These are unedited transcripts and may contain errors.
NCC Services Working Group
15 May 2013
11 a.m.
CHAIR: If you can close the doors, I think we are going to start because we are quite tight on time and we are already past eleven o'clock and if those people who don't plan to participate, could sit down and be quiet, or leave ?? no reaction...
Okay. I am Kurtis Lindqvist, this is the NCC Services Working Group. It's your favourite Working Group. As a matter of fact it's such a big favourite that this time we got two slots and I am looking in the future to take over the entire agenda. I'd first like to thank Gert and Sander for giving us the extra slot to handle the proposals we have, because we were very packed on time. Otherwise, but we solved that, thank you for that.
So, very quick overview of the agenda. This agenda is not word by word the same one that is on the website, and we won't follow any of them. I explain why in a second.
We are first start with the administrative matters. We have a welcome which I'm doing now. We have Andy from the RIPE NCC doing the scribing, thank you very much. We have the agenda and the minutes from the last RIPE Meeting, if I do the minutes from the last RIPE Meeting, I don't think there was any comments that I know of, anyone have any additional comments or questions? No... minutes approved.
The agenda I published was then we should then go to policy summary, where I'll go where I think we are.
And then we have Nick and David Freedman ?? Dave doing the presentation of the sponsoring LIR, and then Axel Pawlik and Randy will go through the introduction to 2012?03 and 2013?04 for RIR PKI. We are going to have each of them come up and go through the presentations, 2012?03, 2013?04 which is the latest proposal and then we are going to let Richard go through the straw man proposals which he made on the mailing list. Richard is actually going to present online and is online waiting to present, so I'm going to let him go first, contrary to the agenda, and go through this. And we will then go back to the agenda as published.
With that, Richard, can you hear us?
Yes, I can. I will let you take over and present from here.
SPEAKER: So, are you pulling the slide? Yes, so I send five e?mails to the Address Services Working Group about, A, having all the policy proposals in plain text and also the documents in plain text by default.
Second, about renaming the proposals to a more common and global scheme.
Third, to always use unified diff for any kind of e?mail conversation, so basically all automated systems can simply process all the updates.
Then I had one which was called maintaining everything by means of GIT, which is has basically changed to just use any kind of version control system be the same as others do, or just anything which basically allows you to have everything in a single database.
And the fifth one is a yearly list of all the services which RIPE is providing to the community which has kind of been accepted already by Nigel Titley as as far as I know.
So the last one is more or less just about codifying everything.
If I could just get a show of hands, who of you did read those five proposals? So, does it make more sense to discuss the actual content or should I give a little bit of a summary for each of the points?
CHAIR: I think that my ?? as my main question is do we think that any of these or which of these should go through the PDP process as a proper proposal or do we think that these should be discussed as on the mailing list or do you think that Richard should have this sorted out with the NCC by themselves. I think it was enough hands coming up saying that they read the proposals that we don't really need to go through them, but I would like to get some feeling for what people should think what we should do with them and how we handle like this in in the future. Do we need a full PDP process for each of the proposals or do we think we should handle this on the mailing list?
TORE ANDERSON: I recently made a quite big proposal, and one thing that I would have ?? would have helped me is that the format was ?? the authoritative format was a plain text format or at least something that's easy to work with with standard tools and not just to scrape off a web page. So I agree with the last point there. That said I'm also far enough reduction of policy per se. So if the RIPE NCC is kind of willing to work with Richard on this and come to an agreement and find the solution without actually having to compel them to a PDP process, then that's preferable in my opinion.
AUDIENCE SPEAKER: Rudiger Volk. First of all, a couple of the proposals seem to address concerns that I recently had seeing the process moving on, so I'm quite happy about that. I wonder whether ?? well, okay ?? the question should the policy process be applied? Well, okay, do we want or need to actually figure out consensus about this? If so, the question is: What tools do we have to do that? And the only thing I see is completely informal or the policy process. Bypassing the frustrations of the policy process, I would say it might be a very good start to have a document that explains what the RIPE NCC would propose to do about these requests and see how a discussion starting from such documentation would go.
CHAIR: I think that's a very good suggestion. I was standing up here thinking it's very easy for us at the RIPE as ends up doing most of the work with these documents, but the problem is of course, the format also has to fit the proposers and the community. I think Niall is next.
AUDIENCE SPEAKER: Niall O'Reilly, University College Dublin. It seems to me that these proposals are very sensible. There may be some details that need to be worked out but essentially they are not about policy. They are about administrative operations in support of the policy development process. They are really operational and really good suggestion that the RIPE NCC should consider these ideas and come back with a proposal about how they might address them to improve the process is good. I have one question, sort of lurking doubt in the back of my mind about whether something that will affect the policy development path through all of the Working Groups and not just this one doesn't need to have perhaps a broader consent than just in this Working Group. It might be well to raise the question in the Plenary, but I'm guessing.
CHAIR: Fair point.
AUDIENCE SPEAKER: Wilifred Woeber. Vienna University. I don't have very, very strong feelings about the pros and cons to use the PDP process to write down very generic, very fundamental principles or expectations from the community, or posit to the RIPE NCC. Like a request to have an annual service list and that sort of things, that would make sense to have that in a document you can reference or...
