These are unedited transcripts and may contain errors.
Address Policy Working Group
14 May 2014
9 a.m..
(Address Policy Working Group
CHAIR: Good morning dear Address Policy Working Group, or what is already here at this point in time. It was a great party yesterday, and I appreciate all those that managed to get up early enough anyway.
So, this is the Address Policy Working Group. We have two Working Group Chairs, Sander Stefan and me, Gert Doering. For those that are here for the first time, looking into the group, I think we don't have that many first timers here, they are still sleeping from the party, or, have gone to Open Source, which is in the other room right now.
This is what we are going to do now. And then we have a second time slot after the coffee break. We start with some administrative matters, approving the minutes, seeing whether we need to change something on the agenda. Then Marco submitted from the RIPE NCC will give us the traditional intro talk into what's hot in Address Policy land in our region and in the other regions.
Then I hope we will have a good discussion on the topic of personal identity and identity verification as far as natural persons that have PI address space go.
And at the end of this time slot, we will have the feedback from NCC registration services. That the tell us what sort of kinks in the policies they found in the last six months and whether we want to do something about it.
After the coffee break, we will have the shoulds and musts talk. That was brought up at the last Meathing that we had. Some wording ambiguity in our policy documents where it's not clear whether "should" is a should or a "should" should be a "must," and whether the policy should be clear or must be clear about things. English language and IETF RFC 2119 language is not exactly the same on this, so it was decided that the NCC should look into the policy documents and tell us what they find about ambiguity and this is what they found.
And then we go into the discussion of the open policy proposals that were on our desk today.
Actually, in the last few weeks, you have been quite busy ?? when we did the first time planning I had one proposal, when I did the first draft of the agenda I had three and now we have five, so, this will be a good discussion I think.
And then the open policy hour for something that is not yet a formal policy proposal but might warrant discussion.
If we happen to be quick with the first part, I might pull up some of the policy proposal discussions, because I think the second time slot will be a bit full, but we will see how it goes, it depends on how active you are discussing things. If you are all too tired to discuss anything, we can do it all in one hour and then go for coffee.
So, agenda bashing. Have I missed something? Oh yeah ?? and please switch your mobiles to silent, thank you.
Have I missed something on the agenda? Is there something that is conflicting with the other Working Groups in parallel that just needs to be done in a different time slot or any other changes? No... okay, then we'll stick to that.
Minutes from the last RIPE Meeting in Athens. The minutes have been announced on the list about two weeks ago. I apologise for the delay,s RIPE NCC was very quick with producing very good minutes and they were sitting on my desk for four months waiting for me to say yeah, that is okay, let's publish it. So the delay was all my fault, but anyway, thanks to the NCC for very good minutes again.
A question to the room: Anything in the minutes that is not accurate, that is missing?
Okay, I see no comments, so, I declare the minutes final and we will publish them at minutes from the last RIPE Meeting.
And that is pretty much from me. Now it's Marco. For those of you that haven't read the announcement, Marco Smith has been appointed official Policy Development Officer of the RIPE NCC in January. He has ?? (applause) ?? he has been with RIPE NCC registration services for longer than that and been sort of back up PDO to stand in more Emilio, but now he is the formal official single PDO, so all your policy complaints go to him and he will bring us the policy update now.
MARCO SCHMIDT: Thank you Gert. Good morning, and also from my side welcome to all the early birds here in the room and on the webcast. My name is Marco Smith. I'm working for the RIPE NCC as the policy development officer, and I would like to give you the regular update about the current policy topics. What is going on in our region since the last RIPE Meeting, what is going on in the other regions, just a brief overview, just some selections.
First, I would like to talk what is going on in our region and then what's going on somewhere else and I hope that now it goes well. Quite something has happened since RIPE 67 in Athens in October. Some proposals got accepted, first one to mention is the 2012?07. And the RIPE NCC Services to legacy Internet resource holders. This one was discussed in the RIPE NCC Working Group mailing list and it has reached consensus in February this year. And it's currently in the implementation status. If you would like to know more about the status of this implementation, I invite you to attend this afternoon's session of the RIPE NCC's services Working Group, where an update on this will be given.
