From kurtis at kurtis.pp.se Wed May 1 21:14:56 2013
From: kurtis at kurtis.pp.se (Lindqvist Kurt Erik)
Date: Wed, 1 May 2013 21:14:56 +0200
Subject: [ncc-services-wg] NCC Services WG Draft Agenda - RIPE 66
In-Reply-To:
References: <9CB9C668-B967-42DC-A35B-78D12FEBD98B@euro-ix.net> <725E2825-FFA2-49B6-BA85-A18F1C2C765A@steffann.nl> <413A2102-1150-4E5C-8B5A-71D6945499F8@euro-ix.net>
Message-ID: <14F31CB1-DE92-47B1-B6F6-B29D402C85CC@kurtis.pp.se>

Hi Randy!

On 30 apr 2013, at 19:31, Randy Bush wrote:

> hi bijal,
>
>> F. Policy Update:
>> 2012-07 - RIPE NCC Services to Legacy Internet Resource Holders
>> 2012-08 - Publication of Sponsoring LIR for Independent Number Resources
>> - Emilio Madaio, RIPE NCC (20 minutes)
>
> is there not a services to PI holders proposal?
> is there not a rpki to non-members proposal?

Emilio has just returned from vacation and us Europeans are mostly off on April 30th and May 1 so I am waiting for him to catch up in case proposals have been submitted while he was away.

Otherwise I have to admit that I am not clear which proposals you are asking about. There was the NCC board decision on RPKI certification to PI holders, but that is not a policy proposal per se, and no one has asked for slot time to discuss this (although I agree that would be good).

> and are the collection of proposals not significant enough to be given
> more discussion time?

Just to explain a bit of rationale behind the agenda to you and others.

We have the allocated slot on the agenda and I believe it's too late to shuffle around. In hindsight perhaps we should have expected this and asked for more time.

The RIPE NCC presentations used to be given in both the AGM and NCC-Services. It was decided by the WG Chairs (all of us, and if I remember correctly the NCC board as well) that it was redundant and time consuming and as long as the NCC-Services WG is held before the AGM, we will only give the updates once and in the NCC-Services WG. Hence the time allocated to them.
Now, this was before we started having policy proposals in NCC-Services and agenda time allocations (not to say assignments ;-) didn't have to take this into account.

However, building on what Emilio tells us from the APWG experience, the updates of ongoing policies normally don't take that long or have that much discussion. We might be wrong of course, but we have to guess at something.

We have shortened time allocated to the NCC presentations and I'd be happy to go back and look over that if the WG think we need more discussion time for these proposals. But me and Bijal can't take them off the agenda and I think we have to (at least for now) also respect there is enough time to give those presentations before the AGM.

Best regards,

- kurtis -

From randy at psg.com Thu May 2 01:16:53 2013
From: randy at psg.com (Randy Bush)
Date: Wed, 01 May 2013 16:16:53 -0700
Subject: [ncc-services-wg] NCC Services WG Draft Agenda - RIPE 66
In-Reply-To: <14F31CB1-DE92-47B1-B6F6-B29D402C85CC@kurtis.pp.se>
References: <9CB9C668-B967-42DC-A35B-78D12FEBD98B@euro-ix.net> <725E2825-FFA2-49B6-BA85-A18F1C2C765A@steffann.nl> <413A2102-1150-4E5C-8B5A-71D6945499F8@euro-ix.net> <14F31CB1-DE92-47B1-B6F6-B29D402C85CC@kurtis.pp.se>
Message-ID:

last meeting, at the okura, axel and i took on board the pi issue.
there is a proposal. i would like the agenda time to discuss it.
as pi holders represent a very large number of holders, this is not
a trivial issue.

as this is supposed to be a bottom-up community, i am willing to
lead, with axel's help, of course.

randy

From sbras at ripe.net Thu May 2 10:25:08 2013
From: sbras at ripe.net (Sandra Bras)
Date: Thu, 2 May 2013 10:25:08 +0200
Subject: [ncc-services-wg] [training] New RIPE NCC IPv6 E-Learning tutorials
Message-ID:

[Apologies for duplicates]

Dear colleagues,

We are pleased to announce the launch of four new videos on IPv6 Transition Mechanisms as part of our online training.
The topics include:
- 6in4
- 6RD
- NAT64
- DS-Lite

You can watch them online at:
https://www.ripe.net/lir-services/training/e-learning/ipv6/transition-mechanisms

Stay tuned! We plan to announce more exciting E-Learning news in the coming months.

RIPE NCC E-Learning tutorials are provided as a free service available to everyone.

If you have any questions, please feel free to contact us at: e-learning at ripe.net.

Happy learning,

Sandra Bras
Trainer / E-Learning Project Manager

From randy at psg.com Thu May 2 16:33:33 2013
From: randy at psg.com (Randy Bush)
Date: Thu, 02 May 2013 07:33:33 -0700
Subject: [ncc-services-wg] [training] New RIPE NCC IPv6 E-Learning tutorials
In-Reply-To:
References:
Message-ID:

> We are pleased to announce the launch of four new videos on IPv6
> Transition Mechanisms as part of our online training.

only 293 to go

> The topics include:
> - DS-Lite

ahh yes. all the benefits of nat in the core plus fork-lift of all
cpe. a brilliant scheme.

randy

From job.snijders at atrato.com Thu May 2 16:36:51 2013
From: job.snijders at atrato.com (Job Snijders)
Date: Thu, 2 May 2013 16:36:51 +0200
Subject: [ncc-services-wg] [training] New RIPE NCC IPv6 E-Learning tutorials
In-Reply-To:
References:
Message-ID: <7A795710-CB8F-4AB9-A69B-6E4690D15F77@atrato.com>

On May 2, 2013, at 4:33 PM, Randy Bush wrote:

>> We are pleased to announce the launch of four new videos on IPv6
>> Transition Mechanisms as part of our online training.
>
> only 293 to go
>
>> The topics include:
>> - DS-Lite
>
> ahh yes. all the benefits of nat in the core plus fork-lift of all
> cpe. a brilliant scheme.
Hey monkey boy, after people learn how DS-Lite works, they'll appreciate A+P all the more, which hopefully will be included in the next iteration of training videos ;-)

- Job

From randy at psg.com Thu May 2 17:28:33 2013
From: randy at psg.com (Randy Bush)
Date: Thu, 02 May 2013 08:28:33 -0700
Subject: [ncc-services-wg] [training] New RIPE NCC IPv6 E-Learning tutorials
In-Reply-To: <7A795710-CB8F-4AB9-A69B-6E4690D15F77@atrato.com>
References: <7A795710-CB8F-4AB9-A69B-6E4690D15F77@atrato.com>
Message-ID:

>>> - DS-Lite
>> ahh yes. all the benefits of nat in the core plus fork-lift of all
>> cpe. a brilliant scheme.
> Hey monkey boy, after people learn how DS-Lite works, they'll
> appreciate A+P all the more

if ncc edu department did not 'get it', i am less optimistic

> which hopefully will be included in the next iteration of training
> videos ;-)

being an engineer, i judge by results.

but a+p is a wide architecture. i would suggest they concentrate on map-e.

randy

From niall.oreilly at ucd.ie Fri May 3 12:35:19 2013
From: niall.oreilly at ucd.ie (Niall O'Reilly)
Date: Fri, 3 May 2013 11:35:19 +0100
Subject: [ncc-services-wg] NCC Services WG Draft Agenda - RIPE 66
In-Reply-To: <14F31CB1-DE92-47B1-B6F6-B29D402C85CC@kurtis.pp.se>
References: <9CB9C668-B967-42DC-A35B-78D12FEBD98B@euro-ix.net> <725E2825-FFA2-49B6-BA85-A18F1C2C765A@steffann.nl> <413A2102-1150-4E5C-8B5A-71D6945499F8@euro-ix.net> <14F31CB1-DE92-47B1-B6F6-B29D402C85CC@kurtis.pp.se>
Message-ID: <213C8670-56E7-4250-9B41-E1779C4281F4@ucd.ie>

On 1 May 2013, at 20:14, Lindqvist Kurt Erik wrote:

> Just to explain a bit of rationale behind the agenda to you and others.

Thanks, Kurtis.

> We have the allocated slot on the agenda and I believe it's too late to shuffle around.
> In hindsight perhaps we should have expected this and asked for more time.

Right (x2), but we are where we are, and need to make pragmatic use of the time available for this WG at RIPE 66, of the meeting web site, and of this mailing list.
In the present circumstances, I would suggest that material for which presentation time is not available, but which nevertheless needs to be noted at the meeting, be sent either to the WG mailing list or to the meeting archive and be drawn to the participants' attention by mention from the chair during the meeting.

If people find this idea useful, I'ld also suggest "Items to be noted, for which no meeting time could be made available" as an additional agenda item, allocated a very few minutes.

I'ld also suggest that proposers and Emilio take the opportunity to do some behind-the-scenes homework early in the week of RIPE 66 in order to minimize the risk of having to spend scarce meeting time resolving any confusion which may arise.

> The RIPE NCC presentations used to be given in both the AGM and NCC-Services. It was decided by the WG Chairs (all of us, and if I remember correctly the NCC board as well) that it was redundant and time consuming and as long as the NCC-Services WG is held before the AGM, we will only give the updates once and in the NCC-Services WG. Hence the time allocated to them.

I think the reasons for that decision are still good ones. I believe that allocating time in the WG for the "public shop-window" of the GM has the advantages of added transparency and improved efficiency.

> Now, this was before we started having policy proposals in NCC-Services and agenda time allocations (not to say assignments ;-) didn't have to take this into account.

The allocations may need some more re-balancing. The current draft allows 70 minutes for the NCC and 20 minutes for the activity in progress in the WG. That's a data point, and neither an argument nor a criticism.

> However, building on what Emilio tells us from the APWG experience, the updates of ongoing policies normally don't take that long or have that much discussion. We might be wrong of course, but we have to guess at something.

Absolutely.
You have to guess at something, and I expect Sander and Gert have used just this method over the years to reach their current level of expertise on shepherding policy proposals through the process.

AA-WG is in a similar position to NCCS-WG as a newcomer to the policy development process, and will also have a learning curve to climb.

> We have shortened time allocated to the NCC presentations and I'd be happy to go back and look over that if the WG think we need more discussion time for these proposals. But me and Bijal can't take them off the agenda and I think we have to (at least for now) also respect there is enough time to give those presentations before the AGM.

Right again.

Do let me know if you think it will be helpful for me to prepare an update on 2012-07 from the proposers' POV and send it either to the list or to the meeting archive as such an "Item to be noted" as I suggested above.

See you in just over a week.

Best regards,
Niall

From niall.oreilly at ucd.ie Fri May 3 18:05:18 2013
From: niall.oreilly at ucd.ie (Niall O'Reilly)
Date: Fri, 3 May 2013 17:05:18 +0100
Subject: [ncc-services-wg] 2012-07 New Draft Document and Impact Analysis Published (RIPE NCC Services to Legacy Internet Resource Holders)
In-Reply-To: <0MLT00FO4CPU7340@staffmail3.ucd.ie>
References: <0MLT00FO4CPU7340@staffmail3.ucd.ie>
Message-ID: <3157F903-8CAF-4E8C-991E-E9E8FB1511DC@ucd.ie>

Hello.

I went to read the Impact Analysis just this afternoon, and was shocked at the incomplete and confusing state of the relevant pages on the RIPE NCC web site.

I feel it's appropriate to call "false start" on the current Review Phase, and to have the clock re-started when these pages have been put right.

Three versions of the proposal have been announced:

v1.0 on 27 Aug 2012,
v2.0 on 24 Jan 2013, and
v3.0 on 25 Apr 2013 (by Marco's message quoted and commented on below).
On 25 Apr 2013, at 14:38, Marco Schmidt wrote:

> Dear Colleagues,
>
> The draft document for the proposal described in 2012-07,
> "RIPE NCC Services to Legacy Internet Resource Holders"
> has been published. The impact analysis that was conducted for this
> proposal has also been published
>
> You can find the full proposal and the impact analysis at:
>
> https://www.ripe.net/ripe/policies/proposals/2012-07

This is dated 27 Aug 2012. The status panel to the right identifies it as v1.0. Under "all versions", only version 1.0 of 27 Aug 2012 is listed.

The text shown is that of v2.0, announced 24 Jan 2013.

The Impact Analysis is also shown here, dated "March 2013" (without a specific day). This analysis does not identify which version of the proposal was used as its basis.

> and the draft document at:
>
> https://www.ripe.net/ripe/policies/proposals/2012-07/draft

This is still dated 27 Aug 2012. The status panel shows the same version information and date as mentioned above.

The text shown here is that of v3.0, submitted on 08 Mar 2013 and (as agreed: see http://www.ripe.net/ripe/mail/archives/ncc-services-wg/2013-April/002289.html) held for publication until the NCC's Impact Analysis would be ready.

The Impact Analysis is not shown here.

> We encourage you to read the draft document text and send any comments
> to ncc-services-wg at ripe.net before 23 May 2013.

I encourage people to wait until the supporting material is arranged so as to facilitate their efforts, and look to the RIPE NCC to give this urgent attention.
Best regards,
Niall O'Reilly

From sander at steffann.nl Fri May 3 20:47:31 2013
From: sander at steffann.nl (Sander Steffann)
Date: Fri, 3 May 2013 21:47:31 +0300
Subject: [ncc-services-wg] NCC Services WG Draft Agenda - RIPE 66
In-Reply-To: <213C8670-56E7-4250-9B41-E1779C4281F4@ucd.ie>
References: <9CB9C668-B967-42DC-A35B-78D12FEBD98B@euro-ix.net> <725E2825-FFA2-49B6-BA85-A18F1C2C765A@steffann.nl> <413A2102-1150-4E5C-8B5A-71D6945499F8@euro-ix.net> <14F31CB1-DE92-47B1-B6F6-B29D402C85CC@kurtis.pp.se> <213C8670-56E7-4250-9B41-E1779C4281F4@ucd.ie>
Message-ID:

Hi,

>> Just to explain a bit of rationale behind the agenda to you and others.
>
> Thanks, Kurtis.

+1

>> We have the allocated slot on the agenda and I believe it's too late to shuffle around.
>> In hindsight perhaps we should have expected this and asked for more time.
>
> [...]
>
> I'ld also suggest that proposers and Emilio take the opportunity to do
> some behind-the-scenes homework early in the week of RIPE 66 in order
> to minimize the risk of having to spend scarce meeting time resolving
> any confusion which may arise.

+1

>> However, building on what Emilio tells us from the APWG experience, the updates of ongoing policies normally don't take that long or have that much discussion. We might be wrong of course, but we have to guess at something.
>
> Absolutely. You have to guess at something, and I expect
> Sander and Gert have used just this method over the years to
> reach their current level of expertise on shepherding policy
> proposals through the process.

Absolutely. Lots of guessing is involved, and sometimes we guess wrong.
In APWG we have the benefit of usually having so many proposals on the table that it tends to balance out :-)

Cheers,
Sander

From emadaio at ripe.net Mon May 6 13:59:34 2013
From: emadaio at ripe.net (Emilio Madaio)
Date: Mon, 6 May 2013 13:59:34 +0200
Subject: [ncc-services-wg] 2012-07 New Draft Document and Impact Analysis Published (RIPE NCC Services to Legacy Internet Resource Holders)
In-Reply-To: <3157F903-8CAF-4E8C-991E-E9E8FB1511DC@ucd.ie>
References: <0MLT00FO4CPU7340@staffmail3.ucd.ie> <3157F903-8CAF-4E8C-991E-E9E8FB1511DC@ucd.ie>
Message-ID:

Dear Niall,

Thank you for the notification.

As you point out, the publication of version 3.0 resulted in an incorrect update.

We apologise for the error and the confusion this caused. We are working to resolve this as soon as possible. We are also investigating the reasons this happened to ensure nothing similar happens again.

In order to allow a complete and proper policy proposal discussion, we will publish the correct policy proposal version and the additional documentation (draft policy and impact analysis).

We will shortly announce the beginning of a new Review Phase.

If you have any other questions, please do not hesitate to ask.

Best regards,
Emilio Madaio
Policy Development Officer
RIPE NCC

On May 3, 2013, at 6:05 PM, Niall O'Reilly wrote:

> Hello.
>
> I went to read the Impact Analysis just this afternoon, and was shocked
> at the incomplete and confusing state of the relevant pages on the RIPE
> NCC web site.
>
> I feel it's appropriate to call "false start" on the current Review Phase,
> and to have the clock re-started when these pages have been put right.
>
> Three versions of the proposal have been announced:
>
> v1.0 on 27 Aug 2012,
> v2.0 on 24 Jan 2013, and
> v3.0 on 25 Apr 2013 (by Marco's message quoted and commented on below).
>
> On 25 Apr 2013, at 14:38, Marco Schmidt wrote:
>
>> Dear Colleagues,
>>
>> The draft document for the proposal described in 2012-07,
>> "RIPE NCC Services to Legacy Internet Resource Holders"
>> has been published. The impact analysis that was conducted for this
>> proposal has also been published
>>
>> You can find the full proposal and the impact analysis at:
>>
>> https://www.ripe.net/ripe/policies/proposals/2012-07
>
> This is dated 27 Aug 2012. The status panel to the right identifies
> it as v1.0. Under "all versions", only version 1.0 of 27 Aug 2012
> is listed.
>
> The text shown is that of v2.0, announced 24 Jan 2013.
>
> The Impact Analysis is also shown here, dated "March 2013" (without
> a specific day). This analysis does not identify which version of
> the proposal was used as its basis.
>
>> and the draft document at:
>>
>> https://www.ripe.net/ripe/policies/proposals/2012-07/draft
>
> This is still dated 27 Aug 2012. The status panel shows the same
> version information and date as mentioned above.
>
> The text shown here is that of v3.0, submitted on 08 Mar 2013 and
> (as agreed: see http://www.ripe.net/ripe/mail/archives/ncc-services-wg/2013-April/002289.html)
> held for publication until the NCC's Impact Analysis would be ready.
>
> The Impact Analysis is not shown here.
>
>> We encourage you to read the draft document text and send any comments
>> to ncc-services-wg at ripe.net before 23 May 2013.
>
> I encourage people to wait until the supporting material is arranged
> so as to facilitate their efforts, and look to the RIPE NCC to give this
> urgent attention.
>
>
> Best regards,
> Niall O'Reilly
>
>

From emadaio at ripe.net Mon May 6 14:19:03 2013
From: emadaio at ripe.net (Emilio Madaio)
Date: Mon, 06 May 2013 14:19:03 +0200
Subject: [ncc-services-wg] 2012-07 New Draft Document and Impact Analysis Published (RIPE NCC Services to Legacy Internet Resource Holders)
Message-ID:

Dear Colleagues,

The draft document for the version 3.0 of the proposal described in 2012-07, "RIPE NCC Services to Legacy Internet Resource Holders", has been published. The impact analysis that was conducted for this proposal has also been published.

Highlight of the main differences from version 2.0
-rewording of the first paragraph of the Introduction into two new paragraphs
-new definition of Legacy Internet Resources
-added definition of Registry Service Element
-additional text in the Scope section
-rewording and new text in sections 2.0, 2.1, 2.2, 2.3, 2.4, 2.5, 2.6, 5.0
-removed the reference section 6.0

You can find the full proposal and the impact analysis at:

https://www.ripe.net/ripe/policies/proposals/2012-07

and the draft document at:

https://www.ripe.net/ripe/policies/proposals/2012-07/draft

We encourage you to read the draft document text and send any comments to before 3 June 2013.
Regards

Emilio Madaio
Policy Development Officer
RIPE NCC

From kurtis at kurtis.pp.se Mon May 6 16:30:34 2013
From: kurtis at kurtis.pp.se (Lindqvist Kurt Erik)
Date: Mon, 6 May 2013 16:30:34 +0200
Subject: [ncc-services-wg] NCC Services WG Draft Agenda - RIPE 66
In-Reply-To: <213C8670-56E7-4250-9B41-E1779C4281F4@ucd.ie>
References: <9CB9C668-B967-42DC-A35B-78D12FEBD98B@euro-ix.net> <725E2825-FFA2-49B6-BA85-A18F1C2C765A@steffann.nl> <413A2102-1150-4E5C-8B5A-71D6945499F8@euro-ix.net> <14F31CB1-DE92-47B1-B6F6-B29D402C85CC@kurtis.pp.se> <213C8670-56E7-4250-9B41-E1779C4281F4@ucd.ie>
Message-ID:

On 3 maj 2013, at 12:35, Niall O'Reilly wrote:

>
> Right (x2), but we are where we are, and need to make pragmatic use
> of the time available for this WG at RIPE 66, of the meeting web site,
> and of this mailing list. In the present circumstances, I would suggest
> that material for which presentation time is not available, but which
> nevertheless needs to be noted at the meeting, be sent either to the
> WG mailing list or to the meeting archive and be drawn to the
> participants' attention by mention from the chair during the meeting.
>
> If people find this idea useful, I'ld also suggest "Items to be noted,
> for which no meeting time could be made available" as an additional
> agenda item, allocated a very few minutes.
>
> I'ld also suggest that proposers and Emilio take the opportunity to do
> some behind-the-scenes homework early in the week of RIPE 66 in order
> to minimize the risk of having to spend scarce meeting time resolving
> any confusion which may arise.

Agreed.

>> Now, this was before we started having policy proposals in NCC-Services and agenda time allocations (not to say assignments ;-) didn't have to take this into account.
>
> The allocations may need some more re-balancing. The current
> draft allows 70 minutes for the NCC and 20 minutes for the
> activity in progress in the WG. That's a data point, and neither
> an argument nor a criticism.
Fully agree, it's just that this time it became a bit last minute and we are working on rebalancing it...

>> We have shortened time allocated to the NCC presentations and I'd be happy to go back and look over that if the WG think we need more discussion time for these proposals. But me and Bijal can't take them off the agenda and I think we have to (at least for now) also respect there is enough time to give those presentations before the AGM.
>
> Right again.
>
> Do let me know if you think it will be helpful for me to prepare
> an update on 2012-07 from the proposers' POV and send it either to
> the list or to the meeting archive as such an "Item to be noted" as
> I suggested above.

I think that would be useful! Thanks!

> See you in just over a week.

Looking forward to proper Guinness!

Best regards,

- kurtis -

From niall.oreilly at ucd.ie Tue May 7 10:42:12 2013
From: niall.oreilly at ucd.ie (Niall O'Reilly)
Date: Tue, 7 May 2013 09:42:12 +0100
Subject: [ncc-services-wg] 2012-07 New Draft Document and Impact Analysis Published (RIPE NCC Services to Legacy Internet Resource Holders)
In-Reply-To:
References: <0MLT00FO4CPU7340@staffmail3.ucd.ie> <3157F903-8CAF-4E8C-991E-E9E8FB1511DC@ucd.ie>
Message-ID:

On 6 May 2013, at 12:59, Emilio Madaio wrote:

> Thank you for the notification.
>
> As you point out, the publication of version 3.0 resulted in an
> incorrect update.
>
> We apologise for the error and the confusion this caused. We are working
> to resolve this as soon as possible. We are also investigating the
> reasons this happened to ensure nothing similar happens again.
>
> In order to allow a complete and proper policy proposal discussion, we
> will publish the correct policy proposal version and the additional
> documentation (draft policy and impact analysis).
>
> We will shortly announce the beginning of a new Review Phase.
>
> If you have any other questions, please do not hesitate to ask.

Thanks, Emilio, for the prompt and appropriate remedial action.
Best regards,
Niall

From mir at ripe.net Tue May 7 12:29:41 2013
From: mir at ripe.net (Mirjam Kuehne)
Date: Tue, 07 May 2013 12:29:41 +0200
Subject: [ncc-services-wg] New on RIPE Labs: Introduction of RIPE Atlas Quick Looks
Message-ID: <5188D795.1060908@ripe.net>

Dear colleagues,

A new RIPE Atlas feature is now available to RIPE NCC members: Quick Look measurements. Members can use this service for a quick, real-time assessment of connectivity without hosting a RIPE Atlas probe. This feature is based on one-off measurements that are available to all RIPE Atlas probe hosts.

Please find more information on RIPE Labs:
https://labs.ripe.net/Members/kistel/ripe-atlas-quick-look-for-members

Kind Regards,
Mirjam Kuehne
RIPE NCC

From kurtis at kurtis.pp.se Tue May 7 14:40:55 2013
From: kurtis at kurtis.pp.se (Lindqvist Kurt Erik)
Date: Tue, 7 May 2013 14:40:55 +0200
Subject: [ncc-services-wg] NCC Services WG Draft Agenda - RIPE 66
In-Reply-To:
References: <9CB9C668-B967-42DC-A35B-78D12FEBD98B@euro-ix.net> <725E2825-FFA2-49B6-BA85-A18F1C2C765A@steffann.nl> <413A2102-1150-4E5C-8B5A-71D6945499F8@euro-ix.net> <14F31CB1-DE92-47B1-B6F6-B29D402C85CC@kurtis.pp.se>
Message-ID:

On 2 maj 2013, at 01:16, Randy Bush wrote:

> last meeting, at the okura, axel and i took on board the pi issue.
> there is a proposal. i would like the agenda time to discuss it.
> as pi holders represent a very large number of holders, this is not
> a trivial issue.
>
> as this is supposed to be a bottom-up community, i am willing to
> lead, with axel's help, of course.

We are reworking the agenda and some slots. How much time do you guess you need? 20-30 mins? What title do you want?
Best regards,

- kurtis -

From gert at space.net Tue May 7 15:01:51 2013
From: gert at space.net (Gert Doering)
Date: Tue, 7 May 2013 15:01:51 +0200
Subject: [ncc-services-wg] time slot reshuffling
Message-ID: <20130507130151.GW55541@Space.Net>

Dear AP and NCC Service WG members, dear RIPE meeting team,

the original plan for this RIPE meeting was to have two timeslots for the AP WG meeting (Wednesday 09:00-10:30 and 11:00-12:30) and one timeslot for the NCC services WG meeting (Wed 16:00-17:30).

Somewhat unexpectedly, APWG has a very light agenda due to a number of proposals having reached consensus or having been withdrawn, while NCC Services has a much heavier agenda than usual, with lots of proposals needing proper time for discussion.

So the APWG chairs and NCC Services WG chairs have agreed to use the "Wednesday 11:00-12:30" time slot not for AP but for the NCC Services working group (overlapping with the DNS working group).

That is, APWG will only meet between 09:00 and 10:30, while NCC services will meet twice, 11:00-12:30 and 16:00-17:30.

The RIPE meeting team will update the meeting plan on the web ASAP, and you'll see new agenda drafts for both working groups shortly.

Sorry for the late change in planning, and apologies for any confusion caused by this...

Gert Doering, for the AP WG and NCC Services Chairs
--
have you enabled IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444            USt-IdNr.: DE813185279

From randy at psg.com Tue May 7 15:17:52 2013
From: randy at psg.com (Randy Bush)
Date: Tue, 07 May 2013 15:17:52 +0200
Subject: [ncc-services-wg] NCC Services WG Draft Agenda - RIPE 66
In-Reply-To:
References: <9CB9C668-B967-42DC-A35B-78D12FEBD98B@euro-ix.net> <725E2825-FFA2-49B6-BA85-A18F1C2C765A@steffann.nl> <413A2102-1150-4E5C-8B5A-71D6945499F8@euro-ix.net> <14F31CB1-DE92-47B1-B6F6-B29D402C85CC@kurtis.pp.se>
Message-ID:

>> last meeting, at the okura, axel and i took on board the pi issue.
>> there is a proposal. i would like the agenda time to discuss it.
>> as pi holders represent a very large number of holders, this is not
>> a trivial issue.
>>
>> as this is supposed to be a bottom-up community, i am willing to
>> lead, with axel's help, of course.
>
> We are reworking the agenda and some slots. How much time do you guess
> you need? 20-30 mins? What title do you want?

pi and legacy are probably worth 30 minutes each. though, as very similar choices of mechanisms are proposed for both, whichever we discuss first will probably have the discussion of the mechanisms, saving a bit of time on the second.

randy, being unusually optimistic :)

From emadaio at ripe.net Wed May 8 15:19:48 2013
From: emadaio at ripe.net (Emilio Madaio)
Date: Wed, 08 May 2013 15:19:48 +0200
Subject: [ncc-services-wg] 2013-04 New Policy Proposal (Resource Certification for non-RIPE NCC Members)
Message-ID:

Dear Colleagues,

A new RIPE Policy Proposal has been made and is now available for discussion.

You can find the full proposal at:

https://www.ripe.net/ripe/policies/proposals/2013-04

We encourage you to review this proposal and send your comments to before 5 June 2013.
Regards

Emilio Madaio
Policy Development Officer
RIPE NCC

From bijal.sanghani at euro-ix.net Wed May 8 19:02:07 2013
From: bijal.sanghani at euro-ix.net (Bijal Sanghani)
Date: Wed, 8 May 2013 12:02:07 -0500
Subject: [ncc-services-wg] Updated Draft Agenda NCC Services WG - RIPE 66
Message-ID: <8A3AC848-27D3-4943-871B-6CE27CAE58EB@euro-ix.net>

Dear All,

Please see below the updated agenda for the NCC Services WG, thanks to the Address Policy chairs for kindly offering the second AP session to NCC Services:

Date: Wednesday 15 May 2013
Chair: Kurtis Lindqvist
Co-Chair: Bijal Sanghani
Time: 11:00 - 12:30

A. Administrative Matters
   Welcome
   Select a scribe
   Finalise agenda
   Approve minutes from RIPE 65

B. Policy summary of where we are, Chairs

C. Status of 2012-07 - RIPE NCC Services to Legacy Internet Resource Holders
   - Niall O'Reilly, University College Dublin

D. 2012-08 - Publication of Sponsoring LIR for Independent Number Resources
   - Nick Hilliard, INEX

E. Services to PI holders
   - 2013-04 Name Resource Certification for non-RIPE NCC members, Erik Bais, A2B Internet BV
   - New proposal, Randy Bush

F. Straw Poll on following Pre-Policy Discussions:
   - All PDP emails, documents and websites should come with unified diff
   - PDPs should be renamed from YYYY-NN to RIPE-PDP-YYYY-NN-vN
   - All published documents and PDPs are maintained with git
   - All RIPE documents should be plain text

Date: Wednesday 15 May 2013
Time: 16.00 - 17.45

G. Administrative Matters
   Welcome
   Select a scribe
   Finalise agenda

H. Report from RIPE NCC
   - Axel Pawlik, RIPE NCC

I. RIPE NCC Survey 2013
   - Serge Radovcic, RIPE NCC

J. Internet Governance update
   - Paul Rendek, RIPE NCC

K. Registration Services update
   - Andrew de la Haye, RIPE NCC

L. Open Microphone Session

Z. AOB

Kind regards,

Kurtis and Bijal
NCC Services WG Chairs

From randy at psg.com Wed May 8 21:58:00 2013
From: randy at psg.com (Randy Bush)
Date: Wed, 08 May 2013 21:58:00 +0200
Subject: [ncc-services-wg] Updated Draft Agenda NCC Services WG - RIPE 66
In-Reply-To: <8A3AC848-27D3-4943-871B-6CE27CAE58EB@euro-ix.net>
References: <8A3AC848-27D3-4943-871B-6CE27CAE58EB@euro-ix.net>
Message-ID:

> E. Services to PI holders
>
> - 2013-04 Name Resource Certification for non-RIPE NCC
> members, Erik Bais, A2B Internet BV

that one is for all non-members, pi, legacy, whatever

> - New proposal, Randy Bush

it is actually axel's proposal, but i did offer to co-present it with him

randy

From kurtis at kurtis.pp.se Thu May 9 19:22:15 2013
From: kurtis at kurtis.pp.se (Lindqvist Kurt Erik)
Date: Thu, 9 May 2013 19:22:15 +0200
Subject: [ncc-services-wg] Updated Draft Agenda NCC Services WG - RIPE 66
In-Reply-To:
References: <8A3AC848-27D3-4943-871B-6CE27CAE58EB@euro-ix.net>
Message-ID: <17ECF7AE-C440-407D-B47D-D236A643CDFA@kurtis.pp.se>

Randy,

On 8 maj 2013, at 21:58, Randy Bush wrote:

>> E. Services to PI holders
>>
>> - 2013-04 Name Resource Certification for non-RIPE NCC
>> members, Erik Bais, A2B Internet BV
>
> that one is for all non-members, pi, legacy, whatever
>
>> - New proposal, Randy Bush
>
> it is actually axel's proposal, but i did offer to co-present it with him

neither you nor Axel responded to the call for agenda items, you said that me and Bijal missed this for the agenda, I asked for a title and you said you were happy to lead. I am lost as to what to label this as and I am still not clear if there is even a presentation.

So is there a presentation and if so what is the title?
Best regards,

- kurtis -

From randy at psg.com Thu May 9 21:07:37 2013
From: randy at psg.com (Randy Bush)
Date: Thu, 09 May 2013 21:07:37 +0200
Subject: [ncc-services-wg] Updated Draft Agenda NCC Services WG - RIPE 66
In-Reply-To: <17ECF7AE-C440-407D-B47D-D236A643CDFA@kurtis.pp.se>
References: <8A3AC848-27D3-4943-871B-6CE27CAE58EB@euro-ix.net> <17ECF7AE-C440-407D-B47D-D236A643CDFA@kurtis.pp.se>
Message-ID:

you are correct. axel did not make a proper proposal of it. see https://www.ripe.net/ripe/mail/archives/ncc-services-wg/2013-February/002051.html

how about using ? $subject, "RPKI and PI End Users Proposal"

randy

From niall.oreilly at ucd.ie Fri May 10 14:27:43 2013
From: niall.oreilly at ucd.ie (Niall O'Reilly)
Date: Fri, 10 May 2013 13:27:43 +0100
Subject: [ncc-services-wg] 2012-07 New Draft Document and Impact Analysis Published (RIPE NCC Services to Legacy Internet Resource Holders)
In-Reply-To:
References:
Message-ID: <2A5EC166-E2ED-43C8-AA07-8D819DC05097@ucd.ie>

On 6 May 2013, at 13:19, Emilio Madaio wrote:

> You can find the full proposal and the impact analysis at:
>
> https://www.ripe.net/ripe/policies/proposals/2012-07
>
> and the draft document at:
>
> https://www.ripe.net/ripe/policies/proposals/2012-07/draft
>
> We encourage you to read the draft document text and send any comments
> to before 3 June 2013.

I'm pleased to see the RIPE NCC's Impact Analysis, which seems clear, thorough, cautious, and mostly helpful. I've used the "Executive Summary" section as a framework for my comments, in context below. This approach means that the more detailed text in the Impact Assessment is, for the time being, out of sight for me. Because of this, I may ask for clarification which is already available to me. My comments are made in a personal capacity, without any claim to represent any of the following: my employer, the other co-authors of the proposal, or legacy resource holders.

> 1.
The proposal refers to the terms and conditions under which the
> Legacy Internet Resources were originally granted. The RIPE NCC will
> need to be informed as to the content of these original terms and
> conditions to properly determine their impact.

This need seems to be overstated. Beyond what is necessary to determine whether the party involved is indeed the legitimate holder of the resource in question, what need can the RIPE NCC have for the information mentioned?

> 2. The RIPE NCC often receives requests from Legacy Resource Holders
> wanting their resources to be considered as space allocated by the
> RIPE NCC. If this proposal is accepted, the RIPE NCC will have to
> decline these requests.

This is information of which I was not previously aware. I appreciate being made aware of this and intend to ensure that it is taken into account during the proposal's next revision cycle.

> 3. Due diligence checks will be required to verify the legitimacy
> of Legacy Resource Holders. If the correct documentation cannot be
> provided, the RIPE NCC will be unable to enter into a contractual
> relationship with the Legacy Resource Holder.

To the extent the diligence applied is indeed "due", and conforms with reality rather than with some conventional concept or recipe, this seems reasonable. Due diligence needs to be informed by both Balance of Probability and Balance of Convenience.

It seems to me that a test which the RIPE NCC might reasonably use would be whether sufficient trust exists for a good-faith belief in the legitimacy of the claim to hold the resources in question.

I expect that the issue here is whether the RIPE NCC can safely offer registration services (possibly including certification) in each specific case.

> 4. Section 2.1 of the proposal allows Legacy Internet Resources
> to be covered by the RIPE NCC Standard Service Agreement (SSA).
> Modifications to the SSA will require approval by the General
> Meeting (GM).

The GM has the necessary power.
I expect that it will be for a member with some interest in legacy resources to bring forward a proposal that the GM exercise this power.

> 5. Section 2.4 of the proposal allows the Legacy Resource Holder
> to engage directly with the RIPE NCC through a special contract
> if they cannot find a sponsoring LIR. The RIPE NCC cannot think of
> any circumstances where this might be the case. Also, the creation
> of such a special class of contract would require approval by the GM.

My remark to point 4 applies also to point 5.

> 6. Similarly, section 2.5 allows the Legacy Resource Holder to
> conclude no contact due to special enduring circumstances. The RIPE
> NCC cannot think of what these circumstances might be, and some
> Registration Services cannot be performed without a contract in
> place. Additionally, the RIPE NCC will be unable to enforce these
> resource holders to maintain accurate data in the registry.

[s/contact/contract/]

The proposal mentions "special enduring or temporary circumstances" and also that these be "recognised by the RIPE NCC as being outside the resource holder's control".

As I understand it, the intent here is fourfold:

- that the RIPE NCC have the freedom to deal appropriately with unforeseen adverse circumstances on a case-by-case basis;

- that awareness of this freedom be available to every reader of the policy;

- that the RIPE NCC is protected from vexatious or mischievous invocation of this section by the requirement for recognition by the RIPE NCC of the nature of the circumstances; and

- that the resource holder has a remedy against unreasonable refusal of this recognition by recourse to the arbitration procedure.

It is of the nature of unforeseen circumstances that it may be difficult to think in advance of what they might be. It is not possible, and therefore not necessary, either for the proposers or for the RIPE NCC to itemize in a (final or proposed) policy an exhaustive list of such circumstances.
It will be useful to have a list of the Registration Services for which a contract is required.

> 7. In cases where the Legacy Resource Holder is unknown or
> unresponsive, the proposal allows for the RIPE NCC to update
> entries in the RIPE Database but does not specify the scope of
> these updates.

The fact that a resource holder is unknown or unresponsive should not be an obstacle to the RIPE NCC's exercise of its responsibility for the data it holds. Circumstances may arise in which there is a compelling reason for the RIPE NCC to make an update. The RIPE NCC is empowered and trusted to act responsibly.

> 8. The provision of some RIPE NCC services is dependent on whether
> the resources are PA or PI. The RIPE NCC will require clear
> guidelines on the terms under which Legacy Internet Resources
> would be offered these services.

Only Registration Services are within scope for this proposal.

Legacy resources are neither PA nor PI, but LEGACY, and need to be supported by Registration Services.

If the policy proposal is unclear, it will be helpful to have this indicated, either by reference to more detailed text in the current Impact Assessment, or by further clarification.

Otherwise, the preparation of operational guidelines consistent with RIPE policy as developed from time to time, seems to me to be the responsibility of the RIPE NCC, subject to due oversight and confirmation from the community.

> 9. Currently arbitration does not apply to Legacy Internet
> Resources. Amendments to the arbitration procedure are subject
> to approval by the GM.

Please see my comment to point 4.

> 10. If the proposal is accepted, the RIPE NCC will have to contact
> Legacy Resource Holders that have their resources registered under
> the umbrella of an LIR and offer them the contractual options of
> the accepted proposal. The RIPE NCC will consider any requests for
> this since 1992 as having never been submitted.
If such a LIR is acting as an ad-hoc registration intermediary, the situation may be seen as sufficiently irregular as to require attention whether or not the proposal is accepted.

Otherwise, a variation to a Sponsoring-LIR agreement will be needed, which is the responsibility of each LIR involved.

I'd like to have further explanation of the last sentence, referring to 1993, as I don't understand it.

> 11. If the community decides that this proposal should allow for
> the certification of Legacy Internet Resources, the RIPE NCC will
> need to create a certification system specific to these resources.

Probably.

I understand that another current proposal aims to allow certification of PI resources. It may be opportune to create a multivalent certification system supporting different kinds of resources.

> 12. The RIPE NCC is seeking guidance from the community on who
> should be considered the legitimate holder of Legacy Internet
> Resources that have been distributed through several layers
> of hierarchy.

This is a significant problem, which arises whether or not the current policy proposal is accepted.

I'm not sure what specific impact this policy proposal has on the problem. I can see that it changes the context, but neither that it makes the problem either more or less intractable nor that it affects the nature of the work to be done.

> 13. RIPE Database objects referring to Legacy Internet Resources
> currently have several different "status:" attribute values.
> The RIPE NCC proposes changing these to 'LEGACY'.

This seems reasonable.

> 14. The RIPE NCC also proposes introducing a mandatory "status:"
> attribute for all AUT-NUM objects which would take the value
> 'LEGACY' for all legacy AS numbers. For all other AS numbers
> the values would either be set to 'ASSIGNED' (assigned by the
> RIPE NCC) or 'OTHER' (assigned by other RIRs).

This also seems reasonable.
Best regards,

Niall O'Reilly

From sander at steffann.nl Fri May 10 15:14:59 2013
From: sander at steffann.nl (Sander Steffann)
Date: Fri, 10 May 2013 15:14:59 +0200
Subject: [ncc-services-wg] 2012-07 New Draft Document and Impact Analysis Published (RIPE NCC Services to Legacy Internet Resource Holders)
In-Reply-To: <2A5EC166-E2ED-43C8-AA07-8D819DC05097@ucd.ie>
References: <2A5EC166-E2ED-43C8-AA07-8D819DC05097@ucd.ie>
Message-ID: <0047CC9E-B91C-4213-BE4B-4C6A0A89B48D@steffann.nl>

Hi Niall,

Replying as an individual as well:

>> 1. The proposal refers to the terms and conditions under which the
>> Legacy Internet Resources were originally granted. The RIPE NCC will
>> need to be informed as to the content of these original terms and
>> conditions to properly determine their impact.
>
> This need seems to be overstated. Beyond what is necessary
> to determine whether the party involved is indeed the
> legitimate holder of the resource in question, what need can
> the RIPE NCC have for the information mentioned?

Indeed. The NCC needs to know who is the holder to keep the database up to date and to provide services. The terms and conditions are not going to be enforced by the NCC, so why would they need them?

>> 2. The RIPE NCC often receives requests from Legacy Resource Holders
>> wanting their resources to be considered as space allocated by the
>> RIPE NCC. If this proposal is accepted, the RIPE NCC will have to
>> decline these requests.
>
> This is information of which I was not previously aware.
> I appreciate being made aware of this and intend to ensure
> that it is taken into account during the proposal's next
> revision cycle.

As long as those Legacy Resource Holders know that they don't *have* to do this to get services from the NCC then that should indeed be up to them.

>> 3. Due diligence checks will be required to verify the legitimacy
>> of Legacy Resource Holders.
If the correct documentation cannot be
>> provided, the RIPE NCC will be unable to enter into a contractual
>> relationship with the Legacy Resource Holder.
>
> To the extent the diligence applied is indeed "due",
> and conforms with reality rather than with some conventional
> concept or recipe, this seems reasonable. Due diligence
> needs to be informed by both Balance of Probability and
> Balance of Convenience.
>
> It seems to me that a test which the RIPE NCC might
> reasonably use would be whether sufficient trust exists
> for a good-faith belief in the legitimacy of the claim
> to hold the resources in question.
>
> I expect that the issue here is whether the RIPE NCC can
> safely offer registration services (possibly including
> certification) in each specific case.

This is a very hard thing to define in policy. Looking back at the previous item: "The RIPE NCC often receives requests from Legacy Resource Holders wanting their resources to be considered as space allocated by the RIPE NCC.". I assume that for this even stricter checks are in place. That should be the upper limit of the due diligence. I don't want to define in policy how the NCC should handle this though.

>> 4. Section 2.1 of the proposal allows Legacy Internet Resources
>> to be covered by the RIPE NCC Standard Service Agreement (SSA).
>> Modifications to the SSA will require approval by the General
>> Meeting (GM).
>
> The GM has the necessary power.
>
> I expect that it will be for a member with some interest
> in legacy resources to bring forward a proposal that the
> GM exercise this power.

+1

>> 5. Section 2.4 of the proposal allows the Legacy Resource Holder
>> to engage directly with the RIPE NCC through a special contract
>> if they cannot find a sponsoring LIR. The RIPE NCC cannot think of
>> any circumstances where this might be the case. Also, the creation
>> of such a special class of contract would require approval by the GM.
>
> My remark to point 4 applies also to point 5.
+1

>> 6. Similarly, section 2.5 allows the Legacy Resource Holder to
>> conclude no contact due to special enduring circumstances. The RIPE
>> NCC cannot think of what these circumstances might be, and some
>> Registration Services cannot be performed without a contract in
>> place. Additionally, the RIPE NCC will be unable to enforce these
>> resource holders to maintain accurate data in the registry.
>
> [s/contact/contract/]
>
> The proposal mentions "special enduring or temporary
> circumstances" and also that these be "recognised by the
> RIPE NCC as being outside the resource holder's control".
>
> As I understand it, the intent here is fourfold:
>
> - that the RIPE NCC have the freedom to deal appropriately
> with unforeseen adverse circumstances on a case-by-case
> basis;
>
> - that awareness of this freedom be available to every
> reader of the policy;
>
> - that the RIPE NCC is protected from vexatious or
> mischievous invocation of this section by the requirement
> for recognition by the RIPE NCC of the nature of the
> circumstances; and
>
> - that the resource holder has a remedy against unreasonable
> refusal of this recognition by recourse to the arbitration
> procedure.
>
> It is of the nature of unforeseen circumstances that it
> may be difficult to think in advance of what they might be.
> It is not possible, and therefore not necessary, either for
> the proposers or for the RIPE NCC to itemize in a (final
> or proposed) policy an exhaustive list of such circumstances.

Making such a list would be a very bad idea. It will provide opportunities to be abused ("but according to this list I ...") and it will exclude cases that we haven't thought of. The policy should set the framework for the NCC to be able to deal with these cases.

> It will be useful to have a list of the Registration Services
> for which a contract is required.

Make that a maintained and published list.

>> 7.
In cases where the Legacy Resource Holder is unknown or
>> unresponsive, the proposal allows for the RIPE NCC to update
>> entries in the RIPE Database but does not specify the scope of
>> these updates.
>
> The fact that a resource holder is unknown or unresponsive
> should not be an obstacle to the RIPE NCC's exercise of
> its responsibility for the data it holds. Circumstances
> may arise in which there is a compelling reason for the
> RIPE NCC to make an update. The RIPE NCC is empowered
> and trusted to act responsibly.

Same as before: the NCC is the caretaker of our RIPE Database. If the NCC needs to update the database to improve accuracy then I don't see why we would limit that to a smaller scope than 'the RIPE database'.

>> 8. The provision of some RIPE NCC services is dependent on whether
>> the resources are PA or PI. The RIPE NCC will require clear
>> guidelines on the terms under which Legacy Internet Resources
>> would be offered these services.
>
> Only Registration Services are within scope for this
> proposal.
>
> Legacy resources are neither PA nor PI, but LEGACY,
> and need to be supported by Registration Services.
>
> If the policy proposal is unclear, it will be helpful
> to have this indicated, either by reference to more
> detailed text in the current Impact Assessment, or by
> further clarification.
>
> Otherwise, the preparation of operational guidelines
> consistent with RIPE policy as developed from time to
> time, seems to me to be the responsibility of the RIPE
> NCC, subject to due oversight and confirmation from
> the community.

Saying that "resources are PA or PI" is indeed too limiting here. If this policy is accepted then the NCC needs to be able to handle LEGACY resources as well.

>> 9. Currently arbitration does not apply to Legacy Internet
>> Resources. Amendments to the arbitration procedure are subject
>> to approval by the GM.
>
> Please see my comment to point 4.

+1

>> 10.
If the proposal is accepted, the RIPE NCC will have to contact
>> Legacy Resource Holders that have their resources registered under
>> the umbrella of an LIR and offer them the contractual options of
>> the accepted proposal. The RIPE NCC will consider any requests for
>> this since 1992 as having never been submitted.
>
> If such a LIR is acting as an ad-hoc registration intermediary,
> the situation may be seen as sufficiently irregular as to
> require attention whether or not the proposal is accepted.
>
> Otherwise, a variation to a Sponsoring-LIR agreement will
> be needed, which is the responsibility of each LIR involved.
>
> I'd like to have further explanation of the last sentence,
> referring to 1993, as I don't understand it.

I guess that was when the NCC started. Explicitly saying that instead of mentioning a specific year would be better if I'm right. Otherwise: NCC: please explain the intention.

>> 11. If the community decides that this proposal should allow for
>> the certification of Legacy Internet Resources, the RIPE NCC will
>> need to create a certification system specific to these resources.
>
> Probably.
>
> I understand that another current proposal aims to allow
> certification of PI resources. It may be opportune to
> create a multivalent certification system supporting
> different kinds of resources.

As both PI and LEGACY resources allow the use of a Sponsoring LIR I would imagine the implementation to be roughly the same. What would be so special about legacy resources that it would need a certification system specific to those resources?

>> 12. The RIPE NCC is seeking guidance from the community on who
>> should be considered the legitimate holder of Legacy Internet
>> Resources that have been distributed through several layers
>> of hierarchy.
>
> This is a significant problem, which arises whether or
> not the current policy proposal is accepted.
>
> I'm not sure what specific impact this policy proposal
> has on the problem.
I can see that it changes the context,
> but neither that it makes the problem either more or less
> intractable nor that it affects the nature of the work to
> be done.

The NCC already handles Legacy Resource Holders who want their resources to be treated as resources allocated by the RIPE NCC (see item 3). The procedures that are used for that would be a good starting point I guess. I think this guidance should not be put into policy at this point in time. For further guidance it might be useful to discuss this at a future RIPE meeting.

>> 13. RIPE Database objects referring to Legacy Internet Resources
>> currently have several different "status:" attribute values.
>> The RIPE NCC proposes changing these to 'LEGACY'.
>
> This seems reasonable.

+1

>> 14. The RIPE NCC also proposes introducing a mandatory "status:"
>> attribute for all AUT-NUM objects which would take the value
>> 'LEGACY' for all legacy AS numbers. For all other AS numbers
>> the values would either be set to 'ASSIGNED' (assigned by the
>> RIPE NCC) or 'OTHER' (assigned by other RIRs).
>
> This also seems reasonable.

+1

Thank you!
Sander

From hank at efes.iucc.ac.il Fri May 10 15:39:41 2013
From: hank at efes.iucc.ac.il (Hank Nussbacher)
Date: Fri, 10 May 2013 16:39:41 +0300
Subject: [ncc-services-wg] 2012-07 New Draft Document and Impact Analysis Published (RIPE NCC Services to Legacy Internet Resource Holders)
In-Reply-To: <2A5EC166-E2ED-43C8-AA07-8D819DC05097@ucd.ie>
References:
Message-ID: <5.1.1.6.2.20130510163237.0030a8a8@efes.iucc.ac.il>

At 13:27 10/05/2013 +0100, Niall O'Reilly wrote:

> > 2. The RIPE NCC often receives requests from Legacy Resource Holders
> > wanting their resources to be considered as space allocated by the
> > RIPE NCC. If this proposal is accepted, the RIPE NCC will have to
> > decline these requests.
>
> This is information of which I was not previously aware.
> I appreciate being made aware of this and intend to ensure
> that it is taken into account during the proposal's next
> revision cycle.

To what benefit would one receive to have the resource considered as space allocated by RIPE NCC? Perhaps the RIPE NCC can provide some examples so we can understand this.

> > 8. The provision of some RIPE NCC services is dependent on whether
> > the resources are PA or PI. The RIPE NCC will require clear
> > guidelines on the terms under which Legacy Internet Resources
> > would be offered these services.
>
> Only Registration Services are within scope for this
> proposal.
>
> Legacy resources are neither PA nor PI, but LEGACY,
> and need to be supported by Registration Services.

+1.

-Hank

From niall.oreilly at ucd.ie Fri May 10 16:00:09 2013
From: niall.oreilly at ucd.ie (Niall O'Reilly)
Date: Fri, 10 May 2013 15:00:09 +0100
Subject: [ncc-services-wg] 2012-07 New Draft Document and Impact Analysis Published (RIPE NCC Services to Legacy Internet Resource Holders)
In-Reply-To: <5.1.1.6.2.20130510163237.0030a8a8@efes.iucc.ac.il>
References: <5.1.1.6.2.20130510163237.0030a8a8@efes.iucc.ac.il>
Message-ID: <44243C60-3918-4EE9-878F-D598A81E86E8@ucd.ie>

On 10 May 2013, at 14:39, Hank Nussbacher wrote:

> At 13:27 10/05/2013 +0100, Niall O'Reilly wrote:
>
>> > 2. The RIPE NCC often receives requests from Legacy Resource Holders
>> > wanting their resources to be considered as space allocated by the
>> > RIPE NCC. If this proposal is accepted, the RIPE NCC will have to
>> > decline these requests.
>>
>> This is information of which I was not previously aware.
>> I appreciate being made aware of this and intend to ensure
>> that it is taken into account during the proposal's next
>> revision cycle.
>
> To what benefit would one receive to have the resource considered as space allocated by RIPE NCC? Perhaps the RIPE NCC can provide some examples so we can understand this.
+1 OTOH, if a resource holder, fully aware of the consequences, chooses to make such a request, we should perhaps not propose policy which would force the NCC to decline it. Whether the choice were an informed one might be a concern.

/Niall

From randy at psg.com Fri May 10 17:35:16 2013
From: randy at psg.com (Randy Bush)
Date: Fri, 10 May 2013 17:35:16 +0200
Subject: [ncc-services-wg] 2012-07 New Draft Document and Impact Analysis Published (RIPE NCC Services to Legacy Internet Resource Holders)
In-Reply-To: <2A5EC166-E2ED-43C8-AA07-8D819DC05097@ucd.ie>
References: <2A5EC166-E2ED-43C8-AA07-8D819DC05097@ucd.ie>
Message-ID:

>> 8. The provision of some RIPE NCC services is dependent on whether
>> the resources are PA or PI. The RIPE NCC will require clear
>> guidelines on the terms under which Legacy Internet Resources
>> would be offered these services.
>
> Legacy resources are neither PA nor PI, but LEGACY, and need to be
> supported by Registration Services.

how about PR, Pre RIR :)

in trying to understand the impact statement, it was hard for me to separate concerns about any insufficiently precise semantics of the proposal from any actual impact it might have. the above is a case in point. i was expecting "a third class of address space may need the following changes in database, processes, ..."

randy

From randy at psg.com Fri May 10 17:37:15 2013
From: randy at psg.com (Randy Bush)
Date: Fri, 10 May 2013 17:37:15 +0200
Subject: [ncc-services-wg] 2012-07 New Draft Document and Impact Analysis Published (RIPE NCC Services to Legacy Internet Resource Holders)
In-Reply-To: <44243C60-3918-4EE9-878F-D598A81E86E8@ucd.ie>
References: <5.1.1.6.2.20130510163237.0030a8a8@efes.iucc.ac.il> <44243C60-3918-4EE9-878F-D598A81E86E8@ucd.ie>
Message-ID:

>>>> 2. The RIPE NCC often receives requests from Legacy Resource Holders
>>>> wanting their resources to be considered as space allocated by the
>>>> RIPE NCC.
If this proposal is accepted, the RIPE NCC will have to
>>>> decline these requests.
>>> This is information of which I was not previously aware. I
>>> appreciate being made aware of this and intend to ensure that it is
>>> taken into account during the proposal's next revision cycle.
>> To what benefit would one receive to have the resource considered as
>> space allocated by RIPE NCC? Perhaps the RIPE NCC can provide some
>> examples so we can understand this.
> +1

if such a case existed, would they not just become a member?

randy

From sander at steffann.nl Fri May 10 18:47:56 2013
From: sander at steffann.nl (Sander Steffann)
Date: Fri, 10 May 2013 18:47:56 +0200
Subject: [ncc-services-wg] 2012-07 New Draft Document and Impact Analysis Published (RIPE NCC Services to Legacy Internet Resource Holders)
In-Reply-To:
References: <5.1.1.6.2.20130510163237.0030a8a8@efes.iucc.ac.il> <44243C60-3918-4EE9-878F-D598A81E86E8@ucd.ie>
Message-ID:

Hi Randy,

>>> To what benefit would one receive to have the resource considered as
>>> space allocated by RIPE NCC? Perhaps the RIPE NCC can provide some
>>> examples so we can understand this.
>> +1
>
> if such a case existed, would they not just become a member?

If I understand correctly they do become a member and have their legacy address space re-labeled as PA space.

NCC: please correct me if I'm wrong!
Sander

From nick at netability.ie Fri May 10 18:51:39 2013
From: nick at netability.ie (Nick Hilliard)
Date: Fri, 10 May 2013 17:51:39 +0100
Subject: [ncc-services-wg] 2012-07 New Draft Document and Impact Analysis Published (RIPE NCC Services to Legacy Internet Resource Holders)
In-Reply-To:
References: <5.1.1.6.2.20130510163237.0030a8a8@efes.iucc.ac.il> <44243C60-3918-4EE9-878F-D598A81E86E8@ucd.ie>
Message-ID: <518D259B.2080103@netability.ie>

On 10/05/2013 17:47, Sander Steffann wrote:

> If I understand correctly they do become a member and have their legacy
> address space re-labeled as PA space.
>
> NCC: please correct me if I'm wrong!

There's no facility in this proposal to get your legacy address space relabelled as PA. This is probably an omission and it would be good to put the practice of doing this on a formal policy basis.

Nick

From sander at steffann.nl Sat May 11 14:17:13 2013
From: sander at steffann.nl (Sander Steffann)
Date: Sat, 11 May 2013 14:17:13 +0200
Subject: [ncc-services-wg] 2012-07 New Draft Document and Impact Analysis Published (RIPE NCC Services to Legacy Internet Resource Holders)
In-Reply-To: <518D259B.2080103@netability.ie>
References: <5.1.1.6.2.20130510163237.0030a8a8@efes.iucc.ac.il> <44243C60-3918-4EE9-878F-D598A81E86E8@ucd.ie> <518D259B.2080103@netability.ie>
Message-ID: <4CC3201B-D1BF-43F7-9C35-4D8E56AE7F90@steffann.nl>

Hi Nick,

> There's no facility in this proposal to get your legacy address space
> relabelled as PA. This is probably an omission and it would be good to put
> the practice of doing this on a formal policy basis.

Niall already responded to that:

>> 2. The RIPE NCC often receives requests from Legacy Resource Holders
>> wanting their resources to be considered as space allocated by the
>> RIPE NCC. If this proposal is accepted, the RIPE NCC will have to
>> decline these requests.
>
> This is information of which I was not previously aware.
> I appreciate being made aware of this and intend to ensure
> that it is taken into account during the proposal's next
> revision cycle.

Cheers,
See you in Dublin!
Sander

From lists-ripe at c4inet.net Sat May 11 15:37:13 2013
From: lists-ripe at c4inet.net (Sascha Luck)
Date: Sat, 11 May 2013 14:37:13 +0100
Subject: [ncc-services-wg] 2012-07 New Draft Document and Impact Analysis Published (RIPE NCC Services to Legacy Internet Resource Holders)
In-Reply-To: <0047CC9E-B91C-4213-BE4B-4C6A0A89B48D@steffann.nl>
References: <2A5EC166-E2ED-43C8-AA07-8D819DC05097@ucd.ie> <0047CC9E-B91C-4213-BE4B-4C6A0A89B48D@steffann.nl>
Message-ID: <20130511133713.GA60051@cilantro.c4inet.net>

On Fri, May 10, 2013 at 03:14:59PM +0200, Sander Steffann wrote:

>> This need seems to be overstated. Beyond what is necessary
>> to determine whether the party involved is indeed the
>> legitimate holder of the resource in question, what need can
>> the RIPE NCC have for the information mentioned?

>Indeed. The NCC needs to know who is the holder to keep the database up
>to date and to provide services. The terms and conditions are not going
>to be enforced by the NCC, so why would they need them?

+1 The T&C of the original assignment are not relevant to the provision of services by the NCC and may, after all the years, not even be available anymore. Thus, the requirement is unnecessary and onerous.

>>> 3. Due diligence checks will be required to verify the legitimacy of
>>> Legacy Resource Holders. If the correct documentation cannot be
>>> provided, the RIPE NCC will be unable to enter into a contractual
>>> relationship with the Legacy Resource Holder.

[...]

>checks are in place. That should be the upper limit of the due
>diligence. I don't want to define in policy how the NCC should handle
>this though.

+1 I'm also in favour of setting limits on how much verification the NCC can require (and to have some kind of oversight by the membership) My nightmare scenario here is requiring legal proof of the entire chain of M&A that led to the current entity being the holder of a resource.
[Exhaustive list of circumstances where 2.6 applies]

>Making such a list would be a very bad idea. It will provide
>opportunities to be abused ("but according to this list I ...") and it
>will exclude cases that we haven't thought of. The policy should set
>the framework for the NCC to be able to deal with these cases.

+1 It may well be the case that this list would have as many entries as there are legacy holders. This would be pretty pointless. Every such case must be decided on its own merits and, most importantly, there MUST be an appeals process, possibly via the arbitration procedure.

>> It will be useful to have a list of the Registration Services
>> for which a contract is required.
>
>Make that a maintained and published list.

+1

rgds,
Sascha Luck

From lists-ripe at c4inet.net Sat May 11 15:53:58 2013
From: lists-ripe at c4inet.net (Sascha Luck)
Date: Sat, 11 May 2013 14:53:58 +0100
Subject: [ncc-services-wg] 2012-07 New Draft Document and Impact Analysis Published (RIPE NCC Services to Legacy Internet Resource Holders)
In-Reply-To: <2A5EC166-E2ED-43C8-AA07-8D819DC05097@ucd.ie>
References: <2A5EC166-E2ED-43C8-AA07-8D819DC05097@ucd.ie>
Message-ID: <20130511135358.GB60051@cilantro.c4inet.net>

On Fri, May 10, 2013 at 01:27:43PM +0100, Niall O'Reilly wrote:

>> 4. Section 2.1 of the proposal allows Legacy Internet Resources
>> to be covered by the RIPE NCC Standard Service Agreement (SSA).
>> Modifications to the SSA will require approval by the General
>> Meeting (GM).
>
> The GM has the necessary power.
>
> I expect that it will be for a member with some interest
> in legacy resources to bring forward a proposal that the
> GM exercise this power.

+1

>> 7. In cases where the Legacy Resource Holder is unknown or
>> unresponsive, the proposal allows for the RIPE NCC to update
>> entries in the RIPE Database but does not specify the scope of
>> these updates.
> > The fact that a resource holder is unknown or unresponsive > should not be an obstacle to the RIPE NCC's exercise of > its responsibility for the data it holds. Circumstances > may arise in which there is a compelling reason for the > RIPE NCC to make an update. The RIPE NCC is empowered > and trusted to act responsibly. This would appear to empower the NCC to unilaterally, de-register or even re-register such resources. (which is, IIRC, what the NCC originally proposed and what triggered this proposal) Maybe we should limit this to changing the relevant objects to "Unknown" or similar... >> 8. The provision of some RIPE NCC services is dependent on whether >> the resources are PA or PI. The RIPE NCC will require clear >> guidelines on the terms under which Legacy Internet Resources >> would be offered these services. > > Only Registration Services are within scope for this > proposal. > > Legacy resources are neither PA nor PI, but LEGACY, > and need to be supported by Registration Services. +1 >> 10. If the proposal is accepted, the RIPE NCC will have to contact >> Legacy Resource Holders that have their resources registered under >> the umbrella of an LIR and offer them the contractual options of >> the accepted proposal. The RIPE NCC will consider any requests for >> this since 1992 as having never been submitted. > > If such a LIR is acting as an ad-hoc registration intermediary, > the situation may be seen as sufficiently irregular as to > require attention whether or not the proposal is accepted. > > Otherwise, a variation to a Sponsoring-LIR agreement will > be needed, which is the responsibility of each LIR involved. 
If such registrations have been previously accepted by the NCC they should be considered valid (subject to the above mentioned agreement variation) This shouldn't preclude offering the resource holder the other contractual options, but should give them the option to continue their existing relationship without going through another full registration process. >> 13. RIPE Database objects referring to Legacy Internet Resources >> currently have several different "status:" attribute values. >> The RIPE NCC proposes changing these to 'LEGACY'. > > This seems reasonable. +1 >> 14. The RIPE NCC also proposes introducing a mandatory "status:" >> attribute for all AUT-NUM objects which would take the value >> 'LEGACY' for all legacy AS numbers. For all other AS numbers >> the values would either be set to 'ASSIGNED' (assigned by the >> RIPE NCC) or 'OTHER' (assigned by other RIRs). > > This also seems reasonable. +1 rgds, Sascha Luck From sander at steffann.nl Sun May 12 10:25:49 2013 From: sander at steffann.nl (Sander Steffann) Date: Sun, 12 May 2013 09:25:49 +0100 Subject: [ncc-services-wg] 2012-07 New Draft Document and Impact Analysis Published (RIPE NCC Services to Legacy Internet Resource Holders) In-Reply-To: <20130511135358.GB60051@cilantro.c4inet.net> References: <2A5EC166-E2ED-43C8-AA07-8D819DC05097@ucd.ie> <20130511135358.GB60051@cilantro.c4inet.net> Message-ID: <8FD7B571-C540-409E-A889-8BA6A274ABF0@steffann.nl> Hi Sasha, > This would appear to empower the NCC to unilaterally, de-register or > even re-register such resources. (which is, IIRC, what the NCC > originally proposed and what triggered this proposal) > Maybe we should limit this to changing the relevant objects to "Unknown" > or similar... I think that is too limiting. We should limit the NCC to putting in accurate information. Deregistration would then only be possible if the NCC *knows* nobody is using that resource anymore, and I see no problem with that. 
(the problem will be finding proof, not the deregistration itself) Cheers, Sander From kurtis at kurtis.pp.se Sun May 12 21:28:48 2013 From: kurtis at kurtis.pp.se (Lindqvist Kurt Erik) Date: Sun, 12 May 2013 21:28:48 +0200 Subject: [ncc-services-wg] Updated Draft Agenda NCC Services WG - RIPE 66 In-Reply-To: References: <8A3AC848-27D3-4943-871B-6CE27CAE58EB@euro-ix.net> <17ECF7AE-C440-407D-B47D-D236A643CDFA@kurtis.pp.se> Message-ID: <670A5992-A205-40C4-9E35-8FEDAB13E42B@kurtis.pp.se> On 9 May 2013, at 21:07, Randy Bush wrote: > you are correct. axel did not make a proper proposal of it. see > > https://www.ripe.net/ripe/mail/archives/ncc-services-wg/2013-February/002051.html > > how about using ? $subject, "RPKI and PI End Users Proposal" Ok, will take that as title and let you and Axel sort out presenting it... Best regards, - kurtis - From kurtis at kurtis.pp.se Sun May 12 21:34:04 2013 From: kurtis at kurtis.pp.se (Lindqvist Kurt Erik) Date: Sun, 12 May 2013 21:34:04 +0200 Subject: [ncc-services-wg] RIPE66 NCC-Servcies WG Agenda version 3 Message-ID: <44CCF7B5-81E0-4C09-9EB9-EDF1124B430A@kurtis.pp.se> Date: Wednesday 15 May 2013 Chair: Kurtis Lindqvist Co-Chair: Bijal Sanghani Time: 11:00 - 12:30 A. Administrative Matters Welcome Select a scribe Finalise agenda Approve minutes from RIPE 65 B. Policy summary of where we are, Chairs C. Status of 2012-07 - RIPE NCC Services to Legacy Internet Resource Holders - Niall O'Reilly, University College Dublin D. 2012-08 - Publication of Sponsoring LIR for Independent Number Resources - Nick Hilliard, INEX E. Resource certification - 2013-04 Name Resource Certification for non-RIPE NCC members, Erik Bais, A2B Internet BV - RPKI and PI End Users Proposal (https://www.ripe.net/ripe/mail/archives/ncc-services-wg/2013-February/002051.html), Randy Bush F. 
Straw Poll on following Pre-Policy Discussions: - All PDP emails, documents and websites should come with unified diff - PDPs should be renamed from YYYY-NN to RIPE-PDP-YYYY-NN-vN - All published documents and PDPs are maintained with git - All RIPE documents should be plain text Date: Wednesday 15 May 2013 Time: 16.00 - 17.45 G. Administrative Matters Welcome Select a scribe Finalise agenda H. Report from RIPE NCC - Axel Pawlik, RIPE NCC I. RIPE NCC Survey 2013 - Serge Radovcic, RIPE NCC J. Internet Governance update - Paul Rendek, RIPE NCC K. Registration Services update - Andrew de la Haye, RIPE NCC L. Open Microphone Session Z. AOB Kind regards, Kurtis and Bijal NCC Services WG Chairs From kurtis at kurtis.pp.se Mon May 13 11:20:19 2013 From: kurtis at kurtis.pp.se (Lindqvist Kurt Erik) Date: Mon, 13 May 2013 11:20:19 +0200 Subject: [ncc-services-wg] 2012-07 New Draft Document and Impact Analysis Published (RIPE NCC Services to Legacy Internet Resource Holders) In-Reply-To: <2A5EC166-E2ED-43C8-AA07-8D819DC05097@ucd.ie> References: <2A5EC166-E2ED-43C8-AA07-8D819DC05097@ucd.ie> Message-ID: On 10 May 2013, at 14:27, Niall O'Reilly wrote: >> 4. Section 2.1 of the proposal allows Legacy Internet Resources >> to be covered by the RIPE NCC Standard Service Agreement (SSA). >> Modifications to the SSA will require approval by the General >> Meeting (GM). > > The GM has the necessary power. > > I expect that it will be for a member with some interest > in legacy resources to bring forward a proposal that the > GM exercise this power. I'll just make the observation that this though makes the implementation of the policy dependent on action that is not under the control of either the PDP or the RIPE NCC staff. 
Best regards, - kurtis - From sander at steffann.nl Mon May 13 15:25:37 2013 From: sander at steffann.nl (Sander Steffann) Date: Mon, 13 May 2013 14:25:37 +0100 Subject: [ncc-services-wg] 2012-07 New Draft Document and Impact Analysis Published (RIPE NCC Services to Legacy Internet Resource Holders) In-Reply-To: References: <2A5EC166-E2ED-43C8-AA07-8D819DC05097@ucd.ie> Message-ID: Hi, >>> 4. Section 2.1 of the proposal allows Legacy Internet Resources >>> to be covered by the RIPE NCC Standard Service Agreement (SSA). >>> Modifications to the SSA will require approval by the General >>> Meeting (GM). >> >> The GM has the necessary power. >> >> I expect that it will be for a member with some interest >> in legacy resources to bring forward a proposal that the >> GM exercise this power. > > I'll just make the observation that this though makes the implementation of the policy dependent on action that is not under the control of either the PDP or the RIPE NCC staff. Yeah, difficult, but that's how it works. We had the same issue with 2007-01 in APWG, and it worked out in the end. The best way forward is to work with the NCC Board once the wishes of the community are clear. The board can then let the NCC members vote on whatever is necessary at an AGM. Kind regards, Sander Steffann From kurtis at kurtis.pp.se Mon May 13 17:35:25 2013 From: kurtis at kurtis.pp.se (Lindqvist Kurt Erik) Date: Mon, 13 May 2013 17:35:25 +0200 Subject: [ncc-services-wg] 2012-07 New Draft Document and Impact Analysis Published (RIPE NCC Services to Legacy Internet Resource Holders) In-Reply-To: References: <2A5EC166-E2ED-43C8-AA07-8D819DC05097@ucd.ie> Message-ID: On 13 May 2013, at 15:25, Sander Steffann wrote: >>>> >>>> 4. Section 2.1 of the proposal allows Legacy Internet Resources >>>> to be covered by the RIPE NCC Standard Service Agreement (SSA). >>>> Modifications to the SSA will require approval by the General >>>> Meeting (GM). >>> >>> The GM has the necessary power. 
>>> >>> I expect that it will be for a member with some interest >>> in legacy resources to bring forward a proposal that the >>> GM exercise this power. >> >> I'll just make the observation that this though makes the implementation of the policy dependent on action that is not under the control of either the PDP or the RIPE NCC staff. > > > Yeah, difficult, but that's how it works. We had the same issue with 2007-01 in APWG, and it worked out in the end. The best way forward is to work with the NCC Board once the wishes of the community are clear. The board can then let the NCC members vote on whatever is necessary at an AGM. Absolutely, I just wanted to highlight the process, nothing else. Best regards, - kurtis - From kurtis at kurtis.pp.se Tue May 14 18:25:21 2013 From: kurtis at kurtis.pp.se (Lindqvist Kurt Erik) Date: Tue, 14 May 2013 18:25:21 +0200 Subject: [ncc-services-wg] Agenda version 4 Message-ID: <52C46222-4F69-47B0-8236-A7E6F00F4B18@kurtis.pp.se> The presenters of some of the proposals in the first session tomorrow have asked for a bit of reordering which the chairs agreed with. Updated agenda is Date: Wednesday 15 May 2013 Chair: Kurtis Lindqvist Co-Chair: Bijal Sanghani Time: 11:00 - 12:30 A. Administrative Matters Welcome Select a scribe Finalise agenda Approve minutes from RIPE 65 B. Policy summary of where we are, Chairs C. 2012-08 - Publication of Sponsoring LIR for Independent Number Resources - Nick Hilliard, INEX D. Introduction to 2012-07, 2013-04, and RPKI for PI, Axel Pawlik and Randy Bush E. 2012-07 - RIPE NCC Services to Legacy Internet Resource Holders - Niall O'Reilly, University College Dublin F. 2013-04 Name Resource Certification for non-RIPE NCC members, Erik Bais, A2B Internet BV G. 
Straw Poll on following Pre-Policy Discussions: - All PDP emails, documents and websites should come with unified diff - PDPs should be renamed from YYYY-NN to RIPE-PDP-YYYY-NN-vN - All published documents and PDPs are maintained with git - All RIPE documents should be plain text Date: Wednesday 15 May 2013 Time: 16.00 - 17.45 H. Administrative Matters Welcome Select a scribe I. Report from RIPE NCC - Axel Pawlik, RIPE NCC J. RIPE NCC Survey 2013 - Serge Radovcic, RIPE NCC K. Internet Governance update - Paul Rendek, RIPE NCC L. Registration Services update - Andrew de la Haye, RIPE NCC M. Open Microphone Session Z. AOB Best regards, - kurtis - From stolpe at resilans.se Wed May 15 12:51:55 2013 From: stolpe at resilans.se (Daniel Stolpe) Date: Wed, 15 May 2013 12:51:55 +0200 (CEST) Subject: [ncc-services-wg] 2012-08 New Draft Document and Impact Analysis Published (Publication of Sponsoring LIR for Independent Number Resources) Message-ID: I think Kurtis was right about not having that many comments on the mailing list this time (even though there were a few earlier on). First I want to say "Well done" to David. I support this proposal. Yes, there will be an increased risk for abuse. But as my LIR already handles a big chunk of legacy PI space (yes it has PI status) and all those abuse spammers always think we are the ISP just because we have mnt-by, we are already familiar with the situation. On some occasions we think the NCC has put us as sponsor for some resources and then a year or two later we realise the holder is asked by the NCC to get a sponsor... So to conclude, yes probably more abuse but nevertheless, the right path forward. 
Best Regards, Daniel Stolpe _________________________________________________________________________________ Daniel Stolpe Tel: 08 - 688 11 81 stolpe at resilans.se Resilans AB Fax: 08 - 55 00 21 63 http://www.resilans.se/ Box 13 054 556741-1193 103 02 Stockholm From niall.oreilly at ucd.ie Wed May 15 16:05:00 2013 From: niall.oreilly at ucd.ie (Niall O'Reilly) Date: Wed, 15 May 2013 15:05:00 +0100 Subject: [ncc-services-wg] 2013-04 New Policy Proposal (Resource Certification for non-RIPE NCC Members) In-Reply-To: References: Message-ID: On 8 May 2013, at 14:19, Emilio Madaio wrote: > You can find the full proposal at: > > https://www.ripe.net/ripe/policies/proposals/2013-04 > > We encourage you to review this proposal and send your comments to > before 5 June 2013. This seems to me a useful and elegantly simple proposal. I support it. Niall O'Reilly From niall.oreilly at ucd.ie Thu May 16 19:13:05 2013 From: niall.oreilly at ucd.ie (Niall O'Reilly) Date: Thu, 16 May 2013 18:13:05 +0100 Subject: [ncc-services-wg] Policy proposal 2012-07: next steps Message-ID: Hello. As I said at the meeting (https://ripe66.ripe.net/archives/steno/13/), CHAIR: I have a question for you then. The review phase hasn't ended yet. But I suspect that you have some new text to put into the document after your ?? NIALL O'REILLY: I expect there'll be new text. I expect there'll be a version 4. CHAIR: Do you want to wait for the current one to end and then additional comments I guess ?? NIALL O'REILLY: I guess we'll start on the homework sooner rather than later. CHAIR: Okay. We're aiming to have a new version ready in time to start a fresh Review or Discussion Phase at the end of May or thereabouts. We've begun the homework already by meeting with NCC staff again this afternoon, when we had a friendly and productive meeting. NCC people are aware of our target and, if I've understood correctly, seem ready to have a revised Impact Assessment available promptly. 
Best regards, Niall O'Reilly From kurtis at kurtis.pp.se Thu May 16 19:45:12 2013 From: kurtis at kurtis.pp.se (Lindqvist Kurt Erik) Date: Thu, 16 May 2013 19:45:12 +0200 Subject: [ncc-services-wg] Policy proposal 2012-07: next steps In-Reply-To: References: Message-ID: <78049389-1878-4E97-BBC8-72B2A3C07DA9@kurtis.pp.se> On 16 May 2013, at 19:13, Niall O'Reilly wrote: > As I said at the meeting (https://ripe66.ripe.net/archives/steno/13/), > > CHAIR: I have a question for you then. The review phase hasn't ended yet. > But I suspect that you have some new text to put into the document after your ?? > > NIALL O'REILLY: I expect there'll be new text. I expect there'll be a version 4. > > CHAIR: Do you want to wait for the current one to end and then additional comments I guess ?? > > NIALL O'REILLY: I guess we'll start on the homework sooner rather than later. > > CHAIR: Okay. > > We're aiming to have a new version ready in time to start a fresh > Review or Discussion Phase at the end of May or thereabouts. > > We've begun the homework already by meeting with NCC staff again > this afternoon, when we had a friendly and productive meeting. > NCC people are aware of our target and, if I've understood correctly, > seem ready to have a revised Impact Assessment available promptly. > Thanks! Best regards, - kurtis - From lists-ripe at c4inet.net Sat May 18 15:24:53 2013 From: lists-ripe at c4inet.net (Sascha Luck) Date: Sat, 18 May 2013 14:24:53 +0100 Subject: [ncc-services-wg] 2013-04 New Policy Proposal (Resource Certification for non-RIPE NCC Members) In-Reply-To: References: Message-ID: <20130518132453.GA92411@cilantro.c4inet.net> All, On Wed, May 08, 2013 at 03:19:48PM +0200, Emilio Madaio wrote: >You can find the full proposal at: > > https://www.ripe.net/ripe/policies/proposals/2013-04 I'm afraid that every objection made to 2008-08 (which proposal failed to achieve consensus) applies exactly the same to this proposal. 
Rather than re-iterating every argument here again, I refer to the original thread re. 2008-08: http://www.ripe.net/ripe/mail/archives/address-policy-wg/2011-May/005737.html For this reason alone, I oppose this proposal. >We encourage you to review this proposal and send your comments to > before 5 June 2013. Hereby done. :) Kind Regards, Sascha Luck From tim at haitabu.net Sat May 18 20:14:41 2013 From: tim at haitabu.net (Tim Kleefass) Date: Sat, 18 May 2013 20:14:41 +0200 Subject: [ncc-services-wg] 2012-08 New Draft Document and Impact Analysis Published (Publication of Sponsoring LIR for Independent Number Resources) In-Reply-To: References: Message-ID: <5197C511.1060201@haitabu.net> On 15.05.2013 12:51 PM, Daniel Stolpe wrote: > I support this proposal. +1 -tim From andreas.larsen at ip-only.se Sun May 19 11:00:03 2013 From: andreas.larsen at ip-only.se (Andreas Larsen) Date: Sun, 19 May 2013 11:00:03 +0200 Subject: [ncc-services-wg] 2012-08 New Draft Document and Impact Analysis Published (Publication of Sponsoring LIR for Independent Number Resources) In-Reply-To: Message-ID: +1 I support this proposal. // Andreas Kind regards Andreas Larsen IP-Only Telecommunication AB| Postal address: 753 81 UPPSALA | Visiting address: S:t Persgatan 6, Uppsala | Telephone: +46 (0)18 843 10 00 | Direct: +46 (0)18 843 10 56 www.ip-only.se On 2013-05-15 11:51, Daniel Stolpe wrote: > >I think Kurtis was right about not having that many comments on the >mailing >list this time (even though there were a few earlier on). > >First I want to say "Well done" to David. > >I support this proposal. > >Yes, there will be an increased risk for abuse. But as my LIR already >handles a big chunk of legacy PI space (yes it has PI status) and all >those abuse spammers always think we are the ISP just because we have >mnt-by, we are already familiar with the situation. 
> >On some occasions we think the NCC has put us as sponsor for some >resources and then a year or two later we realise the holder is asked >by the NCC to get a sponsor... > >So to conclude, yes probably more abuse but nevertheless, the right path >forward. > >Best Regards, > >Daniel Stolpe > >__________________________________________________________________________ >_______ >Daniel Stolpe Tel: 08 - 688 11 81 >stolpe at resilans.se >Resilans AB Fax: 08 - 55 00 21 63 >http://www.resilans.se/ >Box 13 054 556741-1193 >103 02 Stockholm > From sander at steffann.nl Mon May 20 15:57:47 2013 From: sander at steffann.nl (Sander Steffann) Date: Mon, 20 May 2013 15:57:47 +0200 Subject: [ncc-services-wg] 2013-04 New Policy Proposal (Resource Certification for non-RIPE NCC Members) In-Reply-To: <20130518132453.GA92411@cilantro.c4inet.net> References: <20130518132453.GA92411@cilantro.c4inet.net> Message-ID: Hi Sasha, > I'm afraid that every objection made to 2008-08 (which proposal failed > to achieve consensus) applies exactly the same to this proposal. Rather than re-iterating every argument here again, I refer to the > original thread re. 2008-08: > > http://www.ripe.net/ripe/mail/archives/address-policy-wg/2011-May/005737.html > > For this reason alone, I oppose this proposal. Then let me counter by answering to the message you refer to: > I believe that before this policy is adopted the community should > consider in depth: > > i) whether these concerns are at least potentially valid (I am convinced > they are); The concerns are based on: a) the majority of network operators using rPKI and dropping unsigned or invalid routes b) legislators giving power to law enforcement so that they can force a Dutch entity (the RIPE NCC) to withdraw resources from its members c) legislators forcing network operators all over the world to keep doing (a) even in the event of abuse by law enforcement The usage of rPKI in (a) depends a lot on the policy that the network operators use. 
Everything is possible there. The examples at http://www.ripe.net/lir-services/resource-management/certification/router-configuration show how to adjust local-pref based on rPKI while still accepting all routes. This is the network operator's choice! On (b) see http://www.ripe.net/ripe/docs/ripe-588: """ The RIPE NCC may be asked by LEAs to perform a specific action, for example a modification in the registration of specific Internet number resources. The RIPE NCC will not voluntarily comply with such requests. The RIPE NCC will only comply with such requests if a Dutch Court order is served by a Dutch LEA, as well as a binding order from law-enforcement or regulatory authorities that are operating as required under Dutch criminal and administrative law (such as the Public Prosecution Department, the Police, the Fiscal Intelligence and Investigation Service). Both law enforcement and other national authorities operating outside the Netherlands must follow the applicable mutual legal assistance treaties (MLAT) procedures. Each order will be evaluated on its own merits. If an order is considered illegal or of a non-obligatory nature, the RIPE NCC will not comply with it and will challenge it either before the authority giving the order or before a civil or criminal court, depending on the specific circumstances. """ If the Dutch legal system gets so bad that they require disproportional measures to be taken by the RIPE NCC then I think we have bigger issues and should move the RIPE NCC to a different country. And (c) would require laws to be changed all over the world to force network operators to use rPKI *and* to force them to use it in a certain way. If that happens then they can as easily make laws that result in the same operational effect without using rPKI. Network operators have to follow the rules/laws of the country/countries they operate in, with or without rPKI. 
> ii) If so, whether the problem that this policy addresses is > sufficiently serious to warrant accepting these new risks [1]; and Considering that rPKI prevents mistakes and hijacks of address space happen today, compared to an unlikely future situation where operators are forced to use rPKI in a certain way and where law enforcement becomes capable of controlling the RIPE NCC, yes I think we should accept this policy. Considering the increasing pain caused by lack of IPv4 addresses and the resulting growth of incentive for hijacking I expect we need the features that rPKI provides sooner rather than later. > iii) Even if the problem is serious enough, whether alternative means to > address it could be found that would mitigate these risks [2]. (For > example, if the problem could be 80% solved using a model that does not > give RIRs a power to revoke and expire certificates "needed" for > routing, is the residual 20% of the problem really serious enough to > warrant creating the risks I describe). Alternative means have been used for years, and still aren't good enough. Yes, securing routing is desperately needed. > iv) Even if the problem still justifies adopting the approach taken in > this policy proposal, what other steps should be taken simultaneously > to mitigate these risks. I see no need at this point to take other steps, as I don't see (a), (b) and (c) happen simultaneously. If your concerns should approach reality (laws enabling remote control of the RIPE NCC, laws enforcing a very specific usage of rPKI, etc) then we should take steps. Until there is evidence that those concerns are more than fear, uncertainty and doubt we should not act on them. 
And for the WG chairs: I support this proposal Cheers, Sander From tore at fud.no Mon May 20 16:42:35 2013 From: tore at fud.no (Tore Anderson) Date: Mon, 20 May 2013 16:42:35 +0200 Subject: [ncc-services-wg] 2013-04 New Policy Proposal (Resource Certification for non-RIPE NCC Members) In-Reply-To: <20130518132453.GA92411@cilantro.c4inet.net> References: <20130518132453.GA92411@cilantro.c4inet.net> Message-ID: <519A365B.3060304@fud.no> * Sascha Luck > I'm afraid that every objection made to 2008-08 (which proposal failed > to achieve consensus) applies exactly the same to this proposal. Rather > than re-iterating every argument here again, I refer to the > original thread re. 2008-08: > > http://www.ripe.net/ripe/mail/archives/address-policy-wg/2011-May/005737.html If I read it correctly, the linked to argument is against RPKI as a whole. However, 2013-04 isn't a question on whether we should do RPKI or not, but whether or not our *existing* RPKI stuff should be extended to include non-members. I think it should. If we're doing something to begin with, we shouldn't be doing it half-arsed. So I support the policy. I've got one question though. What is the rationale for the requirement that "the Internet resources reside within the RIPE NCC service region"? I don't see the reason for this. IMHO, any PI/legacy space issued/maintained by the RIPE NCC should be eligible for certification under this policy, no matter where on (or off!) the planet it's being used. 
Tore From lists-ripe at c4inet.net Mon May 20 16:48:51 2013 From: lists-ripe at c4inet.net (Sascha Luck) Date: Mon, 20 May 2013 15:48:51 +0100 Subject: [ncc-services-wg] 2013-04 New Policy Proposal (Resource Certification for non-RIPE NCC Members) In-Reply-To: References: <20130518132453.GA92411@cilantro.c4inet.net> Message-ID: <20130520144851.GA1122@cilantro.c4inet.net> Sander, On Mon, May 20, 2013 at 03:57:47PM +0200, Sander Steffann wrote: >> i) whether these concerns are at least potentially valid (I am >> convinced they are); >The concerns are based on: >a) the majority of network operators using >rPKI and dropping unsigned or invalid routes If this is not the case, rpki serves no useful (security) purpose and its implementation is pointless. >b) legislators giving power to law enforcement so that they can >force a Dutch entity (the RIPE NCC) to withdraw resources from >its members Wrong. The NCC must (and will, see Axel's recent message) comply with a court order or injunction. Possibly any court order from an EU member state, these are enforceable across borders, TTBOMK. Neither legislation nor law enforcement need be involved, it could be anyone (BREIN, GEMA, a pissed-off individual with money and lawyers) and the right judge. This does not even consider an attack from a non-legal actor, such as a compromised CA. >c) legislators forcing network operators all over the world to keep >doing (a) even in the event of abuse by law enforcement Nobody needs to *force* operators to do anything, they will probably not even notice a route missing from a few hundred thousand or, indeed, care that TPB is no longer reachable unless someone complains loudly. >show how to adjust local-pref based on rPKI while still accepting all >routes. This is the network operator's choice! True, but the security gain is nil to low if routes with invalid/ non-existing ROAs aren't dropped. 
While some operators may use ROAs to adjust localpref, IMO the "lazy default" and most-widely used implementation will be "drop invalid/missing" and this is the case I base my argument on. >The RIPE NCC will only comply with such requests if a Dutch Court order >is served by a Dutch LEA, as well as a binding order from >law-enforcement or regulatory authorities that are operating as >required under Dutch criminal and administrative law (such as the >Public Prosecution Department, the Police, the Fiscal Intelligence and >Investigation Service). The NCC will comply with a valid court order as prescribed by law, or the officers will go to jail for contempt until it does. >If the Dutch legal system gets so bad that they require disproportional >measures to be taken by the RIPE NCC then I think we have bigger issues >and should move the RIPE NCC to a different country. It already is (not just in .nl), please remember the various TPB-blocking orders served to ISPs in .nl, .ie, .uk and so on. Moving the NCC would have little effect unless it'd be to a non-EU jurisdiction. The only way to solve this would be to have a distributed trust-anchor in multiple jurisdictions, so that a single point of failure/attack does not exist. I've already indicated that I would support a RPKI policy if this requirement was met, but not until then. >I see no need at this point to take other steps, as I don't see (a), >(b) and (c) happen simultaneously. If your concerns should approach >reality (laws enabling remote control of the RIPE NCC, laws enforcing a >very specific usage of rPKI, etc) then we should take steps. Until >there is evidence that those concerns are more than fear, uncertainty >and doubt we should not act on them. 
And unless you deign to take these concerns seriously and even *consider* steps to mitigate them, I will remain, in opposition, your, Sascha Luck From sander at steffann.nl Mon May 20 16:57:33 2013 From: sander at steffann.nl (Sander Steffann) Date: Mon, 20 May 2013 16:57:33 +0200 Subject: [ncc-services-wg] 2013-04 New Policy Proposal (Resource Certification for non-RIPE NCC Members) In-Reply-To: <20130520144851.GA1122@cilantro.c4inet.net> References: <20130518132453.GA92411@cilantro.c4inet.net> <20130520144851.GA1122@cilantro.c4inet.net> Message-ID: Hi, >>> i) whether these concerns are at least potentially valid (I am >>> convinced they are); >> The concerns are based on: a) the majority of network operators using >> rPKI and dropping unsigned or invalid routes > > If this is not the case, rpki serves no useful (security) purpose and > its implementation is pointless. Incorrect: rPKI can serve as a warning system, it can be used to adjust local-prefs and other local policy decisions. Not just for dropping or ignoring routes. >> b) legislators giving power to law enforcement so that they can force a Dutch entity (the RIPE NCC) to withdraw resources from its members > > Wrong. The NCC must (and will, see Axel's recent message) comply with a > court order or injunction. Possibly any court order from an EU member > state, these are enforceable across borders, TTBOMK. > Neither legislation nor law enforcement need be involved, it could be > anyone (BREIN, GEMA, a pissed-off individual with money and lawyers) > and the right judge. > This does not even consider an attack from a non-legal actor, such as a > compromised CA. Please read the legal statement from the NCC I linked to. You are contradicting it. If you have better legal advice than the RIPE NCC's own lawyers then please contact the NCC. 
>> c) legislators forcing network operators all over the world to keep doing (a) even in the event of abuse by law enforcement > > Nobody needs to *force* operators to do anything, they will probably not > even notice a route missing from a few hundred thousand or, indeed, care > that TPB is no longer reachable unless someone complains loudly. Operators not caring about their routing tables is a problem out of scope for this policy. There are thousands of other factors besides rPKI, so this is not specific to this policy. >> show how to adjust local-pref based on rPKI while still accepting all >> routes. This is the network operator's choice! > > True, but the security gain is nil to low if routes with invalid/ > non-existing ROAs aren't dropped. Not true, see above > While some operators may use ROAs to adjust localpref, IMO the "lazy > default" and most-widely used implementation will be "drop > invalid/missing" and this is the case I base my argument on. Ah, ok. But since your assumption is invalid (there is no default, and the quick-start examples which would probably be used for such a "lazy default" are completely different from what you assume) then your case isn't very interesting to discuss any further. Cheers, Sander From sander at steffann.nl Mon May 20 16:59:01 2013 From: sander at steffann.nl (Sander Steffann) Date: Mon, 20 May 2013 16:59:01 +0200 Subject: [ncc-services-wg] 2013-04 New Policy Proposal (Resource Certification for non-RIPE NCC Members) In-Reply-To: <519A365B.3060304@fud.no> References: <20130518132453.GA92411@cilantro.c4inet.net> <519A365B.3060304@fud.no> Message-ID: <0974D5A8-C474-4CBD-9D4C-CDB8EFDF016F@steffann.nl> Hi Tore, > I've got one question though. What is the rationale for the requirement that "the Internet resources reside within the RIPE NCC service region"? I don't see the reason for this. 
> IMHO, any PI/legacy space issued/maintained by the RIPE NCC should be eligible for certification under this policy, no matter where on (or off!) the planet it's being used.

Good point!
Sander

From sander at steffann.nl Mon May 20 17:15:06 2013
From: sander at steffann.nl (Sander Steffann)
Date: Mon, 20 May 2013 17:15:06 +0200
Subject: [ncc-services-wg] 2013-04 New Policy Proposal (Resource Certification for non-RIPE NCC Members)
In-Reply-To: <20130520144851.GA1122@cilantro.c4inet.net>
References: <20130518132453.GA92411@cilantro.c4inet.net> <20130520144851.GA1122@cilantro.c4inet.net>
Message-ID:

Hi,

> And unless you deign to take these concerns seriously and even *consider* steps to mitigate them, I will remain, in opposition,

PS: Why do you think I take so much time to write an elaborate reply to you? Of course I take your concerns seriously! I just don't agree with them, and I don't consider any steps until I see that there is something worth mitigating.

Cheers,
Sander

From dave.wilson at heanet.ie Mon May 20 17:31:47 2013
From: dave.wilson at heanet.ie (Dave Wilson)
Date: Mon, 20 May 2013 16:31:47 +0100
Subject: [ncc-services-wg] 2013-04 New Policy Proposal (Resource Certification for non-RIPE NCC Members)
In-Reply-To: <20130518132453.GA92411@cilantro.c4inet.net>
References: <20130518132453.GA92411@cilantro.c4inet.net>
Message-ID:

> http://www.ripe.net/ripe/mail/archives/address-policy-wg/2011-May/005737.html

I still don't understand how what this message describes is a change. The concerns also apply to the status quo. I have to use a central database in order to get my prefixes routed by my upstreams.

All the best,
Dave

--
Dave Wilson, Project Manager
HEAnet Limited, Ireland's Education and Research Network
1st Floor, 5 George's Dock, IFSC, Dublin 1
Registered in Ireland, no 275301
tel: +353-1-660 9040
web: http://www.heanet.ie/
fax: +353-1-660 3666

From randy at psg.com Mon May 20 18:02:20 2013
From: randy at psg.com (Randy Bush)
Date: Mon, 20 May 2013 23:02:20 +0700
Subject: [ncc-services-wg] 2013-04 New Policy Proposal (Resource Certification for non-RIPE NCC Members)
In-Reply-To: <20130520144851.GA1122@cilantro.c4inet.net>
References: <20130518132453.GA92411@cilantro.c4inet.net> <20130520144851.GA1122@cilantro.c4inet.net>
Message-ID:

From http://en.wikipedia.org/wiki/Terrorism

Common definitions of terrorism refer only to those violent acts which are intended to create fear (terror); are perpetrated for a religious, political or, ideological goal; and deliberately target or disregard the safety of non-combatants (civilians).

...

The concept of terrorism may be controversial as it is often used by state authorities (and individuals with access to state support) to delegitimize political or other opponents.

In this sense, the American (and other) press have become non-violent terrorists, creating and maintaining public fear for profit. It has been said that the last decade++ of the US Government has done so to further enrich the top 0.001.

Analogously, fear is being used to prevent me, as an operator, from protecting my network in a manner that I choose and which only affects my network. Mis-origination occurs daily, and there have been no known abuses of ROAs. Yet there are those who would use unrealistic fear to prevent you and me from using them to improve protection of our networks.

Yes, the 'Dutch Court attack' could be used against me. But it is far more likely that some net black hat or idiot will mis-originate my prefix. And yes, like everything else on the Internet, some perp will figure out how to abuse it. But it should be *my* choice whether or not to use a ROA to protect it.

When the people with guns and lawyers want to take you off the net, they will, and they have. Two weeks ago, the USG took 7,000 Syrian domains out. The other year 120,000!
Ask MegaDownload if they had problems with ROAs. Can we please try to be somewhat realistic about how vulnerable we are to black helicopters?

And I am aware of the issues in issuing a ROA. It was I who presented the issues in http://archive.psg.com/110502.ripe-bgpsec-policy.pdf in the RIPE meeting in May 2011, which started all this anti-RPKI noise.

The costs for me to issue and maintain a ROA are negligible, and the costs for others to validate my announcements are impressively small. The system was designed with incremental deployment, various levels of reliance, many flavors of disabling in routers, etc.

If I wish to trust it, that is *my* prerogative. Please do not place a complicated bureaucracy of fear in my way.

Please do not tell me how I must run my network.

randy

From lists-ripe at c4inet.net Mon May 20 18:05:36 2013
From: lists-ripe at c4inet.net (Sascha Luck)
Date: Mon, 20 May 2013 17:05:36 +0100
Subject: [ncc-services-wg] 2013-04 New Policy Proposal (Resource Certification for non-RIPE NCC Members)
In-Reply-To:
References: <20130518132453.GA92411@cilantro.c4inet.net> <20130520144851.GA1122@cilantro.c4inet.net>
Message-ID: <20130520160536.GB1122@cilantro.c4inet.net>

Sander,

On Mon, May 20, 2013 at 04:57:33PM +0200, Sander Steffann wrote:

>Please read the legal statement from the NCC I linked to. You are
>contradicting it. If you have better legal advice than the RIPE NCC's
>own lawyers then please contact the NCC.

I *have* taken legal advice and it does not contradict the NCC statement at all.
According to Regulation 44/2001 http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32001R0044:EN:NOT
a judgment from a member state must be declared enforceable in the member state where it applies. This is pretty automatic, certainly not very complicated. Once the declaration of exequatur is issued, it'll have the same force as a dutch judgment which the NCC will (must) comply with.
Note this is civil law, not criminal.

>Ah, ok.
>But since your assumption is invalid (there is no default, and
>the quick-start examples which would probably be used for such a "lazy
>default" are completely different from what you assume) then your case
>isn't very interesting to discuss any further.

There may not be a default *yet*, but there will be and it will be "drop if invalid/missing" because that is much easier to understand for the decision-makers than localprefs, metrics, etc.

rgds,
Sascha Luck

From sander at steffann.nl Mon May 20 18:23:16 2013
From: sander at steffann.nl (Sander Steffann)
Date: Mon, 20 May 2013 18:23:16 +0200
Subject: [ncc-services-wg] 2013-04 New Policy Proposal (Resource Certification for non-RIPE NCC Members)
In-Reply-To: <20130520160536.GB1122@cilantro.c4inet.net>
References: <20130518132453.GA92411@cilantro.c4inet.net> <20130520144851.GA1122@cilantro.c4inet.net> <20130520160536.GB1122@cilantro.c4inet.net>
Message-ID: <81FFA408-2E17-4DCC-A47D-46D53EE1B31F@steffann.nl>

> On Mon, May 20, 2013 at 04:57:33PM +0200, Sander Steffann wrote:
>> Please read the legal statement from the NCC I linked to. You are
>> contradicting it. If you have better legal advice than the RIPE NCC's
>> own lawyers then please contact the NCC.
>
> I *have* taken legal advice and it does not contradict the NCC statement
> at all.
> According to Regulation 44/2001 http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32001R0044:EN:NOT
> a judgment from a member state must be declared enforceable in the
> member state where it applies. This is pretty automatic, certainly not
> very complicated. Once the declaration of exequatur is issued, it'll
> have the same force as a dutch judgment which the NCC will (must) comply with.
> Note this is civil law, not criminal.

I just read the Regulation you mentioned but I fail to see how this would even apply to anything mentioned in this discussion...

>> Ah, ok.
>> But since your assumption is invalid (there is no default, and
>> the quick-start examples which would probably be used for such a "lazy
>> default" are completely different from what you assume) then your case
>> isn't very interesting to discuss any further.
>
> There may not be a default *yet*, but there will be and it will be "drop
> if invalid/missing" because that is much easier to understand for the
> decision-makers than localprefs, metrics, etc.

Ok, now you are making even more unfounded assumptions. Please stop that.
Sander

From sander at steffann.nl Mon May 20 18:25:18 2013
From: sander at steffann.nl (Sander Steffann)
Date: Mon, 20 May 2013 18:25:18 +0200
Subject: [ncc-services-wg] 2013-04 New Policy Proposal (Resource Certification for non-RIPE NCC Members)
In-Reply-To:
References: <20130518132453.GA92411@cilantro.c4inet.net> <20130520144851.GA1122@cilantro.c4inet.net>
Message-ID: <80624502-D7B0-4345-B168-426884C20D82@steffann.nl>

Hi,

> If I wish to trust it, that is *my* prerogative. Please do not place a complicated bureaucracy of fear in my way.
>
> Please do not tell me how I must run my network.

+1
Sander

From lists-ripe at c4inet.net Mon May 20 18:25:41 2013
From: lists-ripe at c4inet.net (Sascha Luck)
Date: Mon, 20 May 2013 17:25:41 +0100
Subject: [ncc-services-wg] 2013-04 New Policy Proposal (Resource Certification for non-RIPE NCC Members)
In-Reply-To:
References: <20130518132453.GA92411@cilantro.c4inet.net> <20130520144851.GA1122@cilantro.c4inet.net>
Message-ID: <20130520162541.GC1122@cilantro.c4inet.net>

On Mon, May 20, 2013 at 11:02:20PM +0700, Randy Bush wrote:

>Analogously, fear is being used to prevent me, as an operator, from
>protecting my network in a manner that I choose and which only affects
>my network. Mis-origination occurs daily, and there have been no known
>abuses of ROAs. Yet there are those who would use unrealistic fear to
>prevent you and me from using them to improve protection of our
>networks.
It doesn't affect just *your* network. It affects *all* networks, and some of them I care more about than yours. Note that I don't propose to delete the source code and to burn the standard docs. Nobody stops you from certifying your own resources and advertising any ROAs you want.

>Please do not tell me how I must run my network.

Please don't tell me that I must place the responsibility for the reachability of *my* network into the hands of a vulnerable SPOF.

And as for calling me a terrorist - that is a compliment these days, from your lot.

best,
Sascha Luck

From gert at space.net Mon May 20 18:27:39 2013
From: gert at space.net (Gert Doering)
Date: Mon, 20 May 2013 18:27:39 +0200
Subject: [ncc-services-wg] 2013-04 New Policy Proposal (Resource Certification for non-RIPE NCC Members)
In-Reply-To:
References: <20130518132453.GA92411@cilantro.c4inet.net>
Message-ID: <20130520162739.GH2504@Space.Net>

Hi,

On Mon, May 20, 2013 at 04:31:47PM +0100, Dave Wilson wrote:
> > http://www.ripe.net/ripe/mail/archives/address-policy-wg/2011-May/005737.html
>
> I still don't understand how what this message describes is a
> change. The concerns also apply to the status quo. I have to use a
> central database in order to get my prefixes routed by my upstreams.

Indeed. The main change RPKI brings is that you can store a local copy of the database *and validate that local copy* against unauthorized tampering (in-transit or local).

If the black helicopters force the RIPE NCC to remove a route6: object, the (former) owner of this object will have issues with his prefix as well...

Gert Doering
        -- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG                  Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14    Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen             HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444      USt-IdNr.: DE813185279

From randy at psg.com Mon May 20 18:32:11 2013
From: randy at psg.com (Randy Bush)
Date: Mon, 20 May 2013 23:32:11 +0700
Subject: [ncc-services-wg] 2013-04 New Policy Proposal (Resource Certification for non-RIPE NCC Members)
In-Reply-To: <20130520162541.GC1122@cilantro.c4inet.net>
References: <20130518132453.GA92411@cilantro.c4inet.net> <20130520144851.GA1122@cilantro.c4inet.net> <20130520162541.GC1122@cilantro.c4inet.net>
Message-ID:

> Please don't tell me that I must place the responsibility for the
> reachability of *my* network into the hands of a vulnerable SPOF.

you don't. don't use it.

ospf can be attacked from off-link, is-is not. do i tell you not to run ospf? well, do not tell me i should not be able to register my data in the rpki. you don't need to do the same with yours.

randy

From lists-ripe at c4inet.net Mon May 20 18:43:09 2013
From: lists-ripe at c4inet.net (Sascha Luck)
Date: Mon, 20 May 2013 17:43:09 +0100
Subject: [ncc-services-wg] 2013-04 New Policy Proposal (Resource Certification for non-RIPE NCC Members)
In-Reply-To: <81FFA408-2E17-4DCC-A47D-46D53EE1B31F@steffann.nl>
References: <20130518132453.GA92411@cilantro.c4inet.net> <20130520144851.GA1122@cilantro.c4inet.net> <20130520160536.GB1122@cilantro.c4inet.net> <81FFA408-2E17-4DCC-A47D-46D53EE1B31F@steffann.nl>
Message-ID: <20130520164309.GD1122@cilantro.c4inet.net>

On Mon, May 20, 2013 at 06:23:16PM +0200, Sander Steffann wrote:

>I just read the Regulation you mentioned but I fail to see how
>this would even apply to anything mentioned in this discussion...

That's why I asked a lawyer. In simple words: The NCC is vulnerable to court orders from anywhere within the EU.

>>> Ah, ok.
>>> But since your assumption is invalid (there is no default,
>>> and the quick-start examples which would probably be used for such a
>>> "lazy default" are completely different from what you assume) then
>>> your case isn't very interesting to discuss any further.

[citation needed]

>> There may not be a default *yet*, but there will be and it will be
>> "drop if invalid/missing" because that is much easier to understand
>> for the decision-makers than localprefs, metrics, etc.

>Ok, now you are making even more unfounded assumptions. Please stop

Well, if you can see the future any better than I, please enlighten us.

rgds,
Sascha Luck

From lists-ripe at c4inet.net Mon May 20 18:55:46 2013
From: lists-ripe at c4inet.net (Sascha Luck)
Date: Mon, 20 May 2013 17:55:46 +0100
Subject: [ncc-services-wg] 2013-04 New Policy Proposal (Resource Certification for non-RIPE NCC Members)
In-Reply-To: <519A365B.3060304@fud.no>
References: <20130518132453.GA92411@cilantro.c4inet.net> <519A365B.3060304@fud.no>
Message-ID: <20130520165546.GE1122@cilantro.c4inet.net>

On Mon, May 20, 2013 at 04:42:35PM +0200, Tore Anderson wrote:

>If I read it correctly, the linked to argument is against RPKI as a
>whole. However, 2013-04 isn't a question on whether we should do RPKI or
>not, but whether or not our *existing* RPKI stuff should be extended to
>include non-members.

It's not against rpki as a whole but the implementation as it is. Which was, after 2008-08 failed to achieve consensus, brought in by (close) membership vote which raised some disquiet within the community at the time.
It seems that the Board has decided to put this to the community for PI/Legacy space again, the idea is presumably that, if 2013-04 gains community backing, the same can then be done again for PA space since it would "merely harmonise policy".
rgds,
Sascha Luck

From sander at steffann.nl Mon May 20 19:26:40 2013
From: sander at steffann.nl (Sander Steffann)
Date: Mon, 20 May 2013 19:26:40 +0200
Subject: [ncc-services-wg] 2013-04 New Policy Proposal (Resource Certification for non-RIPE NCC Members)
In-Reply-To: <20130520164309.GD1122@cilantro.c4inet.net>
References: <20130518132453.GA92411@cilantro.c4inet.net> <20130520144851.GA1122@cilantro.c4inet.net> <20130520160536.GB1122@cilantro.c4inet.net> <81FFA408-2E17-4DCC-A47D-46D53EE1B31F@steffann.nl> <20130520164309.GD1122@cilantro.c4inet.net>
Message-ID: <8351EDF3-8EEF-4369-8408-BCA720A14282@steffann.nl>

Hi,

> On Mon, May 20, 2013 at 06:23:16PM +0200, Sander Steffann wrote:
>> I just read the Regulation you mentioned but I fail to see how this would even apply to anything mentioned in this discussion...
>
> That's why I asked a lawyer. In simple words: The NCC is vulnerable to
> court orders from anywhere within the EU.

I understand that if anyone in the EU enters into an agreement with the RIPE NCC then they can bring the RIPE NCC to court if they break the agreement. I still fail to see how this affects the case where governments want to tell the RIPE NCC to take a certain action...

>>>> Ah, ok. But since your assumption is invalid (there is no default,
>>>> and the quick-start examples which would probably be used for such a
>>>> "lazy default" are completely different from what you assume) then
>>>> your case isn't very interesting to discuss any further.
>
> [citation needed]

In random order:
http://www.ripe.net/lir-services/resource-management/certification/router-configuration
http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_bgp/command/bgp-m1.html#wp3677719851
http://lacnic.net/documentos/lacnicxv/rpki/2BGP-Origin-Validation.pdf
http://m.apnic.net/__data/assets/pdf_file/0008/38258/RPKI_Deployment_LACNIC.pdf
http://www.juniper.net/techpubs/en_US/junos12.2/topics/topic-map/bgp-origin-as-validation.html#jd0e385

And from http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_bgp/configuration/xe-3s/irg-origin-as.pdf:
"You can allow an invalid prefix to be used as the BGP best path, even if valid prefixes are available. This is the default behavior."

>>> There may not be a default *yet*, but there will be and it will be
>>> "drop if invalid/missing" because that is much easier to understand
>>> for the decision-makers than localprefs, metrics, etc.
>
>> Ok, now you are making even more unfounded assumptions. Please stop
>
> Well, if you can see the future any better than I, please enlighten us.

I'm not the one claiming "There may not be a default *yet*, but there will be". *You* claim to see the future -> *you* provide evidence.

- Sander

From pk at DENIC.DE Mon May 20 19:51:34 2013
From: pk at DENIC.DE (Peter Koch)
Date: Mon, 20 May 2013 19:51:34 +0200
Subject: [ncc-services-wg] 2013-04 New Policy Proposal (Resource Certification for non-RIPE NCC Members)
In-Reply-To: <20130520165546.GE1122@cilantro.c4inet.net>
References: <20130518132453.GA92411@cilantro.c4inet.net> <519A365B.3060304@fud.no> <20130520165546.GE1122@cilantro.c4inet.net>
Message-ID: <20130520175134.GD23630@x28.adm.denic.de>

> [...] if 2013-04 gains
> community backing, the same can then be done again for PA space since it
> would "merely harmonise policy".
combined with ``Currently, the RIPE NCC Resource Certification (RPKI) service is only available for RIPE NCC members'' in the introduction of 2013-04, I must say this approach has an extraordinary bad smell, probably unintended. For the sake of keeping the PDP sane and credible I voice my objection against this en passant and ex post blessing of 2008-08.

Current certification operates outside policy space, based on an NCC membership vote. Why wouldn't that be the appropriate body for an extension to the certification service?

-Peter

From millnert at gmail.com Mon May 20 20:30:26 2013
From: millnert at gmail.com (Martin Millnert)
Date: Mon, 20 May 2013 20:30:26 +0200
Subject: [ncc-services-wg] 2013-04 New Policy Proposal (Resource Certification for non-RIPE NCC Members)
In-Reply-To: <20130520162739.GH2504@Space.Net>
References: <20130518132453.GA92411@cilantro.c4inet.net> <20130520162739.GH2504@Space.Net>
Message-ID: <1369074626.19635.29.camel@galileo.millnert.se>

s/If/When/g

On Mon, 2013-05-20 at 18:27 +0200, Gert Doering wrote:
> When the black helicopters force the RIPE NCC to remove a route6:
> object, the (former) owner of this object will have issues with his
> prefix as well...

[ remove / change / reroute / issue ROAs / whatever ]

On Mon, 2013-05-20 at 15:57 +0200, Sander Steffann wrote:
>When the Dutch legal system gets so bad that they require
>disproportional measures to be taken by the RIPE NCC then I think we
>have bigger issues and should move the RIPE NCC to a different country.

+1.

Obviously, and not only due to RPKI, a classic deterring safe-guard is required:

a) Define what "disproportional" is -- think long and hard about this and cover all ground with clear definitions -- minimize what's left up to interpretation towards zero.
b) Create a stand-by infrastructure which will take over when the current system has failed on a).
Then communicate to the power-abusers and enemies of a free and open Internet, resilient against centralized censorship flaws:
- "This is what will happen. Your attack will fail. We continuously invest resources into research to furthering our guard against your attacks and it will be hugely disproportionately counter-productive of you to even try it."

It doesn't get much more bottom-up than this. :-)

Best,
Martin

From ebais at a2b-internet.com Mon May 20 20:36:43 2013
From: ebais at a2b-internet.com (Erik Bais)
Date: Mon, 20 May 2013 19:36:43 +0100
Subject: [ncc-services-wg] 2013-04 New Policy Proposal (Resource Certification for non-RIPE NCC Members)
In-Reply-To: <519A365B.3060304@fud.no>
References: <20130518132453.GA92411@cilantro.c4inet.net> <519A365B.3060304@fud.no>
Message-ID: <004301ce5588$f9d74130$ed85c390$@a2b-internet.com>

Hi Tore,

>> http://www.ripe.net/ripe/mail/archives/address-policy-wg/2011-May/005737.html

> If I read it correctly, the linked to argument is against RPKI as a
> whole. However, 2013-04 isn't a question on whether we should do RPKI or
> not, but whether or not our *existing* RPKI stuff should be extended to
> include non-members.

Correct.

> I've got one question though. What is the rationale for the requirement
> that "the Internet resources reside within the RIPE NCC service region"?
> I don't see the reason for this. IMHO, any PI/legacy space
> issued/maintained by the RIPE NCC should be eligible for certification
> under this policy, no matter where on (or off!) the planet it's being used.

The intention is to provide the services for end-users / organizations within the RIPE NCC service region. That the resources itself are used outside the region can't and I think we shouldn't want to restrict. I'll see how to rephrase that before the review.
Regards,
Erik Bais

From sander at steffann.nl Mon May 20 20:37:47 2013
From: sander at steffann.nl (Sander Steffann)
Date: Mon, 20 May 2013 20:37:47 +0200
Subject: [ncc-services-wg] 2013-04 New Policy Proposal (Resource Certification for non-RIPE NCC Members)
In-Reply-To: <1369074626.19635.29.camel@galileo.millnert.se>
References: <20130518132453.GA92411@cilantro.c4inet.net> <20130520162739.GH2504@Space.Net> <1369074626.19635.29.camel@galileo.millnert.se>
Message-ID: <76F68949-6FA1-48EE-8A8D-5E125DBFF5F6@steffann.nl>

Hi Martin,

> On Mon, 2013-05-20 at 15:57 +0200, Sander Steffann wrote:
>> When the Dutch legal system gets so bad that they require
>> disproportional measures to be taken by the RIPE NCC then I think we
>> have bigger issues and should move the RIPE NCC to a different country.

That is NOT what I wrote. Do not twist what I say for your own (ab)use.
Sander

From millnert at gmail.com Mon May 20 20:48:07 2013
From: millnert at gmail.com (Martin Millnert)
Date: Mon, 20 May 2013 20:48:07 +0200
Subject: [ncc-services-wg] 2013-04 New Policy Proposal (Resource Certification for non-RIPE NCC Members)
In-Reply-To: <76F68949-6FA1-48EE-8A8D-5E125DBFF5F6@steffann.nl>
References: <20130518132453.GA92411@cilantro.c4inet.net> <20130520162739.GH2504@Space.Net> <1369074626.19635.29.camel@galileo.millnert.se> <76F68949-6FA1-48EE-8A8D-5E125DBFF5F6@steffann.nl>
Message-ID: <1369075687.19635.33.camel@galileo.millnert.se>

Hi Sander,

On Mon, 2013-05-20 at 20:37 +0200, Sander Steffann wrote:
> Hi Martin,
>
> > On Mon, 2013-05-20 at 15:57 +0200, Sander Steffann wrote:
> >> When the Dutch legal system gets so bad that they require
> >> disproportional measures to be taken by the RIPE NCC then I think we
> >> have bigger issues and should move the RIPE NCC to a different country.
>
> That is NOT what I wrote. Do not twist what I say for your own (ab)use.
> Sander

The first line of my email was the regex expression that I applied to what you wrote, s/If/When/g.
Let me show you how it works:

anticimex at galileo:/tmp$ cat sander_quote.txt
On Mon, 2013-05-20 at 15:57 +0200, Sander Steffann wrote:
> If the Dutch legal system gets so bad that they require
> disproportional measures to be taken by the RIPE NCC then I think we
> have bigger issues and should move the RIPE NCC to a different country.

anticimex at galileo:/tmp$ sed -e 's/If/When/g' sander_quote.txt
On Mon, 2013-05-20 at 15:57 +0200, Sander Steffann wrote:
> When the Dutch legal system gets so bad that they require
> disproportional measures to be taken by the RIPE NCC then I think we
> have bigger issues and should move the RIPE NCC to a different country.

I suggest to get back on topic and address the remainder of my email.

Best,
Martin

From sander at steffann.nl Mon May 20 20:55:20 2013
From: sander at steffann.nl (Sander Steffann)
Date: Mon, 20 May 2013 20:55:20 +0200
Subject: [ncc-services-wg] 2013-04 New Policy Proposal (Resource Certification for non-RIPE NCC Members)
In-Reply-To: <1369075687.19635.33.camel@galileo.millnert.se>
References: <20130518132453.GA92411@cilantro.c4inet.net> <20130520162739.GH2504@Space.Net> <1369074626.19635.29.camel@galileo.millnert.se> <76F68949-6FA1-48EE-8A8D-5E125DBFF5F6@steffann.nl> <1369075687.19635.33.camel@galileo.millnert.se>
Message-ID:

Hi Martin,

> The first line of my email was the regex expression that I applied to
> what you wrote, s/If/When/g.

I know how sed works. I still don't want to be misquoted, even if you provide a manual for it.

About the "Obviously, and not only due to RPKI, a classic deterring safe-guard is required": I don't find this obvious at all.
- Sander

From millnert at gmail.com Mon May 20 21:21:48 2013
From: millnert at gmail.com (Martin Millnert)
Date: Mon, 20 May 2013 21:21:48 +0200
Subject: [ncc-services-wg] 2013-04 New Policy Proposal (Resource Certification for non-RIPE NCC Members)
In-Reply-To:
References: <20130518132453.GA92411@cilantro.c4inet.net> <20130520162739.GH2504@Space.Net> <1369074626.19635.29.camel@galileo.millnert.se> <76F68949-6FA1-48EE-8A8D-5E125DBFF5F6@steffann.nl> <1369075687.19635.33.camel@galileo.millnert.se>
Message-ID: <1369077708.19635.47.camel@galileo.millnert.se>

Hi Sander,

On Mon, 2013-05-20 at 20:55 +0200, Sander Steffann wrote:
> About the "Obviously, and not only due to RPKI, a classic deterring
> safe-guard is required": I don't find this obvious at all.

Again, what you said (no sed):

On Mon, 2013-05-20 at 15:57 +0200, Sander Steffann wrote:
> If the Dutch legal system gets so bad that they require
> disproportional measures to be taken by the RIPE NCC then I think we
> have bigger issues and should move the RIPE NCC to a different country.

I am really interested in hearing how you think the decision model should work here:
- What are "disproportional" measures?
- What should be the triggering mechanism for actually moving the RIPE NCC to another country (possibly outside of the EU) ?

If you don't see the above "obvious" it appears you haven't followed the thought behind your quote (and mis-quote) through... Please do so.

Burying the head in the sand and wishing "disproportional measures" (yet to be defined) will not happen, is not an appropriate approach. Waiting until they do happen (IF they happen! - which I personally see close to 100%) is very bad stewardship of the Internet.

In many European countries the past 15 years, we've seen a (never-ending?) erosion of privacy protections and the various interests who see censorship as a solution to $PROBLEM is hardly diminishing in political influence.
We've already seen the Dutch police forward a US court order to the RIPE NCC. The (or some) LEA's obviously know how the RIPE NCC works and what it can do with its central repository/record of Who-has-what-IP, and I very much hope it is public knowledge on this list what some LEA's intentions or desires are with regards to centralized control via the RIR's, in particular the RIPE NCC.

RPKI in this respect is entirely a non-issue! It's equivalent to TLS to whois.ripe.net, ie. merely the transport - not the data source.

Having backups of the central information systems and clear rules of their abuseability, to guard against the [by me, _completely_] expected coming slippery slope, however, is entirely the core issue and a quite obvious thing to implement.

Best,
Martin

From sander at steffann.nl Mon May 20 21:52:06 2013
From: sander at steffann.nl (Sander Steffann)
Date: Mon, 20 May 2013 21:52:06 +0200
Subject: [ncc-services-wg] 2013-04 New Policy Proposal (Resource Certification for non-RIPE NCC Members)
In-Reply-To: <1369077708.19635.47.camel@galileo.millnert.se>
References: <20130518132453.GA92411@cilantro.c4inet.net> <20130520162739.GH2504@Space.Net> <1369074626.19635.29.camel@galileo.millnert.se> <76F68949-6FA1-48EE-8A8D-5E125DBFF5F6@steffann.nl> <1369075687.19635.33.camel@galileo.millnert.se> <1369077708.19635.47.camel@galileo.millnert.se>
Message-ID: <21C689DD-1471-42F7-8685-6F77B82F372B@steffann.nl>

Hi Martin,

> On Mon, 2013-05-20 at 20:55 +0200, Sander Steffann wrote:
>> About the "Obviously, and not only due to RPKI, a classic deterring
>> safe-guard is required": I don't find this obvious at all.
>
> Again, what you said (no sed):
> On Mon, 2013-05-20 at 15:57 +0200, Sander Steffann wrote:
>> If the Dutch legal system gets so bad that they require
>> disproportional measures to be taken by the RIPE NCC then I think we
>> have bigger issues and should move the RIPE NCC to a different
>> country.
>
> I am really interested in hearing how you think the decision model
> should work here:
> - What are "disproportional" measures?

I was thinking of i.e. taking a whole LIR/ISP offline because one of their customers misbehaves. I think the RIPE NCC have a decent relationship to the LEA's so I doubt if such disproportional measures would happen.

> - What should be the triggering mechanism for actually moving the RIPE
> NCC to another country (possibly outside of the EU) ?

Silly things like I described above. I never seriously thought of moving the RIPE NCC to a different country though. The line you quote was meant as hypothetical case.

> If you don't see the above "obvious" it appears you haven't followed the
> thought behind your quote (and mis-quote) through... Please do so.

I still don't see any of this as obvious though. It would only be obvious if you are certain these bad things will actually happen, which I very much doubt.

> [...]
>
> RPKI in this respect is entirely a non-issue! It's equivalent to TLS to
> whois.ripe.net, ie. merely the transport - not the data source.

I agree.

> Having backups of the central information systems and clear rules of
> their abuseability, to guard against the [by me, _completely_] expected
> coming slippery slope, however, is entirely the core issue and a quite
> obvious thing to implement.

Ok. This discussion now seems to have gone beyond rPKI policy and so this thread isn't the right place to discuss it. I suggest you take this to the RIPE NCC Board then. I think it is the board's responsibility to take care of these issues, and you seem to have genuine concerns about this. I don't (as I mentioned: I see this only as a hypothetical case, not a realistic one) so I'm stepping aside here and I'll leave the rest of the discussion to the board.
Cheers,
Sander

From lists-ripe at c4inet.net Mon May 20 22:14:15 2013
From: lists-ripe at c4inet.net (Sascha Luck)
Date: Mon, 20 May 2013 21:14:15 +0100
Subject: [ncc-services-wg] 2013-04 New Policy Proposal (Resource Certification for non-RIPE NCC Members)
In-Reply-To: <8351EDF3-8EEF-4369-8408-BCA720A14282@steffann.nl>
References: <20130518132453.GA92411@cilantro.c4inet.net> <20130520144851.GA1122@cilantro.c4inet.net> <20130520160536.GB1122@cilantro.c4inet.net> <81FFA408-2E17-4DCC-A47D-46D53EE1B31F@steffann.nl> <20130520164309.GD1122@cilantro.c4inet.net> <8351EDF3-8EEF-4369-8408-BCA720A14282@steffann.nl>
Message-ID: <20130520201415.GA3184@cilantro.c4inet.net>

Sander,

On Mon, May 20, 2013 at 07:26:40PM +0200, Sander Steffann wrote:

>> That's why I asked a lawyer. In simple words: The NCC is vulnerable
>> to court orders from anywhere within the EU.
>
>I understand that if anyone in the EU enters into an agreement with the
>RIPE NCC then they can bring the RIPE NCC to court if they break the
>agreement. I still fail to see how this affects the case where
>governments want to tell the RIPE NCC to take a certain action...

Governments will find a way, as an ultima ratio regum they can send tanks or a drone. That is not really what I am worried about. (Or, I am, but there's nothing I can do about that, except take extra care about what government to elect.)

The abuse that I am trying to address here is that someone (be it an IP troll or just a pissed-off individual with money and lawyers) will be able to get a civil court order requiring the NCC to withdraw resources and/or certificates and this court order, wherever it is issued will have legal force.
Yes, this can happen today, for all I know it has already. However, right now, this will not result in an immediate loss of routing for the prefix(es) concerned. With an rpki implementation where the NCC is the trust root and validation is pretty much automatic, it can and will.
To put it in 2 sentences: 1) I don't want a top-down hierarchy imposed on the DFZ, and in its current form this is what rpki certs + ROAs will do. 2) I don't want the NCC (or the ITU or anyone else, for that matter) to be the singular Routing Authority for the entire service region. >In random order: >http://www.ripe.net/lir-services/resource-management/certification/router-configuration >http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_bgp/command/bgp-m1.html#wp3677719851 >http://lacnic.net/documentos/lacnicxv/rpki/2BGP-Origin-Validation.pdf >http://m.apnic.net/__data/assets/pdf_file/0008/38258/RPKI_Deployment_LACNIC.pdf >http://www.juniper.net/techpubs/en_US/junos12.2/topics/topic-map/bgp-origin-as-validation.html#jd0e385 > >And from >http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_bgp/configuration/xe-3s/irg-origin-as.pdf: >"You can allow an invalid prefix to be used as the BGP best path, even >if valid prefixes are available. This is the default behavior." OK, I concede it is not, currently, the default practice. It would be pretty insane too, given that verification is barely implemented anywhere and if it is it's probably not in production... >I'm not the one claiming "There may not be a default *yet*, but there >will be". *You* claim to see the future -> *you* provide evidence. I didn't claim to see the future, but I still think, once widely deployed, invalid or missing ROAs will be dropped - it would be reasonable, seeing as a (hijacked) longer prefix should still win over a shorter one with better localpref. Easiest way to avoid this is to just drop the invalid one. 
rgds, Sascha Luck From sander at steffann.nl Mon May 20 22:23:56 2013 From: sander at steffann.nl (Sander Steffann) Date: Mon, 20 May 2013 22:23:56 +0200 Subject: [ncc-services-wg] 2013-04 New Policy Proposal (Resource Certification for non-RIPE NCC Members) In-Reply-To: <20130520201415.GA3184@cilantro.c4inet.net> References: <20130518132453.GA92411@cilantro.c4inet.net> <20130520144851.GA1122@cilantro.c4inet.net> <20130520160536.GB1122@cilantro.c4inet.net> <81FFA408-2E17-4DCC-A47D-46D53EE1B31F@steffann.nl> <20130520164309.GD1122@cilantro.c4inet.net> <8351EDF3-8EEF-4369-8408-BCA720A14282@steffann.nl> <20130520201415.GA3184@cilantro.c4inet.net> Message-ID: Hi Sascha, > However, right now, this will not result in an immediate loss of routing for the prefix(es) concerned. With an rpki implementation where the NCC is the trust root and validation is pretty much automatic, it can and will. As I tried to explain to you in previous replies: it is up to the network operators to decide what they will and will not route. It is definitely not automatic. [REF1]: Routing is decided by network operators. RPKI is a tool they can use, nothing is imposed, the operator remains the authority for his/her own network. > To put it in 2 sentences: > > 1) I don't want a top-down hierarchy imposed on the DFZ, and in its current form this is what rpki certs + ROAs will do. See [REF1] > 2) I don't want the NCC (or the ITU or anyone else, for that matter) to be the singular Routing Authority for the entire service region.
See [REF1] >> In random order: >> http://www.ripe.net/lir-services/resource-management/certification/router-configuration >> http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_bgp/command/bgp-m1.html#wp3677719851 >> http://lacnic.net/documentos/lacnicxv/rpki/2BGP-Origin-Validation.pdf >> http://m.apnic.net/__data/assets/pdf_file/0008/38258/RPKI_Deployment_LACNIC.pdf >> http://www.juniper.net/techpubs/en_US/junos12.2/topics/topic-map/bgp-origin-as-validation.html#jd0e385 >> >> And from >> http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_bgp/configuration/xe-3s/irg-origin-as.pdf: >> "You can allow an invalid prefix to be used as the BGP best path, even >> if valid prefixes are available. This is the default behavior." > > OK, I concede it is not, currently, the default practice. It would be pretty insane too, given that verification is barely implemented anywhere and if it is it's probably not in production... > >> I'm not the one claiming "There may not be a default *yet*, but there >> will be". *You* claim to see the future -> *you* provide evidence. > > I didn't claim to see the future, but I still think, once widely deployed, invalid or missing ROAs will be dropped - it would be reasonable, seeing as a (hijacked) longer prefix should still win over a shorter one with better localpref. Easiest way to avoid this is to just drop the invalid one. Again, this depends on what the network operator wants. The operator writes routing policy / route maps / etc. See [REF1]. 
Cheers, Sander From lists-ripe at c4inet.net Mon May 20 22:29:16 2013 From: lists-ripe at c4inet.net (Sascha Luck) Date: Mon, 20 May 2013 21:29:16 +0100 Subject: [ncc-services-wg] 2013-04 New Policy Proposal (Resource Certification for non-RIPE NCC Members) In-Reply-To: <21C689DD-1471-42F7-8685-6F77B82F372B@steffann.nl> References: <20130518132453.GA92411@cilantro.c4inet.net> <20130520162739.GH2504@Space.Net> <1369074626.19635.29.camel@galileo.millnert.se> <76F68949-6FA1-48EE-8A8D-5E125DBFF5F6@steffann.nl> <1369075687.19635.33.camel@galileo.millnert.se> <1369077708.19635.47.camel@galileo.millnert.se> <21C689DD-1471-42F7-8685-6F77B82F372B@steffann.nl> Message-ID: <20130520202915.GB3184@cilantro.c4inet.net> Sander, On Mon, May 20, 2013 at 09:52:06PM +0200, Sander Steffann wrote: >> - What should be the triggering mechanism for actually moving the >> RIPE NCC to another country (possibly outside of the EU) ? > >Silly things like I described above. I never seriously thought of >moving the RIPE NCC to a different country though. The line you quote >was meant as hypothetical case. A realistic solution to this issue is not to have to move the NCC (except in really extreme circumstances), a solution could be to have a distributed trust-root (maybe the other RIRs, maybe trusted 3rd parties or a combination thereof). An operator can then choose to trust some, but not other, roots or accept a majority decision). The important feature is that there is no single point where an attack succeeds. This avoids the fatal flaw that a single trust-root implementation represents and, to an extent, preserves the distributed nature of the DFZ. Indeed, this would remove my *only* point of contention. 
Kind Regards, Sascha Luck From sander at steffann.nl Mon May 20 22:34:06 2013 From: sander at steffann.nl (Sander Steffann) Date: Mon, 20 May 2013 22:34:06 +0200 Subject: [ncc-services-wg] 2013-04 New Policy Proposal (Resource Certification for non-RIPE NCC Members) In-Reply-To: <20130520202915.GB3184@cilantro.c4inet.net> References: <20130518132453.GA92411@cilantro.c4inet.net> <20130520162739.GH2504@Space.Net> <1369074626.19635.29.camel@galileo.millnert.se> <76F68949-6FA1-48EE-8A8D-5E125DBFF5F6@steffann.nl> <1369075687.19635.33.camel@galileo.millnert.se> <1369077708.19635.47.camel@galileo.millnert.se> <21C689DD-1471-42F7-8685-6F77B82F372B@steffann.nl> <20130520202915.GB3184@cilantro.c4inet.net> Message-ID: Hi, > A realistic solution to this issue is not to have to move the NCC (except in really extreme circumstances), a solution could be to have a distributed trust-root (maybe the other RIRs, maybe trusted 3rd parties or a combination thereof). An operator can then choose to trust some, but not other, roots or accept a majority decision). The important feature is that there is no single point where an attack succeeds. This avoids the fatal flaw that a single trust-root implementation represents and, to an extent, preserves the distributed nature of the DFZ. Indeed, this would remove my *only* point of contention. How would other parties get the certainty that they are issuing the certificates to the correct holder? The RIPE NCC is the single root of the address space managed by them. The NCC has contractual relationships with the holders etc. How would a third party be able to reliably certify that? 
Cheers, Sander From randy at psg.com Tue May 21 04:31:42 2013 From: randy at psg.com (Randy Bush) Date: Tue, 21 May 2013 09:31:42 +0700 Subject: [ncc-services-wg] 2013-04 New Policy Proposal (Resource Certification for non-RIPE NCC Members) In-Reply-To: <20130520201415.GA3184@cilantro.c4inet.net> References: <20130518132453.GA92411@cilantro.c4inet.net> <20130520144851.GA1122@cilantro.c4inet.net> <20130520160536.GB1122@cilantro.c4inet.net> <81FFA408-2E17-4DCC-A47D-46D53EE1B31F@steffann.nl> <20130520164309.GD1122@cilantro.c4inet.net> <8351EDF3-8EEF-4369-8408-BCA720A14282@steffann.nl> <20130520201415.GA3184@cilantro.c4inet.net> Message-ID: > Governments will find a way, as an ultima ratio regum they can send > tanks or a drone. That is not really what I am worried about. yep > (Or, I am, but there's nothing I can do about that, except take extra > care about what government to elect.) dunno about where you live. but where i vote the choices are not great. > The abuse that I am trying to address here is that someone (be it an > IP troll or just a pissed-off individual with money and lawyers) will > be able to get a civil court order requiring the NCC to withdraw > resources and/or certificates and this court order, wherever it is > issued will have legal force. i agree that this is a threat. and that is what i was trying to say in november '11. i hope that you will find the operational recommendations in draft-ietf-sidr-origin-ops-20.txt helpful to explain why prudent operation ameliorates this issue. folk should not be dropping announcements which are marked NotFound.
randy From he at uninett.no Tue May 21 09:06:25 2013 From: he at uninett.no (Havard Eidnes) Date: Tue, 21 May 2013 09:06:25 +0200 (CEST) Subject: [ncc-services-wg] 2013-04 New Policy Proposal (Resource Certification for non-RIPE NCC Members) In-Reply-To: <8351EDF3-8EEF-4369-8408-BCA720A14282@steffann.nl> References: <81FFA408-2E17-4DCC-A47D-46D53EE1B31F@steffann.nl> <20130520164309.GD1122@cilantro.c4inet.net> <8351EDF3-8EEF-4369-8408-BCA720A14282@steffann.nl> Message-ID: <20130521.090625.303954552.he@uninett.no> Hi, off on a tangent(?): > And from > http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_bgp/configuration/xe-3s/irg-origin-as.pdf: > "You can allow an invalid prefix to be used as the BGP best > path, even if valid prefixes are available. This is the default > behavior." I keep seeing/hearing this when RPKI is discussed. While strictly true, the way I've understood this, it will also defeat one of the main purposes of RPKI, namely to be able to defend against certain route hijacking or route leak events, where more-specific routes are propagated and accepted. In order to defend against that type of events, due to the "longest matching prefix always wins, irrespective of BGP attributes" behaviour (which isn't a trait of BGP but of how our routers look up forwarding entries), you cannot have your router configured to install RPKI-invalid prefixes in your forwarding table. Regards, - Håvard From randy at psg.com Tue May 21 10:31:06 2013 From: randy at psg.com (Randy Bush) Date: Tue, 21 May 2013 15:31:06 +0700 Subject: [ncc-services-wg] 2013-04 New Policy Proposal (Resource Certification for non-RIPE NCC Members) In-Reply-To: <20130521.090625.303954552.he@uninett.no> References: <81FFA408-2E17-4DCC-A47D-46D53EE1B31F@steffann.nl> <20130520164309.GD1122@cilantro.c4inet.net> <8351EDF3-8EEF-4369-8408-BCA720A14282@steffann.nl> <20130521.090625.303954552.he@uninett.no> Message-ID: > I keep seeing/hearing this when RPKI is discussed.
While strictly > true, the way I've understood this, it will also defeat one of the > main purposes of RPKI, namely to be able to defend against certain > route hijacking or route leak events, where more-specific routes are > propagated and accepted. > > In order to defend against that type of events, due to the "longest > matching prefix always wins, irrespective of BGP attributes" behaviour > (which isn't a trait of BGP but of how our routers look up forwarding > entries), you cannot have your router configured to install RPKI- > invalid prefixes in your forwarding table. from draft-ietf-sidr-origin-ops-20.txt Sec 5. Routing Policy Operators should be aware that accepting Invalid announcements, no matter how de-preffed, will often be the equivalent of treating them as fully Valid. Consider having a ROA for AS 42 for prefix 10.0.0.0/16-24. A BGP announcement for 10.0.666.0/24 from AS 666 would be Invalid. But if policy is not configured to discard it, then longest match forwarding will send packets to AS 666 no matter the value of local preference. As origin validation will be rolled out incrementally, coverage will be incomplete for a long time. Therefore, routing on NotFound validity state SHOULD be done for a long time. As the transition moves forward, the number of BGP announcements with validation state NotFound should decrease. Hence an operator's policy SHOULD NOT be overly strict, and should prefer Valid announcements, attaching a lower preference to, but still using, NotFound announcements, and dropping or giving a very low preference to Invalid announcements. as you point out, that latter is ill advised, and i have a fix in my edit buffer for the next rev as follows: Merely de-preffing Invalids is ill-advised, see previous paragraph.
randy From nigel at titley.com Wed May 22 12:13:37 2013 From: nigel at titley.com (Nigel Titley) Date: Wed, 22 May 2013 11:13:37 +0100 Subject: [ncc-services-wg] 2013-04 New Policy Proposal (Resource Certification for non-RIPE NCC Members) In-Reply-To: <20130520165546.GE1122@cilantro.c4inet.net> References: <20130518132453.GA92411@cilantro.c4inet.net> <519A365B.3060304@fud.no> <20130520165546.GE1122@cilantro.c4inet.net> Message-ID: <519C9A51.80708@titley.com> On 20/05/2013 17:55, Sascha Luck wrote: > > > It seems that the Board has decided to put this to the community for > PI/Legacy space again, the idea is presumably that, if 2013-04 gains > community backing, the same can then be done again for PA space since it > would "merely harmonise policy". Just to clarify. The board merely declined to extend PI/Legacy RPKI without community guidance. 2013-04 arose spontaneously from the community, it was not "put to the community" by the board (or anyone other than the author). This may seem to be splitting hairs but it is the difference between inviting someone to dinner and feeding them if they turn up at the front door uninvited. Nigel From training at ripe.net Mon May 27 12:12:35 2013 From: training at ripe.net (Training Team) Date: Mon, 27 May 2013 12:12:35 +0200 Subject: [ncc-services-wg] [training] RIPE NCC Training Courses July-September 2013 Message-ID: <51A33193.30303@ripe.net> Dear Colleagues, Our training team travels the RIPE NCC service region to deliver training courses to our members without any additional cost. Over the next few months, we'll be in Rome, Chisinau, Munich, Moscow, Prague, London, Ljubljana, Yerevan, Malmö, Istanbul, Amsterdam.
Visit the following page to register and to check which training courses we are giving in your area: https://lirportal.ripe.net/training/courses The RIPE NCC delivers the following training courses: - LIR Training Course - Database Training Course (new) - IPv6 for LIRs Training Course - Routing Security Training Course For more information visit: http://www.ripe.net/lir-services/training/courses With kind regards, Rumy Spratley-Kanis Training Services Manager
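The origin-validation point made earlier in this thread (the quoted Sec 5 of draft-ietf-sidr-origin-ops-20 and the "longest matching prefix always wins" remark) can be checked with a small model. This is an added example, not part of any message in the archive; the announcement list, the prefix 10.0.66.0/24 (standing in for the draft's 10.0.666.0/24, which is not a parseable address), AS 64500 and the local-preference values are constructed assumptions.

```python
import ipaddress

# Constructed VRP (validated ROA payload): the draft's ROA, AS 42 for 10.0.0.0/16-24.
VRPS = [(ipaddress.ip_network("10.0.0.0/16"), 24, 42)]

# Constructed announcements: (prefix, origin AS).
ANNOUNCEMENTS = [
    ("10.0.0.0/16", 42),      # matches the ROA
    ("10.0.66.0/24", 666),    # covered by the ROA, wrong origin
    ("192.0.2.0/24", 64500),  # no covering ROA at all
]

# Assumed policy values: prefer Valid, still use NotFound, de-pref Invalid.
LOCAL_PREF = {"Valid": 200, "NotFound": 100, "Invalid": 10}


def validate(prefix, origin_as, vrps=VRPS):
    """Origin validation in the style of RFC 6811: Valid, Invalid or NotFound."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for vrp_net, max_len, vrp_as in vrps:
        if net.version == vrp_net.version and net.subnet_of(vrp_net):
            covered = True  # some VRP covers this route
            if net.prefixlen <= max_len and origin_as == vrp_as:
                return "Valid"
    return "Invalid" if covered else "NotFound"


def build_fib(announcements, drop_invalid):
    """Keep the best route per prefix by local preference; optionally discard Invalids."""
    fib = {}
    for prefix, origin_as in announcements:
        state = validate(prefix, origin_as)
        if drop_invalid and state == "Invalid":
            continue
        net = ipaddress.ip_network(prefix)
        pref = LOCAL_PREF[state]
        if net not in fib or pref > fib[net][1]:
            fib[net] = (origin_as, pref, state)
    return fib


def forward(fib, dest):
    """Longest-match lookup, as a router's forwarding plane does it.
    Local preference only chose among routes for the SAME prefix above."""
    addr = ipaddress.ip_address(dest)
    matches = [net for net in fib if addr in net]
    if not matches:
        return None
    return fib[max(matches, key=lambda net: net.prefixlen)][0]


if __name__ == "__main__":
    for drop in (False, True):
        fib = build_fib(ANNOUNCEMENTS, drop_invalid=drop)
        print("drop_invalid=%s: 10.0.66.1 -> AS %s, 192.0.2.7 -> AS %s"
              % (drop, forward(fib, "10.0.66.1"), forward(fib, "192.0.2.7")))
```

With the Invalid route only de-preffed, traffic for 10.0.66.1 still follows the more-specific /24; discarding Invalids returns it to the ROA holder while the NotFound route keeps working in both cases.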