But, the real reason why I'm in front of the microphone is, I think the community should be extremely cautious not to put any technical implementation details into a policy document maybe other than all RIPE documents should be in plain text, that's probably going to be pretty stable for a pretty long period of time. By any other things like a particular version of a diff programme or a particular version of a document storage and versions system, this provides sort of the danger that this gets out of date on a regular basis and then we would be required to touch this policy document every six months or every two years or whatever. I think this is just over the top.
SPEAKER: Can I interject here? You raised a very good point and I already edited all my proposals to reflect the definition of requirements and not suggestion of solutions, so, yeah, you have got a very good point and I don't think we should really put a lot of technical solutions in there, it should only be requirements.
GERT DOERING: Speaking as Address Policy Working Group Chair. Having our share of policy proposals. I think the PDP might be a bit heavy weight for that. If the NCC is cooperating, that is we can use the PDP to make the NCC do what we want, or we can nicely ask the NCC whether they have ideas how to address the issues being brought up. I would suggest to nicely ask, and have the NCC sort of look at the problem statements and come up with a proposal how to address them. This is, I think, what database mostly does and it works well. And then the Working Group can look at what the NCC is proposing and if that's workable, just say go on. And if indeed the NCC should be incooperative for whatever reason, we can then run the full PDP and make them, but I don't think this is necessary.
CHAIR: Good point. Thank you. Brian.
AUDIENCE SPEAKER: Brian Nisbet, HEAnet. I realise that Emilio is probably going to respond to Gert. But I essentially agree with what Gert has said and what Neill said. I want to make a comment here. Most of these proposals, I think, are a good plan and I think we should ask the NCC nicely to take a look at this, I think that's the best approach. However, I wish to state my opposition to changing the numbering scheme of proposals to rename ?? it's unnecessary, and it's only going to add, in my opinion, more cruft into the whole situation. Proposals come out in the PDP, we know what they refer, to the community knows what they refer to. I think the addition of multiple additional characters and version numbers just isn't required. The rest of the stuff, I think is great, but please can we not lengthen the ?? increase the length of proposal names. Let's just not do that at all please.
CHAIR: I'm going to close the microphones after this, but Richard.
SPEAKER: Can I ?? I know where you're coming from, but the problem is you are speaking as someone who already gets what RIPE is doing. And most people who are here in participating in this discussion will also basically know how to feel their way around the PDP. But, everybody else, if you just tell them that 2013?01, so, they will really have a hard time to figure out what this actually means. What's the resource where they need to look up what is defined by this statement, specially since other registries may use exactly the same numbers for totally different proposals. That's basically where I am coming from with prefix, so if you say RIPE?PDP, it's absolutely clear if you put that into Google, you will find that every single time, you will always find the correct document. About the sufficient fix of versions, if you look at ?? I don't know, the archive we discussed certain points, it's kind of hard to correlate the date, when did new versions of a proposal come out and when did this discussion happen. So, if you can just refer to a single specific version, that makes this whole process a lot easier especially ?? well going through it after the fact like five years later.
CHAIR: Thank you, so quickly, Emilio and then Axel.
EMILIO MADAIO: I wanted to just make some clarification and distinction between what are RIPE policies and what are RIPE NCC procedures. If I understand Richard correctly is just suggesting to the Working Group to reassess the need and how to define better RIPE NCC procedure in order to provide the community with the right tool to work also on the PDP. May I make the suggestion, the humble suggestion, if possible, to create a kind of sub group of comprised by region and somebody within the NCC, I can volunteer myself for that, so that we can just outline the scope statement of Richard's intention and then when we internally in the NCC have performed the cost benefit analysis, they can collaborate with him and that he can present it to the Working Group and see where it takes. Does it make sense?
CHAIR: It makes sense to me. Axel.
AXEL PAWLIK: To me as well. I am a little bit worried by the abundance of ifs in previous speakers contribution. Of course the RIPE NCC will cooperate and happily so. If we have been a little bit quiet about this, this is what we were waiting for. What do you think? Is this a PDP issue or not? Of course we are happy to work together on those things.
CHAIR: I propose the following then: Emilio and Richard already volunteered to be a sub group and to come up with a proposal and I agree with Neill, we should send this to the other Working Groups as well once this is done. Anyone else think they would like to contribute to this together with the NCC an Richard? Rudiger, okay, well, you talk to Emilio and Richard afterwards, I saw one more hand ?? I don't see who it was. Anyway, talk to Emilio at the front. When you are done, I suggest you post this to the mailing list and we can discuss it here and take it to the other Working Group group for more analysis. Does that work for you, Richard?
SPEAKER: Yes, perfect.
CHAIR: And with that, I should be back on my slides. This is the agenda for the afternoon actually, so we're going to just skip that for the time being.
So, just a quick summary of the proposals. Each of them will actually ?? that the policy proposals we have in the Working Group, each of them we'll go through and present this in great detail. I just wanted to put up the dates for when each of the proposals are. 2012?07, the services to legacy Internet resource holders. The Impact Analysis was posted last week, and that will remain in review phase until 3rd June, and we will have a discussion started on that, and there was some discussions yesterday between the RIPE NCC and the proposers, which I think we'll hear more about.