Same applies for proposal 2012?08, the publication of sponsoring LIR for independent number resources. This one has reached consensus in January this year. It's still in implementation or it's currently in implementation and again, if you are interested this afternoon, more updates on that one.
Then we have proposal 2013?03, the proposal with probably the longest title in PDP history, "The post?depletion adjustment of procedures to match policy objectives and clean up of obsolete policy text." So most of you, you might remember this proposal more under its first name, the no need proposal. It has reached consensus also in February this year and a few weeks ago the RIPE NCC announced that it was fully implemented.
Another proposal that has actually reached consensus during the last RIPE Meeting in October, is the resource certification for non?RIPE NCC members. Also this one was discussed on the mailing list of the NCC Working Group services, RIPE NCC Working Group service ?? services Working Group and the implementation is ongoing and all the data will be update this had afternoon. And last but not least, we had proposal accepted about no restrictions in end?user assignments and intraRIR transfers. This one was ?? reached consensus in December last year and also it's already implemented and since this implementation, it is possible to transfer allocations even if they are assignments in it, so if they are in use.
Also, we had some proposals that were withdrawn since October last year. First one is the 2013?01, the openness about policy violations. This one was discussed in the anti?abuse Working Group and the proposals decided, because of some initial objections and then lack of feedback and support for the revised version, to withdraw this proposal.
And the same goes for 2013?06, the PA /PI unification of IPv6 address space. Based on a feedback received during the last RIPE Meeting and later on the mailing list the proposals came to the conclusion that consensus for such complex change is not likely to achieve at this moment.
As Gert just mentioned we have quite some ongoing proposals. I will just mention them very briefly, because later in this session and in the second slot, especially in the second slot, you will hear more about them as the proposals will present them themselves. The first one in discussion phase to the 2014?02 which aims to allow IPv4 transfers. Then we have the 2014?03, which proposed to remove the multi?homing requirement for as numbers. And then we have very fresh last week published 2014?04 which would relaxing the IPv6 requirement for receiving space from the final /8" and currently you might know you need to have an IPv6 allocation to get the last /22 from the last /8, this would also include IPv6 PI as sufficient.
Then we have also some proposals in the review phase. First one is 2012?02, the policy for inter?RIR transfers, of IPv4 address space. As you can see on the policy number, this is ongoing since quite a while and in the last 12 months not so much has happened. But today, the proposal, Sandra Brown will be here and she will give an update and I can tell you already there will be some interesting news about that one.
And we have 2014?01, the abandoning of the minimum allocation size for IPv4. This is actually a little sneak preview because officially this proposal is still in the discussion phase because the RIPE NCC is finalising the Impact Analysis, but if nothing unforeseen happen I expect that tomorrow the new version will be published and will include the impact analysis, then it will be in review phase.
That's about a brief overview of our region. Now let's have a look into the other regions, and I divided ?? I will give some examples what is discussed in the other regions and I have divided them a bit by topic.
First topic that I selected is the IPv4 depletion, and in APNIC a proposal has reached consensus about distribution of returned IPv4 address blocks. This one talks about that APNIC has a similar last /8 policy like us, everyone can get one /22 and now with this proposal actually, it will be possible for LIRs that have received this /22 to get a second /22 out of a pool of returned address space. So address space that was returned back to APNIC or that will be distributed soon by IANA once there will be a threshold of a /9 in run of the RIRs. And at this moment when this will happen, probably in the next weeks, APNIC will implement this proposal. And to some of you that were following the discussion on our mailing list, this APNIC proposal triggered a quite lively discussion also if something similar is possible here.
In LACNIC, a proposal has reached consensus called adapting the allocation and assignment policy for IPv4 exhaustion. They had, before this proposal, a pool reserved of total /11 for a kind of soft landing. They don't have a /8 policy and two times, one /12 for a soft landing and another /12 for new members, and this proposal extended these two pools for a /11 so now they have reserved a total of /10.
In ARIN, there is a proposal, it's called remove sections 4.6 and 4.7. It's in last call right now. These sections are talking about amnesty and aggregation, there was the option that LIRs could request a big Atlas block in order to aggregate their several smaller blocks that they had received earlier and it was seen that this could give a potential risk for abuse in the light of upcoming depletion in the ARIN region and based on that and also actually the last request received, it was decided to remove the section.
