peers that are available in Iran as upstream. They will
> not actually check with those peers.
>
> --
> Kind regards,
>
> Arjan van der Oest
> Lead Mobile Engineer
>
> Voiceworks BV - Oplagestraat 1 - 1321 NK Almere
> Mobile : +31 6 8686 0000
> Office : +31 36 7606656
> GPG key on http://keyserver.pgp.com/
> Key fingerprint = C58F 55CA C62A 5A49 15E0 2271 3481 6020 997E EE99
>
> On 12 Jan 2015, at 13:48, Shahin Gharghi wrote:
>
> Hi
>
> When an LIR (new LIR or existing one) wants to have a new AS Number, RIPE
> NCC asks for their peers. At least two peers should be listed.
> I want to ask is it important for the RIPE NCC to know who are the peers?
> For example in Iran most ISPs have only one peer and that is AS12880 or
> AS48159. And this company (TIC) won't confirm any request.
> Even if it is important for the RIPE NCC, they can search their database
> and ask the LIR contact of those LIRs to confirm the new peer's request.
>
> --
> Shahin Gharghi
> ----
> If you don't want to receive emails from the RIPE NCC members-discuss
> mailing list, please log in to your LIR Portal account and go to the
> general page:
> https://lirportal.ripe.net/general/
>
> Click on "Edit my LIR details", under "Subscribed Mailing Lists". From
> here, you can add or remove addresses.
>

From dominik at clouvider.co.uk Mon Jan 12 13:54:08 2015
From: dominik at clouvider.co.uk (Dominik Nowacki)
Date: Mon, 12 Jan 2015 12:54:08 +0000
Subject: [members-discuss] BGP peer requirement for new AS Number
In-Reply-To:
References:
Message-ID:

Hi Shahin and welcome to the list,

I don't think it's the question for the list members though.
Get in touch with RIPE directly and ask them about their position:
http://www.ripe.net/lir-services/resource-management/contact
http://www.ripe.net/lir-services/ncc/contact/contact-information

With Kind Regards,
Dominik Nowacki

Clouvider Limited is a limited company registered in England and Wales. Registered number: 08750969. Registered office: 88 Wood Street, London, United Kingdom, EC2V 7RS. Please note that Clouvider Limited may monitor email traffic data and also the content of email for the purposes of security and staff training. This message contains confidential information and is intended only for the intended recipient. If you do not believe you are the intended recipient you should not disseminate, distribute or copy this e-mail. Please notify abuse at clouvider.net of this e-mail immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. Clouvider Limited nor any of its employees therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. If verification is required please request a hard-copy version.

From: members-discuss [mailto:members-discuss-bounces at ripe.net] On Behalf Of Shahin Gharghi
Sent: 12 January 2015 12:49
To: members-discuss at ripe.net
Subject: [members-discuss] BGP peer requirement for new AS Number

Hi

When an LIR (new LIR or existing one) wants to have a new AS Number, RIPE NCC asks for their peers. At least two peers should be listed.
I want to ask is it important for the RIPE NCC to know who are the peers?
For example in Iran most ISPs have only one peer and that is AS12880 or AS48159. And this company (TIC) won't confirm any request.
Even if it is important for the RIPE NCC, they can search their database and ask the LIR contact of those LIRs to confirm the new peer's request.

--
Shahin Gharghi

From ripe at freethought-internet.co.uk Mon Jan 12 15:15:20 2015
From: ripe at freethought-internet.co.uk (Edward Dore)
Date: Mon, 12 Jan 2015 14:15:20 +0000
Subject: [members-discuss] BGP peer requirement for new AS Number
In-Reply-To:
References:
Message-ID: <9E9CCABB-BB7F-45F1-B5ED-42781CC41376@freethought-internet.co.uk>

Hi Shahin,

Currently section 2.0 of RIPE's Autonomous System (AS) Number Assignment Policies document (http://www.ripe.net/ripe/docs/ripe-525) says "A network must be multihomed in order to qualify for an AS Number", therefore under the current policy you shouldn't be requesting an ASN if you only intend to peer with one other ASN.

If you have a single upstream provider then you are deemed to have the same routing policy as them and as such not require an ASN.

There is however a proposal to change this policy and remove the multihoming requirement: http://www.ripe.net/ripe/policies/proposals/2014-03

Edward Dore
Freethought Internet

On 12 Jan 2015, at 12:48, Shahin Gharghi wrote:

> Hi
>
> When an LIR (new LIR or existing one) wants to have a new AS Number, RIPE NCC asks for their peers. At least two peers should be listed.
> I want to ask is it important for the RIPE NCC to know who are the peers?
> For example in Iran most ISPs have only one peer and that is AS12880 or AS48159. And this company (TIC) won't confirm any request.
> Even if it is important for the RIPE NCC, they can search their database and ask the LIR contact of those LIRs to confirm the new peer's request.
>
> --
> Shahin Gharghi

From ripe at rased.ir Mon Jan 12 15:23:40 2015
From: ripe at rased.ir (Shahin Gharghi)
Date: Mon, 12 Jan 2015 17:53:40 +0330
Subject: [members-discuss] BGP peer requirement for new AS Number
In-Reply-To: <9E9CCABB-BB7F-45F1-B5ED-42781CC41376@freethought-internet.co.uk>
References: <9E9CCABB-BB7F-45F1-B5ED-42781CC41376@freethought-internet.co.uk>
Message-ID:

Dear Edward

Let's imagine an LIR that has IPv4 & IPv6 allocation without AS Number. When they ask for an AS Number RIPE NCC says you have to have two peers. But this new LIR only has one peer. Is it impossible?