Second one is 2012?08, the publication of sponsoring LIR. Impact Analysis was posted 22nd April. Remains in the review phase until 20th May and there has been very little discussion on this one, so I think that it would be very good to have some more views and comments on this.
And the last is Eric's proposal that was also posted last week, that is a brand new proposal, and that remains in discussion phase until June 5th.
And with that, I am done. And we'll go back to the normal agenda and then next up is ?? the publication policy LIR, which wasn't Nick, it's Dave ?? so it's your turn, Dave.
DAVID FREEDMAN: Hello. I'm not Nick, he couldn't make it. Just a refresher, RIPE 452 and RIPE 556, a process for taking an independent end user resource and sponsoring it and verifying the legal or natural person through the due diligence process. That's all very well and good, but it leads to this. The object in the database still exists. We believe the end user has been verified but we don't know who the sponsor is.
So why do you care? Well, I thought this was supposed to be some kind of registry, and if we have this process, it's quite amazing that we don't document the outcome. And if we don't know the outcome we can't help resource hold the come to us, we have to direct them to the NCC. So, really, is there anything to hide? And are there any support or privacy expectations?
This is the proposal as an outcome of the Impact Analysis, it updates the database to include a new attribute sponsoring org. Now, when we were discussing this originally, I asked the question I always ask the NCC but publishing the RegID in the database and the NCC. Well, it scares us when you talk about that. The RegID is a file name. It's not meant to be published, we don't have any means of publishing it, it should be an organisation. And after a year of them constantly telling me this, I'm actually starting to get it. It does make sense. So, the sponsoring org is an organise of type LIR. The database needs updated. The process for the change in sponsor needs to be updated. Then just as I was coming on stage I thought I better have a reread of that Impact Analysis, just to make sure I have all of it in my mind when I speak. I noticed something that I hadn't noticed in it before, I noticed that one of the potentially implications of this was that where this information isn't published, it actually means that the end user hasn't been contacted or even identified in some cases, and I find that quite surprising that 452 in its implementation plan has been there a long time. Why the resources where the end user can't be contacted, area the resources for the end users can't be identified? Why do these still exist? It also mentions that the ?? where the end user resources used for infrastructure for the LIR, that will also be published. I don't think that's necessarily a bad thing.
So in summary, and this is my last slide, this isn't rocket science and I hope this isn't anything major, I think it's a very essential part of actually finishing system of the stuff we started with the 452 process.
And I guess I'd like to open the floor to questions or comments or any other kind of feedback being that the discussion that we have had on this has been...... scant.
CHAIR: So any comments? Feedback? I think Rudiger was first
RUDIGER VOLK: I am still opposed. I am sure the RIPE NCC knows which the sponsoring LIR is.
DAVID FREEDMAN: I would like to know ??
RUDIGER VOLK: Why?
DAVID FREEDMAN: Why not?
RUEDIGER VOLK: Well, the registry is not there for people who are just curious. And providing information that, well, okay, does not serve a clear purpose being published, invites people to abuse the information for some strange ideas that they got the information might be intended for. And I think it is perfectly fine to have the knowledge about the contractual relation rest with the end user who should be a part of an agreement, or a contract and the sponsoring LIR and the RIPE NCC knowing about it.
DAVID FREEDMAN: Just to respond to that. I think that there is lots of data in the registry that has the potential for abuse. And ??
RUEDIGER VOLK: So we need to add more?
DAVID FREEDMAN: Well, I think we need the registry to be accurate, and my feeling on this is that we started a process of collecting some data. The data has an impact not just on the resource holder but anybody that deals in the future with that resource. I feel it should be documented in the registry
RUDIGER VOLK: Yes, but the resource ?? the resource holder should be in the registry with all the relevant contact information and the sponsoring LIR is just in some legal relation that does not mean anything about the resource and that does not mean anything about the end user.
KURTIS LINDQVIST: Could I just say something, there are actually objects in the RIPE database where that is not true. I know objects that is highly doubtful that the data in there is actually correct and I would like to know who the sponsoring LIR was that allowed that to go through
RUDIGER VOLK: Well that is the job of the RIPE NCC and not some random person. You canned send a letter to the RIPE NCC (I can) I hope Axel will accept it and route it to the appropriate department within the offices.
DAVID FREEDMAN: I'm not for one minute I /WUG we do the job of the NCC. I do think it's fair to point out that in the Impact Analysis it suggests there was a /PWHRUFRPBLG of objects ?? it would expose objects that a sponsoring LIR hasn't been identified. I am not suggesting that we do anything about, it but it may highlight that perhaps the NCC ?? perhaps the NCC F the NCC can't get in contact with them, who is best placed to do that
CHAIR: I am going to have to slowly close the lines ?? Sasha...
AUDIENCE SPEAKER: Sascha Luck, my /PHOEU self, in principle, Rudiger has pretty much said what I want to say anyway, I might expand a little bit on, it publishing this sponsoring LIR in the database creates to the untrained eye a perception of responsibility for the behaviour of that resource which does actually not exist. The policy so far has been that the LIR does paperwork and handles contracts for the NCC.