Another topic that is discussed in a different region is of course Internet resource transfers. In APNIC, there is a proposal that has reached consensus about as numbers, that it can transfer within the APNIC region.
In LACNIC, there is a proposal ongoing since 2012 about inter?RIR transfers. It was just presented the latest version last week, during LACNIC 21, it has not reached consensus yet and it was returned back to the mailing list for further discussion.
And in ARIN, there is one proposal called improving 8.4, the anti flip planning language. What is this about? Currently, it says in the policy that you cannot transfer as a source any address space if you have received yourself in the last 12 months, any allocation, any assignment or any transfer except of merger and acquisitions, you so you might have received block A and cannot receive any ?? sorry, cannot transfer any other block to another organisation. And this proposal aims to move away from this organisation 12 months restriction, to address block restriction that openly the address block that was received cannot be transferred to another organisation
Another proposal that I want to mention from ARIN is remove 8.2, 83, and 8.4, the minimum IPv4 block size requirements. These sections are talking about transfers of IPv4 and then all these sections are minimum size of /24s mentioned and this proposal, want to remove this, yeah, minimum size. So this goes a bit in the same direction like our proposal 2014?01.
Then, of course, very important topic is IPv6 deployment, in APNIC, proposal 1.1.1, the request based expansion of IPv6 default allocation size. What is this about? . The proposal suggested that LIRs can extend their /32 allocation to a /29 without any further justification needed. To many of you this might sound very familiar because we have exactly this situation implemented here. However, in APNIC, during the last meeting, this has not reached consensus and it was returned back to the proposal for future development.
In LACNIC, a proposal has reached consensus during the last meeting, last week basically, to create a reserve pool, IPv4 reserve pool exclusively for IPv6 deployment. So they will set aside now a pool of /14 that will become active at this moment that reserved pool of /11 that they have is exhausted and then LIRs that have received an IPv6 address space allocation can regress up to a /24 out of this reserved pool. So they have to show a certain level of IPv6 deployment to get this extra chunk of IPv4.
In AfriNIC a couple of months ago the proposal was accepted to remove the requirement to announce the entire IPv6 block as a single aggregate, because it was identified that this is stopping or at least delaying the IPv6 deployment because multinational organisations had problems to use their v6 in different countries inside Africa.
Another topic just quickly selected are the RIRs principles. This is related to the fact that RFC 2050 which defined the RIR principles was seen as historic and in ARIN and in LACNIC it was decided because of this development to include them in their own policy text, and both regions it has reached consensus.
And last topic that I chose is the out of region use. Because so far, most of the RIRs don't have a specific definition of address space or resources can be used outside of the service region. And it has triggered quite some heated discussions especially in ARIN; and now this proposal would make it clear, would permit clearly, without restriction, that address space can be used outside of the ARIN region.
That's, as I said, is just a brief selection of proposals. There is much more going on globally, especially the ARIN community is pretty active. I have collected here just a draft policies that are currently under discussions, and no worries, I'm not going into detail of them right now. On the top there is even six more proposals under discussions that have not reached the status of draft policy and just want to mention one that is quite new, there is one proposal to remove the need requirement for the transfer of smaller IPv4 blocks up to a /16.
If you want to know more about the proposals and the policy status in the different regions, I invite you to attend here on Friday, the RIR NRO session in the morning, same place, and then my colleagues from the different RIRs will give you a more deeper update about this. And of course you always can catch me in the coffee break or so if you want to get some more information.
At the end of my presentation, I would like to give you some useful links, if you want to know a bit more about the PDP, you can look it up here, if you want to see the status of the current policy proposals, then you can find it on this link and of course you can always send me an e?mail or you can find me on Twitter if you want to know something about proposals, if you have your own ideas, if you want to know ?? anything that you want to know about PDP and you don't dare to ask, you can do this; and, of course, in the next days, I'm always available, just get me and I will be happy to help you.
That's the end of my presentation. Are there any questions?
AUDIENCE SPEAKER: Hi, my name is Basado, APNIC policy co?chair. I have one additional comment about APNIC proposal 107, which is as number transfer. It also allows as number transfer with other regions who have compatible policy, but right now there is no such region, so it's very welcome if somebody proposes same thing in here.
MARCO SCHMIDT: Thank you for this clarification.