So if RIPE NCC asks for our peer to confirm, why don't they contact them to confirm?
And they can easily find the LIR contact of those AS Numbers and get confirmation from them. Why should we tell the email and the phone number of our peer to RIPE NCC?
This question just makes our process longer.

On Mon, Jan 12, 2015 at 5:45 PM, Edward Dore <ripe at freethought-internet.co.uk> wrote:

> Hi Shahin,
>
> Currently section 2.0 of RIPE's Autonomous System (AS) Number Assignment
> Policies document (http://www.ripe.net/ripe/docs/ripe-525) says "A
> network must be multihomed in order to qualify for an AS Number", therefore
> under the current policy you shouldn't be requesting an ASN if you only
> intend to peer with one other ASN.
>
> If you have a single upstream provider then you are deemed to have the
> same routing policy as them and as such not require an ASN.
>
> There is however a proposal to change this policy and remove the
> multihoming requirement:
> http://www.ripe.net/ripe/policies/proposals/2014-03
>
> Edward Dore
> Freethought Internet
>
> On 12 Jan 2015, at 12:48, Shahin Gharghi wrote:
>
> Hi
>
> When an LIR (new LIR or existing one) wants to have a new AS Number, RIPE
> NCC asks for their peers. At least two peers should be listed.
> I want to ask is it important for the RIPE NCC to know who are the peers?
> For example in Iran most ISPs have only one peer and that is AS12880 or
> AS48159. And this company (TIC) won't confirm any request.
> Even if it is important for the RIPE NCC, they can search their database
> and ask the LIR contact of those LIRs to confirm the new peer's request.
>
> --
> Shahin Gharghi
>

From chrislist at de-punkt.de Mon Jan 12 15:34:00 2015
From: chrislist at de-punkt.de (Christopher Kunz)
Date: Mon, 12 Jan 2015 15:34:00 +0100
Subject: [members-discuss] BGP peer requirement for new AS Number
In-Reply-To:
References: <9E9CCABB-BB7F-45F1-B5ED-42781CC41376@freethought-internet.co.uk>
Message-ID: <54B3DB58.7080601@de-punkt.de>

On 12.01.15 at 15:23, Shahin Gharghi wrote:
> Dear Edward
>
> Let's imagine an LIR that has IPv4 & IPv6 allocation without AS Number.
> When they ask for an AS Number RIPE NCC says you have to have two peers.
> But this new LIR only has one peer. Is it impossible?
>

If the LIR has only one upstream (I think when you say "peer" you actually mean "upstream"), an ASN is not required and since the multihoming requirement is not fulfilled, will probably not be issued, but YMMV.

> So if RIPE NCC asks for our peer to confirm, why don't they contact them
> to confirm?
> And they can easily find the LIR contact of those AS Numbers and get
> confirmation from them. Why should we tell the email and the phone number of
> our peer to RIPE NCC?
> This question just makes our process longer.
>

Your complaining on members-list certainly doesn't help speeding up your "process", so I suggest you either contact RIPE directly with your gripes or provide some other argument than "it bothers me" why you think the policy in effect should not apply to you. A discussion needs arguments.

Regards,

--ck

From rob.golding at astutium.com Mon Jan 12 15:47:56 2015
From: rob.golding at astutium.com (rob.golding at astutium.com)
Date: Mon, 12 Jan 2015 14:47:56 +0000
Subject: [members-discuss] BGP peer requirement for new AS Number
In-Reply-To: <54B3DB58.7080601@de-punkt.de>
References: <9E9CCABB-BB7F-45F1-B5ED-42781CC41376@freethought-internet.co.uk> <54B3DB58.7080601@de-punkt.de>
Message-ID: <62363608e87b83b9e208e911b5139b87@astutium.com>

>> Let's imagine an LIR that has IPv4 & IPv6 allocation without AS
>> Number.
>> When they ask for an AS Number RIPE NCC says you have to have two
>> peers.
>> But this new LIR only has one peer. Is it impossible?
>
> If the LIR has only one upstream (I think when you say "peer" you
> actually mean "upstream"), an ASN is not required and since the
> multihoming requirement is not fulfilled, will probably not be issued,
> but YMMV.

The requirement to multihome in order to get an ASN has been (or is being) removed - Nigel spoke about it at the last LINX meeting.
Rob

From sander at steffann.nl Wed Jan 14 01:30:13 2015
From: sander at steffann.nl (Sander Steffann)
Date: Tue, 13 Jan 2015 16:30:13 -0800
Subject: [members-discuss] BGP peer requirement for new AS Number
In-Reply-To: <62363608e87b83b9e208e911b5139b87@astutium.com>
References: <9E9CCABB-BB7F-45F1-B5ED-42781CC41376@freethought-internet.co.uk> <54B3DB58.7080601@de-punkt.de> <62363608e87b83b9e208e911b5139b87@astutium.com>
Message-ID:

Hi,

> On 12 Jan 2015, at 06:47, rob.golding at astutium.com wrote:
>
> The requirement to multihome in order to get an ASN has been (or is being) removed - Nigel spoke about it at the last LINX meeting.

There is a policy proposal on this subject (http://www.ripe.net/ripe/policies/proposals/2014-03) but it is still being discussed. Any input on this would be greatly appreciated in the RIPE address policy working group.

And on how the RIPE NCC implements our policy: they do actually contact the peers/upstreams on occasion to verify the request. The reason that they ask for contact information is that with bigger ISPs the people who are listed in the RIPE database aren't always the people who know about the organisation who wants to get an ASN. For example when a company wants an ASN they usually are still talking to the sales department, and the people listed in the RIPE database are usually not the sales people.