DAVID FREEDMAN: I would just add to your point there that the services agreement that you are supposed to enter into with an end user as a sponsoring LIR does actually have some constraints attached to it. So, when you say is creates a responsibility. There is a tiny bit of responsibility being a sponsoring LIR, it's not just a same in title.
AUDIENCE SPEAKER: Only for the correctness of the information, not for the content or the behaviour.
DAVID FREEDMAN: Right. But what have the correctness of the information was in dispute?
AUDIENCE SPEAKER: And Rudiger said already, that is the NCC's job to enforce, that's what we pay them for.
DAVID FREEDMAN: Okay. This isn't a general meeting. But I'd like to you raise that point there, if you feel it.
AUDIENCE SPEAKER: Eric, as a sponsoring LIR for PI space, we actually have a lot of registrations for entities that are not connected to our network and I see a lot of abuse messages coming up for whatever those resources are doing just because people will see some kind of connection in the RIPE database, and basically we are just pushing paper, and that is basically where my biggest concern is. It has no relationship between pushing paper and making sure the things are getting done and I agree, yes, it needs to be correctly documented, that's basically it. We're not responsible for anything that the resource itself does or what it's being used for, and for the rest, you know, there are policies in place with the RIPE NCC to fix that.
DAVID FREEDMAN: Yeah, I agree, but I do think that it's important that the one responsibility you do have is to ensure the correctness of the registration data, and if somebody tries to contact an end user that has an independent resource and can't, who are they to go to? Do they go directly to the NCC and say this information is correct? No. They have to go directly to the sponsoring LIR, it's their job to ensure that that information is correct.
AUDIENCE SPEAKER: But it's not ?? I think that it's not the place to actually list the sponsoring LIR in the objects. Having the correct information is something you need to do in order to get the contracts in place, you know, you need to push paper, chamber of commerce details those kind of things, and ?? so that's the part where the sponsoring LIR and the RIPE NCC actually work together to actually make sure everything is correct. And I have done my fair sure of doing that.
DAVID FREEDMAN: Me too.
AUDIENCE SPEAKER: But it's the negative side effect of actually publishing the sponsoring LIR is ?? and the openness for abusing that, and I have had my fair share, which I will not display here, on how that can be abused and I'm just not waiting for that to open that can of worms. So I'm really ?? I'm not in favour of doing anything like this.
DAVID FREEDMAN: Okay, I understand. Thank you.
AUDIENCE SPEAKER: Tore Anderson. I see a potential connection with the RPKI certification for PI space here. If that actually goes through and I see in my routers that there is something funky going on with the certification of some PI resource, then I would like to be able to get in touch with the organisation who actually has the contractual arrangements with the end user or the apparent end user to actually figure outs what's going on. And as I understand, it the NCC would not certify any PI resource that would not have any ?? that did not fill the 2007?01 I think it is, the contractual ?? so at least in that case I would actually want this for information so that I could actually trace the trust chain to the end myself.
CHAIR: Can I just add, I think that's an interesting point to keep in mind for one of the following discussions about the updating the legacy holder with contact information as well. But we can come back to that.
AUDIENCE SPEAKER: Andrea Cima, one of the points you raised was that the Impact Analysis we mention the fact that there are independent resources that do not currently have a sponsoring LIR, and but I wanted to give you a little bit more information about that and the fact is that we were dealing in total with about 35,000 independent resources. Some of them have been issued like 20 years ago. We have gone through 25,000 of those, more than 25,000. We have less than 10,000 left to go. There is a process in which the end user has six months time to enter into a contractual relationship before we start and before we adjusted the resources. Sometimes it's very difficult to get in contact with them because before they register we want to make sure that the resource is not being used by somebody. In some cases the contact informs is not up to date. We have to do a lot of digging and searching to make sure we don't harm anyone. That's how the current process is.
Another point is that sometimes an LIR and an end user agree to cancel their contract. In that case, you have a period of three months in which the end user may not have a contract. They have three months time to look for another sponsoring LIR. That's also a moment in which they may not have a sponsoring LIR. I hope this clarifies.
DAVID FREEDMAN: Yes. I think the effort you have already gone to sounds quite commendable. Are there any other questions or comments?
CHAIR: I closed the microphones so I hope not anyway...
I think it was a good discussion, there was very few comments made on the mailing list. There seems to be quite ?? and did I cut some people off. We still have about a week to comment on the list, and I would all encourage to you send the comments to the list or pros or ?? for or against or other comments, so we get a bit better feeling of what to do next and we'll then have a discussion with the proposers what we are going to do, I guess. But currently I think I counted only two e?mails since the Impact Analysis was posted, which is not very many to be honest. So I would encourage you all to take this to the list... thank you, Dave.
(Applause)
Next up is an introduction to the the coming three proposals to be done by Randy and Axel. Randy and Axel show, as the three coming in proposals, the three following proposals to be discussed which are the legacy ?? anyway, I think I'll just let you...
AXEL PAWLIK: I am Axel. Hi. I have no slides for this moment. I would like to start off and give a bit of background for those of you who haven't followed the last couple of meetings that closely and for transparency and general background.
I have stood here over the last couple of meetings and did presentations, as I do, and there was some things in there that did not fall on fertile ground with you, you were not that happy about it and that makes me unhappy too. In particular there was a thing, the way we approached legacy holders and how we wanted to go further with getting them into the fold, that was not nice, misunderstood, I don't know.