CHAIR: Okay. I see nobody else coming to the microphone, so thank you Marco for being up here at nine o'clock and giving us the overview.
So, which brings us to the next topic, which I hope to see a pretty lively discussion on because this is important and it has been raised on the mailing list and there was quite a bit of discussion on the mailing list with no clear outcome. I'm not going to say much more as introduction because I think Nick will cover it anyway. Nick Hilliard has volunteered to sort of introduce the subject and lead the discussion, as it's all his fault anyway, to put it more politely, he fought for the 2007?01 policy proposal that brings stronger ties to end users of address space of PI space and that brings with it some consequences and these we are going to discuss today. Thank you Nick.
NICK HILLIARD: Thank you Gert. I don't think I am ever going to hear the blame, the end of the blame which has ensued from 2007?01.
So, hello, good morning everybody, my name is Nick Hilliard, and as Gert said, there was an issue, it was brought up on an online discussion forum and it concerned the whole issue of how does an individual, a person, identify themselves to the end user and the RIPE NCC has a whole bunch of options, you can use a passport, a national identity card, a signed statement from police, etc., etc., etc. The issue was, the person in question who brought up the issue first stated that it was actually not legal in his country to make a digital copy of his formal identification in that case the passport or identity card, and he quoted some cases in the German Federal court to back this up. I'm not a lawyer, I don't pretend to be a lawyer. But this brings up the issue of what level of identification is necessary for resource assignment and there is actually two things. First of all, you know, what works well for users, secondly what's necessary for the RIPE NCC.
And it's this sort of general discussion that we want to examine today.
So, there was also the question of well, look, do we actually have a problem that we really need to fix? Because some people were saying well look you know, it's kind of okay, you have other options other than a passport or an identity card. You can do other things. One option ?? there were several options which could have been used. The option that this particular user, end user wanted to use was called Post?ident, which is a private scheme operated in Germany, it's run by the post office, and it's designated under law, under German law as being suitable for opening bank accounts and it's, therefore, compliant with EU regulations on money laundering. He wanted to use Post?ident because that worked for him. He didn't want to, you know, send copies of passports because he felt that this was an innovation of his privacy.
So, I think there is a good case to have a discussion on this. The RIPE NCC have an opinion about it. Some members of the community have their opinions about it. So, there is why we have having the discussion here. So the RIPE NCC are going to take a few minutes I think to explain their case, and afterwards, we're going to open the discussion to the floor and see if people on the floor today have any opinions that they want to make about the whole issue. Okay. So, I think I'm going to hand it over to Athina to let her say what the RIPE NCC thinks.
ATHINA FRAGKOULI: Hello, good morning for my part too. There is a presentation. It's the shorter version of a longer presentation which I will give at the NCC Services Working Group, but hopefully, this shorter version will give the appropriate backup information and will help your discussions here. I am the legal counsel of the RIPE NCC.
We will end up here, eventually.
Okay. This slide says due diligence of the quality of registration data, and actually, it is about the due diligence checks we do to make sure the registration data are correct and accurate. This procedure is documented. It's publicly available. And has been there since 2012.
So, according to this procedure, we only register resources to those that have a contract with either us, the RIPE NCC, or with a sponsoring LIR. And we try to confirm that the signing party does exist, because if the signing party does not exist, then the contract is not valid. So, if the signing party is an organisation, a legal person, as we call it in the legal language, we ask for registration paper issued bi?national authority that proves the establishment of their organisation. If the signing party is an individual, a natural person as we call it, we ask for identification paper, IDs, passport, or any kind of confirmation issued again by a national authority. And that's all the background information I would like to give you, and I'm here for your questions. I think this can stay there.
AUDIENCE SPEAKER: Good morning, Raymond from lies a. These issues with instances that don't want to give out the passport or certain ID papers, has it been because they don't want to or has it been because of a law in the country that specifically forbids to copy passports or special papers?
ATHINA FRAGKOULI: Is this a question for me?
AUDIENCE SPEAKER: No, it's a question I have.
ATHINA FRAGKOULI: From what I understand, they claim it is illegal in their country to copy their IDs. That's what I understand.