If anybody wants to discuss the policy: please join the address policy mailing list. Implementation details are probably best discussed in the NCC services working group.

Cheers,
Sander

From nigel at titley.com Thu Jan 22 13:13:52 2015
From: nigel at titley.com (Nigel Titley)
Date: Thu, 22 Jan 2015 12:13:52 +0000
Subject: [members-discuss] RIPE NCC Charging Scheme 2016 Discussion
Message-ID: <54C0E980.9050404@titley.com>

Dear Colleagues,

The RIPE NCC Executive Board has closely followed the ASN discussion on the Address Policy Working Group mailing list.
The issue of the RIPE NCC Charging Scheme has been raised, so I'd like to give you an idea of the Board's thinking on this. We hope this will inform the discussion and also give sufficient time for members to give their feedback, which we will take into account when making a Charging Scheme 2016 proposal to present to the General Meeting (GM) in May this year.

The issue of reintroducing a charge for ASNs was raised at the last GM in November 2014. You can follow the details of that discussion in the GM minutes:
https://www.ripe.net/lir-services/ncc/gm/november-2014/minutes-ripe-ncc-general-meeting-november-2014

This discussion, interesting though it was, did not result in a conclusive outcome on how the membership would like the Board to proceed with regard to ASNs. It also raised the issue of charging for PI address space.

Another issue raised at the previous GM during the discussion on providing RIPE NCC services for Legacy Internet resource holders was that members can vote only to approve or reject the Charging Scheme as a whole and they cannot vote on individual aspects of the Charging Scheme.

In trying to address the Charging Scheme-related issues raised, the Board would like to make two statements:

Firstly, the Board would like to retain the current "one LIR, one fee" Charging Scheme model that was approved by the membership and which provides fairness, predictability and simplicity for RIPE NCC members.

Secondly, the Board strongly believes that the Charging Scheme should be aligned with RIPE Policy. For this reason, there is a separate charge for PI resources that ensures alignment with ripe-452, "Contractual Requirements for Provider Independent Resource Holders in the RIPE NCC Service Region (2007-01)".

With this in mind, the Board would like to offer two different proposals for the Charging Scheme 2016:

1. The Board can propose a Charging Scheme in advance of the May GM and have the membership discuss the proposal.
The Board would take the discussion into account before proposing a final Charging Scheme to be voted on by the membership in May.

or

2. The Board could take a two-step approach to the Charging Scheme. In May, members would vote on individual issues such as charging for ASNs. The result of the voting would then be used to create a Charging Scheme that would be voted on in the usual way by members at the November GM.

The RIPE NCC Executive Board is appointed to represent the interests of the membership. For this reason, we encourage you to give us your feedback on these proposals so that the RIPE NCC Charging Scheme 2016 can come as close as possible to reflecting the wishes of the membership.

You can discuss the proposal and related Charging Scheme issues on the Members Discuss mailing list (members-discuss at ripe.net) or you can contact the Board directly at exec-board at ripe.net.

The next Executive Board meeting takes place on 19 March, so we would appreciate your feedback before that date.

I will also copy this mail to the Address Policy Working Group mailing list to ensure all interested parties are aware of the Board's thinking.

Best regards,

Nigel Titley
RIPE NCC Executive Board Chairman

From paul at racksense.com Thu Jan 22 16:48:01 2015
From: paul at racksense.com (Paul Civati)
Date: Thu, 22 Jan 2015 15:48:01 +0000
Subject: [members-discuss] [ncc-announce] [news] RIPE NCC website becoming HTTPS-only
In-Reply-To: <54C10B35.7010507@ripe.net>
References: <54C10B35.7010507@ripe.net>
Message-ID: <60446.1421941681@xciv.org>

(cc members-discuss)

Mihnea-Costin Grigore wrote:

> Dear colleagues,
>
> We plan to make the www.ripe.net website available over HTTPS only as
> of 5 February 2015. We believe this change will provide a more secure,
> efficient website for our users.
>
> The www.ripe.net website has been available over HTTPS for some time
> already, and we are now making it HTTPS-only for two reasons: to improve
> the website's security, and because we plan to integrate RIPE NCC Access
> (our single sign-on system) with www.ripe.net as part of our larger
> website redesign project, which requires us to use HTTPS throughout the
> site.

Some observations spring to mind.

1. www.ripe.net is (as far as I can see - and I could be wrong - please correct me) primarily an information site, that is it provides publicly available information to everyone/anyone. Therefore it does not largely transmit anything that needs to be secure and encrypted over SSL.

2. There have been far more security holes in https/TLS/SSL of recent than plain HTTP as far as I can tell. Therefore I would say that https is less secure unless you have sensitive information to transport. If my assertion (1) is correct then it would not seem beneficial to SSL protect www.ripe.net - indeed it may make it less secure.

3. Whilst I agree wholeheartedly that SSO is a good plan, in this case separation of the two different entities (information ie. www.ripe.net and admin ie. LIR portal) seems like a good idea.

Of course (3) may break the desire for SSO.