So I'm happy to say, and Randy will talk a bit further to that, that we are in very close relationships with them, talking to them, to the group, proposing the policy proposal there. That's very nice. And we'll hear some details.
The other one was, the last meeting where we said ?? well I said, oh, PI holders and certification, well they should really become members. That was our idea of how we could approach that. That, like I said, was not very popular. I have talked about this in quite some detail with the board. We sent a couple of mails to the mailing list for feedback, and eventually the board said, look, this certification, RPKI stuff, is a bit touchy in the community, we'd rather have the RIPE NCC not do anything in terms of service right now for PI holders until there is a policy proposal. I understand there is a polocies proposal specific for this on the agenda for a little bit later on today. And then Randy and I stood there in dams said look those PI thing is a bit of a mess anyway and we just heard ?? just one 10,000 to go so that's a good thing. However, there is some issue still open with PI holders and kind of services they get or they should get or in future will get that is similar with how legacy holders look at the RIPE NCC and wish for services and similar things.
So, Randy... explain the photos...
RANDY BUSH: So, as people have said, we have got a number of issues here. Axel and I promised progress, and so here we are again. And we think we have made a little progress. We haven't lacked proposals, there have been plenty of them. And the sausage machine process has certainly been its usual exciting fun, though I must say spending 20 minutes arguing about commas earlier in this meeting was impressive. And we used e?mail which is always a wonderful form of communication, and amplified the misunderstandings, confusion, etc., very well. So we took a radical step. And Tuesday morning, the NCC staff in the proposals actually met face?to?face and talked, and talked, and nobody called the police.
So ??
AXEL PAWLIK: No injuries either.
RANDY BUSH: No injuries, it was fine. And surprise... we found that we were pretty much in agreement. Except of course the devil is in the details.
So ?? and I'm not going to go into the details. We have had enough details already for this meeting. So, let us remember the key goal is an accurate registry. That is our job. The network information centre.
So, until we know who the heck you are, talking about issuing certificates to you is silly, okay. Because we issue certificates that say we really know ?? have a relationship with you and we are certifying that. So what we have now is two proposals formalising the services to legacy holders and formalising PI holder relationships and services. And until we have those and once we have those, then we can say how to provide the certification service to all address holders.
And so that's kind of the order we are going to do it. We are going to talk about legacy holders, we are going to talk about PI holders and then Eric has got his proposal. Can we please keep a sense of humour and friendship here? You are supposed to laugh now. Read this... "You don't have to attend every argument you are ininvited to..."
And of course, the real final decisions are made on the mailing lists. And let's remember that the key goal is an accurate registry, not my religion about how I think PI holders should be treated. And with that, I think we have??
CHAIR: Niall is next. So, next will be Niall to present the status of the services to legacy resource holders which the Impact Analysis was posted last week, there was some mailing list discussion and as was said, there was a meeting yesterday. So...
NIALL O'REILLY: I have a short departure from this group before getting down to business. As you notice, we have eight authors for this proposal, and I have to mention formal apologies from four of them who couldn't be here. There is one of those in particular who has been almost part of the furniture at RIPE meetings, who has done a lot of work in the RIPE community, the ENRON community, in promoting IPv6 ?? and I don't know too much what else because I'm not aware of all the other good things he has done ?? who is beginning, or about to begin, his retirement. I don't know what his plans are or what opportunities will be presented to him, so that we can see him again at RIPE. But I'd like to take this opportunity to ask you to join me in wishing well Bernard Twee of TERENA who has just retired. And I hope we haven't seen the last of him at RIPE.
But now to business...
The goals of the legacy resource holders are to have accurate registry data and you'll see this ?? you saw this in Randy and Axel's slides. You'll see this again and again and again. This is the thing that really is important. We want to become part of the family we helped set up. We want to get the services we need without disturbing existing rights, whatever they might be. And we are prepared to pay a fair price.
Three of those were the same goals that I presented the last time around in Amsterdam, and won't come as a surprise, but we realised in preparing these slides that emphasising accurate registry data was something we weren't doing enough.
And so, the objectives for getting to those goals are: To make the registry data accurate, to make it easy for legacy resource holders to keep their data current and to engage with the RIPE NCC, whatever their S are, and to make it easier for the RIPE NCC to give them the services they need and to declare success. We don't need to do more than that.
As Randy said, the devil is in the details. I'm not going to delve in there.
What's proposed is that there will be this first part of the proposal, the first item here came from the impact assessment from the RIPE NCC. There should be a new category of resource called legacy. And then the way that members will register ?? or that resource holders will register there legacy resources will be one of these five ways.
Members can register their legacy resources. Legacy resources cam become members and register their legacy resources. Legacy resources can register via a sponsoring LIR, non?members can register legacy resources directly with a new legacy service agreement, and for the edge cases, the RIPE NCC will do the right thing, they will deal reasonably with the edge cases.
And all the rest is detail, but these six points are the ones that matter. And if you're minded to read the detail, you can read the detail.
Here is a quick summary of the progress to date. And it's not for nothing that the bottom ?? the last one is in a bigger font than any of the others, and indeed there is a progression of the font size from Ljubljana an an up until last Tuesday when we had this ?? that's just yesterday ?? this excellent problem solving meeting with the team from the RIPE NCC.