AUDIENCE SPEAKER: Correct, so in this case, this was a specific case, we have been running this project for five years already, and we had a handful of cases and this one became prompt on the mailing list. This case somebody said that it was not ?? that it was an issue of their law which was not allowed, but we understand that that's the case and that's why the NCC offers different methods of identifying yourself which are shown by Athina as well. So it's not like if you can't show your passport or don't want to or are not allowed do then the door is closed.
SANDER STEFFANN: I think, in this case, he also was more on principle questioning like even if I send my passport, what will the NCC be able to verify? I mean, they don't ?? they can't go to the Government and check whether this passport is actually valid and things like that. So it was also partly because of law, partly because of principle.
AUDIENCE SPEAKER: Hans Petter /HAOURG, not speaking as the Chair of RIPE but sharing my experience from my work on this one. You may run into privacy issues by storing copies of passports. I have had that brought up by one of my customers when we were doing this, but I don't think you can actually ?? there is nothing illegal about asking people to identify themselves with some proof, so that should not be a problem I think. It would be, if I think to the next level, it would be brilliant if we could move to some electronic ID and since I work for a company that provides financial systems over the net, we have looked into this in the in order IX, which is a tiny subsection of Europe and we have not found one method that we can use in those five or six countries we are operating in. So while that would be a very nice thing to have, I think it would be some years into the future because it's possible to sign contracts and documents with an electronic ID across all of our region.
AUDIENCE SPEAKER: Eric Bais, the question that I have is in the registration process, does the end user need to identify himself to the sponsoring LIR or to the NCC, what does policy say on that? And if so, is it possible that the end user will actually, you know, provide his ?? shows his passport or identity to the sponsoring LIR, will it actually be sufficient and will the NCC actually accept that as being validated although they haven't had a copy of the passport?
ATHINA FRAGKOULI: Right. There is no specification in the policy itself, and since these resources come directly from the NCC pool and not from the sponsoring LIRs pool, we decided to implement the same due diligence we do for the resources we give to members, to people they have a contract with us. In this case a sponsoring LIR is the middle man, the resources come from us.
AUDIENCE SPEAKER: But would that be a possible solution for you, and acceptable solution?
ATHINA FRAGKOULI: I don't know right now. I cannot reply.
SANDER STEFFANN: The policy doesn't say anything about identification, but it does say that the NCC must, there must be this contract and the NCC must be sure that the contract is there. And I mean, then the question becomes do we blindly trust every LIR all out there, all 10,000 of them. I wouldn't be surprised if the LIR mix mistakes, should the NCC verify that? It's a difficult question.
AUDIENCE SPEAKER: You bring up a good point and Sander is addressing it as well. Who do we trust and who don't we trust and the situation is that we don't want to be in a situation that we ask for verification on one end and not on the other hand. So, we have one procedure for everybody for LIRs, yeah, but also for natural persons in that case, so we want to treat everybody equally and I think that is the main basis on which we operate and which we'd like to continue operating in.
GERT DOERING: But actually you have one procedure for two very different cases. You have one procedure for direct customers, members, whatever, where you need to have the verification obviously, so you know who you do business with and you have the same procedure for people that are not your direct customers, so one could argue for there is a point for two different processors. Just stirring the discussion a bit. I think Wilfried is waiting for quite a while.
WILIFRIED WOEBER: Wilfried Woeber speaking as a private person on the network and a network manager. There are a couple of different issues here that I think we are mixing. The first one I'd like to address is the oficially, nationally issued piece of proof of identity. And at least in our country there is more than one of those and a national ID card or a passport is just a thing which expires which gets renewed and that sort of things. So, while it is very convenient to put my passport pages on to a scanner and e?mail it to you, I think there are other mechanisms which are even more reliable like a birth certificate, because so long ?? or the statement of the national sort of belonging to a particular national state. I would expect that you would accept these types of identification just as well as a passport copy. So just to get that out of the way.
The other thing I'm seeing here is a more fundamental issue. First of all, with your statement that the resources are coming from you, the NCC, which is wrong, because they have been distributed by other parties before the establishment of the RIR.
GERT DOERING: This is not legacy. This is basically PI.
WILIFRIED WOEBER: But it's more or less the same problem space.
GERT DOERING: It's the same problem space but it came up in the context of 2007?01 which specifically does not cover Urex, so this is really stuff that came from RIPE, but you could certainly argue that IANA isn't requiring passport copies either, even if it all came from IANA.