Or this may not really matter and no-one may really care. :)

Regards,

-Paul-

--
Paul Civati 0870 321 2855
Rack Sense Ltd - Managed Service Provider - www.racksense.com

From ripe at rased.ir Thu Jan 22 17:24:13 2015
From: ripe at rased.ir (Shahin Gharghi)
Date: Thu, 22 Jan 2015 19:54:13 +0330
Subject: [members-discuss] [ncc-announce] [news] RIPE NCC website becoming HTTPS-only
In-Reply-To: <60446.1421941681@xciv.org>
References: <54C10B35.7010507@ripe.net> <60446.1421941681@xciv.org>
Message-ID:

Dear colleagues

I agree with Paul and we have a problem with HTTPS in Iran.
That's too slow here.
But because of this: "because we plan to integrate RIPE NCC Access", they have to switch to HTTPS.
On Thu, Jan 22, 2015 at 7:18 PM, Paul Civati wrote:

> (cc members-discuss)
>
> Mihnea-Costin Grigore wrote:
>
> > Dear colleagues,
> >
> > We plan to make the www.ripe.net website available over HTTPS only as
> > of 5 February 2015. We believe this change will provide a more secure,
> > efficient website for our users.
> >
> > The www.ripe.net website has been available over HTTPS for some time
> > already, and we are now making it HTTPS-only for two reasons: to improve
> > the website's security, and because we plan to integrate RIPE NCC Access
> > (our single sign-on system) with www.ripe.net as part of our larger
> > website redesign project, which requires us to use HTTPS throughout the
> > site.
>
> Some observations spring to mind.
>
> 1. www.ripe.net is (as far as I can see - and I could be wrong - please
> correct me) primarily an information site, that is it provides publicly
> available information to everyone/anyone. Therefore it does not largely
> transmit anything that needs to be secure and encrypted over SSL.
>
> 2. There have been far more security holes in https/TLS/SSL of recent
> than plain HTTP as far as I can tell. Therefore I would say that https
> is less secure unless you have sensitive information to transport.
> If my assertion (1) is correct then it would not seem beneficial
> to SSL protect www.ripe.net - indeed it may make it less secure.
>
> 3. Whilst I agree wholeheartedly that SSO is a good plan, in this
> case separation of the two different entities (information ie.
> www.ripe.net and admin ie. LIR portal) seems like a good idea.
>
> Of course (3) may break the desire for SSO.
>
> Or this may not really matter and no-one may really care.
> :)
>
> Regards,
>
> -Paul-
>
> --
> Paul Civati 0870 321 2855
> Rack Sense Ltd - Managed Service Provider - www.racksense.com
>

From h.lu at anytimechinese.com Thu Jan 22 18:19:14 2015
From: h.lu at anytimechinese.com (Lu)
Date: Thu, 22 Jan 2015 18:19:14 +0100
Subject: [members-discuss] [ncc-announce] [news] RIPE NCC website becoming HTTPS-only
In-Reply-To:
References: <54C10B35.7010507@ripe.net> <60446.1421941681@xciv.org>
Message-ID:

Hi:

The RIPE website is quite slow in some remote areas, I had quite a bad experience of loading time in some areas of Africa, Asia, and the Middle East.

But I am not sure if it has to do with any specific technology or just a general routing issue.

Lu

> On 22 January 2015, at 5:24 PM, Shahin Gharghi wrote:
>
> Dear colleagues
>
> I agree with Paul and we have a problem with HTTPS in Iran.
> That's too slow here.
> But because of this: "because we plan to integrate RIPE NCC Access", they have to switch to HTTPS.
>
>> On Thu, Jan 22, 2015 at 7:18 PM, Paul Civati wrote:
>> (cc members-discuss)
>>
>> Mihnea-Costin Grigore wrote:
>>
>> > Dear colleagues,
>> >
>> > We plan to make the www.ripe.net website available over HTTPS only as
>> > of 5 February 2015. We believe this change will provide a more secure,
>> > efficient website for our users.
>> >
>> > The www.ripe.net website has been available over HTTPS for some time
>> > already, and we are now making it HTTPS-only for two reasons: to improve
>> > the website's security, and because we plan to integrate RIPE NCC Access
>> > (our single sign-on system) with www.ripe.net as part of our larger
>> > website redesign project, which requires us to use HTTPS throughout the
>> > site.
>>
>> Some observations spring to mind.
>>
>> 1. www.ripe.net is (as far as I can see - and I could be wrong - please
>> correct me) primarily an information site, that is it provides publicly
>> available information to everyone/anyone. Therefore it does not largely
>> transmit anything that needs to be secure and encrypted over SSL.
>>
>> 2. There have been far more security holes in https/TLS/SSL of recent
>> than plain HTTP as far as I can tell. Therefore I would say that https
>> is less secure unless you have sensitive information to transport.
>> If my assertion (1) is correct then it would not seem beneficial
>> to SSL protect www.ripe.net - indeed it may make it less secure.
>>
>> 3. Whilst I agree wholeheartedly that SSO is a good plan, in this
>> case separation of the two different entities (information ie.
>> www.ripe.net and admin ie. LIR portal) seems like a good idea.
>>
>> Of course (3) may break the desire for SSO.
>>
>> Or this may not really matter and no-one may really care. :)
>>
>> Regards,
>>
>> -Paul-
>>
>> --
>> Paul Civati 0870 321 2855
>> Rack Sense Ltd - Managed Service Provider - www.racksense.com

From members-discuss at nepustil.net Thu Jan 22 18:47:54 2015
From: members-discuss at nepustil.net (Kurt Jaeger)
Date: Thu, 22 Jan 2015 18:47:54 +0100
Subject: [members-discuss] [ncc-announce] [news] RIPE NCC website becoming HTTPS-only
In-Reply-To: <60446.1421941681@xciv.org>
References: <54C10B35.7010507@ripe.net> <60446.1421941681@xciv.org>
Message-ID: <20150122174754.GM39423@complx.nepustil.net>

Hi!