And so, how we think it's going to work. There should be a diagram explaining the existing general service agreement and how the legacy service agreement will fit into the that for members who have legacy resources to register. And in another part of the diagram, it shows how people who aren't members will have, will avail of the legacy services agreement and register their legacy resources. What happened there was that there was a new issue of the slides earlier this morning and I think things haven't synchronised up but you should be able to find in the archive that diagram. And before actually handing over to you for discussion or handing over to the next speaker to tell you stuff before the discussion I'd like to say really what a pleasure it has been to work with all of the other authors who have kept me on message and they have had to work hard to do that sometimes, and also with the RIPE NCC, and I think we are really getting close to convergence and I'd like to thank everybody who has worked on it the thank you too.
(Applause)
CHAIR: Don't go away too far. Any comments, questions on the proposal? All in agreement?
WILFRED WOEBER: I'd like to say thank you, let's all of us go ahead as quickly and as soon as possible and get done with it, because we have more pressing needs and we can never fix the corner cases later on if we happen to find one or two. So, full support and thanks for all the efforts you have put in as this group of authors as well as the NCC to eventually come to something which I think is a good product for everyone. Thanks.
CHAIR: I have a question for you then. The review phase hasn't ended yet. But I suspect that you have some new text to put into the document after your ??
NIALL O'REILLY: I expect there'll be new text. I expect there'll be a version 4.
CHAIR: Do you want to wait for the current one to end and then additional comments I guess ??
NIALL O'REILLY: I guess we'll start on the homework sooner rather than later.
CHAIR: Okay.
RANDY BUSH: The NCC was very kind and brought to the meeting yesterday the general Council, and she is actually working on the legacy agreement, legacy policy, which I think should also be published, discussed on how this all works together.
CHAIR: Do you want that to be part of the document or just separately published?
RANDY BUSH: It just needs to be published and discussed and having how you formally make the sausage, I don't care, I am interested in the protein.
CHAIR: I was just asking what you were proposing.
WILFRED WOEBER: If there is, if and when there is a version 4, I would like to get this process sped up as quickly as possible, so this is not a suggestion, it's an open question.
Would it make the whole thing easier to take out the certification thingey ??
RANDY BUSH: It's not there.
WILFRED WOEBER: It was there in version 3 as one of the items on the list of services privated by the RIPE NCC and my reading was that the version 3 does imply that legacy holders actually also get access to the certification service. I don't have a problem with that. My question is just would it speed up the process to take out that thing from this particular policy proposal and deal with it on a more general basis as was described on one of your slides?
RANDY BUSH: The intent is that this proposal will say that legacy holders get all services, and you'll find the same for PI holders, get all services. And the discussion is Erik's for certification becoming a service. We might also choose to offer espresso as a service.
CHAIR: That's a discussion for ??
RANDY BUSH: That is by the way in the contract that we're proposing.
CHAIR: That's a discussion in 20 minutes though or so. Okay. Thank you.
Next is then Randy again I guess. Andy and Axel again.
RANDY BUSH: I think Axel actually doesn't want to come up because, you know, he has some more formal relationship to the NCC and feels funny about being part of a proposal. But the actual PI proposal came out of an e?mails message he posted to the mailing list, and as Wilfried feared, it did have as a main core, one of the core items, certification. This doesn't discuss that. Okay. The real issue is getting PI holders reasonably registered so we can have accurate registry data. You have heard this song before.
We need a clear relationship between them and the NCC, so that the data can be rigorously maintained. For instance, in this morning's earlier session, you may have heard some confusion about who is the actual holder, is it the LIR or the end user? And who has the rights to update the data? Well, this had better be clarified. This, we have got to get straight.
We need a direct relationship with whoever controls those data. Whether it's the sponsoring LIR or the holder, but when we say the holder, what do we mean? So ?? and if there is an argument, I would suggest to remember what Dr. Pastel did when there was some argument about some DNS over there, he would say it's your local problem, when you have solved it, you come tell me. So if the LIR and the PI and the end user cannot decide, they need to work it out and say who is responsible for this holding?
Again, the objectives is accurate registry data. It should be easy for PI holders to keep their data current. I have a joke about the RIRs actually give courses in how to use their product. This is strange. Okay. Make it easy for them to keep their data current. Make it easy for the NCC to give services to them. And simplify and regularise policy as much as possible. Tore, go for it.
So what's proposed is very similar to what was proposed for legacy. Members are PI ?? members that also have PI space can register it. PI holders who are not members can become members. Or, PI holders who are not members, could stay under an LIR just so the relationship is formalised and documented. Or, non?members could register PI resources directly with a new PI service agreement analogous to the legacy service agreement.
And, again, the NCC is not a row bot. They are human beings over there, and they are adults and they can deal reasonably with the edge cases and the things we haven't thought of and trying to make rules for the things we haven't thought of is going to be hard considering we haven't thought of them.
So...
And that there has been discussion about some of that corner stuff, okay.
That's it. As I said it in the previous wrap, there are details and the devil is in there. Okay. And we have to write this proposal up. You'll notice this is not currently a formal proposal so we have to write it up as a formal proposal and it put it in the sausage machine. Your input and co?authorship on the sausage would be appreciated.