WILIFRIED WOEBER: Anyway, sort of, I'm viewing the thing as a little bid of a broader issue which is very similar when you start to look at particular special cases. And the other one is, I think a different discussion we may want to open, and that's exactly the trust issue, whether you really want to have direct proof of identity between a resource holder by passing an LIR or using an LIR as a pass through element and then you double check the identity at the NCC, which again applies to more than one work flow.
But this is, from my point of view, this is a slightly separate discussion which we might want to open, because I think this is over the top as well. But it's not directly relateed to this one, what I wanted to bring it up in this context of sort of what is the problem space. Thank you.
AUDIENCE SPEAKER: /HRAOEPBL from beak telecom. I don't understand what you call registration papers from national authority, because if you do exactly like you said, like, the members, normally as far as I remember, we have just two identify the company of of the operator, not a person, an individual. So, what is the problem there exactly? What are you asking for that because normally I don't remember to have been identified as a person but as a company or as an operator.
ATHINA FRAGKOULI: Yes, maybe I wasn't that clear. So, a contract can be signed by either a legal person as we say, an organisation, a company, etc., or an individual. It is either/or. So if the contract is signed on behalf of the company, we only need proof that the company exists. So, we don't need any proof for individuals there.
AUDIENCE SPEAKER: Exactly. So, in this case, you don't need any passport copy or anything. You are just to get sort of justification of the reality of the company
ATHINA FRAGKOULI: Yeah.
AUDIENCE SPEAKER: That's all like any contract ??
SANDER STEFFANN: If the holder of the resources is a company, they require proof of the company. If the holder is a person, they require papers from the person. So, in your case, you're a company so you don't have to identify as a person.
AUDIENCE SPEAKER: That was my remark because you said registration from national authority ??
SANDER STEFFANN: Company registration papers.
ATHINA FRAGKOULI: The registration for the establishment of the company.
AUDIENCE SPEAKER: Hi. My name is /PAOERT shelves sky. I would like to point something out about this registration papers for national that is right also because I'm from academic institution. We have that situation right now in Poland that one of the universities is 650 years old this year, and the registration papers, they have the paper from the king, how do you validate it? This is an open question for you.
That's a good one. My university is not as old but still it has been founded by the temporary government just of the Second World War. This Government doesn't exist, even the successor of that Governments do not exist at all I think. So how do you validate that? It's still an open question and I don't expect that you will answer that.
And... but more importantly, is that at least in Poland, we have something which is called kayadas, it's the registration of the companies, and everyone who wants to sign a contract have to prove that he is able to represent the company. Are you checking that? Because it's not like the CEO ?? is sometimes not responsible to sign the contract on his own, sometimes it could be, or should done with someone else. Are you checking that? Because you said to the previous audience speaker that you are only requiring this registration papers and if you are not checking who is signing the contract, that's a flaw in the procedure if I understand that correctly. So that's one issue.
And the second one is just a comment to Wilfried who suggested this birth certificates. Maybe I don't look like I am old enough to see a lot of birth certificates issued for old people in Poland, and they were both in the different reality before war, so right now, those part of the ?? is not in Poland any more, so the certificates are old and how would you validate that? It's a tough question. And one that's again, I do not expect you will answer that one. But I'm curious about this value /TKAEUGS of the company papers.
ATHINA FRAGKOULI: Okay. I think Andreiey here, the manager of the registration service, has a lot of stories about old institutions that could not really prove that they exist, but, yes, they were trying to find an alternative way. It's very funny. We tried to sort these things out on a case by case basis.
AUDIENCE SPEAKER: Andrew delay again. RIPE NCC. You're right. There are some cases which are very particular, and again we have been running this project for five years, and we really have only a handful of cases which we have seen where we ran into some issues, and in 90% of the cases we were able to solve them and come to the right conclusion, so that's one.
A second remark I'd like to make is that we have a list of options, and that list is available because we are trying to serve a region which is more than 70 countries and every country has its specific rules and regulations in place. So we said well we try to offer a list which is acceptable for a large majority. The only thing is we want to verify, that's the question. And we offer certain methods to be able to do so. If it's needed that there are more, it's going to be very difficult and especially if we have to keep track of all the countries rules and regulations. We could. But that is something we'd like to discuss and I'd like to highlight as well, that it is a set of options we give, and we hope it's sufficing and it did so far.