> > We plan to make the www.ripe.net website available over HTTPS only as
> > of 5 February 2015. We believe this change will provide a more secure,
> > efficient website for our users.

> 1. www.ripe.net is (as far as I can see - and I could be wrong - please
> correct me) primarily an information site, that is it provides publicly
> available information to everyone/anyone. Therefore it does not largely
> transmit anything that needs to be secure and encrypted over SSL.

In recent months there was debate (and published papers from certain three-letter-agencies) on real attacks which were done by hijacking unencrypted surf traffic to inject infection code.

The goal is to attack the clients surfing to a certain site. Clients like desktop systems of system and network admins. Belgacom case etc.

This and the very recent discussion on key escrow that pops up in Europe after 'Charlie Hebdo' makes the case to basically 'encrypt everything'.

If this causes issues with some service regions, it's useful that we learn more about those issues. Maybe afterwards HTTPS can be disabled for certain geo-located IP ranges.

I applaud RIPE to go this extra step with HTTPS-only.
--
MfG/Best regards, Kurt Jaeger                          5 years to go !
Dr.-Ing. Nepustil & Co. GmbH   fon +49 7123 93006-0    pi at nepustil.net
Rathausstr. 3                  fax +49 7123 93006-99
72658 Bempflingen              mob +49 171 3101372

From nick at netability.ie Thu Jan 22 20:07:04 2015
From: nick at netability.ie (Nick Hilliard)
Date: Thu, 22 Jan 2015 19:07:04 +0000
Subject: [members-discuss] [ncc-announce] [news] RIPE NCC website becoming HTTPS-only
In-Reply-To: <20150122174754.GM39423@complx.nepustil.net>
References: <54C10B35.7010507@ripe.net> <60446.1421941681@xciv.org> <20150122174754.GM39423@complx.nepustil.net>
Message-ID: <54C14A58.5080801@netability.ie>

On 22/01/2015 17:47, Kurt Jaeger wrote:
> I applaud RIPE to go this extra step with HTTPS-only.

yep, good move. approve.

Nick

From ripe-md at c4inet.net Thu Jan 22 22:36:05 2015
From: ripe-md at c4inet.net (Sascha Luck [ml])
Date: Thu, 22 Jan 2015 21:36:05 +0000
Subject: [members-discuss] [ncc-announce] [news] RIPE NCC website becoming HTTPS-only
In-Reply-To: <54C10B35.7010507@ripe.net>
References: <54C10B35.7010507@ripe.net>
Message-ID: <20150122213605.GI1012@cilantro.c4inet.net>

On Thu, Jan 22, 2015 at 03:37:41PM +0100, Mihnea-Costin Grigore wrote:
>We plan to make the www.ripe.net website available over HTTPS only as

I like the idea, everyone should do it.

Would the NCC consider publishing a report on any unreachability issues encountered, once it's been https-only for a bit? This would be useful info for anyone else considering this move.

rgds,
Sascha Luck

From sander at steffann.nl Thu Jan 22 23:03:51 2015
From: sander at steffann.nl (Sander Steffann)
Date: Thu, 22 Jan 2015 14:03:51 -0800
Subject: [members-discuss] RIPE NCC Charging Scheme 2016 Discussion
In-Reply-To: <54C0E980.9050404@titley.com>
References: <54C0E980.9050404@titley.com>
Message-ID:

Hi Nigel,

> 1. The Board can propose a Charging Scheme in advance of the May GM and
> have the membership discuss the proposal.
> The Board would take the
> discussion into account before proposing a final Charging Scheme to be
> voted on by the membership in May.

I would go for this option. Let's discuss what we (the members) want and let the board make the final proposal that we then vote on. If we are going to vote on individual issues the result might be an inconsistent charging scheme and it would prevent members from suggesting something that doesn't fit in the list of issues that are voted upon. I think having an open discussion and then trusting the board to come up with a good proposal will produce better results.

Cheers,
Sander

From kaa at net-art.cz Fri Jan 23 00:36:03 2015
From: kaa at net-art.cz (sergey myasoedov)
Date: Fri, 23 Jan 2015 00:36:03 +0100
Subject: [members-discuss] RIPE NCC Charging Scheme 2016 Discussion
In-Reply-To:
References: <54C0E980.9050404@titley.com>
Message-ID: <439171846.20150123003603@net-art.cz>

Nigel, Sander,

I would rather prefer option 2:

> 2. The Board could take a two-step approach to the Charging Scheme. In
> May, members would vote on individual issues such as charging for ASNs.
> The result of the voting would then be used to create a Charging Scheme
> that would be voted on in the usual way by members at the November GM.

This approach is more balanced, as for me, and it allows producing a charging scheme proposal that better reflects the expectations of members.

By the way, does the Board have any financial appraisal of the proposed amendment of the Charging Scheme?

--
Kind regards,
Sergey Myasoedov

You wrote Thursday, January 22, 2015, 11:03:51 PM:

>> 1. The Board can propose a Charging Scheme in advance of the May GM and
>> have the membership discuss the proposal. The Board would take the
>> discussion into account before proposing a final Charging Scheme to be
>> voted on by the membership in May.

> I would go for this option. Let's discuss what we (the members) want and let the board
> make the final proposal that we then vote on.
> If we are going to vote on individual
> issues the result might be an inconsistent charging scheme and it would prevent members
> from suggesting something that doesn't fit in the list of issues that are voted upon. I
> think having an open discussion and then trusting the board to come up with a good proposal will produce better results.