CHAIR: Jan.
JAN ZORZ: Speaking as a Go?Six Chair and a PI holder of v4 and the v6 resources and running the RPKI on my router that announces these resources. And I would go for PI holders that are not members may stay under an LIR. This would make the whole thing ??
RANDY BUSH: These are not exclusive. What is proposed is all these are available.
JAN ZORZ: Okay. So, this makes sense.
RANDY BUSH: Sorry, those are inclusive Rs, not exclusive Rs. Unfortunately, english doesn't differentiate too well.
JAN ZORZ: So thank you for doing this, because also we the PI holders can sign our resources. Thank you.
GERT DOERING: Yeah, I like this especially the bits, we'll deal reasonably with edge cases.
You got it? I'm not sure whether the microphone ?? anyway, I like it.
RANDY BUSH: Thank you.
CHAIR: Further comments? Questions? No...
So, we just wait for the text and it will go from there. Thank you Randy.
(Applause)
If we go on like this we might even finish on time. Last one is Erik.
ERIK BAIS: Good morning. I am going to present to you the proposal I created and submitted last week for resource certification for non RIPE NCC members.
Current status is open for discussion. And phase ends on June 5, 2013.
In short, through the PDP process ask the NCC to open the current RPKI system to allow resource certification for non RIPE NCC members.
And the current implementation doesn't allow for PI space or legacy space holders to certify their resources.
So, what does this mean? Basically, this means we have a system that basically allows to certify your resources, if they are actually linked correctly, these prefixes with these ASs, technically a very nice system, and we have only allowed this for a part of the resources that we actually have in the region.
So why the proposal? Well, mostly, you actually read the discussion or followed the discussion left and right, and I was actually one of the people on the mailing list that said once Nigel came up and said well the board decided that a broader community input was desired and invited somebody ?? that was me ?? to put this through the process. So, I raised my hand and here I am.
So, technically, the current implementation says that only covers the current PA space and I have actually put up some numbers here, there are currently about 9,000, 9,000?plus NCC members that can use the RPKI system. However, there are more than 18,000 PI legacy space resources or holders that can not use the system. And within that, there might actually be people that want to certify their resources, that have gone through the process of making sure their information in the registry database is up to date. They have the contracts in place with the end users, but there is no way for them to actually do this. And this is basically the whole thing with this proposal, basically can the NCC open up the system? I will not go ?? as you can see in the policy itself ?? I will not go into telling the NCC how they do it, because I think that's a different discussion. This is just to formalise the process.
So, this is also the reason why I actually stated the policy as simple as possible and actually basically stated the question: Can we ?? can the NCC allow this?
Obviously, with the side mark that for sponsoring LIR can act as an intermediate in the process for PI space and users, and PI space end users must have proper registration, documentation, so all the 2007?01 end user agreement should be in place, it needs to be verified, blah, blah, blah.
So, currently on the mailing list, after the policy was published, it was actually very quiet. Now, obviously everybody was waiting for this great presentation here and running to the mikes already, so, if you have feedback on the policy, make sure that you actually state this also on the mailing list and it can be as simple as yes, I do want to support this.
CHAIR: Okay. I missed the order because I was sitting down.
AUDIENCE SPEAKER: Sascha Luck, don't be afraid, my objections to the whole concept of RPKI is that it currently stands are well known, I have made them time and time again both verbally and on the mailing list and I won't reiterate them here again. I just want to draw attention to the fact that every single objection that applied to the RPKI for PA policy apply to these two policy proposals just the same.
CHAIR: Okay. Ruediger?
RUEDIGER VOLK: I think it is pretty clear we want and we need the possibility for every well recognised resource holder to have the ability to get certificates. And I think we will do a little bit better if we kind of state things in this general terms rather than saying non?members and, as Randy pointed out, that the devil is in the details and one of the detailed devils is in the particular text that I read, I'm reading a mandate for NCC creating certificates for, in Europe used AfriNIC resources which quite certainly will not work very well, but that's kind of not really the important thing. The important thing is to get the resources for everything that is well recognised. And the particulars of what contractual relations and how the identity is checked need to be worked on, but I think a policy that says, yes, the general viability of certificates for well recognised resource holding in the domain of resources managed by the RIPE NCC should be done and other policies may work out, contractual relationship stuff, and stuff like that. And then there is the really nasty details, which I think should not go into the policy development process and that is we actually need to work with the RIPE NCC to understand how they will actually deal with all the tricky details if you have a resource holder that contractually is represented by somebody else and son on, and how is actually the certificate issued and managed. That's probably not completely trivial and obvious. And I kind of would like to see the general policy and the RIPE NCC start to pick up that nasty detail work as quickly as possible so that we can actually take advantage of the result of the damn thing ??
CHAIR: You are making as a general statement not an Impact Analysis on the proposal. But as a general comment on the RPKI and certification?
RUEDIGER VOLK: Sorry.
CHAIR: The analysis you want the RIPE NCC to do, you want them to do that independent of the proposal?
