From joao at psg.com Mon Sep 1 14:55:41 2003
From: joao at psg.com (Joao Damas)
Date: Mon, 1 Sep 2003 14:55:41 +0200
Subject: [ncc-services-wg] Re: [db-wg] The New "organisation object" Proposal
In-Reply-To:
Message-ID: <977C97AA-DC7B-11D7-BA99-000A959B2120@psg.com>

Given all the different possibilities regarding unique national
identifiers for organisations in different places of the world, would it
be an option to start by having a RIPE doc "The organisation object" with
the current proposal, task the RIPE NCC with researching the field a bit
more on the VAT, chamber of commerce, etc part, and then have a new RIPE
doc "Extending the organisation object" in a few months?

Experience with the use of the object is likely useful right now and would
provide input for future fine tuning.

Joao

On Friday, Aug 29, 2003, at 19:17 Europe/Amsterdam, Hans Petter Holen wrote:

>> I think that this is something too specific to have its own attribute.
>> "remarks:" attribute can be used for this I guess, just like it can
>> be used to point users to web pages etc.
>
> I don't agree: the point about the attribute would be to uniquely identify
> the organisation within a country. I am quite sure all countries within
> the EU have this concept of org-number/vat number or public registry
> number. The good thing is that it stays unique and lives through name
> changes.
>
> Hans Petter
>
>

From gert at space.net Mon Sep 1 16:33:06 2003
From: gert at space.net (Gert Doering)
Date: Mon, 1 Sep 2003 16:33:06 +0200
Subject: [address-policy-wg] Re: [ncc-services-wg] IPv6 applications (was: Request Forms: updated and available on LIR Portal)
In-Reply-To: <5.1.0.14.2.20030826125314.03befe68@mailhost.ripe.net>; from dominic@ripe.net on Tue, Aug 26, 2003 at 12:57:13PM +0200
References: <5.1.0.14.2.20030826125314.03befe68@mailhost.ripe.net>
Message-ID: <20030901163306.K67740@Space.Net>

Hi,

On Tue, Aug 26, 2003 at 12:57:13PM +0200, Dominic Spratley wrote:
> You both made several points and I hope I can explain our thinking on them
> for you. We think these new forms represent a change in the way we provide
> services to LIRs so we've addressed this answer to the NCC Services WG list.
> We don't think they represent a change to the RIPE community's policy.

Actually, I tend to disagree, at least for some parts. Which is why
I've put the APWG list back into the CC: (sorry for duplicates).

Some of the criticism voiced is that the NCC is asking questions and
enforcing rules that are more strict than what the policy demands - and
this is certainly relating to policy.

[..]
> You asked about the requirement for a network diagram to be supplied when
> requesting an IPv6 allocation. There are two reasons for this. Firstly, the
> RIPE NCC has not yet made 250 IPv6 allocations. Our experience with IPv6
> networks is limited and we need network operators to show us how they intend
> to use IPv6 address space in their networks.

I agree with the assessment that "more experience for the NCC is a good
thing".

On the other hand, many startup IPv6 deployments are extremely trivial
("one access server with 1000 DSL circuits, serving /48s to DSL end
users" would certainly qualify for the policy requirements).

So I don't think it's appropriate to enforce this "you send us an
interesting picture, otherwise you won't get an IPv6 allocation"
approach.
Make it optional.

> Secondly, the current IPv6
> policy does not allow stockpiling of IPv6 address space. One way of
> distinguishing a genuine request from one that is intended for stockpiling
> reasons is to request a diagram showing how the address space will be used.
> It doesn't have to be a fancy diagram. It's also fine to fax a hand-drawn
> diagram instead of sending one by e-mail. When we have more experience with
> IPv6 I expect we will make the diagram optional.

This is "conservationism striking again", and this is BAD.

The idea behind the current policy is "make IPv6 address blocks available
to anybody who is asking for them" (and can reasonably claim 200 future
IPv6 customers). For that, you don't *need* a fancy network, so why
do you have to demonstrate it at all?

What are you worrying about? Address wastage is really not a problem
right now. Obstacles on the way to IPv6 deployments are a problem, and
we don't want the NCC to be an obstacle.

Now come and flame me :-)

Gert Doering
        -- NetMaster
--
Total number of prefixes smaller than registry allocations: 55575 (56535)

SpaceNet AG                 Mail: netmaster at Space.Net
Joseph-Dollinger-Bogen 14   Tel : +49-89-32356-0
80807 Muenchen              Fax : +49-89-32356-299

From slz at baycix.de Tue Sep 2 07:56:42 2003
From: slz at baycix.de (Sascha Lenz)
Date: Tue, 2 Sep 2003 07:56:42 +0200
Subject: [address-policy-wg] Re: [ncc-services-wg] IPv6 applications (was: Request Forms: updated and available on LIR Portal)
In-Reply-To: <20030901163306.K67740@Space.Net>; from gert@space.net on Mon, Sep 01, 2003 at 04:33:06PM +0200
References: <5.1.0.14.2.20030826125314.03befe68@mailhost.ripe.net> <20030901163306.K67740@Space.Net>
Message-ID: <20030902075642.F27955@mama.baycix.de>

Hay,

On Mon, Sep 01, 2003 at 04:33:06PM +0200, Gert Doering wrote:
> Hi,
>
> On Tue, Aug 26, 2003 at 12:57:13PM +0200, Dominic Spratley wrote:
> > You both made several points and I hope I can explain our thinking on them
> > for you.
> > We think these new forms represent a change in the way we provide
> > services to LIRs so we've addressed this answer to the NCC Services WG list.
> > We don't think they represent a change to the RIPE community's policy.
>
> Actually, I tend to disagree, at least for some parts. Which is why
> I've put the APWG list back into the CC: (sorry for duplicates).
>
> Some of the criticism voiced is that the NCC is asking questions and
> enforcing rules that are more strict than what the policy demands - and
> this is certainly relating to policy.

Yes, in the case of the requirement of a network topology map, it looks
like it always was part of the request form for the initial IPv6
Allocation, but never part of the policy. Just that no one complained yet.

> [..]
> > You asked about the requirement for a network diagram to be supplied when
> > requesting an IPv6 allocation. There are two reasons for this. Firstly, the
> > RIPE NCC has not yet made 250 IPv6 allocations. Our experience with IPv6
> > networks is limited and we need network operators to show us how they intend
> > to use IPv6 address space in their networks.
>
> I agree with the assessment that "more experience for the NCC is a good
> thing".
>
> On the other hand, many startup IPv6 deployments are extremely trivial
> ("one access server with 1000 DSL circuits, serving /48s to DSL end
> users" would certainly qualify for the policy requirements).
>
> So I don't think it's appropriate to enforce this "you send us an
> interesting picture, otherwise you won't get an IPv6 allocation"
> approach. Make it optional.

Full-ACK.
The main reason i came up with the idea that i can save some time and not
paint a pointless map was, that it's just not in the policy. So i didn't
consider it a necessary requirement.

We almost have such a trivial setup as you mention. We're still using
an IPv6 overlay network, no joint IPv4+IPv6 backbone yet due to vendor
limitations, i.e. many tunnels.
It's subject to change at any time anyways, there's absolutely no way to
tell how the final network will look like until all vendors support IPv6
in mainline firmware releases.

So where is the point in doing so? What benefit has the RIPE NCC from a
map which doesn't need to be a fancy diagram and even can be a handwritten
drawing as Dominic suggests?

And no, "overlay network" doesn't mean it's a test setup not qualifying
for production IPv6 space either. The reason for requesting a production
IPv6 Allocation is, that one wants to start to actually assign /48s to
endusers and make sub-allocations to downstream organisations.

I also consider the "have a plan for making at least 200 /48 assignments
to other organisations within two years." requirement quite dim. But since
it's in the policy and i initially supported a slow-start mechanism, i
have no problems with that. It's not that hard to fulfill for most early
adopters anyways, not even for my LIR :)
("Tunnels, free Tunnels, Tunnels for all! Take two - get one for free!")

Though... see below.

> > Secondly, the current IPv6
> > policy does not allow stockpiling of IPv6 address space. One way of
> > distinguishing a genuine request from one that is intended for stockpiling
> > reasons is to request a diagram showing how the address space will be used.
> > It doesn't have to be a fancy diagram. It's also fine to fax a hand-drawn
> > diagram instead of sending one by e-mail. When we have more experience with
> > IPv6 I expect we will make the diagram optional.
>
> This is "conservationism striking again", and this is BAD.
>
> The idea behind the current policy is "make IPv6 address blocks available
> to anybody who is asking for them" (and can reasonably claim 200 future
> IPv6 customers). For that, you don't *need* a fancy network, so why
> do you have to demonstrate it at all?
>
> What are you worrying about? Address wastage is really not a problem
> right now.
> Obstacles on the way to IPv6 deployments are a problem, and
> we don't want the NCC to be an obstacle.

Full-ACK, again.

But, even more generally speaking:

Look at the current IPv4 policy discussion. It shows that more and more
LIRs are very small LIRs, probably using only IP-space for themselves and
very few customers. Even the initial allocation size is subject to be
reduced again.

What do those LIRs do if they want to start deploying IPv6? They probably
can't show 200 potential /48 customers. And don't have the manpower or any
interest in painting topology maps. They are cut off from IPv6 then and
need to get a suballocation from another LIR? Why do they pay the full
RIPE fee then?

I guess the whole policy currently is a bit outdated. In my eyes it
prevents IPv6 deployment. Not to a degree like the hardware/software
support situation, but it adds obstacles for some organisations and they
rather just don't care about IPv6, "too complicated".

The main reason i supported the slow-start mechanism was, that there was
no experience in first place, and for example not even the initial IPv6
Allocation size was settled. And as we know, it changed in the meantime.
Currently there's still the discussion about whether to make reservations
and fragment the 2001::/16 space or not, but most of the policy is quite
final i think, so i'm not very positive about the need for RIPE to
continue with that slow-start thing for much longer.

On the other hand, just look who currently already got some IPv6
Allocation and how many of them are just unused. I only looked for de.*
LIRs on my search for some IPv6 uplink who probably can offer IPv6
natively, but already was amazed about the results.

For starters, i was quite happy that our main uplink got an IPv6
Allocation for almost a year now, just to notice that their Prefix is not
in the BGP tables shortly afterwards, and there are no assignments yet.
Asking our tech contacts there, the first one at least knew what IPv6 is,
but then i got a "no, we don't have any IPv6 at all, not even via tunnel".
Sales Department then even told me "IPv6? No, we don't even have plans for
that at the moment, sorry."

So, hm. Someone can tell me how they got the Allocation? Because they are
a big IPv4 LIR and someone gave RIPE a high-gloss Network map which their
Marketing people produce all the time?

RIPE, do you really WANT to be lied to?
(DISCLAIMER: I'm not accusing anyone of lying here, that's just a question
as stylistic device :) )

Of course i can just comply with that and make up thousands of
dial-customers who all want to have IPv6, i know that they do! And of
course we have a BIIIIG IPv6 network in 2 years, see my nice map?

So my point is, one really should start thinking about a change.
There is the idea of "One IPv6 Allocation for every LIR on request." on
some mailinglists for quite a while. I'd support this now for the future
(not necessarily immediately).

> Now come and flame me :-)

Certainly not :)

--
==========================================================================
= Sascha 'master' Lenz SLZ-RIPE slz at baycix.de =
= NOC BayCIX GmbH =
= http://www.noc.baycix.de/ * PGP public Key on demand * =
==========================================================================

From engin at ripe.net Tue Sep 2 11:58:11 2003
From: engin at ripe.net (Engin Gunduz)
Date: Tue, 2 Sep 2003 11:58:11 +0200
Subject: [ncc-services-wg] Re: [db-wg] The New "organisation object" Proposal
In-Reply-To:
References: <20030825124627.GA7986@x47.ripe.net>
Message-ID: <20030902095811.GD15114@x47.ripe.net>

Hi Joao,

On 2003-08-25 14:58:47 +0200, Joao Damas wrote:
[...]
> > using the "org-name:" attribute of the object. The user can specify the
> > letter combination he/she prefers.
> > For example if the user wants TTR as the
> > letter combination, in the organisation ID, then ORG-AUTO-1TTR should be
> > put into "organisation:" attribute during the creation of the object.
>
> Yes, I read it, what I mean is whether you would consider eliminating
> the part about choosing letters. This is only an identifier and it
> would be good if people could think about it as just that, with no
> naming implications.

As the first thought, I liked the idea of eliminating the part
about choosing letters. However there can be a valid use case for it:
the user might want to have a specific letter combination other than
the software assigns, because the latter might mean something
"inappropriate" in some language by coincidence.

-engin

--
Engin Gunduz
RIPE NCC Database Group

From pdp+rwg.lir at nl.demon.net Tue Sep 2 17:00:35 2003
From: pdp+rwg.lir at nl.demon.net (Phil Pennock)
Date: Tue, 2 Sep 2003 17:00:35 +0200
Subject: [ncc-services-wg] Proposal for easing keysigning at meetings
Message-ID: <20030902150035.GA65955@samhain.noc.nl.demon.net>

A little hallway conversation led to a consensus that NCC-Services is the
correct place to suggest this idea; it's a minimal-cost suggestion for
aiding crypto key-signing via the RIPE conference registration.

The main issue with exchanging crypto keys (eg PGP) is verifying that all
the information has been copied correctly and spending the actual time to
do it.

If the online registration form has an optional field to supply a key
fingerprint, then those who supply this will have their fingerprint listed
in the attendee list and shown on their registration badge (optionally
with keyid if not embedded in fingerprint).

Then, if you're interested in verifying keys at the level of "I've
talked to this person and someone has paid a few hundred euros for him
to attend a conference in his name" or greater trust, then you can
glance over the fingerprint on the badge, versus that on the list, and
just tick the item.
Then, later, working through the list you can just retrieve/sign/upload
those keys which you've ticked.

Benefits:
 * makes valid key-signing friendlier to the lazy and those without a
   surface to easily write on (or a PDA or ...)
 * so web of trust more likely to be established at RIPE meetings

Disadvantages:
 * minimal change to registration form, slightly longer printouts
 * it's not _entirely_ free, but it's once-off minimal development and
   probably some text in the booklets explaining the system (and why
   people shouldn't just sign every key on the list)

Does anyone think that this is a good idea, or a violently stupid idea?
Should RIPE be doing this?

(I actually proposed this at LISA a couple of years ago and the
staff-member liked it and thought they'd try this at a USENIX Security
conference, but I heard nothing more about it)
--
Phil Pennock,    Senior Systems Administrator,    Demon Internet Netherlands
NL Sales: +31 20 422 20 00      Thus Plc      NL Support: 0800 33 6666 8

From pim at bit.nl Tue Sep 2 17:08:24 2003
From: pim at bit.nl (Pim van Pelt)
Date: Tue, 2 Sep 2003 17:08:24 +0200
Subject: [ncc-services-wg] Proposal for easing keysigning at meetings
In-Reply-To: <20030902150035.GA65955@samhain.noc.nl.demon.net>
References: <20030902150035.GA65955@samhain.noc.nl.demon.net>
Message-ID: <20030902150824.GD21840@crow.bit.nl>

Hi,

| Then, if you're interested in verifying keys at the level of "I've
| talked to this person and someone has paid a few hundred euros for him
| to attend a conference in his name" or greater trust, then you can
| glance over the fingerprint on the badge, versus that on the list, and
| just tick the item.

Good idea and I'm all for it.
--
__________________
Kind regards, /\ ___/
Pim van Pelt /- \ _/
Business Internet Trends BV PBVP1-RIPE /--- \/
__________________

From jorgen at hovland.cx Tue Sep 2 17:30:04 2003
From: jorgen at hovland.cx (Jørgen Hovland)
Date: Tue, 2 Sep 2003 17:30:04 +0200
Subject: [ncc-services-wg] Proposal for easing keysigning at meetings
References: <20030902150035.GA65955@samhain.noc.nl.demon.net> <20030902150824.GD21840@crow.bit.nl>
Message-ID: <001101c37167$154c7bd0$1b29b3d5@klimax>

----- Original Message -----
From: "Pim van Pelt"

> Hi,
>
> | Then, if you're interested in verifying keys at the level of "I've
> | talked to this person and someone has paid a few hundred euros for him
> | to attend a conference in his name" or greater trust, then you can
> | glance over the fingerprint on the badge, versus that on the list, and
> | just tick the item.
>
> Good idea and I'm all for it.

I'm not. One reason is that I think it is a bit deprecated, and if I
wanted to collect stamps I would go to a stampshop.
The other is that RIPE is implementing X509 authentication. I think it
would certainly be much better to do something that was related to this
than doing something that was not... if possible.

Joergen Hovland (ENK)

From pdp+rwg.lir at nl.demon.net Tue Sep 2 22:47:39 2003
From: pdp+rwg.lir at nl.demon.net (Phil Pennock)
Date: Tue, 2 Sep 2003 22:47:39 +0200
Subject: [ncc-services-wg] Proposal for easing keysigning at meetings
In-Reply-To: <20030902164310.GH62215@sunet.se>
References: <20030902150035.GA65955@samhain.noc.nl.demon.net> <20030902150824.GD21840@crow.bit.nl> <001101c37167$154c7bd0$1b29b3d5@klimax> <20030902164310.GH62215@sunet.se>
Message-ID: <20030902204739.GA88317@samhain.noc.nl.demon.net>

On 2003-09-02 at 18:43 +0200, Mans Nilsson wrote:
> Quoting Jørgen Hovland (jorgen at hovland.cx):
> > I'm not. One reason is that I think it is a bit deprecated, and if I
> > wanted to collect stamps I would go to a stampshop.
*ROTFL*

These are a bit more useful than historical stamps, but the character
description is a fair jab. :^) But those of us who collect signatures
do so because it achieves something, not _just_ because it satisfies
some boyish collector instinct (I've just realised that I don't think
I've ever seen a woman at a keysigning).

> > The other is that RIPE is implementing X509 authentication. I think it
> > would certainly be much better to do something that was
> > related to this than doing something that was not... if possible.
>
> I disagree -- but then again I do not understand this X509 stuff.

I don't understand X509 sufficiently to make suggestions, but if it does
allow for distributed trust, such as PGP/GPG/whatever's web-of-trust,
then the proposal for RIPE doesn't exclude it.

The proposal is for "crypto keys", not "PGP keys" even though they're
the most obvious and likely beneficiary.

As far as I'm concerned, the collected information should be treated as
a blob of text. It can be PGP, X, or anything else. A bit like the
early flexibility of the RIPE database -- don't prohibit content.

The key (bad pun, sorry) is to reduce the potential for human error in
transcription and reduce the work required per key/identity
verification.

Perhaps amend the original suggestion to explicitly collect a pair,
"crypto system"/"crypto pub-key".

  Crypto: PGP / 6F99 1154 7B13 3294 F1FB 78A7 2622 C81A 9525 CBBA

Another private reply suggested that I collect private replies and
report tallies to the list. I'm willing to do this.
--
Phil Pennock,    Senior Systems Administrator,    Demon Internet Netherlands
NL Sales: +31 20 422 20 00      Thus Plc      NL Support: 0800 33 6666 8

From sanjaya at apnic.net Wed Sep 3 09:41:02 2003
From: sanjaya at apnic.net (Sanjaya)
Date: Wed, 3 Sep 2003 17:41:02 +1000
Subject: [ncc-services-wg] Re: [db-wg] The New "organisation object" Proposal
In-Reply-To: <20030902095811.GD15114@x47.ripe.net>
Message-ID: <000101c371ee$b9e95e60$8800a8c0@assanjaya>

> As the first thought, I liked the idea of eliminating the part
> about choosing letters. However there can be a valid use case for it:
> the user might want to have a specific letter combination other than
> the software assigns, because the latter might mean something
> "inappropriate" in some language by coincidence.
> -engin
>
> --
> Engin Gunduz
> RIPE NCC Database Group

I'd like to second this position. There are cultures that don't like
certain numbers (witness the missing floor numbers in your hotel if you go
to certain countries :-)

Cheers,
Sanjaya
Sr. Project Mgr., APNIC Secretariat

From mansaxel at sunet.se Tue Sep 2 18:43:10 2003
From: mansaxel at sunet.se (Mans Nilsson)
Date: Tue, 2 Sep 2003 18:43:10 +0200
Subject: [ncc-services-wg] Proposal for easing keysigning at meetings
In-Reply-To: <001101c37167$154c7bd0$1b29b3d5@klimax>
References: <20030902150035.GA65955@samhain.noc.nl.demon.net> <20030902150824.GD21840@crow.bit.nl> <001101c37167$154c7bd0$1b29b3d5@klimax>
Message-ID: <20030902164310.GH62215@sunet.se>

Subject: Re: [ncc-services-wg] Proposal for easing keysigning at meetings Date: Tue, Sep 02, 2003 at 05:30:04PM +0200 Quoting Jørgen Hovland (jorgen at hovland.cx):
>
> I'm not. One reason is that I think it is a bit deprecated, and if I
> wanted to collect stamps I would go to a stampshop.
> The other is that RIPE is implementing X509 authentication. I think it
> would certainly be much better to do something that was
> related to this than doing something that was not... if possible.
I disagree -- but then again I do not understand this X509 stuff.

PGP works and I can decide how much I want to trust it. I have the
highest regards for RIPE NCC, but I like to avoid pyramidal trust if
I can.

--
Måns Nilsson Systems Specialist
+46 70 681 7204 KTHNOC
MN1334-RIPE

I'm EMOTIONAL now because I have MERCHANDISING CLOUT!!

From hank at att.net.il Fri Sep 5 10:09:54 2003
From: hank at att.net.il (Hank Nussbacher)
Date: Fri, 05 Sep 2003 10:09:54 +0200
Subject: [ncc-services-wg] dnsmon - why?
In-Reply-To:
Message-ID: <5.1.0.14.2.20030905100519.00ac86e0@max.att.net.il>

Continuing in my previous view of examining RIPE services and alternatives
that are available:

At the RIPE meeting, I saw http://dnsmon.ripe.net.

How is this different than:
http://www.caida.org/cgi-bin/dns_perf/main.pl
and
http://www.cymru.com/DNS/dns.html

Wouldn't it make sense to use these services to monitor country roots
rather than create yet another new RIPE service?

-Hank

From daniel.karrenberg at ripe.net Fri Sep 5 11:49:33 2003
From: daniel.karrenberg at ripe.net (Daniel Karrenberg)
Date: Fri, 5 Sep 2003 11:49:33 +0200
Subject: [ncc-services-wg] dnsmon - why?
In-Reply-To: <5.1.0.14.2.20030905100519.00ac86e0@max.att.net.il>
References: <5.1.0.14.2.20030905100519.00ac86e0@max.att.net.il>
Message-ID: <20030905094933.GA1151@dhcp-9-224.ripemtg.ripe.net>

On 05.09 10:09, Hank Nussbacher wrote:
> Continuing in my previous view of examining RIPE services and alternatives
> that are available:
>
> At the RIPE meeting, I saw http://dnsmon.ripe.net.
>
> How is this different than:
> http://www.caida.org/cgi-bin/dns_perf/main.pl
> and
> http://www.cymru.com/DNS/dns.html
>
> Wouldn't it make sense to use these services to monitor country roots
> rather than create yet another new RIPE service?
Hank,

work on this started when we needed real data about the service quality of
k.root-servers.net as seen from the users, e.g. from *a lot of* places.
This was done as part of the RIPE NCC's responsibility to operate that
server.

Once we did it for one server the incremental work to do it for the other
root servers as well was very small. We wanted to compare our service
levels ;-). This was intended for the use by the k.root-servers.net
operators, and other root name server operators.

But why should we keep this data to ourselves? So we published it as
alpha. Soon lots of people found it cool and suggested to monitor TLDs as
well and again the additional effort involved was not very high.

I immediately thought that it would be very fair if those responsible for
the ccTLDs would contribute to the operating costs once this becomes a
service. It turns out that a number of the European ccTLDs were not only
prepared to pay a fair share but eager. So I expect that this will happen.

This also sparked and influenced my thinking about measurements in general
which I wrote up in ripe-271. This memo also explains why I think the RIPE
NCC should do measurement and data collection activities, so I will not
repeat it here.

Henk might expand with more details.

Daniel

From pim at bit.nl Fri Sep 5 11:55:57 2003
From: pim at bit.nl (Pim van Pelt)
Date: Fri, 5 Sep 2003 11:55:57 +0200
Subject: [ncc-services-wg] dnsmon - why?
In-Reply-To: <5.1.0.14.2.20030905100519.00ac86e0@max.att.net.il>
References: <5.1.0.14.2.20030905100519.00ac86e0@max.att.net.il>
Message-ID: <20030905095556.GA96558@crow.bit.nl>

Hoi Hank,

On Fri, Sep 05, 2003 at 10:09:54AM +0200, Hank Nussbacher wrote:
| Continuing in my previous view of examining RIPE services and alternatives
| that are available:
|
| At the RIPE meeting, I saw http://dnsmon.ripe.net.

I heard that the idea is not novel but comes originally from Caida who
were seeking a broader measurement platform.
| How is this different than:
| http://www.caida.org/cgi-bin/dns_perf/main.pl
is not a very widespread platform (4 probes?)

| and
| http://www.cymru.com/DNS/dns.html
idem, and has a high smiley count.

Actually I think the NCC should keep on running this and other services,
because I have an explicit need to keep track of several large scale
operational matters and we have an established trust and feedback
mechanism in place from me (a LIR, RIPE member and TTM customer) to the
folks at the NCC, eg it is a company that I fully trust to do these
measurements in a proper manner. (I do not know anybody at Caida)

--
__________________
Kind regards, /\ ___/
Pim van Pelt /- \ _/
Business Internet Trends BV PBVP1-RIPE /--- \/
__________________

From henk at ripe.net Fri Sep 5 11:56:03 2003
From: henk at ripe.net (Henk Uijterwaal (RIPE-NCC))
Date: Fri, 5 Sep 2003 11:56:03 +0200 (CEST)
Subject: [ncc-services-wg] dnsmon - why?
Message-ID:

Hank,

> Continuing in my previous view of examining RIPE services and alternatives
> that are available:
>
> At the RIPE meeting, I saw http://dnsmon.ripe.net.
>
> How is this different than:
> http://www.caida.org/cgi-bin/dns_perf/main.pl and
> http://www.cymru.com/DNS/dns.html

First of all, the main difference is that dnsmon monitors root server and
ccTLD server performance from approximately 60 different locations all
over the world. The two projects you mention, only monitor performance
from 1 or a few points (3 or 4, all in the Western US), in the world.

With one measurement point, it is impossible to determine if any problem
is caused near the measurement point, somewhere in between or near the
root server. With 60 measurement points, one can easily determine if a
non-responding root server is caused by problems near the monitoring
point, the intermediate networks or near the root server. The
measurements done around the time of the slammer worm confirm this.

There is also the issue of support.
One of the projects you mention, is done by a University professor in his
spare time, with very little funding, lots of other obligations and no
guarantee that the project can continue for any time in the future. OTOH,
members of the DN* WG have indicated interest in a service that monitors
their services 24/7 on a professional basis.

The RIPE NCC already has staff and a highly automated system, to maintain
a measurement infrastructure. Adding dnsmon to their tasks, involves very
little additional work or other resources.

Related to this, several TLD's are prepared to provide a 'substantial
share' of the costs because publishing the data by the NCC is in their
interest as well as in the interest of the RIPE community.

Henk

------------------------------------------------------------------------------
Henk Uijterwaal                      Email: henk.uijterwaal at ripe.net
RIPE Network Coordination Centre     WWW: http://www.ripe.net/home/henk
P.O.Box 10096        Singel 258          Phone: +31.20.5354414
1001 EB Amsterdam    1016 AB Amsterdam   Fax: +31.20.5354445
The Netherlands      The Netherlands     Mobile: +31.6.55861746
------------------------------------------------------------------------------
That problem that we weren't having yesterday, is it better? (Big ISP NOC)

From andre.koopal at nld.mci.com Fri Sep 5 10:24:49 2003
From: andre.koopal at nld.mci.com (Andre Koopal)
Date: Fri, 5 Sep 2003 10:24:49 +0200
Subject: [ncc-services-wg] dnsmon - why?
In-Reply-To: <5.1.0.14.2.20030905100519.00ac86e0@max.att.net.il>
References: <5.1.0.14.2.20030905100519.00ac86e0@max.att.net.il>
Message-ID: <20030905082448.GF28658@hermelijn.ams.ops.eu.uu.net>

On Fri, Sep 05, 2003 at 10:09:54AM +0200, Hank Nussbacher wrote:
> Continuing in my previous view of examining RIPE services and alternatives
> that are available:
>
> At the RIPE meeting, I saw http://dnsmon.ripe.net.
>
> How is this different than:
> http://www.caida.org/cgi-bin/dns_perf/main.pl
> and
> http://www.cymru.com/DNS/dns.html
>
> Wouldn't it make sense to use these services to monitor country roots
> rather than create yet another new RIPE service?
>
> -Hank
>

If I have a quick look, and in my feeling the stats are quite different.

First of all, RIPE NCC, as the operator of k.root-servers.net needs some
stats for their operations so why not make them public.

Secondly the data is quite useful, and once the infrastructure is in place
it makes sense to use it for other nameservercomplexes as well.

Regards,

Andre Koopal
MCI

From randy at psg.com Fri Sep 5 17:39:22 2003
From: randy at psg.com (Randy Bush)
Date: Fri, 5 Sep 2003 08:39:22 -0700
Subject: [ncc-services-wg] dnsmon - why?
References: <5.1.0.14.2.20030905100519.00ac86e0@max.att.net.il>
Message-ID:

> Continuing in my previous view of examining RIPE services and alternatives
> that are available:
>
> At the RIPE meeting, I saw http://dnsmon.ripe.net.
>
> How is this different than:
> http://www.caida.org/cgi-bin/dns_perf/main.pl
> and
> http://www.cymru.com/DNS/dns.html
>
> Wouldn't it make sense to use these services to monitor country roots
> rather than create yet another new RIPE service?

at some ripe meeting or another, i presented a bit of research. in that
research, we conducted an experiment using some "BGP Beacons." within
weeks, ripe/ncc had set up a bunch of these beacons, in a fashion that
was not usable for our experiments and with no clear goal other than
ME TOO. to my knowledge, no researcher has used them to date. all i
could figure out was "if we hear of it, we must do it too."

randy

From peter.galbavy at knowtion.net Fri Sep 5 20:37:28 2003
From: peter.galbavy at knowtion.net (Peter Galbavy)
Date: Fri, 5 Sep 2003 19:37:28 +0100
Subject: [ncc-services-wg] dnsmon - why?
References: <5.1.0.14.2.20030905100519.00ac86e0@max.att.net.il>
Message-ID: <001601c373dc$c2ab9550$28e0a8c0@peteryw45760tp>

Randy Bush wrote:
> at some ripe meeting or another, i presented a bit of research. in
> that research, we conducted an experiment using some "BGP Beacons."
> within weeks, ripe/ncc had set up a bunch of these beacons, in a
> fashion that was not usable for our experiments and with no clear
> goal other than ME TOO. to my knowledge, no researcher
> has used them to date. all i could figure out was "if we hear of
> it, we must do it too."

... another handy thing to use some of that surplus budget and staff on
again. What has DNSMON got to do with assignment of IP & ASes ?

Peter

From henk at ripe.net Fri Sep 5 21:11:45 2003
From: henk at ripe.net (Henk Uijterwaal (RIPE-NCC))
Date: Fri, 5 Sep 2003 21:11:45 +0200 (CEST)
Subject: [ncc-services-wg] dnsmon - why?
In-Reply-To:
Message-ID:

Randy,

> at some ripe meeting or another, i presented a bit of research. in that
> research, we conducted an experiment using some "BGP Beacons." within
> weeks, ripe/ncc had set up a bunch of these beacons,

You were one of the people asking for this, quoting from the minutes
of the Rhodos meeting:

   Minutes Routing WG at RIPE43

   [...]

   C. Route Flap Damping: Harmful? (Randy Bush)

   [...]

   Route flap damping parameters may have to be revised, but more data
   are needed; Randy asks for help, need more BGP beacons installed.

> in a fashion that was not usable for our experiments

There are, at the moment, 5 beacons (or sets of beacons) worldwide. All 5
are set up slightly differently, and thus show different behavior, that
may or may not make them suitable for your specific experiment. And in
the paper you submitted to IMW2003, you even question yourself whether the
NCC beacon data is suitable for your studies or not.

Then, our beacon setup has been published but is in no way cast in stone.
If you want us to make changes, tell us WHAT you want changed.
In fact, this is already about to happen, we are currently discussing
changes in the beacon pattern with one of the co-authors of the 2 papers
mentioned above, including a pattern that can only be done with the RIS.

> and with no clear goal other than ME TOO.

Besides responding to the question raised by you, we spoke to several BGP
experts afterwards, and all seemed to agree that this was a good idea, so
we did it.

And before anybody complains that all this cost money, the beacons come
essentially for free with the RIS infrastructure, setting them up was half
an afternoon of work for 1 engineer, maintaining them is a matter of
minutes per week.

> to my knowledge, no researcher has used them to date.

You are wrong here, 1 thesis has been published about the data

   http://www.net.informatik.tu-muenchen.de/~sara/thesis/

and I know for a fact that 2 papers to be submitted to refereed
conferences are in the works.

Henk

------------------------------------------------------------------------------
Henk Uijterwaal                     Email: henk.uijterwaal at ripe.net
RIPE Network Coordination Centre    WWW: http://www.ripe.net/home/henk
P.O.Box 10096  Singel 258           Phone: +31.20.5354414
1001 EB Amsterdam  1016 AB Amsterdam  Fax: +31.20.5354445
The Netherlands  The Netherlands    Mobile: +31.6.55861746
------------------------------------------------------------------------------

That problem that we weren't having yesterday, is it better? (Big ISP NOC)

From hank at att.net.il Sat Sep 6 22:08:13 2003
From: hank at att.net.il (Hank Nussbacher)
Date: Sat, 06 Sep 2003 22:08:13 +0200
Subject: [ncc-services-wg] dnsmon - why?
In-Reply-To:
References:
Message-ID: <5.1.0.14.2.20030906220343.05080750@max.att.net.il>

At 09:11 PM 05-09-03 +0200, Henk Uijterwaal (RIPE-NCC) wrote:

>Besides responding to the question raised by you, we spoke to several BGP
>experts afterwards, and all seemed to agree that this was a good idea, so
>we did it.
>
>And before anybody complains that all this cost money, the beacons come
>essentially for free with the RIS infrastructure, setting them up was half
>an afternoon of work for 1 engineer, maintaining them is a matter of
>minutes per week.

The dnsmon service might be wonderful and better than anything out there
and I may even end up using it.

My point is that now that there is an ncc-services list, that the RIPE
NCC, whenever a new service is decided upon, that a message be sent to
the ncc-services list, giving a short description of the service, the
rationale for setting it up, and the estimated budget and manpower needed
to run the service.

This will save us all from having to monitor the 20 or so WG lists for
new services being planned and then finding out about it when it is too
late.

>Henk

-Hank

From daniel.karrenberg at ripe.net Sun Sep 7 20:36:20 2003
From: daniel.karrenberg at ripe.net (Daniel Karrenberg)
Date: Sun, 7 Sep 2003 20:36:20 +0200
Subject: [ncc-services-wg] dnsmon - why?
In-Reply-To:
References:
Message-ID: <20030907183619.GA1220@reifa.karrenberg.net>

On 05.09 21:11, Henk Uijterwaal (RIPE-NCC) wrote:
>
> ...
> and I know for a fact that 2 papers to be submitted to refereed
> conferences are in the works.

.... not to mention operational uses such as my study of anycasting
behavior before we deployed the first anycast instance of K; something
only possible with both the RIS and customised beacons.

Me too ;-)

Daniel

From axel.pawlik at ripe.net Mon Sep 8 07:49:20 2003
From: axel.pawlik at ripe.net (Axel Pawlik)
Date: Mon, 08 Sep 2003 07:49:20 +0200
Subject: [ncc-services-wg] dnsmon - why?
In-Reply-To: <5.1.0.14.2.20030906220343.05080750@max.att.net.il>
References:
Message-ID: <5.2.0.9.2.20030908074843.0261bcc0@localhost>

At 06/09/2003 22:08 +0200, Hank Nussbacher wrote:
>My point is that now that there is an ncc-services list, that the RIPE
>NCC, whenever a new service is decided upon, that a message be sent to the
>ncc-services list, giving a short description of the service, the
>rationale for setting it up, and the estimated budget and manpower needed
>to run the service.

Hank, all,

this is certainly something that I agree with.
And have said so earlier.

Axel

From engin at ripe.net Mon Sep 8 15:59:23 2003
From: engin at ripe.net (Engin Gunduz)
Date: Mon, 8 Sep 2003 15:59:23 +0200
Subject: [ncc-services-wg] summary of organisation object discussions
Message-ID: <20030908135923.GE31695@x47.ripe.net>

Dear Colleagues,

[apologies for duplicate messages, and for having misspelled
ncc-services-wg at ripe.net in the previous posting]

I'd like to summarise the discussions that took place in the last two
weeks in the working group mailing lists after the publication of the
organisation object proposal
( http://www.ripe.net/ripe/mail-archives/db-wg/2003/msg00159.html )
and after the presentation in the DB-WG session last week in RIPE 46
Meeting
( http://www.ripe.net/ripe/meetings/ripe-46/presentations/ripe46-db-organisation_object.pdf ).

1. "org:" attribute mandatory or optional in aut-num objects?

The proposal mentioned above specified "org:" attribute in aut-num
objects to be mandatory. However, often LIRs request an ASN for their
customers and the RIPE NCC does not have enough information for them to
fill in an organisation object completely. Rather than putting invalid
information on the whois database, the RIPE NCC thinks it is better to
make "org:" attribute optional in aut-nums.

2. "org:" attribute multi- or single-valued?

The proposal specified "org:" attribute single-valued in all objects.
During the discussions in the DB WG, commentors from the audience stated
that in some cases a person object works for more than one company, thus
one might want to put multiple "org:" attributes in his/her person
object. Similar reasoning could apply to other object types as well.
However, the "org:" object specifies the holder of an Internet resource
in inetnum, inet6num and aut-num objects, thus it must be single-valued
in these objects. For the rest of the objects, we propose to modify the
rule so it can be multi-valued.

3. addition of "mnt-ref:" attribute.

The proposal suggested the use of "mnt-by:" attribute for both
authorisation of modification of the organisation object and the
authorisation of adding a reference to the organisation object from
other objects. This has a shortcoming when the organisation object is
protected by an entity other than the organisation itself (for example,
an LIR, whose organisation object is protected by the RIPE NCC). We
would propose to introduce mandatory "mnt-ref:" attribute to control the
references to the organisation object, while "mnt-by:" protects the
organisation object itself, as usual.

4. "org:" attribute in the organisation object itself.

The proposal suggested the use of "org:" attribute in non-organisation
objects. I think it could be used in organisation objects as well, to
indicate business relations like being a dependent company to another
one.

5. "business-id:" attribute.

It was suggested to add an attribute to specify the national
organisation number or VAT number or a similar ID of the organisation.
While we see the point in this, we feel it needs some more discussion.
It can be added to the organisation object after its introduction.

6. changing the meaning of '-r' flag.

The proposal suggested that, when a query returns an object with an
"org:" attribute, the organisation objects mentioned in this attribute
be appended to the query results. This behaviour can be changed by using
'-r' flag in the query.
This idea was based on the fact that the "org:" attribute is at least as
relevant to the resource as the "admin-c:", "tech-c:" and "zone-c:"
attributes as contact information. Thus, if we return person/role
objects mentioned in the query results, we should also return the
organisation objects. Basically, the proposed behaviour maintains the
consistency.

During the discussions it was proposed to change the default behaviour
of whois server, and change the meaning of '-r' flag, so that
 - the server does not 'expand' "admin-c:", "tech-c:" and "zone-c:"
   attributes, nor "org:" attribute by default,
 - and it expands them only when '-r' flag is used.

This can separately be discussed, however, I think this is out of the
scope of organisation object.

I hope I did not miss any other issues. If these points are OK, we will
prepare another proposal for organisation object and publish it.

Best regards,
--
Engin Gunduz
RIPE NCC Database Group

From kurtis at kurtis.pp.se Mon Sep 8 22:50:49 2003
From: kurtis at kurtis.pp.se (Kurt Erik Lindqvist)
Date: Mon, 8 Sep 2003 22:50:49 +0200
Subject: [ncc-services-wg] dnsmon - why?
In-Reply-To: <5.2.0.9.2.20030908074843.0261bcc0@localhost>
Message-ID: <206D1A29-E23E-11D7-A6BA-000A95880ECC@kurtis.pp.se>

On Monday, Sep 8, 2003, at 07:49 Europe/Stockholm, Axel Pawlik wrote:

> At 06/09/2003 22:08 +0200, Hank Nussbacher wrote:
>> My point is that now that there is an ncc-services list, that the
>> RIPE NCC, whenever a new service is decided upon, that a message be
>> sent to the ncc-services list, giving a short description of the
>> service, the rationale for setting it up, and the estimated budget
>> and manpower needed to run the service.
>
> Hank, all,
>
> this is certainly something that I agree with.
> And have said so earlier.

This is to my knowledge one of the intents of the working group. As was
also said in Amsterdam by both me and Axel. I took away two things from
the WG meetings

1) We need to go through the activity plan in detail.
At least then we might get the people awake to know about it - and
_then_ we can have useful discussions (nothing intended to the people
that _did_ talk. You were just very few....).

2) We need a more detailed financial walk-through matching the activity
plan.

I talked briefly to Axel in the hallway afterwards and he seemed
positive to this.

Best regards,

- kurtis -

From hank at att.net.il Wed Sep 10 10:19:22 2003
From: hank at att.net.il (Hank Nussbacher)
Date: Wed, 10 Sep 2003 10:19:22 +0200
Subject: [ncc-services-wg] New service: ip2asn
In-Reply-To:
References:
Message-ID: <5.1.0.14.2.20030910101427.00aaa3d8@max.att.net.il>

Another new service I'd like to discuss is the TTM ip2asn service as
presented at RIPE-46:
http://www.ripe.net/ripe/meetings/ripe-46/presentations/ripe46-tt-as-traceroutes.pdf

I know of 4 other methods for doing ip2asn conversions (permission
received from each to supply this info):

--------------------------------------
From: robt at cymru.com

We have one that is somewhat quick and really very dirty. :) I've
shared it with a few folks, so I'll share it with the full list now.
It depends on the Perl Cisco Telnet module and access to a BGP-savvy
router. You will find it at the following URL:

It's not pretty, but it works. Feel free to modify it as you see fit,
and you may share it with anyone. Comments welcome!

Thanks,
Rob, for Team Cymru.
--
Rob Thomas

--------------------------------------
From: j.green at ukerna.ac.uk

First you need a source of routing information
(http://archive.routeviews.org/)

This then needs to be parsed. I either use parse_bgp_dump from CAIDA
(and run "'sh ip bgp' format RIBs" through it), or use
http://www.bugged.org/download/misc/bgpparser.c (after tweaking the
defines to extract the correct fields) and pass "MRT format RIBs"
through it.

CAIDA merges multiple origins into a generic entry, whereas bgpparser
creates multiple entries.

Either way you want a file with

a.b.c.d/e AS
...
a.b.c.d/e AS

Then use something like Net::Patricia to lookup the AS for an IP
address. The only slow thing seems to be reading in the file into memory
(I guess you could daemonise it, or use a more parse efficient storage
format if this matters).

There are some scripts from a while back at http://kaizo.us/girona/bgp/

bgpparse.tar is the relevant bits out of CAIDA's larger package.
aslookup.pl is a very simple perl script
route-table is a parsed version of the data from routeviews from June.

Hope this helps

John
JANET-CERT

-------------------------------------------
From: joe at oregon.uoregon.edu

Because a number of people have expressed an interest in an IP->ASN DNS
zone, if you're interested, the Routeviews project now has a test/static
asn zone up that you can try, e.g.:

% dig @archive.routeviews.org 13.142.223.128.asn.routeviews.org txt
[snip]
;; ANSWER SECTION:
13.142.223.128.asn.routeviews.org. 86400 IN TXT "3582"
[snip]

% dig @archive.routeviews.org 109.131.229.169.asn.routeviews.org txt
[snip]
;; ANSWER SECTION:
109.131.229.169.asn.routeviews.org. 86400 IN TXT "25"
[snip]

That was the original format. It now works as follows:

% host -t txt 35.32.223.128.asn.routeviews.org
35.32.223.128.asn.routeviews.org text "3582" "128.223.0.0" "16"

In addition to being able to get the stub ASN, a second zone will also
let you get the AS path associated with a specific dotted quad. For
example:

% host -t txt 122.3.15.66.aspath.routeviews.org
122.3.15.66.aspath.routeviews.org text "2497 3356 1 189" "66.15.3.0" "24"
122.3.15.66.aspath.routeviews.org text "2497 3356 1" "66.15.0.0" "17"

In parsing what's returned, be sure to plan to accommodate the
possibility that you may get multiple records returned for a single
query.

Thanks,

Joe St Sauver (joe at oregon.uoregon.edu)
University of Oregon Computing Center

-----------------------------------------------
From: gillsr at yahoo.com

www.qorbit.net/code/ip2asn-v1.1.tar.gz

ip2asn-coral.pl - very fast, uses Caida's Coral Reef package, requires
route table dump. Initial load takes a bit to read route-file.

ip2asn-server.pl - slower, requires a route-server, preferably one that
supports 'show ip bgp $ip/32 shorter' syntax.

---------------------------------------------

Can the RIPE NCC TTM group explain why such a service is needed when
there are other packages available that do similar things? Slide #2
seems to state that you want a traceroute that includes the ASN.
Slide #14 states "RIPE-NCC will set up an IP-AS mapping service with
something like "traceroute -A". How will this be different than a
standard traceroute from any Cisco router:

TAU-gp1#trace www.cisco.com
Translating "www.cisco.com"...domain server (128.139.6.1) [OK]

Type escape sequence to abort.
Tracing the route to www.cisco.com (198.133.219.25)

  1 iucc.il1.il.geant.net (62.40.103.225) [AS 20965] 0 msec 0 msec 0 msec
  2 il.nl1.nl.geant.net (62.40.96.117) [AS 20965] 68 msec 64 msec 68 msec
  3 nl.de1.de.geant.net (62.40.96.101) [AS 20965] 72 msec 72 msec 72 msec
  4 so-7-0-0.ar2.FRA2.gblx.net (208.48.23.145) [AS 3549] 72 msec 72 msec 72 msec
  5 pos5-0-2488M.cr2.FRA2.gblx.net (67.17.65.53) [AS 3549] 72 msec 72 msec 72 msec
  6 so0-0-0-2488M.cr2.LON3.gblx.net (67.17.64.38) [AS 3549] 84 msec 80 msec 80 msec
  7 so7-0-0-2488M.ar2.LON3.gblx.net (67.17.66.30) [AS 3549] 88 msec 84 msec 80 msec
  8 sl-bb21-lon-1-3.sprintlink.net (213.206.131.25) [AS 1239] 88 msec 88 msec 88 msec
  9 sl-bb21-tuk-10-0.sprintlink.net (144.232.19.69) [AS 1239] 164 msec 164 msec 164 msec
 10 sl-bb20-tuk-15-0.sprintlink.net (144.232.20.132) [AS 1239] 164 msec 164 msec 168 msec
 11 sl-bb21-rly-15-1.sprintlink.net (144.232.20.120) [AS 1239] 168 msec 172 msec 164 msec
 12 sl-bb23-rly-11-0.sprintlink.net (144.232.14.134) [AS 1239] 164 msec 176 msec 168 msec
 13 sl-bb20-rly-9-0.sprintlink.net (144.232.14.117) [AS 1239] 176 msec 168 msec 172 msec
 14 sl-bb25-sj-5-3.sprintlink.net (144.232.20.57) [AS 1239] 296 msec 228 msec 228 msec
 15 sl-gw11-sj-10-0.sprintlink.net (144.232.3.134) [AS 1239] 232 msec 228 msec 232 msec
 16 sl-ciscopsn2-11-0-0.sprintlink.net (144.228.44.14) [AS 1239] 220 msec 220 msec 224 msec
 17 sjce-dirty-gw1.cisco.com (128.107.239.89) [AS 109] 228 msec 224 msec 224 msec
 18 sjck-sdf-ciod-gw2.cisco.com (128.107.239.102) [AS 109] 228 msec 228 msec 228 msec
 19 * www.cisco.com (198.133.219.25) [AS 109] 236 msec *

Thanks,
Hank

From Michael.Dillon at radianz.com Wed Sep 10 11:10:56 2003
From: Michael.Dillon at radianz.com (Michael.Dillon at radianz.com)
Date: Wed, 10 Sep 2003 10:10:56 +0100
Subject: [ncc-services-wg] RIPE tasks
Message-ID:

>> Indeed the board has been exploring how to allow as many members as possible
>> to vote. I am afraid our legal counsel advised us that electronic voting is
>> not legal in the Netherlands, and the current proxy mechanism is the only viable
>> form.

>- In Norway public votes on important questions (like joining the EU or
>not) does not have a legal foundation - they are only advisory to the
>parliament.

This type of an advisory voting process is often called polling or
"opinion polling".

Imagine the following scenario.

1. RIPE NCC publishes an omnibus plan that will be voted on at the AGM.
This plan is composed of several distinct items that have been grouped
together for the single approval vote.

2. RIPE NCC sets up a website which allows registered RIPE members to
express their opinion of each of the distinct elements of the omnibus
plan. Because this is an electronic opinion poll, the choices are more
than simply yes or no. Probably it would be best to have 5 choices
(Strongly Disagree, Disagree, Don't Care, Agree, Strongly Agree).
And because it is an opinion poll, each registered RIPE member can
change their entries any time up to the day before the AGM.

3. The day before the AGM, RIPE NCC compiles the results of the opinion
poll into a short simple graphical presentation.

4. At the AGM, the poll results are presented early in the agenda as an
information only item with no discussion. There should be at least an
hour between the presentation of poll results and the vote on the
omnibus plan to ensure that people do not confuse the two items. They
are separate things.

This accomplishes two things. First, it gives people an opportunity to
express their opinions on planned actions and to see the opinions of
other RIPE members. It isn't as detailed as the KPMG study, but it is
better than nothing at all. Secondly, this satisfies the request for
electronic/Internet participation in the decision-making process and
should be acceptable under Netherlands law.

It will also show how much real demand there is for member participation
because if members don't use the opinion polling system then they really
don't care what RIPE NCC does with their money.

--Michael Dillon

From daniel.karrenberg at ripe.net Wed Sep 10 11:17:46 2003
From: daniel.karrenberg at ripe.net (Daniel Karrenberg)
Date: Wed, 10 Sep 2003 11:17:46 +0200
Subject: [ncc-services-wg] Re: dnsmon / .org
In-Reply-To: <200309100258.h8A2w7JY014039@aunt.gaertner.de>
References: <200309100258.h8A2w7JY014039@aunt.gaertner.de>
Message-ID: <20030910091746.GA2737@reifa.karrenberg.net>

[sorry about the useless re-post to dns-wg, finger trouble ....]

On 10.09 04:58, Joerg Schumacher wrote:
> ...
> Mind adding the nameservers for .ORG to the monitoring? I'd be
> interested in the effects of the recent change in the root zone.
> Having only two nameservers for a tld and both of them in a single AS
> makes me kind of nervous.
> ...

Further reflection yielded:

While we so far have only monitored TLDs with whom we have some contact,
we can certainly also monitor any TLD if there is an expressed interest
from the RIPE community. Technically this is no problem at all.
Configuring it takes all of 5 minutes and even the alpha version
of the analysis web site on the development server box can easily take
the load.

However there is a more principle problem and that is why I copied
ncc-services:

Currently there is a heated debate about (new) NCC services and their
cost. One question asked over and over again there is: Why should NCC
members pay for this service? For dnsmon my answer is that they are
interested in seeing the data, just like Joerg; they are also interested
that the data is collected professionally and neutrally, so that they
can point all sorts of people to it. Most importantly they can use it
to take action if TLD service, a service vital to their business, should
not be adequate. So very generally this data helps to keep the DNS
stable in a number of ways; that benefits the whole community in general
and the RIPE NCC membership in particular.

However, quite obviously, the TLD administrators concerned also benefit
from this data. They can use it directly to monitor their operations.
They can also use it in the same way as the NCC membership: they can
point third parties to it and say that independent and professional
measurements show that they are doing a good job. So why should they
not pay a fair share of the cost? So far the TLDs we monitor have
agreed informally to do that, once the service becomes fully operational.

I have had a number of questions like Joerg's already for all gTLDs
besides .MIL. I see little chance that we can get them all to agree to
pay a share of the cost. I also see that the overhead of making
agreements with some of the organisations involved can be prohibitive.
If there is interest from the RIPE community it is easy to monitor these
domains.
However it is very difficult to do it for some for free and
ask the others to pay. So doing that may lead to a situation where the
RIPE NCC membership ends up paying the whole bill. I would actually
like that because it makes the measurements even more independent
and I would not have to invest time into making agreements with the TLD
admins, billing, etc. pp.

But is this acceptable to the RIPE NCC membership in the long run?

Comments please!

Daniel

From hank at att.net.il Wed Sep 10 12:18:04 2003
From: hank at att.net.il (Hank Nussbacher)
Date: Wed, 10 Sep 2003 12:18:04 +0200
Subject: [ncc-services-wg] Re: dnsmon / .org
In-Reply-To: <20030910091746.GA2737@reifa.karrenberg.net>
References: <200309100258.h8A2w7JY014039@aunt.gaertner.de> <200309100258.h8A2w7JY014039@aunt.gaertner.de>
Message-ID: <5.1.0.14.2.20030910121619.00b2b148@max.att.net.il>

At 11:17 AM 10-09-03 +0200, Daniel Karrenberg wrote:

My view:

RIPE NCC should only monitor those ccTLDs that are LIRs or that their
LIR is willing to endorse.

-Hank

>[sorry about the useless re-post to dns-wg, finger trouble ....]
>
>On 10.09 04:58, Joerg Schumacher wrote:
> > ...
> > Mind adding the nameservers for .ORG to the monitoring? I'd be
> > interested in the effects of the recent change in the root zone.
> > Having only two nameservers for a tld and both of them in a single AS
> > makes me kind of nervous.
> > ...
>
>Further reflection yielded:
>
>While we so far have only monitored TLDs with whom we have some contact,
>we can certainly also monitor any TLD if there is an expressed interest
>from the RIPE community. Technically this is no problem at all.
>Configuring it takes all of 5 minutes and even the alpha version
>of the analysis web site on the development server box can easily take
>the load.
>
>However there is a more principle problem and that is why I copied
>ncc-services:
>
>Currently there is a heated debate about (new) NCC services and their
>cost. One question asked over and over again there is: Why should NCC
>members pay for this service? For dnsmon my answer is that they are
>interested in seeing the data, just like Joerg; they are also interested
>that the data is collected professionally and neutrally, so that they
>can point all sorts of people to it. Most importantly they can use it
>to take action if TLD service, a service vital to their business, should
>not be adequate. So very generally this data helps to keep the DNS
>stable in a number of ways; that benefits the whole community in general
>and the RIPE NCC membership in particular.
>
>However, quite obviously, the TLD administrators concerned also benefit
>from this data. They can use it directly to monitor their operations.
>They can also use it in the same way as the NCC membership: they can
>point third parties to it and say that independent and professional
>measurements show that they are doing a good job. So why should they
>not pay a fair share of the cost? So far the TLDs we monitor have
>agreed informally to do that, once the service becomes fully operational.
>
>I have had a number of questions like Joerg's already for all gTLDs
>besides .MIL. I see little chance that we can get them all to agree to
>pay a share of the cost. I also see that the overhead of making
>agreements with some of the organisations involved can be prohibitive.
>If there is interest from the RIPE community it is easy to monitor these
>domains. However it is very difficult to do it for some for free and
>ask the others to pay. So doing that may lead to a situation where the
>RIPE NCC membership ends up paying the whole bill. I would actually
>like that because it makes the measurements even more independent
>and I would not have to invest time into making agreements with the TLD
>admins,
>billing, etc. pp.
>
>But is this acceptable to the RIPE NCC membership in the long run?
>
>Comments please!
>
>Daniel

From daniel.karrenberg at ripe.net Wed Sep 10 11:36:04 2003
From: daniel.karrenberg at ripe.net (Daniel Karrenberg)
Date: Wed, 10 Sep 2003 11:36:04 +0200
Subject: [ncc-services-wg] Re: dnsmon / .org
In-Reply-To: <5.1.0.14.2.20030910121619.00b2b148@max.att.net.il>
References: <200309100258.h8A2w7JY014039@aunt.gaertner.de> <200309100258.h8A2w7JY014039@aunt.gaertner.de> <5.1.0.14.2.20030910121619.00b2b148@max.att.net.il>
Message-ID: <20030910093604.GC2737@reifa.karrenberg.net>

On 10.09 12:18, Hank Nussbacher wrote:

> RIPE NCC should only monitor those ccTLDs that are LIRs or that their LIR
> is willing to endorse. -Hank

I like the principle. However ....

How would this endorsement be determined?

Doing it simple-mindedly potentially leads to a *very* long list of
domains to monitor, and not only (cc)TLDs.

Daniel

From daniel.karrenberg at ripe.net Wed Sep 10 11:46:59 2003
From: daniel.karrenberg at ripe.net (Daniel Karrenberg)
Date: Wed, 10 Sep 2003 11:46:59 +0200
Subject: [ncc-services-wg] Re: [dns-wg] Re: dnsmon / .org
In-Reply-To:
References: <200309100258.h8A2w7JY014039@aunt.gaertner.de> <20030910091746.GA2737@reifa.karrenberg.net>
Message-ID: <20030910094658.GD2737@reifa.karrenberg.net>

On 10.09 11:35, Brad Knowles wrote:
> ...
> If you are concerned about the cost, you could place a copyright
> on the collected data so that re-use for RIPE NCC members does not
> incur an additional charge, and perhaps allow academic re-use by
> non-RIPE NCC members to likewise be without fee, but for-profit
> non-RIPE NCC members would be required to contact you first and
> arrange to pay a fee if they wanted to reuse the data or the results.

The whole point is that a detailed analysis of the data published
for all to see. I cannot see how to apply copyright in this environment.

Daniel

From ulrich.kiermayr at univie.ac.at Wed Sep 10 11:48:52 2003
From: ulrich.kiermayr at univie.ac.at (Ulrich Kiermayr)
Date: Wed, 10 Sep 2003 11:48:52 +0200
Subject: [ncc-services-wg] Re: dnsmon / .org
In-Reply-To: <20030910093604.GC2737@reifa.karrenberg.net>
References: <200309100258.h8A2w7JY014039@aunt.gaertner.de> <200309100258.h8A2w7JY014039@aunt.gaertner.de> <5.1.0.14.2.20030910121619.00b2b148@max.att.net.il> <20030910093604.GC2737@reifa.karrenberg.net>
Message-ID: <3F5EF384.2090807@univie.ac.at>

Daniel Karrenberg wrote:
> On 10.09 12:18, Hank Nussbacher wrote:
>
>
>>RIPE NCC should only monitor those ccTLDs that are LIRs or that their LIR
>>is willing to endorse. -Hank
>
>
> I like the principle. However ....
>
> How would this endorsement be determined?
>
> Doing it simple-mindedly potentially leads to a *very* long list of
> domains to monitor, and not only (cc)TLDs.

my 0.02 EUR:

So what about monitoring the (cc)TLDs as a Service paid by the
Membership, since these are the most relevant for the stability of the
net, and sell it for 2+ Level domains?

Kind regards,
uk

--
------------------------------------------------------------------------
Ulrich Kiermayr   Zentraler Informatikdienst der Universitaet Wien
Network Security  Universitaetsstrasse 7, 1010 Wien, Austria
------------------------------------------------------------------------
eMail: ulrich.kiermayr at univie.ac.at  Tel: (+43 1) 4277 / 14104
Hotline: security.zid at univie.ac.at   Fax: (+43 1) 4277 / 9140
Web: http://www.univie.ac.at/zid/security.html
------------------------------------------------------------------------
GPG Key fingerprint = BF0D 5749 4DC1 ED74 AB67 7180 105F 491D A8D7 64D8

From brad.knowles at skynet.be Wed Sep 10 11:35:35 2003
From: brad.knowles at skynet.be (Brad Knowles)
Date: Wed, 10 Sep 2003 11:35:35 +0200
Subject: [ncc-services-wg] [dns-wg] Re: dnsmon / .org
In-Reply-To: <20030910091746.GA2737@reifa.karrenberg.net>
References: <200309100258.h8A2w7JY014039@aunt.gaertner.de> <20030910091746.GA2737@reifa.karrenberg.net>
Message-ID:

At 11:17 AM +0200 2003/09/10, Daniel Karrenberg wrote:

> So doing that may lead to a situation where the
> RIPE NCC membership ends up paying the whole bill. I would actually
> like that because it makes the measurements even more independent
> and I would not have to invest time into making agreements with the
> TLD admins, billing, etc. pp.
>
> But is this acceptable to the RIPE NCC membership in the long run?
>
> Comments please!

I'm not a paying member of RIPE NCC, so my views don't count.

However, I would like to see this sort of monitoring extended by RIPE
NCC to all available TLDs, paid for by RIPE NCC. Indeed, I am moving
closer to having my own co-lo, and once I do I plan on setting up my own
monitoring tools for all TLDs, for my own purposes. I'll probably extend
that to sharing lame delegation data with Rob Thomas, etc....

If you are concerned about the cost, you could place a copyright on the
collected data so that re-use for RIPE NCC members does not incur an
additional charge, and perhaps allow academic re-use by non-RIPE NCC
members to likewise be without fee, but for-profit non-RIPE NCC members
would be required to contact you first and arrange to pay a fee if they
wanted to reuse the data or the results.

At that point, it basically comes down to how much enforcement of the
copyright you would want to participate in, and how you could make the
fee payment scheme at least cover its own administrative costs.

--
Brad Knowles,

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
    -Benjamin Franklin, Historical Review of Pennsylvania.

GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E-(---) W+++(--) N+
!w--- O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++)
tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)

From daniel.karrenberg at ripe.net Wed Sep 10 11:55:53 2003
From: daniel.karrenberg at ripe.net (Daniel Karrenberg)
Date: Wed, 10 Sep 2003 11:55:53 +0200
Subject: [ncc-services-wg] Re: dnsmon / .org
In-Reply-To: <3F5EF384.2090807@univie.ac.at>
References: <200309100258.h8A2w7JY014039@aunt.gaertner.de> <200309100258.h8A2w7JY014039@aunt.gaertner.de> <5.1.0.14.2.20030910121619.00b2b148@max.att.net.il> <20030910093604.GC2737@reifa.karrenberg.net> <3F5EF384.2090807@univie.ac.at>
Message-ID: <20030910095553.GE2737@reifa.karrenberg.net>

[I have pruned this to ncc-services]

On 10.09 11:48, Ulrich Kiermayr wrote:
> ...
> So what about monitoring the (cc)TLDs as a Service paid by the
> Membership, since these are the most relevant for the stability of the
> net, and sell it for 2+ Level domains?

Wow! The RIPE NCC doing a commercial service.
That opens all sorts of snake pits like:

 - do we remain not-for-profit
 - independence
 - stability

I think this is best done outside the NCC.

Daniel

From mike.norris at heanet.ie Wed Sep 10 12:47:42 2003
From: mike.norris at heanet.ie (Mike Norris)
Date: Wed, 10 Sep 2003 11:47:42 +0100
Subject: [ncc-services-wg] Re: dnsmon / .org
Message-ID: <1948D86456DFD511883900306E1C5B97608B28@exchange.heanet.ie>

> I have had a number of questions like Joerg's already for all gTLDs
> besides .MIL. I see little chance that we can get them all to agree to
> pay a share of the cost. I also see that the overhead of making
> agreements with some of the organisations involved can be prohibitive.
> If there is interest from the RIPE community it is easy to monitor these
> domains. However it is very difficult to do it for some for free and
> ask the others to pay. So doing that may lead to a situation where the
> RIPE NCC membership ends up paying the whole bill. I would actually
> like that because it makes the measurements even more independent
> and I would not have to invest time into making agreements with the TLD admins,
> billing, etc. pp.

I agree; if people want accuracy and integrity, the measurements have to
be taken independently.

Mike Norris

From randy at psg.com Wed Sep 10 14:00:27 2003
From: randy at psg.com (Randy Bush)
Date: Wed, 10 Sep 2003 05:00:27 -0700
Subject: [ncc-services-wg] Re: dnsmon / .org
References: <200309100258.h8A2w7JY014039@aunt.gaertner.de> <5.1.0.14.2.20030910121619.00b2b148@max.att.net.il>
Message-ID:

> RIPE NCC should only monitor those ccTLDs that are LIRs or that
> their LIR is willing to endorse.

as a lot of folk, whose primary mission it is, monitor, it is not
clear to me why the ncc monitors at all.
the philosophy that the ncc should provide all the services that we use devolves into ncc making shoes and shirts for us all too. the net works on de-centralization and distributed cooperation and trust. time and again, centralization has been sub-optimal or failed.

randy

From clive at demon.net Wed Sep 10 12:05:02 2003
From: clive at demon.net (Clive D.W. Feather)
Date: Wed, 10 Sep 2003 11:05:02 +0100
Subject: [ncc-services-wg] Re: [dns-wg] Re: dnsmon / .org
In-Reply-To: <20030910094658.GD2737@reifa.karrenberg.net>
References: <200309100258.h8A2w7JY014039@aunt.gaertner.de> <20030910091746.GA2737@reifa.karrenberg.net> <20030910094658.GD2737@reifa.karrenberg.net>
Message-ID: <20030910100502.GP27212@finch-staff-1.thus.net>

Daniel Karrenberg said:
> > If you are concerned about the cost, you could place a copyright
> > on the collected data so that re-use for RIPE NCC members does not
> > incur an additional charge, and perhaps allow academic re-use by
> > non-RIPE NCC members to likewise be without fee, but for-profit
> > non-RIPE NCC members would be required to contact you first and
> > arrange to pay a fee if they wanted to reuse the data or the results.
>
> The whole point is that a detailed analysis of the data published
> for all to see. I cannot see how to apply copyright in this environment.

Quite easily. Something like this:

    This data is the copyright of RIPE NCC. A non-exclusive licence is granted to RIPE NCC members for their internal use. A non-exclusive licence is granted for use by any person for non-commercial purposes. In both cases there is no charge for use of the data but it must not be re-published without separate agreement.

    This does not prevent publication of any other work done making use of this data but not including it.

    All other rights are reserved.

[IANAL, but I understand the principles involved. A Dutch lawyer can no doubt make it formally correct.]

-- Clive D.W.
Feather | Work: | Tel: +44 20 8495 6138
Internet Expert | Home: | *** NOTE CHANGE ***
Demon Internet | WWW: http://www.davros.org | Fax: +44 870 051 9937
Thus plc | | Mobile: +44 7973 377646

From brad.knowles at skynet.be Wed Sep 10 12:39:10 2003
From: brad.knowles at skynet.be (Brad Knowles)
Date: Wed, 10 Sep 2003 12:39:10 +0200
Subject: [ncc-services-wg] Re: [dns-wg] Re: dnsmon / .org
In-Reply-To: <20030910094658.GD2737@reifa.karrenberg.net>
References: <200309100258.h8A2w7JY014039@aunt.gaertner.de> <20030910091746.GA2737@reifa.karrenberg.net> <20030910094658.GD2737@reifa.karrenberg.net>
Message-ID:

At 11:46 AM +0200 2003/09/10, Daniel Karrenberg wrote:

>> If you are concerned about the cost, you could place a copyright
>> on the collected data so that re-use for RIPE NCC members does not
>> incur an additional charge, and perhaps allow academic re-use by
>> non-RIPE NCC members to likewise be without fee, but for-profit
>> non-RIPE NCC members would be required to contact you first and
>> arrange to pay a fee if they wanted to reuse the data or the results.
>
> The whole point is that a detailed analysis of the data published
> for all to see. I cannot see how to apply copyright in this environment.

You can apply copyright both to the collection of the data, and to the compilation of the data.

Telephone companies publish directories with a certain number of known false entries. If another telephone company comes along and wholesale copies the data, they get the false entries along with the good ones. The copyright owner can then look for the known false entries, and if they see them, then they can prove that the other company illegally copied the data.

You wouldn't want to publish any known false entries, but you can still claim copyright on the compilation of the data, and the analysis you apply.

That is, if you want to. You don't have to.
But this would be one potential way to allow people who should have free access to the data to do so, while also requiring that those who can afford it to pay their fair share.

--
Brad Knowles,

"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
    -Benjamin Franklin, Historical Review of Pennsylvania.

GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E-(---) W+++(--) N+ !w--- O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++) tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)

From daniel.karrenberg at ripe.net Wed Sep 10 15:50:01 2003
From: daniel.karrenberg at ripe.net (Daniel Karrenberg)
Date: Wed, 10 Sep 2003 15:50:01 +0200
Subject: [ncc-services-wg] Re: [dns-wg] Re: dnsmon / .org
In-Reply-To: <25372.1063191695@gromit.rfc1035.com>
References: <20030910091746.GA2737@reifa.karrenberg.net> <25372.1063191695@gromit.rfc1035.com>
Message-ID: <20030910135001.GB3556@reifa.karrenberg.net>

Jim,

[I agree it would be better to have this discussion (again) in ncc-services. I have copied it there and encourage people to reply there only.]

I could write a reply rant about the individual points in your rant but the main difference of opinion we have is about the mission of the RIPE NCC. This mission is broader than just being a RIR:

"The mission of the RIPE NCC is to perform activities for the benefit of the membership, primarily activities that the members need to organise as a group, although they may be competing with each other in other areas. While an activity may result in services being provided to an individual member, performing the activity as a whole must benefit the RIPE NCC membership as a group. Membership is open to anyone using the RIPE NCC services. The activities and services of the RIPE NCC are defined, performed, discussed and evaluated in an open manner.
In all of its activities, the RIPE NCC observes strict neutrality and impartiality in regard to individual members."

Monitoring DNS and gathering Internet statistics has always been a part of these activities from the very first activity plan in 1991. See ftp://ftp.ripe.net/ripe/docs/ripe-035.txt

Of course the activities themselves come and go and those that stay change shape. However the NCC is, and has always been, more than a place that just registers numbers.

Daniel

------

Ah, well I'll rant back just for the heck of it. My main point is above. read on at your own risk.

Rant-Warning: Moderate to Severe from Varying Directions

On 10.09 12:01, Jim Reid wrote:
>
> To be honest Daniel, I think your mail indicates the way RIPE NCC
> seems to have lost sight of its raison d'etre. Why is an RIR -- whose
> main (only?) job is to hand out IP addresses and AS numbers -- getting
> into other areas that are clearly outside its core business?

See above. The NCC is not getting into them it has been there all the time. It is not the RIPE NCC that is changing but it is *you* proposing a change.

> ARIN and
> APNIC are providing that core service to their regions with a fraction
> of the staff that the NCC has.

Fraction yes, but not a very small one and not orders of magnitude. Also it appears to me after a quick glance at the ARIN and APNIC web sites that the RIPE NCC fees are very comparable to the fees of the other RIRs, actually slightly lower in many categories.

> IMO, there must be complete transparency about non-core activities at
> the NCC.

I agree completely.

> These things should be seen to be self-funding or else making
> a profit to reduce the costs of the core services and/or membership
> fees. If they're not, there will be a suspicion that it's the other
> way round. ie Income from the NCC's monopoly operations are
> cross-subsidising these non-core activities.

For maximum independence the membership fees should cover all activities.
> Now I know you'll say that NCC does these other things as "a benefit
> to the community" and "the membership has approved them". I'm not so
> sure that either of these things are really true. Has a majority of
> the *membership* -- not those who turn up for the AGM or take the time
> to vote -- ever approved the activity plan?

I beg to disagree. Opener than RIPE NCC and RIPE is hardly possible. If people choose not to participate there is little one can do. One of my major frustrations, past and present.

> Has the activity plan ever
> said something like "non-core activity X costs Y. If it is dropped.
> the membership fees can be reduced by Z. Do you want to pay for X?"?

This is very hard to do since activities are so interdependent. The budget gives a general idea of the relative sizes though.

> Take DNS hosting for instance. RIPE NCC provides free service to any
> TLD that asks. That's fine for poor countries with weak infrastructure.
> Nobody should dispute that helping them is a good and noble thing and
> that NCC should be doing that. But serving anyone else means those
> TLDs are conditioned into getting something for nothing. They get into
> a mindset that they shouldn't have to pay for DNS service or arrange
> proper contracts, set up SLAs, put servers in decent IXPs, etc. In
> short, they don't need to take their responsibilities seriously. That
> has to be a Very Bad Thing in the long run. Then there's the issue
> about having so much important DNS stuff on ns.ripe.net. That's a Very
> Bad Thing too, though I know you disagree with me on this.

I see your point and I actually agree, but you have to put it into historic perspective too. There were no commercial offerings when we started this and none were expected any time soon. This activity has helped DNS stability enormously over a long period. And what about our rescue of ns.eu.net? As a matter of fact most bigger TLDs are no longer using either. So the market works.
We are not marketing or improving it. But does that mean we have to shut this down now? When?

> Here's another example of how NCC crossed the line IMO. The NCC was
> involved in the development of NSD. Fair enough, you might think. The
> gene pool of DNS software is too small. So having another DNS
> implementation is good, so this was/is a benefit to the community.
> However one of the NCC's members -- my former employer, Nominum --
> was/is selling its own DNS implementation. So Nominum's money in
> membership fees was and is used to fund the NCC to develop software
> that competed with and undercut Nominum's product. This cannot be
> right. [As it turns out Nominum doesn't consider NSD to be a credible
> competitor or a revenue threat to its software, but that's another
> story.]

We needed this to responsibly operate k.root-servers.net in the light of extremely serious concerns about server software diversity combined with the requirement for open source. We have helped with the design because that is the best way to get one's requirements met. We have helped with the testing because we had to test thoroughly anyway before using it on K. So the additional effort was not that big and the Internet is now a safer place. And we have done all this *extremely* openly. You could say that I came close to bragging about it ;-).

> There may well be further examples of this sort of thing in
> the other non-core activities of RIPE NCC. Why would anyone pay for a
> place on my DNSSEC training course (if I was selling one) when NCC is
> offering their course for free?

Who is selling DNSSEC courses? The whole point of DISI is to kick-start deployment of something that makes the Internet infrastructure more secure in the absence of clear economic drivers. We have done this before, remember CIDR?

> I fear that your plans for DNS monitoring will similarly distort the
> market.
Firstly, potential customers -- TLDs, regulators, etc -- will
> expect to get this type of service for free instead of paying for it
> as they really should. Secondly, it will prevent commercial operators,
> some of whom could well be NCC members, from providing this kind of
> service. Who can compete with free?

Yes, but is there a market? And can this be done independently and neutrally for a fee? Again we needed this for k.root-servers.net operations.

> That brings up the concerns about
> monopolies and cross-subsidies again. Thirdly, this service could
> become a bottomless pit for NCC resources. What are the current and
> projected costs and how are they covered?

My estimate of the incremental cost of developing it so far is about 1-2 weeks of a network engineer, and 5 weeks of a chief scientist. However it is based on the network of test boxes and on the RIPE NCC web presence. How do you account for that? Difficult. We also needed something like this for operating k.root-servers.net responsibly. One could argue that the incremental cost to that is even less.

But again: This helps DNS stability and Internet self-regulation. If there is another viable business model to do this at the required quality and neutrality I am all for it. I just do not see that.

> of NCC extending itself well beyond its core function. Finally,
> incrementally adding these sorts of non-core services doesn't just
> entrench the NCC monopoly: it embraces and extends it.

See above. DNS monitoring is an NCC activity since 1991.

> Another point. The internet and telecommunications industry has been
> suffering in the last few years. Budgets have been cut and companies
> have downsized or gone bust. At this time NCC should be seen to be
> tightening its belt, not adding new non-core activities.

The RIPE NCC is another kettle of fish than a commercial company. You need stability and neutrality and that has its price! What if you lean it until it falls over at the most inconvenient time?
Talking about fairness: The RIPE NCC does not have stock options either. Yes I have a relatively secure job, but that's because I think the RIPE NCC is important for the Internet in Europe and I chose for it *in good times* when there were *a lot* more interesting offers in terms of remuneration.

Daniel

From hank at att.net.il Wed Sep 10 16:48:51 2003
From: hank at att.net.il (Hank Nussbacher)
Date: Wed, 10 Sep 2003 16:48:51 +0200
Subject: [ncc-services-wg] Re: dnsmon / .org
In-Reply-To: <20030910093604.GC2737@reifa.karrenberg.net>
References: <5.1.0.14.2.20030910121619.00b2b148@max.att.net.il> <200309100258.h8A2w7JY014039@aunt.gaertner.de> <200309100258.h8A2w7JY014039@aunt.gaertner.de> <5.1.0.14.2.20030910121619.00b2b148@max.att.net.il>
Message-ID: <5.1.0.14.2.20030910164634.00b19830@max.att.net.il>

At 11:36 AM 10-09-03 +0200, Daniel Karrenberg wrote:
>On 10.09 12:18, Hank Nussbacher wrote:
>
> > RIPE NCC should only monitor those ccTLDs that are LIRs or that their LIR
> > is willing to endorse. -Hank
>
>I like the principle. However ....
>
>How would this endorsement be determined?

Each LIR would be entitled to one ccTLD to be monitored. Most won't need it. Assuming there are about 50 countries in the RIPE area, and about 3500 LIRs, I am sure that one can find a LIR to support a ccTLD to be monitored. That means that the other countries in ARIN/APNIC/LACNIC would have to fund their own service.

-Hank
LIR: il.iucc

>Doing it simple-mindedly potentially leads to a *very* long list of
>domains to monitor, and not only (cc)TLDs.
>
>
>Daniel

From daniel.karrenberg at ripe.net Wed Sep 10 16:10:52 2003
From: daniel.karrenberg at ripe.net (Daniel Karrenberg)
Date: Wed, 10 Sep 2003 16:10:52 +0200
Subject: [ncc-services-wg] Re: dnsmon / .org
In-Reply-To:
References: <200309100258.h8A2w7JY014039@aunt.gaertner.de> <5.1.0.14.2.20030910121619.00b2b148@max.att.net.il>
Message-ID: <20030910141052.GD3556@reifa.karrenberg.net>

[pruned to ncc-services]

On 10.09 05:00, Randy Bush wrote:
> > RIPE NCC should only monitor those ccTLDs that are LIRs or that
> > their LIR is willing to endorse.
>
> as a lot of folk, whose primary mission it is, monitor, it is not
> clear to me why the ncc monitors at all.

Frankly: Because root zone data is needed for our operations, none of the people whose primary mission it is do an adequate job, there is considerable interest in good measurements in the community including about other TLDs and it was relatively easy to do.

> the philosophy that the
> ncc should provide all the services that we use devolves into ncc
> making shoes and shirts for us all too...

I am not aware of that school. can you point me to it?

Daniel

From schneider at switch.ch Wed Sep 10 14:43:26 2003
From: schneider at switch.ch (Marcel Schneider)
Date: Wed, 10 Sep 2003 14:43:26 +0200
Subject: [ncc-services-wg] Re: [dns-wg] Re: dnsmon / .org
In-Reply-To: Message from Daniel Karrenberg of "Wed, 10 Sep 2003 11:17:46 +0200." <20030910091746.GA2737@reifa.karrenberg.net>
References: <20030910091746.GA2737@reifa.karrenberg.net> <200309100258.h8A2w7JY014039@aunt.gaertner.de>
Message-ID: <6610.1063197806@switch.ch>

On Wednesday, 10 Sep 2003, Daniel Karrenberg writes:

Daniel > While we so far have only monitored TLDs with whom we have some contact,
> we can certainly also monitor any TLD if there is an expressed interest
> from the RIPE community. Technically this is no problem at all.
> Configuring it takes all of 5 minutes and even the alpha version
> of the analysis web site on the development server box can easily take
> the load.

Here the views of a (small) ccTLD (CH):

1. Monitoring TLD name servers from different points on earth in a, let's say 'standardized' way, and publish such data is welcome. The points to clarify here are: standardized and 'such', the latter designating a subset of all possible measurements or everything. The standardization aspect is IMO more interesting: we need an RFC for these measurements.

2. Since this kind of monitoring can be bought from e.g. UltraDNS, it may be wise not enter in any competition, meaning it should have a price tag.

3. If it has a price tag, people will want to know what to get for the money, meaning an SLA is required. An SLA is a contract with technical, organizational, legal and administrative definitions.

4. It is to be determined if RIPE NCC is the appropriate org to offer such services. Good: neutral, professional, some hard- and software already in place and can be used; bad: not really RIPE's core business, the competition with commercial firms. How about a RIPE-spin-off, Netlabs, etc. ?

Summary: desirable service, still much to be defined.

Marcel

From daniel.karrenberg at ripe.net Wed Sep 10 16:29:30 2003
From: daniel.karrenberg at ripe.net (Daniel Karrenberg)
Date: Wed, 10 Sep 2003 16:29:30 +0200
Subject: [ncc-services-wg] Re: dnsmon / .org
In-Reply-To: <5.1.0.14.2.20030910164634.00b19830@max.att.net.il>
References: <5.1.0.14.2.20030910121619.00b2b148@max.att.net.il> <200309100258.h8A2w7JY014039@aunt.gaertner.de> <200309100258.h8A2w7JY014039@aunt.gaertner.de> <5.1.0.14.2.20030910121619.00b2b148@max.att.net.il> <5.1.0.14.2.20030910164634.00b19830@max.att.net.il>
Message-ID: <20030910142930.GF3556@reifa.karrenberg.net>

On 10.09 16:48, Hank Nussbacher wrote:
> At 11:36 AM 10-09-03 +0200, Daniel Karrenberg wrote:
> > ...
> >How would this endorsement be determined?
>
> Each LIR would be entitled to one ccTLD to be monitored. Most won't need
> it. Assuming there are about 50 countries in the RIPE area, and about 3500
> LIRs, I am sure that one can find a LIR to support a ccTLD to be
> monitored. That means that the other countries in ARIN/APNIC/LACNIC would
> have to fund their own service.

Now this *is* simple-minded: The end-game is that we monitor all TLDs because there are less TLDs than RIPE NCC members and there will be some of them interested in TLDs outside the RIPE region and many of them will be interested in some gTLDs. Next we will get questions about 2nd level domains.

Try again. Hint: One might establish a ranking and set a monitoring capacity.

Daniel

From gillsr at yahoo.com Wed Sep 10 16:35:43 2003
From: gillsr at yahoo.com (Stephen Gill)
Date: Wed, 10 Sep 2003 09:35:43 -0500
Subject: [ncc-services-wg] RE: New service: ip2asn
In-Reply-To: <5.1.0.14.2.20030910101427.00aaa3d8@max.att.net.il>
Message-ID: <002101c377a8$d15dc3a0$1efdfe0a@t23>

Hi Hank,

Just a quick word of clarification on the AS scripts:

1. getorgasn2.pl is included inside ip2asn-v1.1.tar.gz. The AS conversion scripts include an ONLINE (route-server) and an OFFLINE (bgp table dump) version. There are three scripts in the tar.gz.

2. RE: the e-mail From: j.green at ukerna.ac.uk, one of the scripts above does exactly this using Caida's CoralReef package.

3. RE: Slide #2, lft is a traceroute program for windows/unix that does exactly this: maps IPs to AS numbers. You can download it here: http://www.mainnerve.com/lft/

Ex:

su-2.05b# lft -A 4.2.2.1
Tracing _____________________________________________________________________.
TTL LFT trace to vnsc-pri.sys.gtei.net (4.2.2.1):80/tcp
 1 [AS5102] gw-sbc.as23028.net (68.22.187.1) 20.4ms
 2 [AS5102] 65.42.139.41 20.0ms
 3 [AS5102] bb2-g5-0.chcgil.ameritech.net (67.38.101.116) 19.6ms
 4 [ASN?]
sl-gw38-chi-13-0.sprintlink.net (160.81.109.237) 19.7ms
 5 [AS1239] sl-bb20-chi-4-0.sprintlink.net (144.232.26.129) 19.5ms
 6 [AS1239] sl-bb21-chi-8-0.sprintlink.net (144.232.26.78) 59.6ms
 7 [AS1239] sl-st20-chi-15-1.sprintlink.net (144.232.20.80) 19.4ms
 8 [AS3356] so-2-1-0.edge1.Chicago1.Level3.net (209.0.225.21) 20.0ms
 9 [AS3356] so-2-1-0.bbr1.Chicago1.level3.net (209.244.8.9) 20.0ms
10 [AS3356] so-1-0-0.bbr1.Atlanta1.level3.net (209.247.9.106) 40.4ms
11 [AS3356] pos8-0.hsa1.Atlanta1.Level3.net (209.247.9.166) 40.4ms
12 [AS3356] vlan521.public-msf1.Atlanta2.Level3.net (67.72.92.18) 40.4ms
** [neglected] no reply packets received from TTLs 13 through 25
26 [prohibited] [AS3356] vlan521.public-msf1.Atlanta2.Level3.net (67.72.92.18) 40.4/*ms

Cheers,
-- steve

-----Original Message-----
From: Hank Nussbacher [mailto:hank at att.net.il]
Sent: Wednesday, September 10, 2003 3:19 AM
To: ncc-services-wg at ripe.net
Cc: robt at cymru.com; j.green at ukerna.ac.uk; joe at oregon.uoregon.edu; gillsr at yahoo.com
Subject: New service: ip2asn

Another new service I'd like to discuss is the TTM ip2asn service as presented at RIPE-46:
http://www.ripe.net/ripe/meetings/ripe-46/presentations/ripe46-tt-as-traceroutes.pdf

I know of 4 other methods for doing ip2asn conversions (permission received from each to supply this info):

--------------------------------------
From: robt at cymru.com

We have one that is somewhat quick and really very dirty. :) I've shared it with a few folks, so I'll share it with the full list now. It depends on the Perl Cisco Telnet module and access to a BGP-savvy router. You will find it at the following URL:

It's not pretty, but it works. Feel free to modify it as you see fit, and you may share it with anyone. Comments welcome!

Thanks,
Rob, for Team Cymru.
-- Rob Thomas

--------------------------------------
From: j.green at ukerna.ac.uk

First you need a source of routing information (http://archive.routeviews.org/)

This then needs to be parsed.
I either use parse_bgp_dump from CAIDA (and run "'sh ip bgp' format RIBs" through it), or use http://www.bugged.org/download/misc/bgpparser.c (after tweaking the defines to extract the correct fields) and pass "MRT format RIBs" through it. CAIDA merges multiple origins into a generic entry, whereas bgpparser creates multiple entries.

Either way you want a file with

a.b.c.d/e AS
...
a.b.c.d/e AS

Then use something like Net::Patricia to lookup the AS for an IP address. The only slow thing seems to be reading in the file into memory (I guess you could daemonise it, or use a more parse efficient storage format if this matters).

There are some scripts from a while back at http://kaizo.us/girona/bgp/

bgpparse.tar is the relevant bits out of CAIDA's larger package.
aslookup.pl is a very simple perl script
route-table is a parsed version of the data from routeviews from June.

Hope this helps

John
JANET-CERT

-------------------------------------------
From: joe at oregon.uoregon.edu

Because a number of people have expressed an interest in an IP->ASN DNS zone, if you're interested, the Routeviews project now has a test/static asn zone up that you can try, e.g.:

% dig @archive.routeviews.org 13.142.223.128.asn.routeviews.org txt
[snip]
;; ANSWER SECTION:
13.142.223.128.asn.routeviews.org. 86400 IN TXT "3582"
[snip]

% dig @archive.routeviews.org 109.131.229.169.asn.routeviews.org txt
[snip]
;; ANSWER SECTION:
109.131.229.169.asn.routeviews.org. 86400 IN TXT "25"
[snip]

That was the original format. It now works as follows:

% host -t txt 35.32.223.128.asn.routeviews.org
35.32.223.128.asn.routeviews.org text "3582" "128.223.0.0" "16"

In addition to being able to get the stub ASN, a second zone will also let you get the AS path associated with a specific dotted quad.
For example:

% host -t txt 122.3.15.66.aspath.routeviews.org
122.3.15.66.aspath.routeviews.org text "2497 3356 1 189" "66.15.3.0" "24"
122.3.15.66.aspath.routeviews.org text "2497 3356 1" "66.15.0.0" "17"

In parsing what's returned, be sure to plan to accommodate the possibility that you may get multiple records returned for a single query.

Thanks,
Joe St Sauver (joe at oregon.uoregon.edu)
University of Oregon Computing Center

-----------------------------------------------
From: gillsr at yahoo.com

www.qorbit.net/code/ip2asn-v1.1.tar.gz

ip2asn-coral.pl - very fast, uses Caida's Coral Reef package, requires route table dump. Initial load takes a bit to read route-file.

ip2asn-server.pl - slower, requires a route-server, preferably one that supports 'show ip bgp $ip/32 shorter' syntax.

---------------------------------------------

Can the RIPE NCC TTM group explain why such a service is needed when there are other packages available that do similar things? Slide #2 seems to state that you want a traceroute that includes the ASN. Slide #14 states "RIPE-NCC will set up an IP-AS mapping service with something like "traceroute -A". How will this be different than a standard traceroute from any Cisco router:

TAU-gp1#trace www.cisco.com
Translating "www.cisco.com"...domain server (128.139.6.1) [OK]
Type escape sequence to abort.
Tracing the route to www.cisco.com (198.133.219.25)
 1 iucc.il1.il.geant.net (62.40.103.225) [AS 20965] 0 msec 0 msec 0 msec
 2 il.nl1.nl.geant.net (62.40.96.117) [AS 20965] 68 msec 64 msec 68 msec
 3 nl.de1.de.geant.net (62.40.96.101) [AS 20965] 72 msec 72 msec 72 msec
 4 so-7-0-0.ar2.FRA2.gblx.net (208.48.23.145) [AS 3549] 72 msec 72 msec 72 msec
 5 pos5-0-2488M.cr2.FRA2.gblx.net (67.17.65.53) [AS 3549] 72 msec 72 msec 72 msec
 6 so0-0-0-2488M.cr2.LON3.gblx.net (67.17.64.38) [AS 3549] 84 msec 80 msec 80 msec
 7 so7-0-0-2488M.ar2.LON3.gblx.net (67.17.66.30) [AS 3549] 88 msec 84 msec 80 msec
 8 sl-bb21-lon-1-3.sprintlink.net (213.206.131.25) [AS 1239] 88 msec 88 msec 88 msec
 9 sl-bb21-tuk-10-0.sprintlink.net (144.232.19.69) [AS 1239] 164 msec 164 msec 164 msec
10 sl-bb20-tuk-15-0.sprintlink.net (144.232.20.132) [AS 1239] 164 msec 164 msec 168 msec
11 sl-bb21-rly-15-1.sprintlink.net (144.232.20.120) [AS 1239] 168 msec 172 msec 164 msec
12 sl-bb23-rly-11-0.sprintlink.net (144.232.14.134) [AS 1239] 164 msec 176 msec 168 msec
13 sl-bb20-rly-9-0.sprintlink.net (144.232.14.117) [AS 1239] 176 msec 168 msec 172 msec
14 sl-bb25-sj-5-3.sprintlink.net (144.232.20.57) [AS 1239] 296 msec 228 msec 228 msec
15 sl-gw11-sj-10-0.sprintlink.net (144.232.3.134) [AS 1239] 232 msec 228 msec 232 msec
16 sl-ciscopsn2-11-0-0.sprintlink.net (144.228.44.14) [AS 1239] 220 msec 220 msec 224 msec
17 sjce-dirty-gw1.cisco.com (128.107.239.89) [AS 109] 228 msec 224 msec 224 msec
18 sjck-sdf-ciod-gw2.cisco.com (128.107.239.102) [AS 109] 228 msec 228 msec 228 msec
19 * www.cisco.com (198.133.219.25) [AS 109] 236 msec *

Thanks,
Hank

From baess at denic.de Wed Sep 10 17:04:23 2003
From: baess at denic.de (Andreas Bäß/Denic)
Date: Wed, 10 Sep 2003 17:04:23 +0200
Subject: [ncc-services-wg] Re: dnsmon / .org
Message-ID:

Daniel,

> However it is very difficult to do it for some for free and
> ask the others to pay.
So doing that may lead to a situation where the
> RIPE NCC membership ends up paying the whole bill. I would actually
> like that because it makes the measurements even more independent
> and I would not have to invest time into making agreements with the TLD
> admins, billing, etc. pp.

from our (DENIC) point of view an independent professional monitoring of our services has value and we certainly will pay a fair share to continue this service. Monitoring other parties that are not able to pay for that (maybe unwanted) service is nonetheless of value for us too, as we are often contacted to explain anomalies or to make judgements on explanations/justifications where independent monitoring is better than belief/rumors ;-)

> But is this acceptable to the RIPE NCC membership in the long run?

I think the system has enough options to provide to those who pay more and better service (realtime vs. delayed data access, access to single monitor point data vs. only overview, breakdown to single minute measurements vs. 15 minutes overviews or just events, maybe complex alarming conditions).

Have a nice day
Andreas

From Niall.oReilly at ucd.ie Wed Sep 10 17:35:48 2003
From: Niall.oReilly at ucd.ie (Niall O'Reilly)
Date: Wed, 10 Sep 2003 16:35:48 +0100
Subject: [ncc-services-wg] Re: [dns-wg] Re: dnsmon / .org
In-Reply-To: <20030910135001.GB3556@reifa.karrenberg.net>
Message-ID: <73D948E2-E3A4-11D7-8394-000393DA759C@ucd.ie>

On Wednesday, Sep 10, 2003, at 14:50 Europe/Dublin, Daniel Karrenberg wrote:

> This mission is broader than just being a RIR

I agree. I hope and expect my ISP/LIR agrees.
Niall

From daniel.karrenberg at ripe.net Wed Sep 10 17:39:01 2003
From: daniel.karrenberg at ripe.net (Daniel Karrenberg)
Date: Wed, 10 Sep 2003 17:39:01 +0200
Subject: [ncc-services-wg] Re: [dns-wg] Re: dnsmon / .org
In-Reply-To:
References: <20030910091746.GA2737@reifa.karrenberg.net> <25372.1063191695@gromit.rfc1035.com> <20030910135001.GB3556@reifa.karrenberg.net>
Message-ID: <20030910153901.GM3556@reifa.karrenberg.net>

[pruned to ncc-services again]

On 10.09 17:15, Johan Ihren wrote:
> Daniel Karrenberg writes:
> > Who is selling DNSSEC courses? The whole point of DISI is to kick-start
>
> We do.

I was not aware of that. So given that, should we stop DISI and other kick-start like things. Or is the benefit to the membership as-a-whole and the community more important?

> PS. With the Autonomica hat on: we also do DNS monitoring, quite
> similar to dnsmon, and for exactly the same reasons, i.e. to monitor
> our various DNS services, i.root-servers.net being one of them. To
> offset our costs for this we are offering this service on some sort of
> cost recovery basis to interested parties like TLDs.

Interesting. I have never seen any of it or seen it quoted anywhere.

> In the end this is all about education. Everyone needs to understand
> that there is a cost associated with providing a service. If the
> service is offered "for free" that is just a metaphor for "someone
> else is paying for it".

Yes. And that someone else would do so willingly of course.

Daniel

From Niall.oReilly at ucd.ie Wed Sep 10 17:40:17 2003
From: Niall.oReilly at ucd.ie (Niall O'Reilly)
Date: Wed, 10 Sep 2003 16:40:17 +0100
Subject: [ncc-services-wg] Re: [dns-wg] Re: dnsmon / .org
In-Reply-To: <20030910135001.GB3556@reifa.karrenberg.net>
Message-ID: <13EA874B-E3A5-11D7-8394-000393DA759C@ucd.ie>

On Wednesday, Sep 10, 2003, at 14:50 Europe/Dublin, Daniel Karrenberg wrote:

> Membership is open to anyone using the
> RIPE NCC services.

Does this mean a non-LIR can be a member?
How does that work in practice?

Niall

From johani at autonomica.se Wed Sep 10 17:15:33 2003
From: johani at autonomica.se (Johan Ihren)
Date: Wed, 10 Sep 2003 17:15:33 +0200
Subject: [ncc-services-wg] Re: [dns-wg] Re: dnsmon / .org
In-Reply-To: <20030910135001.GB3556@reifa.karrenberg.net> (Daniel Karrenberg's message of "Wed, 10 Sep 2003 15:50:01 +0200")
References: <20030910091746.GA2737@reifa.karrenberg.net> <25372.1063191695@gromit.rfc1035.com> <20030910135001.GB3556@reifa.karrenberg.net>
Message-ID:

Daniel Karrenberg writes:

Hi Daniel,

>> There may well be further examples of this sort of thing in the
>> other non-core activities of RIPE NCC. Why would anyone pay for a
>> place on my DNSSEC training course (if I was selling one) when NCC
>> is offering their course for free?
>
> Who is selling DNSSEC courses? The whole point of DISI is to kick-start

We do.

I.e. not Autonomica, but Lars-Johan Liman, Patrik Fältström and myself privately teach DNS courses on all levels since years back, including a two day course on DNSSEC. And, yes, we have had students actually cancel their seats at a scheduled course because RIPE NCC staff came to Stockholm and taught DNSSEC for free.

While I can personally live with that (at least as long as you don't turn up in Stockholm too often ;-) I do think it is a clear example of the difficulties with your position of being effectively a monopoly that wants to do the right thing for the Internet.

Johan

PS. With the Autonomica hat on: we also do DNS monitoring, quite similar to dnsmon, and for exactly the same reasons, i.e. to monitor our various DNS services, i.root-servers.net being one of them. To offset our costs for this we are offering this service on some sort of cost recovery basis to interested parties like TLDs. Obviously even a cheap service will never be able to compete with a free one, especially since the hassle of the billing process will make both parties walk away.
And, yes, we are RIPE members, so just as in the Nominum case this is our membership fees working against us.

In the end this is all about education. Everyone needs to understand that there is a cost associated with providing a service. If the service is offered "for free" that is just a metaphor for "someone else is paying for it".

From joao at psg.com Wed Sep 10 17:59:09 2003
From: joao at psg.com (Joao Luis Silva Damas)
Date: Wed, 10 Sep 2003 17:59:09 +0200
Subject: [ncc-services-wg] Re: [dns-wg] Re: dnsmon / .org
In-Reply-To: <13EA874B-E3A5-11D7-8394-000393DA759C@ucd.ie>
Message-ID:

On Wednesday, September 10, 2003, at 05:40 PM, Niall O'Reilly wrote:

>
> On Wednesday, Sep 10, 2003, at 14:50 Europe/Dublin, Daniel Karrenberg
> wrote:
>
>> Membership is open to anyone using the
>> RIPE NCC services.
>
> Does this mean a non-LIR can be a member?

Well, yes. You don't have to request addresses to be interested in RIPE NCC services. Maybe they are all called LIRs but it might be interesting to know how many members don't send any address requests to the NCC and therefore, maybe, are just interested in the availability of the public services.

As Daniel said, from the beginning the RIPE NCC has been more than an RIR, it has been a Network Co-ordination Centre, remember the maps of the Internet?

> How does that work in practice?
>

You sign and you pay => You benefit.

Joao

From daniel.karrenberg at ripe.net Wed Sep 10 18:06:40 2003
From: daniel.karrenberg at ripe.net (Daniel Karrenberg)
Date: Wed, 10 Sep 2003 18:06:40 +0200
Subject: [ncc-services-wg] Re: [dns-wg] Re: dnsmon / .org
In-Reply-To: <13EA874B-E3A5-11D7-8394-000393DA759C@ucd.ie>
References: <20030910135001.GB3556@reifa.karrenberg.net> <13EA874B-E3A5-11D7-8394-000393DA759C@ucd.ie>
Message-ID: <20030910160639.GP3556@reifa.karrenberg.net>

On 10.09 16:40, Niall O'Reilly wrote:
>
> >Membership is open to anyone using the
> >RIPE NCC services.
>
> Does this mean a non-LIR can be a member?
> How does that work in practice?

Touche! It used to be possible to become a LIR without getting an allocation. After having focused this discussion here I really do not want to expand it again to address-policy ;-) I am sure this will be rationalised there eventually ;-(.

Maybe we need a "sponsoring member" category where organisations like sympathetic ccTLDs could do their duty without contracts and SLAs. This would serve the purpose of fairness as explained in my original mail without the darn overhead of SLAs, liabilities and other such overhead. Maybe we could have them in several, self assessed sizes too. (deja-vu! ;-)

Any takers?

Daniel

From gert at space.net Wed Sep 10 20:27:39 2003
From: gert at space.net (Gert Doering)
Date: Wed, 10 Sep 2003 20:27:39 +0200
Subject: [ncc-services-wg] Re: [dns-wg] Re: dnsmon / .org
In-Reply-To: <73D948E2-E3A4-11D7-8394-000393DA759C@ucd.ie>; from Niall.oReilly@ucd.ie on Wed, Sep 10, 2003 at 04:35:48PM +0100
References: <20030910135001.GB3556@reifa.karrenberg.net> <73D948E2-E3A4-11D7-8394-000393DA759C@ucd.ie>
Message-ID: <20030910202739.O67740@Space.Net>

Hi,

On Wed, Sep 10, 2003 at 04:35:48PM +0100, Niall O'Reilly wrote:
> > This mission is broader than just being a RIR
> I agree. I hope and expect my ISP/LIR agrees.

Same for me (speaking for my LIR).

Nevertheless I think the new structure, with projects being discussed in the ncc-services WG and the AGM meeting 2 times a year and thus having more chances to influence projects, is a good approach.
Gert Doering
-- NetMaster
--
Total number of prefixes smaller than registry allocations: 56833 (55575)

SpaceNet AG Mail: netmaster at Space.Net
Joseph-Dollinger-Bogen 14 Tel : +49-89-32356-0
80807 Muenchen Fax : +49-89-32356-299

From david at iprg.nokia.com Wed Sep 10 23:46:25 2003
From: david at iprg.nokia.com (David Kessens)
Date: Wed, 10 Sep 2003 14:46:25 -0700
Subject: [ncc-services-wg] Re: [dns-wg] Re: dnsmon / .org
In-Reply-To: <20030910135001.GB3556@reifa.karrenberg.net>; from Daniel Karrenberg on Wed, Sep 10, 2003 at 03:50:01PM +0200
References: <20030910091746.GA2737@reifa.karrenberg.net> <25372.1063191695@gromit.rfc1035.com> <20030910135001.GB3556@reifa.karrenberg.net>
Message-ID: <20030910144625.A19332@iprg.nokia.com>

Daniel,

On Wed, Sep 10, 2003 at 03:50:01PM +0200, Daniel Karrenberg wrote:
>
> I could write a reply rant about the individual points in your rant but
> the main difference of opinion we have is about the mission of the RIPE NCC.
> This mission is broader than just being a RIR:

While I would like to agree with you, I don't think it is all that simple. To me it sounds like this whole discussion is avoiding the real problem:

The RIPE NCC's RIR function is a monopoly. People who need addresses cannot go anywhere else. They have the option to become a LIR and pay for all its services or choose not to receive any ip addresses at all.

Sooner or later this is going to draw unwanted attention from authorities. Isn't it better to take preventive action now and make sure that the monopoly function is sufficiently separate of the other activities of the NCC in order to avoid this kind of problems ?!?

David K.
---

From peter.galbavy at knowtion.net Thu Sep 11 08:41:42 2003
From: peter.galbavy at knowtion.net (Peter Galbavy)
Date: Thu, 11 Sep 2003 07:41:42 +0100
Subject: [ncc-services-wg] Re: [dns-wg] Re: dnsmon / .org
References: <20030910091746.GA2737@reifa.karrenberg.net> <25372.1063191695@gromit.rfc1035.com> <20030910135001.GB3556@reifa.karrenberg.net> <20030910144625.A19332@iprg.nokia.com>
Message-ID: <001301c3782f$c33544b0$28e0a8c0@peteryw45760tp>

David Kessens wrote:
> Sooner or later this is going to draw unwanted attention from
> authorities. Isn't it better to take preventive action now and make
> sure that the monopoly function is sufficiently separate of the other
> activities of the NCC in order to avoid this kind of problems ?!?

But then there would be so much less money to fritter away on personal projects and academic life. Why would you, if you were a comfortably secure manager at RIPE, want this ?

Peter

From pim at bit.nl Thu Sep 11 09:18:02 2003
From: pim at bit.nl (Pim van Pelt)
Date: Thu, 11 Sep 2003 09:18:02 +0200
Subject: [ncc-services-wg] Re: [dns-wg] Re: dnsmon / .org
In-Reply-To: <001301c3782f$c33544b0$28e0a8c0@peteryw45760tp>
References: <20030910091746.GA2737@reifa.karrenberg.net> <25372.1063191695@gromit.rfc1035.com> <20030910135001.GB3556@reifa.karrenberg.net> <20030910144625.A19332@iprg.nokia.com> <001301c3782f$c33544b0$28e0a8c0@peteryw45760tp>
Message-ID: <20030911071802.GD71526@crow.bit.nl>

Peter,

| > Sooner or later this is going to draw unwanted attention from
| > authorities. Isn't it better to take preventive action now and make
| > sure that the monopoly function is sufficiently separate of the other
| > activities of the NCC in order to avoid this kind of problems ?!?
|
| But then there would be so much less money to fritter away on personal
| projects and academic life. Why would you, if you were a comfortably secure
| manager at RIPE, want this ?

Undue sarcastic conspiracy theory redetected !
Because the CSM is not an egocentric individual who puts his personal pleasure above what is good for his company. I work at an ISP too, with a gazillion nice toys to abuse for my own pleasure and you may not believe it but much the same as people at the NCC, I do not wish to abuse them in any way.

It's called self-righteousness and it is based upon trust (from employer to employee, from member to CSM, ... ).

--
__________________
With kind regards, /\ ___/
Pim van Pelt /- \ _/
Business Internet Trends BV PBVP1-RIPE /--- \/
__________________

From johani at autonomica.se Wed Sep 10 19:12:20 2003
From: johani at autonomica.se (Johan Ihren)
Date: Wed, 10 Sep 2003 19:12:20 +0200
Subject: [ncc-services-wg] Re: [dns-wg] Re: dnsmon / .org
In-Reply-To: <20030910153901.GM3556@reifa.karrenberg.net> (Daniel Karrenberg's message of "Wed, 10 Sep 2003 17:39:01 +0200")
References: <20030910091746.GA2737@reifa.karrenberg.net> <25372.1063191695@gromit.rfc1035.com> <20030910135001.GB3556@reifa.karrenberg.net> <20030910153901.GM3556@reifa.karrenberg.net>
Message-ID:

Daniel Karrenberg writes:

Hi Daniel,

> [pruned to ncc-services again]

To which I'm not yet subscribed, so this will probably not reach anyone but you initially...

>>> Who is selling DNSSEC courses? The whole point of DISI is to kick-start
>>
>> We do.
>
> I was not aware of that. So given that, should we stop DISI and
> other kick-start like things. Or is the benefit to the membership
> as-a-whole and the community more important?

I'm not suggesting that. I'm merely giving a concrete example showing that Jim has a valid point.

However, I think that in the spirit of kick-starting you need be careful about two things:

1. Make sure that you're kick-starting something that doesn't already exist or is already happening.

2. Be prepared to stop once there is too much interference with other alternatives.
The problem here is that in an environment with a subsidized service, the growth of robust commercially-supported alternatives will always be retarded and constrained, and this damages the health and growth of the Internet as a whole.

Both of these are close to impossible to fulfill in practice, of course. But you need to at least try hard enough to avoid complaints.

>> PS. With the Autonomica hat on: we also do DNS monitoring, quite
>> similar to dnsmon, and for exactly the same reasons, i.e. to monitor
>> our various DNS services, i.root-servers.net being one of them. To
>> offset our costs for this we are offering this service on some sort of
>> cost recovery basis to interested parties like TLDs.
>
> Interesting. I have never seen any of it or seen it quoted anywhere.

Marketing is not our strongest side ;-)

RIPE NCC has much more resources for marketing than we have, but I'd rather spend our resources on doing DNS than trying to compete with that.

>> In the end this is all about education. Everyone needs to understand
>> that there is a cost associated with providing a service. If the
>> service is offered "for free" that is just a metaphor for "someone
>> else is paying for it".
>
> Yes. And that someone else would do so willingly of course.

Well, I think it is a bit more complicated than that. I believe that for a system to be stable there should be a trail of services performed that is matched by a reverse trail of revenues paid. That way everyone involved is both giving and receiving something and therefore they are presumably satisfied.

When the costs don't follow the services performed you will have "winners" and "losers". The winners are the guys that get services without paying and the losers are those that pay without getting services. Such systems may work for a while, but long term this is bad, since you will not achieve a scalable system where increased consumption can finance increased production.
But I think we're getting bogged down too deep into layman interpretation of market economics here.

Johan

From jim at rfc1035.com Wed Sep 10 23:52:34 2003
From: jim at rfc1035.com (Jim Reid)
Date: Wed, 10 Sep 2003 22:52:34 +0100
Subject: [ncc-services-wg] Re: [dns-wg] Re: dnsmon / .org
In-Reply-To: Your message of "Wed, 10 Sep 2003 15:50:01 +0200." <20030910135001.GB3556@reifa.karrenberg.net>
Message-ID: <26572.1063230754@gromit.rfc1035.com>

>>>>> "Daniel" == Daniel Karrenberg writes:

Daniel> Who is selling DNSSEC courses?

I was thinking this might have been a way to keep me in very fine, rare malt whisky. :-) I have an Advanced DNS Admin course that could be used as the basis of a DNSSEC training course. However, there's not much point in trying to develop and sell such a course -- far less try to make a living from that -- when RIPE NCC is offering one "for free" that would attract most, if not all, potential customers. That's hardly fair or neutral, eh?

>> I fear that your plans for DNS monitoring will similarly
>> distort the market. Firstly, potential customers -- TLDs,
>> regulators, etc -- will expect to get this type of service for
>> free instead of paying for it as they really should. Secondly,
>> it will prevent commercial operators, some of whom could well
>> be NCC members, from providing this kind of service. Who can
>> compete with free?

Daniel> Yes, but is there a market? And can this be done
Daniel> independently and neutrally for a fee?

These questions can't be answered if NCC does this for free and therefore strangles at birth any attempts by someone else to offer these services and/or create a market for them.

Daniel> Again we needed this for k.root-servers.net operations.

Fine. So monitor K and ns.ripe.net and ns.eu.net: the servers directly under the NCC's responsibility. But stop there.
There's a huge leap going from there to monitoring every TLD and root server on the planet "for free" and I just don't see the justification for that quite frankly. Monitor these other servers by all means. Provided the people running those servers pay at least the full costs of providing that service to them. This would of course require much more transparency in identifying the costs and overheads of providing these additional, non-core services.

Daniel> The RIPE NCC is another kettle of fish than a commercial
Daniel> company. You need stability and neutrality and that has
Daniel> its price!

Indeed. But where is the neutrality if NCC is raising the barriers to entry by offering additional, non-core services "for free" that are cross-subsidised from its core, monopoly services? I've given a couple of examples where NCC's actions/policies have far from neutral market consequences. Simply by their existence, these non-core services NCC offers have eliminated competition. Or prevented commercial players entering the market. What's worse, those additional services might have been provided by the NCC membership if they'd been given the chance. And that extra revenue could have helped them pay for NCC's recently increased fees. :-)

I would also like to see the NCC's projects (such as DISI) subject to regular external review to ensure they are seen to be on track and meeting their objectives, deliverables, timelines and budgets. Perhaps this already happens and I as a non-member just don't know about that?

Daniel> What if you lean it until it falls over at the
Daniel> most inconvenient time?

This is less likely to happen if NCC sticks to its core job -- an RIR -- and makes sure it has enough cash to carry out that role. The further NCC moves from its absolutely critical RIR responsibility, the more likely that core function will be at risk. And the more likely the EU's anti-competition people will come knocking at the door....
Daniel> Talking about fairness: The RIPE NCC does not have stock
Daniel> options either. Yes I have a relatively secure job, but
Daniel> that's because I think the RIPE NCC is important for the
Daniel> Internet in Europe and I chose for it *in good times* when
Daniel> there were *a lot* more interesting offers in terms of
Daniel> remuneration.

Daniel, please don't take my earlier comments personally. This discussion has nothing to do with our respective career choices or money. It's about more important things. :-)

FYI, I don't have stock options either. [These die when you get downsized you know.] I don't even have a job. Let alone a relatively secure one. And as I look for new things to do in the DNS arena, there's this 800 pound NCC gorilla in my backyard which is almost literally eating my lunch. It's giving away "for free" the services I might want to provide and try to earn a living from. Where's the fairness you speak of? The only consolation I have is that since I'm not an NCC member, I'm not paying for that gorilla to eat my lunch.

From paf at paf.se Thu Sep 11 04:31:37 2003
From: paf at paf.se (Patrik Fältström)
Date: Wed, 10 Sep 2003 19:31:37 -0700
Subject: [ncc-services-wg] Re: [dns-wg] Re: dnsmon / .org
In-Reply-To:
References: <20030910091746.GA2737@reifa.karrenberg.net> <25372.1063191695@gromit.rfc1035.com> <20030910135001.GB3556@reifa.karrenberg.net>
Message-ID: <119EB430-E400-11D7-A062-000A959CF516@paf.se>

On 10 sep 2003, at 08.15, Johan Ihren wrote:

> I.e. not Autonomica, but Lars-Johan Liman, Patrik Fältström and myself
> privately teach DNS courses on all levels since years back, including
> a two day course on DNSSEC.
>
> And, yes, we have had students actually cancel their seats at a
> scheduled course because RIPE NCC staff came to Stockholm and taught
> DNSSEC for free.
>
> While I can personally live with that (at least as long as you don't
> turn up in Stockholm too often ;-) I do think it is a clear example of
> the difficulties with your position of being effectively a monopoly
> that wants to do the right thing for the Internet.

FWIW, as Johan explicitly says he _personally_ can live with it, let me also say I find this being ok, even though it feels a bit weird when RIPE NCC is competing on the market with a price we can not beat.

So, don't come too often ;-)

That said, totally in the world, I think there are not enough people teaching DNS. Or rather, there is an enormous number of people which _should_ take a training course.

paf

From pdg at euroconnect.fr Thu Sep 11 10:56:32 2003
From: pdg at euroconnect.fr (Pascal Julienne)
Date: Thu, 11 Sep 2003 10:56:32 +0200
Subject: [ncc-services-wg] Re: [dns-wg] Re: dnsmon / .org
In-Reply-To: <20030910144625.A19332@iprg.nokia.com>
Message-ID: <01f301c37842$99a38130$0a0710ac@pdg>

David,

You can't talk about monopoly when you refer to a non profit organisation. If I follow your line of thought then many other European organisations are also monopolies and should draw attention. In that case, we better all go to Cancun instead of the next RIPE meeting.

I think the real question is how could the RIPE cater to ALL of its members.

So say:

1) You have a basic fee for a basic service
2) You have options which you can subscribe to or not - for instance if you want information on traffic then you have to participate financially.

This would mean that as far as IP registering all members would pay a common fee (which still could be separated in small, large, etc.) and that the money obtained from this would go to registry services and a bit of the overall RIPE structure.

For the rest of the services, they would have to be financed by those who want them. Again what is paid by those would go into a separate slot and would finance their needs.
However, if the RIPE is also recognized by EU institutions as THE central body then some grants should be obtainable from the EU to work on EU projects related to services the RIPE can offer. If such grants are obtained, then it is tax money from all EU citizens which finance some overall EU/RIPE activities which the RIPE is probably the best body in EU to do.

So you'd have three things:

- basic services paid by basic fees available to all
- options paid by those interested available to those who pay the extra bit
- overall EU/RIPE services available to all and paid by EU

Pascal Julienne
www.euroconnect.fr

Daniel,

On Wed, Sep 10, 2003 at 03:50:01PM +0200, Daniel Karrenberg wrote:
>
> I could write a reply rant about the individual points in your rant but
> the main difference of opinion we have is about the mission of the RIPE NCC.
> This mission is broader than just being a RIR:

While I would like to agree with you, I don't think it is all that simple. To me it sounds like this whole discussion is avoiding the real problem:

The RIPE NCC's RIR function is a monopoly. People who need addresses cannot go anywhere else. They have the option to become a LIR and pay for all its services or choose not to receive any ip addresses at all.

Sooner or later this is going to draw unwanted attention from authorities. Isn't it better to take preventive action now and make sure that the monopoly function is sufficiently separate of the other activities of the NCC in order to avoid this kind of problems ?!?

David K.
---

From lists at complx.LF.net Thu Sep 11 12:03:47 2003
From: lists at complx.LF.net (Kurt Jaeger)
Date: Thu, 11 Sep 2003 12:03:47 +0200
Subject: [ncc-services-wg] Re: [dns-wg] Re: dnsmon / .org
In-Reply-To: <26572.1063230754@gromit.rfc1035.com>
References: <20030910135001.GB3556@reifa.karrenberg.net> <26572.1063230754@gromit.rfc1035.com>
Message-ID: <20030911100347.GV5474@complx.LF.net>

Hi!

> Daniel> Who is selling DNSSEC courses?
>
> I was thinking this might have been a way to keep me in very fine,
> rare malt whisky. :-) I have an Advanced DNS Admin course that could
> be used as the basis of a DNSSEC training course. However, there's not
> much point in trying to develop and sell such a course -- far less try
> to make a living from that -- when RIPE NCC is offering one "for free"
> that would attract most, if not all, potential customers. That's
> hardly fair or neutral, eh?

RIPE could buy courses wholesale from you and "give" it to their LIRs -- another way to start a market 8-}

--
MfG/Best regards, Kurt Jaeger 17 years to go !
LF.net GmbH fon +49 711 90074-23 pi at LF.net
Ruppmannstr. 27 fax +49 711 90074-33
D-70565 Stuttgart mob +49 171 3101372

From joao at psg.com Thu Sep 11 12:56:00 2003
From: joao at psg.com (Joao Luis Silva Damas)
Date: Thu, 11 Sep 2003 12:56:00 +0200
Subject: [ncc-services-wg] Re: [dns-wg] Re: dnsmon / .org
In-Reply-To: <01f301c37842$99a38130$0a0710ac@pdg>
Message-ID: <876ECBE8-E446-11D7-B9B3-003065521028@psg.com>

On Thursday, September 11, 2003, at 10:56 AM, Pascal Julienne wrote:

> David,
>
> You can't talk about monopoly when you refer to a non profit
> organisation.
> If I follow your line of thought then many other European
> organisations are
> also monopolies and should draw attention. In that case, we better
> all go
> to Cancun instead of the next RIPE meeting.
>
> I think the real question is how could the RIPE cater to ALL of its
> members.
>
> So say:
>
> 1) You have a basic fee for a basic service
> 2) You have options which you can subscribe to or not - for instance
> if you
> want information on traffic then you have to participate financially.
>
> This would mean that as far as IP registering all members would pay a
> common
> fee (which still could be separated in small, large, etc.) and that the
> money obtained from this would go to registry services and a bit of
> the
> overall RIPE structure.
>

Under this suggestion, would one be able to pay only for the co-ordination services and not the registration ones? Suppose I want to support the RIPE Routing Registry, plus dnsmon and possibly attend a dnssec course but I am not interested in registration services (because, for instance, the current policy does not allow me to get addresses from the RIR function of the NCC).

The NCC has more to offer than just registration services, in the area of co-ordination. Co-ordination usually requires a party that is not one of the co-ordinated ones.

> For the rest of the services, they would have to be financed by those
> who
> want them. Again what is paid by those would go into a separate slot
> and
> would finance their needs.
>
> However, if the RIPE is also recognized by EU institutions as THE
> central
> body then some grants should be obtainable from the EU to work on EU
> projects related to services the RIPE can offer. If such grants are
> obtained, then it is tax money from all EU citizens which finance some
> overall EU/RIPE activities which the RIPE is probably the best body in
> EU to
> do.
>

In general, EU money tends to come with EU conditions. Careful consideration should be given to something like this. In addition, the RIPE NCC service region is broader than just the EU, something that sometimes is forgotten by all involved.

Joao

From kurtis at kurtis.pp.se Thu Sep 11 14:25:14 2003
From: kurtis at kurtis.pp.se (Kurt Erik Lindqvist)
Date: Thu, 11 Sep 2003 14:25:14 +0200
Subject: [ncc-services-wg] Re: [dns-wg] Re: dnsmon / .org
In-Reply-To: <20030910135001.GB3556@reifa.karrenberg.net>
Message-ID:

Daniel,

>> Another point. The internet and telecommunications industry has been
>> suffering in the last few years. Budgets have been cut and companies
>> have downsized or gone bust. At this time NCC should be seen to be
>> tightening its belt, not adding new non-core activities.
>
> The RIPE NCC is another kettle of fish than a commercial company.
> You need stability and neutrality and that has its price!
> What if you lean it until it falls over at the most inconvenient time?
>

There is a big danger in what you say above. Stability yes - but not at any price. The stability is there for the core service of the NCC, to act as a RIR. The rest is benefits that we get on the side. What most people have been asking for is transparency and accountability on why, and to what costs certain projects are done. Saying that this has always been part of the NCC's tasks is not an answer to those questions.

Best regards,

- kurtis -

From kurtis at kurtis.pp.se Thu Sep 11 14:31:17 2003
From: kurtis at kurtis.pp.se (Kurt Erik Lindqvist)
Date: Thu, 11 Sep 2003 14:31:17 +0200
Subject: [ncc-services-wg] Re: [dns-wg] Re: dnsmon / .org
In-Reply-To: <20030910153901.GM3556@reifa.karrenberg.net>
Message-ID:

>>> Who is selling DNSSEC courses? The whole point of DISI is to
>>> kick-start
>>
>> We do.
>
> I was not aware of that.
> So given that, should we stop DISI and other kick-start like things.
> Or is the benefit to the membership as-a-whole and the community more
> important?

I read this as if you are asking for a blank check. It's not that easy. In certain cases and most certainly in certain countries, training for free (well, it's not actually for free. Subsidized is probably a better word) is good and needed. Doing a certain basic amount of education will also help cut costs for all of us. But that is not the same as realizing that you are competing with commercial interests. So far I don't think this has been a big deal, just as Johan says, but it does highlight the fact that the NCC needs to be aware of the issues.
- kurtis -

From kurtis at kurtis.pp.se Thu Sep 11 14:32:31 2003
From: kurtis at kurtis.pp.se (Kurt Erik Lindqvist)
Date: Thu, 11 Sep 2003 14:32:31 +0200
Subject: [ncc-services-wg] Re: [dns-wg] Re: dnsmon / .org
In-Reply-To: <13EA874B-E3A5-11D7-8394-000393DA759C@ucd.ie>
Message-ID: <03357B36-E454-11D7-B08B-000A95880ECC@kurtis.pp.se>

>> Membership is open to anyone using the
>> RIPE NCC services.
>
> Does this mean a non-LIR can be a member?

You are on the mailing list, right?

> How does that work in practice?

You just subscribe to the mailing-list or pay the attendance fee for the RIPE meeting. Note that the NCC Services WG have no formal say in how the budget of the RIPE NCC is used. That is an issue for the NCC AGM.

Best regards,

- kurtis -

From kurtis at kurtis.pp.se Thu Sep 11 14:49:55 2003
From: kurtis at kurtis.pp.se (Kurt Erik Lindqvist)
Date: Thu, 11 Sep 2003 14:49:55 +0200
Subject: [ncc-services-wg] Re: [dns-wg] Re: dnsmon / .org
In-Reply-To: <03357B36-E454-11D7-B08B-000A95880ECC@kurtis.pp.se>
Message-ID: <71AC4700-E456-11D7-B08B-000A95880ECC@kurtis.pp.se>

I noticed that I mixed up this thread with another. Ignore this thread.

- kurtis -

On torsdag, sep 11, 2003, at 14:32 Europe/Stockholm, Kurt Erik Lindqvist wrote:

>>> Membership is open to anyone using the
>>> RIPE NCC services.
>>
>> Does this mean a non-LIR can be a member?
>
> You are on the mailing list, right?
>
>> How does that work in practice?
>
> You just subscribe to the mailing-list or pay the attendance fee for
> the RIPE meeting. Note that the NCC Services WG have no formal say in
> how the budget of the RIPE NCC is used. That is an issue for the NCC
> AGM.
>
> Best regards,
>
> - kurtis -
>

From kurtis at kurtis.pp.se Thu Sep 11 14:50:30 2003
From: kurtis at kurtis.pp.se (Kurt Erik Lindqvist)
Date: Thu, 11 Sep 2003 14:50:30 +0200
Subject: [ncc-services-wg] Re: [dns-wg] Re: dnsmon / .org
In-Reply-To: <71AC4700-E456-11D7-B08B-000A95880ECC@kurtis.pp.se>
Message-ID: <863C37EA-E456-11D7-B08B-000A95880ECC@kurtis.pp.se>

On torsdag, sep 11, 2003, at 14:49 Europe/Stockholm, Kurt Erik Lindqvist wrote:

>
>
> I noticed that I mixed up this thread with another. Ignore this thread.

....I meant mail...

- kurtis -

>
> - kurtis -
>
> On torsdag, sep 11, 2003, at 14:32 Europe/Stockholm, Kurt Erik
> Lindqvist wrote:
>
>>>> Membership is open to anyone using the
>>>> RIPE NCC services.
>>>
>>> Does this mean a non-LIR can be a member?
>>
>> You are on the mailing list, right?
>>
>>> How does that work in practice?
>>
>> You just subscribe to the mailing-list or pay the attendance fee for
>> the RIPE meeting. Note that the NCC Services WG have no formal say in
>> how the budget of the RIPE NCC is used. That is an issue for the NCC
>> AGM.
>>
>> Best regards,
>>
>> - kurtis -
>>
>

From Niall.oReilly at ucd.ie Thu Sep 11 16:40:54 2003
From: Niall.oReilly at ucd.ie (Niall O'Reilly)
Date: Thu, 11 Sep 2003 15:40:54 +0100
Subject: [ncc-services-wg] Re: [dns-wg] Re: dnsmon / .org
In-Reply-To: <03357B36-E454-11D7-B08B-000A95880ECC@kurtis.pp.se>
Message-ID:

Kurtis,

The membership I mean is the one which has voting rights at the AGM.

The mission of the NCC mentions making "services" available to "members". On paper, this would seem to be a reference to a broader community than the "LIR community in the RIPE (operational) area".

I think Daniel and João understood what I meant.

Niall

On Thursday, Sep 11, 2003, at 13:32 Europe/Dublin, Kurt Erik Lindqvist wrote:

>>
>> Does this mean a non-LIR can be a member?
>
> You are on the mailing list, right?
>
>> How does that work in practice?
>
> You just subscribe to the mailing-list or pay the attendance fee for
> the RIPE meeting. Note that the NCC Services WG have no formal say in
> how the budget of the RIPE NCC is used. That is an issue for the NCC
> AGM.

From randy at psg.com Thu Sep 11 17:54:20 2003
From: randy at psg.com (Randy Bush)
Date: Thu, 11 Sep 2003 08:54:20 -0700
Subject: [ncc-services-wg] Re: [dns-wg] Re: dnsmon / .org
References: <20030910091746.GA2737@reifa.karrenberg.net> <25372.1063191695@gromit.rfc1035.com> <20030910135001.GB3556@reifa.karrenberg.net> <20030910144625.A19332@iprg.nokia.com>
Message-ID:

> The RIPE NCC's RIR function is a monopoly.

and a lot of the rest seems to descend in what we call NIH fashion from there. NIH is idiomatic for Not Invented Here, a syndrome where no one else does as well as we can, represents 'our' members (as if we were owned and not members of any other sets), ... so we must do everything ourselves because it is soooo much better.

it is hard to sort out what is actually needed and appropriate for the registry and what is NIH. as i said some weeks ago

> an interesting question, to which i have no answer. i
> would note the contrast between the four current rirs,
> with arin being very bare-bones address allocation, lacnic
> adding more educational outreach as they perceive a need
> in their region, apnic which does more infrastructure and
> more outreach work, and ripe/ncc which has major branches
> into representing isps in policy fora, doing r&d, etc.

but your and johan's points about an organization with one foot standing on a monopolistic position and the other foot competing with the open market may be important.
randy

From hpholen at tiscali.no Fri Sep 12 18:00:56 2003
From: hpholen at tiscali.no (Hans Petter Holen)
Date: Fri, 12 Sep 2003 18:00:56 +0200 (CEST)
Subject: [ncc-services-wg] Re: dnsmon / .org
In-Reply-To: <20030910093604.GC2737@reifa.karrenberg.net>
Message-ID:

> On 10.09 12:18, Hank Nussbacher wrote:
>
> > RIPE NCC should only monitor those ccTLDs that are LIRs or that their LIR
> > is willing to endorse. -Hank
>
> I like the principle. However ....
>
> How would this endorsement be determined?

You offer the service only to members, so if a name server operator wants this service they sign up as a member. You probably should add a new billing category for this. But that should be simple following the last AGM.

> Doing it simple-mindedly potentially leads to a *very* long list of
> domains to monitor, and not only (cc)TLDs.

Doing it this way the list will never be longer than your membership list.

-hph

From hpholen at tiscali.no Fri Sep 12 18:10:53 2003
From: hpholen at tiscali.no (Hans Petter Holen)
Date: Fri, 12 Sep 2003 18:10:53 +0200 (CEST)
Subject: [ncc-services-wg] Re: [dns-wg] Re: dnsmon / .org
In-Reply-To:
Message-ID:

> And, yes, we have had students actually cancel their seats at a
> scheduled course because RIPE NCC staff came to Stockholm and taught
> DNSSEC for free.

This is, in my personal opinion very unfortunate. While I agree bootstrapping new fundamental internet infrastructure services is a good thing (tm), I think it is very unfortunate that the result of RIPE NCC providing such training for free is that commercial enterprises do not develop this area into a sound business.

It is clearer to me that the matter of charging for training should be reconsidered.
-hph From hpholen at tiscali.no Fri Sep 12 18:20:41 2003 From: hpholen at tiscali.no (Hans Petter Holen) Date: Fri, 12 Sep 2003 18:20:41 +0200 (CEST) Subject: [ncc-services-wg] Re: [dns-wg] Re: dnsmon / .org In-Reply-To: Message-ID: Another way of doing bootstrapping would be: - start with free training - offer others to "advertize" the same cources trough the same mechanisms as RIPE NCC -- may need some "minimum standard" for the courses --- do we want RIPE NCCC certified trainers perhaps -- RIPE ncc charges average of the courses on the list + 20 % -hph From woeber at cc.univie.ac.at Thu Sep 11 18:35:20 2003 From: woeber at cc.univie.ac.at (Wilfried Woeber, UniVie/ACOnet) Date: Thu, 11 Sep 2003 18:35:20 +0200 Subject: [ncc-services-wg] Re: [dns-wg] Re: dnsmon / .org Message-ID: <00A25C1B.EB01F0E4.15@cc.univie.ac.at> Hi Niall, >Kurtis, > >The membership I mean is the one which has voting rights at the AGM. > >The mission of the NCC mentions making "services" available to >"members". >On paper, this would seem to be a reference to a broader community than >the "LIR community in the RIPE (operational) area". In principle this does exist already (although it's being reworked ;-): The TTM is a separate contract (+invoice); although this doesn't seem to give me more votes in the AGM :-) And there's the Enterprise registry thing, which is not meant to get (additional) address space allocated/assinged by the NCC. (Again, I _think_ this type doesn't give you voting rights, but I may be wrong). >I think Daniel and Jo?o understood what I meant. Probably :-) >Niall Wilfried. 

From gert at space.net Thu Sep 11 18:41:06 2003
From: gert at space.net (Gert Doering)
Date: Thu, 11 Sep 2003 18:41:06 +0200
Subject: [ncc-services-wg] Re: [dns-wg] Re: dnsmon / .org
In-Reply-To: <00A25C1B.EB01F0E4.15@cc.univie.ac.at>; from woeber@cc.univie.ac.at on Thu, Sep 11, 2003 at 06:35:20PM +0200
References: <00A25C1B.EB01F0E4.15@cc.univie.ac.at>
Message-ID: <20030911184106.N67740@Space.Net>

Hi,

On Thu, Sep 11, 2003 at 06:35:20PM +0200, Wilfried Woeber, UniVie/ACOnet wrote:
> And there's the Enterprise registry thing, which is not meant to get
> (additional) address space allocated/assigned by the NCC. (Again, I
> _think_ this type doesn't give you voting rights, but I may be wrong).

Dunno about last time's AGM, but in the next AGM with voting, Enterprise LIRs will be "extra small", and have one vote - one member, one vote.

Gert Doering
        -- NetMaster
--
Total number of prefixes smaller than registry allocations: 56833 (55575)

SpaceNet AG                 Mail: netmaster at Space.Net
Joseph-Dollinger-Bogen 14   Tel : +49-89-32356-0
80807 Muenchen              Fax : +49-89-32356-299

From jochem at ripe.net Fri Sep 12 10:23:38 2003
From: jochem at ripe.net (Jochem de Ruig)
Date: Fri, 12 Sep 2003 10:23:38 +0200
Subject: [ncc-services-wg] Re: [dns-wg] Re: dnsmon / .org
In-Reply-To: <20030911184106.N67740@Space.Net>
References: <00A25C1B.EB01F0E4.15@cc.univie.ac.at> <00A25C1B.EB01F0E4.15@cc.univie.ac.at>
Message-ID: <5.2.1.1.2.20030912081409.02fe0388@mailhost.ripe.net>

Dear Gert/Wilfried,

For clarification. The Enterprise membership will cease to exist in 2004. The current Enterprise members will therefore be treated exactly the way the other members are treated. We will calculate the score for each member on the basis of the approved algorithm and they will fall into a billing category depending on the number of allocations/assignments and on the age of the allocation/assignment.

Current Enterprise members will like all other members get 1 vote with the new articles of association.

Kind regards,

Jochem de Ruig
RIPE NCC

At 06:41 PM 9/11/2003 +0200, Gert Doering wrote:
>Hi,
>
>On Thu, Sep 11, 2003 at 06:35:20PM +0200, Wilfried Woeber, UniVie/ACOnet
>wrote:
> > And there's the Enterprise registry thing, which is not meant to get
> > (additional) address space allocated/assigned by the NCC. (Again, I
> > _think_ this type doesn't give you voting rights, but I may be wrong).
>
>Dunno about last time's AGM, but in the next AGM with voting, Enterprise
>LIRs will be "extra small", and have one vote - one member, one vote.
>
>Gert Doering
>         -- NetMaster
>--
>Total number of prefixes smaller than registry allocations: 56833 (55575)
>
>SpaceNet AG                 Mail: netmaster at Space.Net
>Joseph-Dollinger-Bogen 14   Tel : +49-89-32356-0
>80807 Muenchen              Fax : +49-89-32356-299

From woeber at cc.univie.ac.at Fri Sep 12 15:31:54 2003
From: woeber at cc.univie.ac.at (Wilfried Woeber, UniVie/ACOnet)
Date: Fri, 12 Sep 2003 15:31:54 +0200
Subject: [ncc-services-wg] Re: dnsmon / .org
Message-ID: <00A25CCB.757541F4.30@cc.univie.ac.at>

I fail to see an "obvious", structural relationship between a LIR and the parties responsible for the reliable operation of a ccTLD name service?

Wilfried.
______________________________________________________________________

>At 11:36 AM 10-09-03 +0200, Daniel Karrenberg wrote:
>>On 10.09 12:18, Hank Nussbacher wrote:
>>
>> > RIPE NCC should only monitor those ccTLDs that are LIRs or that their LIR
>> > is willing to endorse. -Hank
>>
>>I like the principle. However ....
>>
>>How would this endorsement be determined?
>
>Each LIR would be entitled to one ccTLD to be monitored. Most won't need
>it. Assuming there are about 50 countries in the RIPE area, and about 3500
>LIRs, I am sure that one can find a LIR to support a ccTLD to be
>monitored. That means that the other countries in ARIN/APNIC/LACNIC would
>have to fund their own service.
>
>-Hank
>LIR: il.iucc

From pdg at euroconnect.fr Mon Sep 15 12:09:38 2003
From: pdg at euroconnect.fr (Pascal Julienne)
Date: Mon, 15 Sep 2003 12:09:38 +0200
Subject: [ncc-services-wg] Re: [dns-wg] Re: dnsmon / .org
In-Reply-To: <876ECBE8-E446-11D7-B9B3-003065521028@psg.com>
Message-ID: <030b01c37b71$79a95fd0$0a0710ac@pdg>

I haven't meant to establish the fee schedule. I just gave an example of how this could work. The pricing formula and the different services one might want to offer would have to be studied more. To me it is just good economic principle to offer different rates and different services and that the money gotten goes toward these services.

As far as EU is concerned, yes I am aware that RIPE takes care of more than EU but I don't think it is an obstacle. In fact I think EU has to spend money for Africa for instance and a non profit organisation should be a good candidate for grant.

I also think that EU conditions are not something to be worried about. Being blind about what their conditions are would be crazy but it is just as crazy to be an EU wide organisation dealing with a subject that is one of the factor of economic growth and not have a financial support from it. EU spends zillions on things which to me are much less important than what the RIPE can do and which surely aren't a key component of growth. And even if we forget about growth but only talk about social activities, the internet is also a factor of social welfare.

Lately on the different mailing lists there has been a lot of talks about RIPE costs, Fees, economics, internet being more and more a factor in the economy, etc yet at the same time I see little discussion on marketing aspects, sales, normal accounting practices (analyzing what income comes in, for what and what are the real costs).

I sure don't mean to be over critical because I appreciate the RIPE and what it does but it seems to me that non-profit is viewed as non-business. That is not the case, one can be non-profit yet deal in costs and pricing issues, marketing, etc and ALSO financial relationship with government institution. In short be a full fledge business which makes money that is reinvested in its operating and not distributed as profit.

Pascal Julienne
EURO CONNECT SA
130, rue du Bourg-Bele - BP 21099 - 72001 LE MANS Cedex 1 - FRANCE
Tel : (33) 02 43 14 12 76 - Fax : (33) 02 43 14 12 77
http://www.euroconnect.fr

-----Original Message-----
From: ncc-services-wg-admin at ripe.net [mailto:ncc-services-wg-admin at ripe.net] On behalf of Joao Luis Silva Damas
Sent: Thursday, 11 September 2003 12:56
To: Pascal Julienne
Cc: 'RIPE NCC Services WG'; Marlene COUILLEAUX (E-mail)
Subject: Re: [ncc-services-wg] Re: [dns-wg] Re: dnsmon / .org

On Thursday, September 11, 2003, at 10:56 AM, Pascal Julienne wrote:

> David,
>
> You can't talk about monopoly when you refer to a non profit
> organisation.
> If I follow your line of thought then many other European
> organisations are
> also monopolies and should draw attention. In that case, we better
> all go
> to Cancun instead of the next RIPE meeting.
>
> I think the real question is how could the RIPE cater to ALL of its
> members.
>
> So say:
>
> 1) You have a basic fee for a basic service
> 2) You have options which you can subscribe to or not - for instance
> if you
> want informations on traffic then you have to participate financially.
>
> This would mean that as far as IP registering all members would pay a
> common
> fee (which still could be separated in small, large, etc.) and that the
> money obtained from this would go to registry services and a bit of
> the
> overall RIPE structure.
>

Under this suggestion, would one be able to pay only for the co-ordination services and not the registration ones?

Suppose I want to support the RIPE Routing Registry, plus dnsmon and possibly attend a dnssec course but I am not interested in registration services (because, for instance, the current policy does not allow me to get addresses from the RIR function of the NCC).

The NCC has more to offer than just registration services, in the area of co-ordination. Co-ordination usually requires a party that is not one of the co-ordinated ones.

> For the rest of the services, they would have to be financed by those
> who
> want them. Again what is paid by those would go into a separate slot
> and
> would finance their needs.
>
> However, if the RIPE is also recognized by EU institutions as THE
> central
> body then some grants should be obtainable from the EU to work on EU
> projects related to services the RIPE can offer. If such grants are
> obtained, then it is tax money from all EU citizens which finance some
> overall EU/RIPE activities which the RIPE is probably the best body in
> EU to
> do.
>

In general, EU money tends to come with EU conditions. Careful consideration should be given to something like this. In addition, the RIPE NCC service region is broader than just the EU, something that sometimes is forgotten by all involved.

Joao

From joao at isc.org Mon Sep 15 13:49:23 2003
From: joao at isc.org (Joao Damas)
Date: Mon, 15 Sep 2003 13:49:23 +0200
Subject: [ncc-services-wg] Re: [dns-wg] Re: dnsmon / .org
In-Reply-To: <030b01c37b71$79a95fd0$0a0710ac@pdg>
Message-ID:

On Monday, September 15, 2003, at 12:09 PM, Pascal Julienne wrote:

> I haven't meant to establish the fee schedule. I just gave an example
> of
> how this could work. The pricing formula and the different services one
> might want to offer would have to be studied more. To me it is just
> good
> economic principle to offer different rates and different services and
> that
> the money gotten goes toward these services.

The point I was trying to make is that if you really want to have packages, not everyone will be interested in access to registration services. There are organisations interested in coordination activities carried out by the RIPE NCC while at the same time not wanting to become an LIR. This just illustrates the fact that the RIPE NCC, while performing the RIR function for the RIPE region, is more than an LIR. Perhaps it is worth spending some time looking at the feasibility (or not) of service packages in the context of the RIPE NCC, keeping in mind some basics needs such as the need for stability already expressed by Daniel.

>
> As far as EU is concerned, yes I am aware that RIPE takes care of more
> than
> EU but I don't think it is an obstacle. In fact I think EU has to spend
> money for Africa for instance and a non profit organisation should be
> a good
> candidate for grant.
>

Certainly, the EU could spend some money in Africa. I am sure a lot of European citizens would agree with that statement.

>
> Lately on the different mailing lists there has been a lot of talks
> about
> RIPE costs, Fees, economics, internet being more and more a factor in
> the
> economy, etc yet at the same time I see little discussion on marketing
> aspects, sales, normal accounting practices (analyzing what income
> comes in,
> for what and what are the real costs).

I agree, though perhaps sales is not the best word to describe activities in this context and marketing is what has frequently been called outreach.

>
> I sure don't mean to be over critical because I appreciate the RIPE
> and what
> it does but it seems to me that non-profit is viewed as non-business.
> That
> is not the case, one can be non-profit yet deal in costs and pricing
> issues,
> marketing, etc and ALSO financial relationship with government
> institution.
> In short be a full fledge business which makes money that is
> reinvested in
> its operating and not distributed as profit.

From my personal point of view, it is quite OK to be critical about RIPE and the RIPE NCC, as long as the criticism is constructive. I don't personally appreciate the responses of people who seem to take any sort of opinion expressed about RIPE requesting improvement as a direct attack.

Cheers,
Joao

From katie at ripe.net Thu Sep 18 09:36:26 2003
From: katie at ripe.net (Katie Petrusha)
Date: Thu, 18 Sep 2003 09:36:26 +0200
Subject: [ncc-services-wg] Proposed change of "mnt-lower:" behaviour: procedure and timelines
Message-ID: <20030918073626.GA3832@ripe.net>

[Apologies for duplicate messages]

Dear colleagues,

In March 2003, the RIPE NCC circulated the proposal to change the behaviour of the "mnt-lower:" attribute in inetnum, inet6num and domain objects.

Currently, if the "mnt-lower" attribute of a parent object is absent, anybody can create more-specific objects. The goal is to change this behaviour to a more secure Routing Policy System Security (RPSS) style scheme. In RPSS, objects use "mnt-lower:" to specify a maintainer which has the ability to authorise the creation of more-specific objects. If a "mnt-lower:" attribute is not present, then the "mnt-by:" of the less-specific object is used. A similar scheme is already used for route object creation ("mnt-routes:" attribute).

As inetnum objects representing allocations are maintained by the RIPE NCC, deployment of this scheme may not allow LIRs to create assignments from their allocation if the LIR does not have a "mnt-lower:" attribute pointing to the LIR's maintainer.

To solve this problem, allocation objects have to be modified to include a "mnt-lower" attribute. We have applied certain heuristics to determine the most suitable maintainer for an allocation. If there is no maintainer, a new maintainer will be generated.

Details about project assumptions and heuristics were presented at RIPE 46:
http://www.ripe.net/ripe/meetings/ripe-46/presentations/ripe46-db-allocations-and-mnt-lower.pdf

The initial proposal was sent in March 2003:
http://www.ripe.net/ripe/mail-archives/db-wg/2003/msg00033.html

The RIPE NCC suggests the following implementation plan:

Step 1. Distribute this plan for approval.
        Time: 2 weeks

Step 2. Notify contacts whose allocations need to be modified
        Wait for feedback and people making updates themselves
        Time: 1 month

Step 3. RIPE NCC will check all affected allocations again and update
        the ones still requiring modification, generating necessary
        maintainers and notifying contacts.
        Time: 1 day

Step 4. Passwords for generated maintainers made available through
        the LIR Portal. Wrong modifications can be corrected through
        the LIR Portal as well.
        Time: 1 day

Step 5. Deploy the change in the RIPE Whois Database Software to
        support new scheme.
        Time: to be announced

Any suggestions or comments on this plan are welcome.

If your allocation doesn't have a "mnt-lower:" attribute, we encourage you to update it as soon as possible through the LIR portal. If you don't have a "mnt-lower:" after this proposal has been implemented, you won't be able to create any new assignments for your allocations.

We believe that this change will be beneficial for all RIPE Whois Database users and we hope the migration will go as smoothly as possible.

Thanks for your co-operation.

Katie Petrusha
Database Group
RIPE NCC

From db-news at ripe.net Mon Sep 22 12:02:47 2003
From: db-news at ripe.net (DB-News)
Date: Mon, 22 Sep 2003 12:02:47 +0200
Subject: [ncc-services-wg] Organisation Object Proposal, version 3
Message-ID: <200309221002.h8MA2lJO021505@birch.ripe.net>

Dear Colleagues,

[apologies for duplicate messages]

After the discussions we had in the RIPE 46 Meeting and in the WG mailing lists, we have incorporated agreed modifications into organisation object proposal, which you can find below.
This is the Version 3 of the proposal. You can find the first version at
http://www.ripe.net/ripe/mail-archives/db-wg/2003/msg00013.html
the second version at
http://www.ripe.net/ripe/mail-archives/db-wg/2003/msg00159.html
and a summary of discussions on the second version at
http://www.ripe.net/ripe/mail-archives/db-wg/2003/msg00213.html

Thank you very much for your input on the issue.

Best regards,
--
Engin Gunduz
RIPE NCC Database Group

============================================================

An organisation object in the RIPE Database
--------------------------------------------

1. Motivation
-------------

Currently the RIPE Database stores two main types of contact information: person and role objects. The person and role objects provide a way to contact people responsible for operations or usage of the resources represented in the RIPE Database (IP blocks, autonomous systems, and domain names).

However, none of these provide an easy way of mapping resources to a particular organisation. A user must first find an object containing contact information for that organisation. Then, assuming all of the organisation's objects refer to this contact information, the user must perform an inverse query to obtain a list of objects referencing the specified person or role. This indirect process can be somewhat obscure and therefore a request for a more direct way of attaching an object to an organisation is seen as a useful addition to the RIPE Database.

This document is a proposal for an organisation object in the RIPE Database and the necessary database functionality.

2. The organisation object
--------------------------

The organisation object provides information identifying an organisation such as a company, charity or university, that is a holder of a network resource whose data is stored in the RIPE Database. The organisation object is identified by a unique ID specified in the "organisation:" attribute which is the primary key.

An organisation object can be referenced from other objects using an "org:" attribute. All objects associated with a particular organisation ID can be retrieved by performing an "inverse query" for this ID used in the "org:" attribute of database objects.

Following is a template for the proposed organisation object and an example. All attributes except the "ref-nfy:", "mnt-ref:", "organisation:", "org-name:", "org-type:" and "org:" have their usual meanings.

organisation:   [mandatory]  [single]     [primary/look-up key]
org-name:       [mandatory]  [single]     [look-up key]
org-type:       [mandatory]  [single]     [ ]
descr:          [optional]   [multiple]   [ ]
remarks:        [optional]   [multiple]   [ ]
address:        [mandatory]  [multiple]   [ ]
country:        [mandatory]  [single]     [ ]
phone:          [optional]   [multiple]   [ ]
fax-no:         [optional]   [multiple]   [ ]
e-mail:         [mandatory]  [multiple]   [look-up key]
org:            [optional]   [multiple]   [inverse key]
admin-c:        [mandatory]  [multiple]   [inverse key]
tech-c:         [mandatory]  [multiple]   [inverse key]
ref-nfy:        [optional]   [multiple]   [inverse key]
mnt-ref:        [mandatory]  [multiple]   [inverse key]
notify:         [optional]   [multiple]   [inverse key]
mnt-by:         [mandatory]  [multiple]   [inverse key]
changed:        [mandatory]  [multiple]   [ ]
source:         [mandatory]  [single]     [ ]

3. New attributes
-----------------

"organisation:"

   Specifies the ID of an organisation object. An organisation ID is made up of 'ORG-' prefix, followed by 2 to 4 letters, digits, a dash and is followed by the database source (in the RIPE Whois Database this is 'RIPE'). For example:

      ORG-RT34-RIPE

   Note that all parts are mandatory, thus ORG-RT-RIPE would be an invalid ID as it is missing the numeric part.

   Organisation object IDs are auto-generated similar to the way person/role "nic-hdl:" attributes are auto-generated. The user has to specify the ID of an organisation object as ORG-AUTO- during creation of the object, then it will be assigned an appropriate ID. The organisation ID is assigned using the "org-name:" attribute of the object.
   The user can specify the letter combination he/she prefers. For example if the user wants TTR as the letter combination, in the organisation ID, then ORG-AUTO-1TTR should be put into "organisation:" attribute during the creation of the object.

   The organisation ID cannot be reused. If an organisation ID was used in the past by an organisation object and then deleted, this ID cannot be used in new organisation objects.

   The auto-generation of organisation IDs and preventing reuse of them simplifies the external references.

   Note that when an organisation changes name, the "org-name:" can be modified accordingly. There is no need to change the organisation ID.

"org-name:"

   Specifies the name of the organisation that this organisation object represents in the whois database. This is an ASCII-only text attribute. The restriction is because this attribute is a look-up key and the whois protocol does not allow specifying character sets in queries. The user can put the name of the organisation in non-ASCII character sets in the "descr:" attribute if required.

"org-type:"

   Specifies the type of the organisation. The possible values are 'IANA' for Internet Assigned Numbers Authority, 'RIR' for Regional Internet Registries, 'NIR' for National Internet Registries, 'LIR' for Local Internet Registries, and 'NON-REGISTRY' for all other organisations.

"ref-nfy:"

   Specifies the e-mail address to be notified when a reference to the organisation object is added or removed. An e-mail address as defined in RFC 2822.

"mnt-ref:"

   Specifies the maintainer objects that are entitled to add references to the organisation object from other objects.

"country:"

   Specifies the two-letter ISO3166 country code of the country where this organisation resides.

"address:"

   Specifies the address of the organisation. This is a free-text attribute.

"org:"

   May be included in any object type.
   It points to an existing organisation object representing the entity that holds the resource, in the cases where the whois DB object represents an Internet resource. In other objects, it can be used to specify the business relations. The value of this attribute is the ID of the organisation object. It is mandatory in the inetnum and inet6num objects with "ALLOCATED-BY-IANA", "ALLOCATED-BY-RIR", "ALLOCATED-BY-RIR NON-PORTABLE", "ALLOCATED-BY-RIR PORTABLE" and "ALLOCATED-BY-RIR UNSPECIFIED" values. It is optional in all other objects.

   "org:" attribute is single-valued in the inetnum, inet6num and aut-num objects, and it is multi-valued in all other objects. The "org:" attribute is used to specify the holder of a resource in inetnum, inet6num and aut-num objects, thus it must be single-valued in them. In other objects, it specifies business relations (like in a person object, where it can be used to specify whom the person works for) it can be multiple (in the person object example, a person might work for several companies).

4. Authorisation checks
-----------------------

When modifying an organisation object the update must pass authorisation checks specified by one of the mntners listed in the "mnt-by:" attributes of the organisation object.

When adding an "org:" attribute to an object, the update of the object should pass the following authorisation checks:

 - from one of the maintainers in the "mnt-ref:" attributes of the organisation object
 - from one of the maintainers in the "mnt-by:" attributes of the object being updated

5. Query changes
----------------

If a whois query returns an object with an "org:" attribute, the organisation object mentioned in this attribute is also appended to the query results. This behaviour can be disabled by using the '-r' flag in the query.

6. Examples
-----------

A basic organisation object:

organisation: ORG-RSIS54-RIPE
org-name:     Random Street Internet Services
org-type:     LIR
descr:        An example organisation
address:      Random St.
country:      NL
phone:        +31 123 4567
fax-no:       +31 123 4568
e-mail:       contact at example-org.net
admin-c:      EXAM1-RIPE
tech-c:       EXAM2-RIPE
notify:       ripe-mailbox at example-org.net
ref-nfy:      ripe-mailbox at example-org.net
mnt-ref:      EXAMPLE-MNT
mnt-by:       EXAMPLE-MNT
changed:      someguy at example-org.net 20030121
source:       RIPE

A network that references an organisation object:

inetnum:      192.168.86.0 - 192.168.86.255
netname:      EXAMPLE-NET-86
descr:        Sample network
org:          ORG-RSIS54-RIPE
country:      NL
admin-c:      JE1-RIPE
tech-c:       JE2-RIPE
status:       ALLOCATED-BY-RIR PORTABLE
mnt-by:       EXAMPLE-MNT
mnt-lower:    EXAMPLE-MNT
changed:      someguy at example-org.net 20030122
source:       RIPE

A query for this inetnum object:

% whois 192.168.86.251

inetnum:      192.168.86.0 - 192.168.86.255
netname:      EXAMPLE-NET-86
descr:        Sample network
org:          ORG-RSIS54-RIPE
country:      NL
admin-c:      JE1-RIPE
tech-c:       JE2-RIPE
[...]
source:       RIPE

organisation: ORG-RSIS54-RIPE
org-name:     Random Street Internet Services
org-type:     LIR
descr:        An example organisation
address:      Random St.
address:      The Netherlands
phone:        +31 123 4567
fax-no:       +31 123 4568
e-mail:       contact at example-org.net
admin-c:      EXAM1-RIPE
tech-c:       EXAM2-RIPE
[...]
source:       RIPE

person:       John Example
nic-hdl:      JE1-RIPE
[...]
source:       RIPE

person:       John Example Jr
nic-hdl:      JE2-RIPE
[...]
source:       RIPE

From henk at ripe.net Thu Sep 25 11:14:36 2003
From: henk at ripe.net (Henk Uijterwaal (RIPE-NCC))
Date: Thu, 25 Sep 2003 11:14:36 +0200 (CEST)
Subject: [ncc-services-wg] New service: ip2asn
In-Reply-To: <5.1.0.14.2.20030910101427.00aaa3d8@max.att.net.il>
Message-ID:

Dear Hank,

On Wed, 10 Sep 2003, Hank Nussbacher wrote:

> Can the RIPE NCC TTM group explain why such a service is needed when
> there are other packages available that do similar things?

Short summary.
============== Ip2asn is built as an internal tool in response to requirements raised inside the TTM WG. It is used to put ASN information into TTM products. Making this mapping function available externally is not much work at all. We know of no similar service that meets this particular need. Long version: ============= For starters, I disagree with the statement that this is a new service that was not approved by anybody beforehand. The TT-WG was set up for various reasons. One of them was to provide a forum where (paying) customers of the TTM service can learn about the development plans for the project and provide feedback. The issue of IP-AS mappings has been discussed several times in the last years, our plans have been presented at previous meetings, and the presentation that you are referring to, was in fact the outcome of a specific question raised in the WG. For those who haven't followed the TT-WG, let me briefly summarize what happened in the past: Since the start of the service, TTM has provided the IP-level path that a packet takes when traveling from source to destination based on traceroute-like probes. One frequently see changes in these paths. These changes can be caused by many things, but amongst the most common are: 1. Traffic is routed through different routers of the same upstream provider. (For example, when load balancing schemes are in use). 2. Traffic is routed through a different upstream provider. In order to quickly distinguish between #1 and #2, one can look at which AS the IP-addresses in the path belong to. This requires a mapping of IP-addresses to AS-numbers, at the time that the IP-trace was taken (as IP blocks may move from one AS to another over time). Sometime in 2002, we therefor added a column in the output showing the AS that every IP address belonged to. This mapping was based on whois queries. 
When this was presented to the TT-WG, the (valid) question was raised how accurate this mapping was and if it wouldn't be better to use a routing-table based approach. As we, nor anybody in the audience, knew the answer, we (the RIPE NCC TTM-group) agreed with the TT-WG to study this. The talk you are referring to is the direct result of this question. >From your previous postings, I have understood that you do not like the current model where every WG can ask the RIPE NCC for specific actions. However, this was the procedure at the time. Even with the advent of the NCC-services WG it appears to us as the correct procedure for something like this, because it is germane to the TT-WG and does not involve a significant amount of resources. Anyway, the conclusion from this study was that the IRR only produces the correct mapping in about 80%, switching to an approach based on routing tables (i.e. the RIS) increases that percentage to about 99%. Obviously, the more accurate the results, the more useful the output, and the conclusion looked simple: the TTM service should switch to a routing table based approach for IP to AS mappings. Implementation ============== Besides being accurate, the implementation also has to be fast, as we have to process 4000 to 5000 different IP addresses in a relatively short time. We also believe that we should use routing tables that we are already collecting for the RIS, this in order to ensure that data from one RIPE NCC service (TTM) is consistent with another. This will also give a performance boost, as all data resides on 1 local network. The best way to accomplish this, appears to be a daemon that loads all information into memory. serves queries and refreshes itself at regular intervals. Other tools =========== We were fully aware that other tools existed to do this job, but we believe that none of them meets our requirements. 
For the ones that you list: 0) Both NANOG traceroute and lft have a -A switch but get the prefix data from a routing registry (whois.ra.net) which has been shown to be incomplete, out of date, not maintained 1) http://www.cymru.com/Tools/getorgasn2.pl Relies on access to a router. comments: one router does not necessarily see all prefixes and origins one needs to combine data collected from various vantage points (RIS collectors, route-view peers) performance: each lookup is done with a 'sh ip bgp $prefix' command on the router, won't scale to thousands of lookups (or hurt router performance) 2) Net::Patricia Create ASCII prefix/AS table from a source of routing information (route-views quoted), use Net::Patricia to lookup. Comments: the idea is good, but the ASCII data and perl make it too slow. An ip2asn server at RIPE NCC could parse the data from RIS, keep everything in memory and refresh info daily. 3) "Routeviews project now has a test/static asn zone up that you can try" % dig @archive.routeviews.org 13.142.223.128.asn.routeviews.org txt comments: interesting idea but at the time it was still under development. strange replies on non-matched IPs, e.g. try host -t txt 7.227.290.195.asn.routeviews.org This could be a solution for traceroute, but in TTM we skip time consuming dns lookups on the testboxes and do offline processing; performing thousands of dns lookups for ip2as there will likely take too long too. 4) ip2asn scripts from Stephen Gill - starting from BGP table dump - contacting route server comments: BGP table dump covered above (good start, but not complete and ASCII is slow), route server is slow, won't scale to thousands of queries Why make this a service? ======================== Mapping IP to AS can be used in many tools, both that are published in the public domain as in tools used inside LIR's only. All these tools will benefit from more accurate data. 
To use a routing based IP-AS mapping for TTM, we need to develop and maintain some amount of code. Adding an interface to access the same data from the outside, requires very little additional work. In fact, I think that we'd be doing the community a dis-service if we would not make this tool available to everybody.

Henk (with the help of Rene, Daniel and the rest of the TTM group)

------------------------------------------------------------------------------
Henk Uijterwaal                           Email: henk.uijterwaal at ripe.net
RIPE Network Coordination Centre            WWW: http://www.ripe.net/home/henk
P.O.Box 10096          Singel 258         Phone: +31.20.5354414
1001 EB Amsterdam      1016 AB Amsterdam    Fax: +31.20.5354445
The Netherlands        The Netherlands   Mobile: +31.6.55861746
------------------------------------------------------------------------------

That problem that we weren't having yesterday, is it better? (Big ISP NOC)

From peter.galbavy at knowtion.net Thu Sep 25 13:29:16 2003
From: peter.galbavy at knowtion.net (Peter Galbavy)
Date: Thu, 25 Sep 2003 12:29:16 +0100
Subject: [ncc-services-wg] New service: ip2asn
References:
Message-ID: <016401c38358$40fd7920$2f28a8c0@cblan.mblox.com>

Henk Uijterwaal (RIPE-NCC) wrote:
> Why make this a service?
> ========================
>
> Mapping IP to AS can be used in many tools, both that are published
> in the public domain as in tools used inside LIR's only. All these
> tools will benefit from more accurate data.
>
> To use a routing based IP-AS mapping for TTM, we need to develop and
> maintain some amount of code. Adding an interface to access the same
> data from the outside, requires very little additional work. In
> fact, I think that we'd be doing the community a dis-service if we
> would not make this
> tool available to everybody.

I *assume* that the development of this service will be funded 100% by the paying customers of the TTM and that any benefit that RIPE members will gain will be as a pleasant and cost-free side effect ?

If not, why not ?
Peter

From woeber at cc.univie.ac.at Thu Sep 25 14:10:55 2003
From: woeber at cc.univie.ac.at (Wilfried Woeber, UniVie/ACOnet)
Date: Thu, 25 Sep 2003 14:10:55 +0200
Subject: [ncc-services-wg] New service: ip2asn
Message-ID: <00A266F7.4C75ABB4.6@cc.univie.ac.at>

>I *assume* that the development of this service will be funded 100% by the
>paying customers of the TTM and that any benefit that RIPE members will gain
>will be as a pleasant and cost-free side effect ?
>
>If not, why not ?
>
>Peter

As this is talking money, benefits (or not) and activities of the NCC again, could we/you please try to use the proper terms?! Otherwise we get more confusion than we can handle.

- RIPE does not have members.
  RIPE is the vehicle to support participation of the community in activities related to the Internet in our region.

- the individuals participating in RIPE do _not_ pay anything (other than in relation to attending RIPE meetings).

- the RIPE _NCC_ is a membership organisation.
  Members do have a service contract with the NCC and pay for _all_ services rendered by the NCC; i.e. including those which are available to the users and organisations on the Internet.

Thanks for your consideration.
Regards,
_________________________________:_____________________________________
Wilfried Woeber                  :  e-mail: Woeber at CC.UniVie.ac.at
UniVie Computer Center - ACOnet  :  Tel: +43 1 4277 - 140 33
Universitaetsstrasse 7           :  Fax: +43 1 4277 - 9 140
A-1010 Vienna, Austria, Europe   :  RIPE-DB: WW144, PGP keyID 0xF0ACB369
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~:~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From hank at att.net.il Thu Sep 25 15:19:22 2003
From: hank at att.net.il (Hank Nussbacher)
Date: Thu, 25 Sep 2003 15:19:22 +0200
Subject: [ncc-services-wg] New service: ip2asn
In-Reply-To:
References: <5.1.0.14.2.20030910101427.00aaa3d8@max.att.net.il>
Message-ID: <5.1.0.14.2.20030925150855.00acc708@max.att.net.il>

At 11:14 AM 25-09-03 +0200, Henk Uijterwaal (RIPE-NCC) wrote:

>For starters, I disagree with the statement that this is a new service
>that was not approved by anybody beforehand. The TT-WG was set up for

Huh? I made that statement? I said "Another new service I'd like to discuss is the TTM ip2asn service as presented at RIPE-46: http://www.ripe.net/ripe/meetings/ripe-46/presentations/ripe46-tt-as-traceroutes.pdf"

I think you are reading things that are not quite there.

>From your previous postings, I have understood that you do not like the
>current model where every WG can ask the RIPE NCC for specific actions.
>However, this was the procedure at the time. Even with the advent of the
>NCC-services WG it appears to us as the correct procedure for something
>like this, because it is germane to the TT-WG and does not involve
>a significant amount of resources.

From: http://www.ripe.net/ripe/wg/ncc-services/index.html#charter

The aim of this WG would be to discuss at least the following:
- performance of existing services
- introduction of new services, new tools
- an ongoing evaluation of the RIPE NCC Activity Plan

Is it the RIPE NCC's view that this charter is no longer valid and the text for bullet #2 should instead be "introduction of new services, new tools that involve a significant amount of resources"?

>------------------------------------------------------------------------------
>Henk Uijterwaal                           Email: henk.uijterwaal at ripe.net
>RIPE Network Coordination Centre            WWW: http://www.ripe.net/home/henk
>P.O.Box 10096          Singel 258         Phone: +31.20.5354414
>1001 EB Amsterdam      1016 AB Amsterdam    Fax: +31.20.5354445
>The Netherlands        The Netherlands   Mobile: +31.6.55861746
>------------------------------------------------------------------------------
>
>That problem that we weren't having yesterday, is it better? (Big ISP NOC)

-Hank

From peter.galbavy at knowtion.net Thu Sep 25 15:36:55 2003
From: peter.galbavy at knowtion.net (Peter Galbavy)
Date: Thu, 25 Sep 2003 14:36:55 +0100
Subject: [ncc-services-wg] New service: ip2asn
References: <00A266F7.4C75ABB4.6@cc.univie.ac.at>
Message-ID: <020101c3836a$15e1d6c0$2f28a8c0@cblan.mblox.com>

Wilfried Woeber, UniVie/ACOnet wrote:
> As this is talking money, benefits (or not) and activities of the
> NCC again, could we/you please try to use the proper terms?!
> Otherwise we get more confusion than we can handle.

Please see previous threads where my pointed comments about the "management" and self-interest at RIPE use these distinctions to hide monetary and other activities from those who pay for them - i.e. us.

I see no real life, day to day, distinction between RIPE and RIPE NCC.

Peter

From cfriacas at fccn.pt Mon Sep 29 09:23:16 2003
From: cfriacas at fccn.pt (Carlos Friacas)
Date: Mon, 29 Sep 2003 08:23:16 +0100 (WEST)
Subject: [ncc-services-wg] New service: ip2asn
In-Reply-To: <020101c3836a$15e1d6c0$2f28a8c0@cblan.mblox.com>
References: <00A266F7.4C75ABB4.6@cc.univie.ac.at> <020101c3836a$15e1d6c0$2f28a8c0@cblan.mblox.com>
Message-ID:

On Thu, 25 Sep 2003, Peter Galbavy wrote:

(...)
> I see no real life, day to day, distinction between RIPE and RIPE NCC.
>
> Peter

As far as I read it:

RIPE = People using/managing/whatever IP networks in "Europe Service Region" (and also some people with their own opinions from outside the region)

RIPE NCC = People working in Singel, 258, Amsterdam. They carry out the guidelines issued by "RIPE".

Example: You and me belong on the first definition. If we think a policy (or the way it is being carried out) is wrong, we can raise the discussion, and eventually get it changed. If you can't change people's minds (those in RIPE, not RIPE/NCC) you will not be able to change policies (because RIPE works in the meetings as a "raise-your-hand" democracy).

Regards,

./Carlos "Upgrade the Internet! -- Now!"
-------------- [http://www.ip6.fccn.pt] http://www.fccn.pt
, CMF8-RIPE, CF596-ARIN, Wide Area Network Workgroup
FCCN - Fundacao para a Computacao Cientifica Nacional fax:+351 218472167

"Internet is just routes (125953/461), naming (millions) and... people!"

From JOE at OREGON.UOREGON.EDU Sat Sep 27 02:51:23 2003
From: JOE at OREGON.UOREGON.EDU (Joe St Sauver)
Date: Fri, 26 Sep 2003 17:51:23 -0700 (PDT)
Subject: [ncc-services-wg] New service: ip2asn
Message-ID: <01L14NDJHPQ88WX40K@OREGON.UOREGON.EDU>

Hi,

#3) "Routeviews project now has a test/static asn zone up that you can try"
#
# % dig @archive.routeviews.org 13.142.223.128.asn.routeviews.org txt
#
# comments: interesting idea but at the time it was still under
# development.

It's a production service now, and gets rebuilt and reloaded twice a day; DMM announced it on NANOG, for example.

The comment was also offered:

# strange replies on non-matched IPs, e.g. try
# host -t txt 7.227.290.195.asn.routeviews.org

Zen-like question: for dotted quads not in the routing table, what *should* be returned?

One postulated answer: 4294967295 ==> "route not in table"

You could pick some other "magic" number, but I think this one should serve the purpose just fine.
:-)

Regarding the other ip2asn methods, I'm happy having a thousand methods bloom, so long as they enhance the ability of folks to tie dotted quads to a relevant responsible entity. :-)

Regards,

Joe

P.S. Also note that in addition to the asn zone, an aspath zone is also available, provided in part to deal with any attempt to interpose "throw away" stub ASNs to shelter "real" ASNs; it is available by querying

host -t txt $revip.aspath.routeviews.org

Be sure to anticipate and plan for the possibility of multiple aspath txt records being returned in response to a query.

From kurtis at kurtis.pp.se Tue Sep 30 22:04:31 2003
From: kurtis at kurtis.pp.se (Kurt Erik Lindqvist)
Date: Tue, 30 Sep 2003 22:04:31 +0200
Subject: [ncc-services-wg] Fwd: RIPE 46 - Minutes of Ripe NCC Services WG
Message-ID: <4E053664-F381-11D7-B967-0003936663F8@kurtis.pp.se>

Please send corrections / comments.

Best regards,

- kurtis -

Begin forwarded message:

> From: Sabrina Wilmot
> Date: mån sep 29, 2003 13:06:11 Europe/Stockholm
> To: Kurt Erik Lindqvist
> Subject: RIPE 46 - Minutes of Ripe NCC Services WG
>
> Hi Kurtis,
>
> Please find below the minutes of the Ripe NCC Services WG at RIPE 46.
>
> Regards,
> Sabrina
> RIPE NCC
>
>
>> RIPE 46, Amsterdam
>>
>> Working Group: Ripe NCC Services
>> Chair: Kurt Erik Lindqvist
>> Scribe: Isabel Pinto Coelho Sena
>>
>> Agenda:
>>
>> Slot 1, Tuesday 2/9 14.00-15.30
>>
>> 1. NCC Services WG Charter (Kurtis)
>> 2. RIPE NCC Services Direction (Axel Pawlik)
>>    Service level and activities 2004
>> 3. RIPE NCC Information Services
>> 4. Discussion & input time / Open Mic session
>>
>> Slot 2, Thursday 4/9 11.00-12.30
>>
>> 5. Presentation on X.509 and certificates (Dirk-Willem van Gulik).
>>    Discussions around the x.509 implementation of the RIPE NCC
>>    and what other RIRs have done.
>> 6. DNS Services - Modification Plans
>> 7. Proposals from the community
>> 8. Discussion & input time / Open Mic session
>> X. AOB
>> Z. Close
>> ________________________________________________________________
>>
>> 1. NCC Services WG Charter
>>
>> WG Charter presented. No objections were made to its content.
>>
>> 2. RIPE NCC Services Direction (Axel Pawlik, Managing Director RIPE NCC)
>>    Service level and activities 2004
>>
>> See Axel's presentation at
>>
>> http://www.ripe.net/ripe/meetings/ripe-46/presentations/ripe46-nccserv-ncc-services.pdf
>>
>> Kurtis Lindqvist : Who has read/seen the Member Update?
>> [~20 people raised their hands]
>> Kurtis Lindqvist : Who here are Members?
>> [~60 people raised their hands]
>>
>> 3. RIPE NCC Information Services
>>
>> See Axel's previous presentation from slide 27 onwards
>>
>> http://www.ripe.net/ripe/meetings/ripe-46/presentations/ripe46-nccserv-ncc-services.pdf
>>
>> 4. Discussion & input time / Open Mic session
>>
>>
>> Kurtis Lindqvist : Are there any questions for Axel?
>> [No one had questions]
>>
>> Kurtis Lindqvist : I have one myself: You spoke of the data you have
>> that can be used to educate journalists, where do you want to push
>> them, just as a general awareness?
>>
>> Axel Pawlik (MD RIPE NCC): We want them to know that we are working
>> well, we want the industry to tell them "do not interfere, they work
>> well". As an example: name servers
>>
>> Kurtis Lindqvist: Any other questions?
>> [None were raised]
>>
>> Kurtis Lindqvist : please register for the GM
>>
>> Axel Pawlik : there was a heated discussion on the mailing lists?
>> None now?
>> [None responded]
>>
>> Rob Blokzijl (RIPE Chairman): I'm surprised that there is no one that
>> is willing to discuss the issues off the mailing-list, so I will bring
>> up 2 issues that were often discussed. First one is: Whether all these
>> services that the RIPE NCC offers are needed? I would like also to
>> point that there was no discussion on whether they are _useful_
>> however.
>> Then there was the issue of a flat fee financial
>> contribution versus a supermarket scenario? Meaning that one could
>> pick and choose the services one is willing to pay and have use for.
>>
>> Wilfried Woeber (Vienna University - ACOnet): I've observed through
>> the years another organization where the same discussion was going on
>> for years, started out as a flat fee and then some started to object
>> to this model. In the end, they found the most reasonable solution:
>> you buy all or nothing. It is difficult to find out which activities
>> are optional and which mandatory. Individual amount, increasing the
>> administration overhead that goes along with keeping up with this
>> supermarket model, this will not come for free... The complexity that
>> we might inject into the subject is not going to be easy. It also
>> splits the RIPE Community into 2 / 3 / 4 camps. Copyrighting on
>> certain Services, making people pay for copies. It will de-stabilise
>> the RIPE NCC and the Community.
>>
>> Kurtis Lindqvist: Well, a number of people are questioning the order
>> and priority of the activities.
>>
>> Rob Blokzijl (RIPE Chair): I hope that one of the results of having
>> this WG is to make people remember why certain services were created
>> in the past, as the NCC did not just come up on an idle afternoon with:
>> "let's create an activity". The NCC has always listened to the
>> Community's input. It might not have been clear as to where and when
>> the decisions were taken, that's why I'm glad we have this WG. Having
>> it, it is possible to revisit the past and re-evaluate current
>> services, although it might be more constructive to look at the future
>> and we can improve.
>>
>> Kurtis Lindqvist : How many of you have read the Activity Plan?
>> [~10 max raised their hands]
>> I'm concerned because some people on the mailing list indicated that
>> they can not influence the AP, but most here have not read it.
>>
>> Kurtis Lindqvist : If there are no other questions I'll see you all on
>> Thursday.
>>
>> FINISH
>>
>> NO ACTIONS
>>
>> _______________________________________________________________
>>
>> Slot 2, Thursday 4/9 11.00-12.30
>>
>> 5. Presentation on X.509 and certificates (by
>>    Dirk-Willem van Gulik - apache)
>>    Discussions around the x.509 implementation of the RIPE NCC
>>    and what other RIRs have done.
>> 6. DNS Services - Modification Plans (Olaf Kolkman)
>> 7. Proposals from the community
>> 8. Discussion & input time / Open Mic session
>> X. AOB
>> Z. Close
>>
>> ________________________________________________________________
>>
>> 5. Presentation on X.509 and certificates (by
>>    Dirk-Willem van Gulik - apache)
>>    Discussions around the x.509 implementation of the RIPE NCC
>>    and what other RIRs have done.
>>
>> Kurtis Lindqvist: As there were quite a lot of questions on the
>> mailing list about X.509, we will have a presentation about it and
>> also invite the other RIRs to explain what they are doing in their
>> region. Also, at the last session I forgot to mention that we might
>> require a co-chair, as it is mentioned in the charter.
>>
>> Dirk-Willem van Gulik: This presentation focuses mainly on the issue
>> of trust, not as much on the technical aspects of X.509
>>
>> http://www.ripe.net/ripe/meetings/ripe-46/presentations/ripe46-nccserv-pki-x509.pdf
>>
>> Kurtis Lindqvist : any questions ?
>> [None]
>>
>> Presentation by Andrei Robachevsky, Chief Technical Officer, Ripe NCC
>>
>> "PKI development at the RIPE NCC"
>> http://www.ripe.net/ripe/meetings/ripe-46/presentations/ripe46-nccserv-pki.pdf
>>
>> Kurtis Lindqvist: any questions?
>>
>> Taiji Kimura from JPNIC: are there plans for non-repudiation of the
>> query, validate queries to the DB?
>>
>> Andrei Robachevsky : no, this is not about the DB itself, but more
>> about correspondence with the NCC.
>>
>> Wilfried Woeber (DB WG Chair): We have been discussing whether we want
>> to introduce a system to tag objects in the DB with the auth method
>> that was used for the last update of the object. This is an idea that
>> we have been playing with, if the community wants this, then please
>> come forward with a plan.
>>
>> Wilfried Woeber: About integrating a Certification Authority across
>> RIRs, I would recommend to first try it in our region, find out if it
>> works well. I'm not a fan of having hierarchy in the trust
>> model. Individual registries should do it in their region, then we
>> find out what we need to cross the borders. I would not like RIRs to
>> all go to Verisign for instance.
>>
>> Janos Zsako (RIPE NCC Executive Board): about message signing, we live
>> with the assumptions that the db is in a secure server, so whether
>> after the modification/update with PKI the data is still stable is
>> questionable. We can store the update method, again assuming that the
>> db cannot be corrupted in the mean time. So we need a system that
>> verifies that the db has not been corrupted.
>>
>> Kurtis Lindqvist: in conclusion, issue is if queries and/or DB entries
>> must be signed, and whether the content of the DB is secure, but this
>> is maybe more a topic for the DB WG.
>>
>> ARIN - Ginny Listman:
>>
>> http://www.ripe.net/ripe/meetings/ripe-46/presentations/ripe46-nccserv-arin-x509.pdf
>>
>> APNIC - Anne Lord: we are doing the same as Ripe NCC, issuing
>> certificates for our equivalent of the LIR Portal, MyApnic. We have
>> issued 500 certificates so far.
>>
>> LACNIC Raul Echeberria: we would like to implement a certification
>> system before 2004. Right now we are still working on the budget that
>> would be needed for it.
>>
>> Kurtis Lindqvist: Thank you all.
>>
>> 6. DNS Services - Modification Plans (Olaf Kolkman)
>>
>> http://www.ripe.net/ripe/meetings/ripe-46/presentations/ripe46-nccserv-rdns.pdf
>>
>> Kurtis Lindqvist : I like the idea, any questions ?
>> [None]
>>
>> 7. Proposals from the community
>> 8. Discussion & input time / Open Mic session
>>
>> Kurtis Lindqvist: Now we have the open mike session: floor is open. In
>> future sessions I would like to have people's presentations or
>> proposals in writing on the mailing list before they are presented at
>> RIPE Meetings
>>
>> Hank Nussbacher (IUCC): I have been asked by many people to speak up
>> during this WG as I have sent some emails to the mailing list. My view
>> is that a lot of the members had their budget cut and the NCC has not
>> had their budget cut in the same fashion. We are apathetic, 2250 euro
>> is not that much to warrant that people can spend 250 euro/1 hour of
>> their time on the mailing list. There are many good things in the NCC:
>> DB group is the world leader. But to evaluate how the NCC is spending
>> their money we need a more transparent Activity Plan. For instance for
>> the trainings, they are free of charge. I would like to know the
>> budget and man-power needed for these free trainings. Instead, its
>> budget is incorporated in the RS budget, there is no way to know how
>> much of that is used for the trainings, there is no break-down of the
>> costs. The TTM group, IRT - there has been nothing mentioned about it
>> at this meeting BTW - there is nothing about it in the AP, therefore
>> we do not know the manpower and budget it needs, the only way to know
>> for the membership is to have a break-down and it does not exist. 10
>> to 20 people have responded to my mails, which is not really enough to
>> know what the majority of the community thinks about these issues.
>>
>> Kurtis Lindqvist : yes, people do not care, like we saw at the last
>> session on Tuesday, that only a handful read the AP.
>> I guess the
>> majority is happy, but that is difficult to double-check, people do
>> not go on the mailing list only to say that they are happy. Next year
>> at the RIPE Meeting in May, the NCC will give more insight on the
>> budget & AP and there will be more time for comment before the Annual
>> Meeting 3 months later.
>>
>> Axel Pawlik: The level of detail we give in the financial report,
>> question is: how deep should we go into detail? For the trainings yes,
>> not so difficult. I will work together with the Board to see what we
>> can adapt. And I would like to clarify that the IRT is not really an
>> incident response team, it is not a separate team as such. It is an
>> activity.
>>
>> Hank Nussbacher : let's say that the TTM group costs a 300.000
>> euros/year, but we can get the same service from a commercial
>> company. Why not do a market survey before introducing a new activity?
>>
>> Axel Pawlik: About the TTM, there is a lot of info about it in the AP.
>>
>> Daniel Karrenberg: I worry because of economic problems. Training, if
>> the membership wants more transparency, OK, but whether it is really
>> necessary? Why train New LIRs, what do I care? As one of the persons
>> who started with these trainings, I would like to clarify that they
>> are not done only for the benefit of the trainee, but to the whole
>> community as well. Creating a well oiled community. The better things
>> work, the less interaction at the NCC. Also, the NCC would not be as
>> accepted without trainings. For many people, it is only by attending
>> the courses that they understand and accept the NCC's role. Just
>> looking at it from a financial point of view, if you do that too much,
>> you might risk the NCC as a whole organisation. You want and need the
>> NCC to be more stable than the rest of the members. The impact of the
>> NCC crumbling is a whole lot different.
>> I also would like to remind
>> people that one of the ways for us to ensure impartiality and
>> neutrality is by hiring international staff, this is expensive. Were
>> we to be driven only by financials, we would not hire from Turkey or
>> Africa. Yes, let's have a look at the financials, but let us not be
>> driven by it. Because it might be good for today, but not for
>> tomorrow.
>>
>> Kurtis Lindqvist: I agree, but showing the members the budget is not
>> saying that you are doing things bad. There are 2 issues:
>> 1) transparency on costs and
>> 2) evaluation of activities and how they benefit the community.
>>
>> Hank Nussbacher: Some services are excellent. But whether it benefits
>> the community that someone goes to all the ICANN Meetings, it is
>> needed, but the members might think it is not. In the same way that
>> the Membership would live, accept to still have mail-from auth, but we
>> have it better.
>>
>> Kurt Kayser (N-IX Nurnberg Internet eXchange) : About the trainings, a
>> while back I proposed to find partners in countries, we could offer
>> the service to train people in German, since we are very familiar with
>> all the policies & procedures. But I never heard anything about this
>> from the NCC.
>>
>> Axel Pawlik : We are looking at better ways of doing our
>> trainings. People like our trainings but it does not scale, your
>> proposal does scale. But how do we do it, how is that training
>> standardised, do we need to certify trainers ??? But we are definitely
>> looking at it.
>>
>> Daniel Bovio (RIPE NCC Board): Hank said that the "silent majority" do
>> not care to show up at meetings, or communicate on the
>> mailing-list. This is a problem, they do not know what the activities
>> are. We, the RIPE Community, have always been the main source for
>> ideas to the NCC and their activities. The Board needs to go on with
>> these activities anyway, try to involve members, find out what they
>> want, the survey was good in this respect.
>> This group is the main
>> source of the main ideas, there is a vast group that don't care,
>> others do and those end up leading where the ship is going. We do not
>> get enough feedback.
>>
>> Kurtis: Thank you all for coming
>>
>> FINISH
>>
>> NO ACTIONS
>>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: RIPE 46 -minutes NCC Services.doc
Type: application/msword
Size: 64512 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 174 bytes
Desc: not available
URL:
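The "New service: ip2asn" thread earlier in this archive describes answering IP-to-AS queries from routing-table data held in memory and combined from several vantage points, and asks what to return for an address no route covers. The following is an added example, not RIPE NCC's or Route Views' code: an IPv4 longest-prefix-match table in Python. The class and function names, the collector labels and the sample routes are constructed for illustration; the 4294967295 "route not in table" value is the one postulated in the thread.

```python
import ipaddress
from collections import defaultdict

# Value postulated in the thread for "route not in table".
NOT_IN_TABLE = 4294967295

# Constructed sample input: (vantage point, prefix, origin AS). Documentation
# prefixes and private-use ASNs; the collector labels are made up.
SAMPLE_ROUTES = [
    ("collector-a", "192.0.2.0/24", 64500),
    ("collector-a", "198.51.100.0/24", 64501),
    ("collector-b", "198.51.100.0/24", 64502),    # second origin, same prefix
    ("collector-b", "198.51.100.128/25", 64503),  # more specific, one peer only
    ("collector-b", "203.0.113.0/24", 64504),
]


class Ip2AsnTable:
    """In-memory IPv4 prefix table answering longest-prefix-match queries."""

    def __init__(self):
        self._by_len = {}    # prefix length -> {network as int: set of origins}
        self._lengths = []   # prefix lengths present, longest first

    def load(self, routes):
        """Build a fresh table from all vantage points, then swap it in.

        Building aside and swapping lets a periodic refresh replace the data
        without queries ever seeing a half-loaded table.
        """
        fresh = defaultdict(lambda: defaultdict(set))
        for _vantage, prefix, origin in routes:
            net = ipaddress.ip_network(prefix, strict=False)
            if net.version == 4:
                fresh[net.prefixlen][int(net.network_address)].add(origin)
        self._by_len = {plen: dict(nets) for plen, nets in fresh.items()}
        self._lengths = sorted(self._by_len, reverse=True)

    def lookup(self, ip):
        """Return (covering prefix, sorted origin ASNs) for one address.

        Malformed input raises ValueError instead of producing an answer;
        an address with no covering route yields (None, [NOT_IN_TABLE]).
        """
        addr = int(ipaddress.IPv4Address(ip))
        for plen in self._lengths:
            mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
            origins = self._by_len[plen].get(addr & mask)
            if origins:
                net = ipaddress.IPv4Network((addr & mask, plen))
                return str(net), sorted(origins)
        return None, [NOT_IN_TABLE]


def map_path(table, hops):
    """Map traceroute hop addresses to origin ASNs, one entry per hop.

    Unparseable hops become None so they stay distinguishable from
    well-formed addresses that are simply not routed.
    """
    result = []
    for hop in hops:
        try:
            result.append(table.lookup(hop)[1])
        except ValueError:
            result.append(None)
    return result


if __name__ == "__main__":
    table = Ip2AsnTable()
    table.load(SAMPLE_ROUTES)
    for ip in ("192.0.2.10", "198.51.100.5", "198.51.100.200", "10.1.2.3"):
        print(ip, table.lookup(ip))
```

A prefix announced by more than one origin returns every origin seen, so a consumer can flag the disagreement instead of silently picking one.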