From Ondrej.Caletka at cesnet.cz Fri Jan 23 09:24:26 2015
From: Ondrej.Caletka at cesnet.cz (Ondřej Caletka)
Date: Fri, 23 Jan 2015 09:24:26 +0100
Subject: [members-discuss] [ncc-announce] [news] RIPE NCC website becoming HTTPS-only
In-Reply-To: <60446.1421941681@xciv.org>
References: <54C10B35.7010507@ripe.net> <60446.1421941681@xciv.org>
Message-ID: <54C2053A.209@cesnet.cz>

Hello Paul,

On 22.1.2015 at 16:48, Paul Civati wrote:
> 2. There have been far more security holes in https/TLS/SSL of recent
> than plain HTTP as far as I can tell. Therefore I would say that https
> is less secure unless you have sensitive information to transport.

Do you have any citation on this? Given the fact that HTTPS is plain HTTP with an added TLS encryption layer, I cannot see any _technical_* way it could be less secure than plain HTTP. All recent security holes discovered in TLS could have been used only to view the plaintext, i.e. the same text that HTTP transmits openly.

*) OK there may be a social part of the problem that some well educated users could share some confidential information using HTTPS but not HTTP. But it's not the case here since as you pointed out, www.ripe.net is a mainly informational website with almost no personal or confidential data.

Best regards,
Ondřej Caletka
CESNET

From jorgen at ssc.net Fri Jan 23 10:24:18 2015
From: jorgen at ssc.net (Jørgen Hovland)
Date: Fri, 23 Jan 2015 10:24:18 +0100
Subject: [members-discuss] [ncc-announce] [news] RIPE NCC website becoming HTTPS-only
In-Reply-To: <54C2053A.209@cesnet.cz>
References: <54C10B35.7010507@ripe.net> <60446.1421941681@xciv.org> <54C2053A.209@cesnet.cz>
Message-ID: <54C21342.9050203@ssc.net>

On 23.01.2015 09:24, Ondřej Caletka wrote:
> Hello Paul,
>
> On 22.1.2015 at 16:48, Paul Civati wrote:
>> 2. There have been far more security holes in https/TLS/SSL of recent
>> than plain HTTP as far as I can tell. Therefore I would say that https
>> is less secure unless you have sensitive information to transport.
> Do you have any citation on this?

Not trying to start an off-topic discussion, but: If you browse the web for security vulnerabilities in TLS/encryption-software you will clearly find a lot of matches. Some even extremely critical. Therefore, any service implementing encryption will have more security holes than if it did not implement encryption. This is unquestionable.

When it comes to being less secure, I agree that it would be correct to state that a non-sensitive site will be less secure with encryption enabled simply because there is no security gain in supporting encryption - but you do however get added security holes. In the mail from RIPE they say that they are adding SSO, so the site will eventually become sensitive and therefore need TLS.

From nick at netability.ie Fri Jan 23 23:31:48 2015
From: nick at netability.ie (Nick Hilliard)
Date: Fri, 23 Jan 2015 22:31:48 +0000
Subject: [members-discuss] [address-policy-wg] RIPE NCC Charging Scheme 2016 Discussion
In-Reply-To:
References: <54C0E980.9050404@titley.com>
Message-ID: <54C2CBD4.9090307@netability.ie>

On 22/01/2015 22:03, Sander Steffann wrote:
>> 1.
>> The Board can propose a Charging Scheme in advance of the May GM and
>> have the membership discuss the proposal. The Board would take the
>> discussion into account before proposing a final Charging Scheme to be
>> voted on by the membership in May.
>
> I would go for this option.

looks like the better approach to me.

Nick

From nigel at titley.com Sat Jan 24 23:53:52 2015
From: nigel at titley.com (Nigel Titley)
Date: Sat, 24 Jan 2015 22:53:52 +0000
Subject: [members-discuss] [address-policy-wg] RIPE NCC Charging Scheme 2016 Discussion
In-Reply-To: <439171846.20150123003603@net-art.cz>
References: <54C0E980.9050404@titley.com> <439171846.20150123003603@net-art.cz>
Message-ID: <54C42280.9030204@titley.com>

Sergey

On 22/01/15 23:36, sergey myasoedov wrote:
> Nigel, Sander,
>
> I would rather prefer option 2:
>
>> 2. The Board could take a two-step approach to the Charging Scheme. In
>> May, members would vote on individual issues such as charging for ASNs.
>> The result of the voting would then be used to create a Charging Scheme
>> that would be voted on in the usual way by members at the November GM.
> This approach is more balanced, as for me, and it allows producing a charging scheme
> proposal that better reflects the expectations of members.
>
> By the way, does the Board have any financial appraisal of the proposed amendment of the
> Charging Scheme?

Not entirely sure I understand what you mean here. We always, of course, do a financial appraisal of any action, including the charging scheme.
Nigel

From gert at space.net Sun Jan 25 20:56:34 2015
From: gert at space.net (Gert Doering)
Date: Sun, 25 Jan 2015 20:56:34 +0100
Subject: [members-discuss] [address-policy-wg] RIPE NCC Charging Scheme 2016 Discussion
In-Reply-To: <20150123085311.5f1839ba@echo.ms.redpill-linpro.com>
References: <54C0E980.9050404@titley.com> <20150123085311.5f1839ba@echo.ms.redpill-linpro.com>
Message-ID: <20150125195634.GY34798@Space.Net>

Hi,

On Fri, Jan 23, 2015 at 08:53:11AM +0100, Tore Anderson wrote:
> One way I believe this could be accomplished is that if you already
> pay the NCC membership fee or a PI fee, then you automatically get a
> reasonable quota of gratis ASNs. (Not automatic assignment of those
> ASNs, but that you won't get a separate charge until you have requested
> enough ASNs to exceed your quota.)