RUEDIGER VOLK: Yes, kind of, well, okay, unless a general position is taken that we do not want to have RPKI at all, which I certainly would object to. And that detailed work needs to be done and it needs to be started and, well, okay, I found it embarrassing at the last IETF when the networking team actually tried to do RPKI and they came back and told us, well, okay, unfortunately cannot certify the IETF networking space because, oh, it is PI from RIPE NCC. And I wonder, and I wonder what the networking team in Berlin in July will have to face?
CHAIR: I happen to be the sponsoring LIR, but anyway... Gert.
GERT DOERING: Basically, the point I want to make is that the fact that we have IP addresses in two different colours is, well sort of an historic accident. So, when they show up in the routing table, we have no colour any more, so there is no distinction between PA and PI as soon as it hits the routing table. So, if we do RPKI for PA, I think we strongly need to do it for PI as well. Whether we need to do RPKI at all is a different discussion. I'm not going to argue for or against RPKI here, but if we do it for PA, I strongly support doing it for PI as well. As for the tricky details, I think Alex Band has already sent a proposal that it could be tackled to the NCC Services mailing list and I'm trusting the NCC to actually know what sort of business relations she see what sort of problems they have and what sort of communication path they can use to securely distribute the certificates. So... to wrap it up, I support it.
CHAIR: Thank you. Sasha.
AUDIENCE SPEAKER: Sascha Luck, would I like to respond to Rudiger actually. There was already a proposal, a policy proposal for RPKI for PA and if you remember, it failed spectacularly, so why is this coming back now?
CHAIR: Randy?
RANDY BUSH: Gert, just one point, you said PI and PA. And legacy, please. Right?
GERT DOERING: Was unclear on that point. In my head legacy is the same thing as PI, as it is sort like independent of LIRs ??
RANDY BUSH: It doesn't have much colour in the routing table either
GERT DÖRING: Any sort of the prefixes that you see in the routing table that are sort of under ?? are under or can be brought under the jurisdiction of the RIPE NCC should have the same treatment as far as RPKI goes.
RANDY BUSH: I believe we are in agreement. And to Sasha's point about how evil and dangerous the RPKI is. I would point out that ISIS is a layer two protocol and only reachable on the link. Where OSPF is attackable from anywhere in the Internet. So, that's very dangerous and I suggest we ask the IETF to deprecate OSPF and remove it. Similarly, RPKI, as my presentation from the November 1911 RIPE, which I think was in convene, specifically pointed out some of the dangers in ROAs intentionally so that operators could make an intelligent decision, and that's the point, it is my choice whether I want to use this tool or not, whether I wish to have my space certified and whether I wish to issue a ROA don't tell me how to run my network. It's my network. I choose to register it. I choose to put in WHOIS data. I chose to put in routing registry data. I chose to issue a ROA. It's my network. I make my decisions. I am not so worried about the threat. When the people with guns, lawyers and money and drugs want you, they will get you. They took away 7 thousand domains last week. Talk to mega upload about how much the RPKI didn't help him. Right. And we have how many thousands of ROAs out there today and have we had one problem? So, what's the threat? The threat is the fear amongers removing a tool from my tool box to protect my network. Volk /SR?BG and by the way, last week, someone did a hijacking on some part of my address space and the guys from BGP Monday sent me a nice (MON) incident message remarking, hey, you have the ROA and that ROA would have invalidated the damned hijacking.
RANDY BUSH: Hijacks occur everyday. Misuse of ROAs have yet to happen. They'll happen. But nowhere as near the rate of hijacks, or I don't like hijacks, miss originations because I don't know that it's malicious, miss original nations.
CHAIR: So we have a debate of the /RO*BGs to be or not to be. Coming back to Eric's proposal, which I think was a little bit more than that. About services for PI or not. We had, as Gert pointed out also perhaps the upcoming, or upcoming proposal to remove the difference between PA and PI and legacy. That will affect the outcome of this as well but it would have a bearing on how this /TPW?S forward as well, right, if that case.
ERIK BAIS: Yeah, so this basically, you know, provides a way for the other resource holders to allow to participate in this system as well, like the IETF. But, if there is going to be, you know, removal of the system between PA and PI, then you know, we'll have to look at the whole discussion again.
CHAIR: Yeah. Niall.
NIALL O'REILLY: I don't want to say anything here about Eric's proposal because the place is on the mailing list and I'd encourage everybody else to go there too.
CHAIR: Okay. That's a good idea. So thank you Eric.
(/PHRAUZ)
Do I encourage to you take further the comments and the proposals to the mailing list. Of course it wouldn't hurt with some for views because at /SOL point in the not very distant future we have to make a decision. If you think there is consensus or not. And with that, we are actually going to finish ahead of schedule.
Amazing...
I think that's the first time the NCC Services finishes ahead of schedule. Enjoy lunch and see you back at 4 o'clock. And don't forget to register for the AGM and Serge wants to say something.
SPEAKER: I want to make one /TPHOEPLT. We have another winner for the ratings of the presentations from the Plenary yesterday and that is Parvel /KHABG a, from the Czech Republic. /PAFL in any case we'll /S*EPBD you an e?mail you won a prize. You can keep rating the Plenary presentation, we'll keep it open to the end of the week and there is also a Plenary Session on Friday, if you did see those presentations yesterday, please give us your thoughts, thanks.
(Lunch break)