AUDIENCE SPEAKER: Alex loco ball, a comment to what you said earlier about having one identification procedure across the boards and on the surface that might seem reasonable but European and national law makes a big difference about identifying information for companies or natural persons, which is exactly why we're having this conversation here now. And, I'm not a lawyer, but I know Dutch law makes a big difference between checking someone's ID if you need to do this, someone sending you a copy of that ID and you looking at it and destroying it or someone sending you a copy and keeping it. And if you look at how privacy legislation is developing, these problems are not going to get smaller, I think they are only going to get bigger. So maybe we should think of something else, some other system of verifying the identity of natural persons, for example, by having the sponsoring LIR check it, that just solves this once and for all.
MARCO HOGEWONING: Replaying comments from the Jabber channel remote participation. Elvis Flava says I think that the RIPE NCC should also prove kinds of documents coming from an authorised lawyer and documents coming from notary certifying that that person has been present at their offices and exists as a natural person.
ATHINA FRAGKOULI: This is already the case. So, a notary is a national authority and yes, we accept notarised documents.
GERT DOERING: Just to sort of like steer the discussion a bit, I think we should not go to the company registration stuff because this is really about the natural persons. Let's try to focus on that. And I think we should maybe not try to go into mechanics of ID verification like Post?ident or notary or something, this is specifics but we should try to agree on what we think is the benefit of the NCC actually directly verifying the ID of the natural person. You say ?? you do this to ensure the resource holder exists, and well playing the advocate, turning around the badge and speaking as myself, I claim I could send you a passport of anybody and pretend that this person exists. You're not much wiser then unless you do some extra verification steps. I could Photoshop a copy of my passport and put any name and birthday on it. So what are you going to do about that? So, if you have a method that is problematic due to store of information that people consider problematic and is not actually helping the cause, we should agree whether we want to do that or not. I'm specifically just asking questions and not telling you what to do because that's not my job, that's the job of the room to agree with you what the right way is. So, let's focus on what sort of ?? what detailed level of identity verification do we want the NCC to do or do we want to use the sponsoring LIR chain for that? Do we trust the sponsoring LIRs enough or is there good reason to go directly for the end user, end resource holder? Let's try to, well to come and have an understanding about that.
NICK HILLIARD: I have a question. If an end user requests an assignment using forged identity papers and it is found out later on, will that assignment be revoked?
ATHINA FRAGKOULI: Absolutely.
GERT DOERING: That's good.
ATHINA FRAGKOULI: Actually, just to make a short comment on that. They are obliged to send us true information, correct information, and valid, and they will have consequences if they send us fake information.
AUDIENCE SPEAKER: I have a question for Andrew. You said there are only app handful the what are the options to fix this without actually going into a completely different region and are we talking about people from Germany alone or are there ?? have there been options discussed with those people to say, you know, come to a RIPE Meeting, come to a RIPE training, come to the RIPE office, identify yourself and take your passport along with you, and that's it? Because, there is no requirement to actually store a copy. So, it's about identification and that can be done by proxy by one of the trainers, by one of the people from RIPE that are going all over the globe, or if they, you know, not within a certain time do act, you know, you need to come to the office of the registration because cannot validate you. I'm just trying to be pragmatic here.
AUDIENCE SPEAKER: And re delay. I think you are right. I think that should be definitely the case that we can use those kinds of methods. It's not about storing, it's about the identification that we Mo who we're talking to. We gave in this instance, this specific instance and the other instances as well options, go to a notary, for example, show yourself, those kinds of options are available. I don't think we'll have an issue with people going to a trainer and showing their passport in that sense. So I think there are multiple options and that should be certainly achievable.
AUDIENCE SPEAKER: So how many people are we talking about and can we actually clear it up for them?
Andrew: Two. I know.
NICK HILLIARD: Sorry, two out of how many?
AUDIENCE SPEAKER: We're talking about two cases out of 45, 46 thousand contracts already in place.
AUDIENCE SPEAKER: Buy him a train ticket. Get him to Amsterdam.