This would work for me.

Agreeing with Tore that this is not supposed to bring in additional revenue, and also not supposed to punish/hurt LIRs that make good use of their ASNs - but to be an incentive to return (or trade away) unused ASNs to make them used again, and to prevent useless hoarding which would burn NCC resources.

Gert Doering
        -- RIPE member, and interested in good resource management
--
have you enabled IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444           USt-IdNr.: DE813185279

From nick at netability.ie Sun Jan 25 23:08:27 2015
From: nick at netability.ie (Nick Hilliard)
Date: Sun, 25 Jan 2015 22:08:27 +0000
Subject: [members-discuss] [address-policy-wg] RIPE NCC Charging Scheme 2016 Discussion
In-Reply-To: <20150125195634.GY34798@Space.Net>
References: <54C0E980.9050404@titley.com> <20150123085311.5f1839ba@echo.ms.redpill-linpro.com> <20150125195634.GY34798@Space.Net>
Message-ID: <54C5695B.7050007@netability.ie>

On 25/01/2015 19:56, Gert Doering wrote:
> On Fri, Jan 23, 2015 at 08:53:11AM +0100, Tore Anderson wrote:
>> One way I believe this could be accomplished is that if you already
>> pay the NCC membership fee or a PI fee, then you automatically get a
>> reasonable quota of gratis ASNs. (Not automatic assignment of those
>> ASNs, but that you won't get a separate charge until you have requested
>> enough ASNs to exceed your quota.)
>
> This would work for me.
>
> Agreeing with Tore that this is not supposed to bring in additional
> revenue, and also not supposed to punish/hurt LIRs that make good use
> of their ASNs - but to be an incentive to return (or trade away)
> unused ASNs to make them used again, and to prevent useless hoarding
> which would burn NCC resources.

I see why this looks attractive, but I don't think it's a good idea.

Today's figures from delegated-ripencc-latest and the ripedb show:

 - 26768 ASNs assigned
 - 7165 LIRs with ASNs
 - 6245 with a single ASN assigned
 - 649 with 2 ASNs

Looking at these numbers, even if a quota figure were set as low as 2 ASNs per LIR, that's still over 25% of all ASNs for which there is no reason to return if they're unused. This is not going to encourage efficient garbage collection.

As a separate issue, free asn quotas for LIRs are not really within the spirit of RIPE community policy for PI resource assignment.
Nick

From ripe-md at c4inet.net Mon Jan 26 12:48:41 2015
From: ripe-md at c4inet.net (Sascha Luck [ml])
Date: Mon, 26 Jan 2015 11:48:41 +0000
Subject: [members-discuss] [address-policy-wg] RIPE NCC Charging Scheme 2016 Discussion
In-Reply-To: <54C5695B.7050007@netability.ie>
References: <54C0E980.9050404@titley.com> <20150123085311.5f1839ba@echo.ms.redpill-linpro.com> <20150125195634.GY34798@Space.Net> <54C5695B.7050007@netability.ie>
Message-ID: <20150126114841.GJ1012@cilantro.c4inet.net>

On Sun, Jan 25, 2015 at 10:08:27PM +0000, Nick Hilliard wrote:
>Today's figures from delegated-ripencc-latest and the ripedb show:
>
> - 26768 ASNs assigned
> - 7165 LIRs with ASNs
> - 6245 with a single ASN assigned
> - 649 with 2 ASNs
>
>Looking at these numbers, even if a quota figure were set as low as 2 ASNs
>per LIR, that's still over 25% of all ASNs for which there is no reason to
>return if they're unused. This is not going to encourage
>efficient garbage collection.

Erm. 25% of all *currently assigned* ASNs, whatever that may signify. 2ASN/LIR is ~0.0007% of *all* ASNs (assuming 9k LIRs)

>As a separate issue, free asn quotas for LIRs are not really
>within the spirit of RIPE community policy for PI resource
>assignment.

Currently all ASN are "free", so how does this proposal make it worse?

rgds,
Sascha Luck

From ripe-md at c4inet.net Mon Jan 26 12:54:27 2015
From: ripe-md at c4inet.net (Sascha Luck [ml])
Date: Mon, 26 Jan 2015 11:54:27 +0000
Subject: [members-discuss] [address-policy-wg] RIPE NCC Charging Scheme 2016 Discussion
In-Reply-To: <20150126114841.GJ1012@cilantro.c4inet.net>
References: <54C0E980.9050404@titley.com> <20150123085311.5f1839ba@echo.ms.redpill-linpro.com> <20150125195634.GY34798@Space.Net> <54C5695B.7050007@netability.ie> <20150126114841.GJ1012@cilantro.c4inet.net>
Message-ID: <20150126115427.GK1012@cilantro.c4inet.net>

On Mon, Jan 26, 2015 at 11:48:41AM +0000, Sascha Luck [ml] wrote:
>Erm.
>25% of all *currently assigned* ASNs, whatever that may
>signify. 2ASN/LIR is ~0.0007% of *all* ASNs (assuming 9k LIRs)

Actually my math sucks too. If it's unsigned 32bit, the percentage is ~ 0.0004

rgds,
s.

From gert at space.net Mon Jan 26 13:01:46 2015
From: gert at space.net (Gert Doering)
Date: Mon, 26 Jan 2015 13:01:46 +0100
Subject: [members-discuss] [address-policy-wg] RIPE NCC Charging Scheme 2016 Discussion
In-Reply-To: <20150126114841.GJ1012@cilantro.c4inet.net>
References: <54C0E980.9050404@titley.com> <20150123085311.5f1839ba@echo.ms.redpill-linpro.com> <20150125195634.GY34798@Space.Net> <54C5695B.7050007@netability.ie> <20150126114841.GJ1012@cilantro.c4inet.net>
Message-ID: <20150126120146.GK34798@Space.Net>

Hi,

On Mon, Jan 26, 2015 at 11:48:41AM +0000, Sascha Luck [ml] wrote:
> Currently all ASN are "free", so how does this proposal make it
> worse?

ASNs are not free, their cost is hidden in the LIR fee.

So, LIRs with few ASes sponsor LIRs with many ASes.

Gert Doering
        -- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444           USt-IdNr.: DE813185279

From ripe-md at c4inet.net Mon Jan 26 13:29:34 2015
From: ripe-md at c4inet.net (Sascha Luck [ml])
Date: Mon, 26 Jan 2015 12:29:34 +0000
Subject: [members-discuss] [address-policy-wg] RIPE NCC Charging Scheme 2016 Discussion
In-Reply-To: <20150126120146.GK34798@Space.Net>
References: <54C0E980.9050404@titley.com> <20150123085311.5f1839ba@echo.ms.redpill-linpro.com> <20150125195634.GY34798@Space.Net> <54C5695B.7050007@netability.ie> <20150126114841.GJ1012@cilantro.c4inet.net> <20150126120146.GK34798@Space.Net>
Message-ID: <20150126122934.GL1012@cilantro.c4inet.net>

On Mon, Jan 26, 2015 at 01:01:46PM +0100, Gert Doering wrote:
>So, LIRs with few ASes sponsor LIRs with many ASes.

In the same way that LIRs with one /22 sponsor those with multiple /12. Charging piddly sums for ASN will not fundamentally change this "unfairness".

If all this is about is "garbage collection", a possible solution would be to "audit" independent resources yearly - as simple as asking "are these resources still in use and by whom" and reclaim negatives/unreachables.

If it is about someone getting something for free, the whole one-LIR-one fee debate needs to be reopened.
rgds,
Sascha Luck

From nick at netability.ie Mon Jan 26 14:14:37 2015
From: nick at netability.ie (Nick Hilliard)
Date: Mon, 26 Jan 2015 13:14:37 +0000
Subject: [members-discuss] [address-policy-wg] RIPE NCC Charging Scheme 2016 Discussion
In-Reply-To: <20150126122934.GL1012@cilantro.c4inet.net>
References: <54C0E980.9050404@titley.com> <20150123085311.5f1839ba@echo.ms.redpill-linpro.com> <20150125195634.GY34798@Space.Net> <54C5695B.7050007@netability.ie> <20150126114841.GJ1012@cilantro.c4inet.net> <20150126120146.GK34798@Space.Net> <20150126122934.GL1012@cilantro.c4inet.net>
Message-ID: <54C63DBD.7090901@netability.ie>

On 26/01/2015 12:29, Sascha Luck [ml] wrote:
> If all this is about is "garbage collection", a possible solution
> would be to "audit" independent resources yearly

Sascha,

this isn't just about GC; it's about a lot of things, including:

- allowing the ASN assignment process to become far simpler and more transparent than it currently is

- creating a mechanism to help prevent hoarding of resources

- aligning RIPE NCC policy with existing RIPE community policy

- ensuring that end users of PI resources cover the costs of running their share of the registry

- ensuring that there is a mechanism to encourage end users to return unused ASNs to the RIPE NCC.
Nick

From ripe-md at c4inet.net Mon Jan 26 14:45:51 2015
From: ripe-md at c4inet.net (Sascha Luck [ml])
Date: Mon, 26 Jan 2015 13:45:51 +0000
Subject: [members-discuss] [address-policy-wg] RIPE NCC Charging Scheme 2016 Discussion
In-Reply-To: <54C63DBD.7090901@netability.ie>
References: <54C0E980.9050404@titley.com> <20150123085311.5f1839ba@echo.ms.redpill-linpro.com> <20150125195634.GY34798@Space.Net> <54C5695B.7050007@netability.ie> <20150126114841.GJ1012@cilantro.c4inet.net> <20150126120146.GK34798@Space.Net> <20150126122934.GL1012@cilantro.c4inet.net> <54C63DBD.7090901@netability.ie>
Message-ID: <20150126134551.GM1012@cilantro.c4inet.net>

Please note I'm only addressing the matter of ASN charges here, the merits of 2014-03 itself are probably better discussed in address-policy.

On Mon, Jan 26, 2015 at 01:14:37PM +0000, Nick Hilliard wrote:
>this isn't just about GC; it's about a lot of things, including:
>
>- allowing the ASN assignment process to become far simpler and more
>transparent than it currently is

IME, as soon as money is involved, things get more complicated (at least for a LIR) and less automatable.

>- creating a mechanism to help prevent hoarding of resources

A numerical or time-based limit would provide that and would be automatable.

>- aligning RIPE NCC policy with existing RIPE community policy

2007-01 applies and, IIRC, it does not demand that money change hands.

>- ensuring that end users of PI resources cover the costs of running their
>share of the registry

End Users don't have a share. They don't have a vote. No taxation without representation.

>- ensuring that there is a mechanism to encourage end users to return
>unused ASNs to the RIPE NCC.

Is there any data on how effective the EUR50 charge for PI has been in that? I think an annual (automated) "audit" of independent resources would be better in providing this function...

rgds,
Sascha Luck