GERT DOERING: That is indeed is a strong argument that what you are doing is not definitely offensive to everybody. I think it's still okay to have this discussion to understand the scope, understand the issues and understand how many people are affected. To Andrew, I think right now, one of them actually tried to approach a RIPE NCC employee, present his passport, and got sent back because there is no process for that, so maybe for these two, we could have sort of a lightweight process, show it to an NCC employee who will look at it, nod and give you a stamp of approval. Well the issue is the NCC has seen the passport, is it?
SANDER STEFFANN: Even if we agree that there is no problem here, I think it's good to give the NCC then confirmation that this community thinks the way things are handled is good. So the discussion is good whatever the outcome.
AUDIENCE SPEAKER: Hans Petter Holen again ??
AUDIENCE SPEAKER: Okay. Malcolm Hutty, this is a comment about individuals, but I have got to do it by reference to the companies. It's very easy, at least in the UK, to found a company with essentially providing no checkable form of identification, I can transfer it to somebody without making really any record of having done so for up to a year. The person who is authorised to act on behalf of the company is really whoever I say it is and there is no obligation to keep any sort of record for that.
In the light of that, anyone that wishes to conceal who they are from you, has an option readily available, so with that in mind, I would suggest that it would be disproportionate to introduce strict controls on the identification of individuals that would give you a high level of confidence that you knew who they are but at a cost to in terms of bureaucracy and just general hassle, because anyone that's a bad actor has got an alternative around that anyway so it wouldn't be achieving anything useful.
AUDIENCE SPEAKER: Hans Petter Holen again. I am wondering if we are having the right discussion Address Policy Working Group. I think the other thing to the other Working Group is that we need a registry. That registry needs to be updated. We need to know who is the resource holder. So in order to do that the RIPE NCC applies society's legal instrument like contracts, like identification and so on. I don't think we should invent or own legal instrument to handle this. I think we should use the ones provided by the countries we live in, so if UK has a problem with this, that should be fixed in UK. In other countries, it's much more strict and we should not relax it because one country may have more relaxed rules. And I think if we look ahead, it's going to be very important to be able to verify that if I want to transfer address space issue to me personally and I transfer it to Sander, that that can actually be verified. And if I have showed my passport to a RIPE NCC trainer, how do we do that? I wouldn't put that burden on the RIPE NCC employee. I would have a good mechanism. It's much better with an authorised paper or a passport or any official ID, I agree with my policy colleague here that birth certificate, that's not an official ID. So there are official IDs in every country, let's use those. I think the procedure you have in place is very, very good and if there is an option for an authorised paper I don't see what barrier that is. If it's two out of 45,000 it's way under the noise line I think.
GERT DOERING: Just to answer one bit of that. Area are we discussing this in Address Policy? For two reasons. Basically, because 2011?01 came from this group, and this is a consequence of 2007?01 implementation. So, if we decide here that this is not what we had in mind, this would go as input to the NCC Services Working Group for the actual implementation. But since ??
AUDIENCE SPEAKER: I understand that, my point was just that if we require the NCC to enter into a contract and know who they are giving the resource to, we need to apply the ordinary mechanism for that and not the mentor own. So Address Policy can decide it's not important to have and updated registry. That's sort of within our scope. I don't think it's a wise decision but we can't ask the RIPE NCC to keep an updated registry and not allow them to use the legal tools to do so.
GERT DOERING: Let's leave it at that. Wilfried.
WILIFRIED WOEBER: I agree that this, part of this discussion should probably go to the services Working Group, but as you asked the question about is an LIR a trustworthy partner in this structure for the RIPE NCC, my answer would be a very resounding yes. If you enter into a contract with an LIR, then this is your partner, and I don't see any good reason why you would want to apply additional double checks and that sort of things. It's just like a regular contract. If I'm falsifying some sort of assertions in the contract, then in the case of a dispute, this contract would be challenged and this contract would be probably declared invalid and I would have to bear the consequences, whether this is sort of financial fines or losing property or, in this case, having resources revoked recollect I think this penalty is good enough, because if you start to question the validity of the existence of an LIR, you are actually questioning the whole system that we are used to and we are using as a distribution tree.
MARCO HOGEWONING: Comments from the remote participants. Elvis Flaya, directing a question probably for Andrew. What is the RIPE NCC planning to do about the storage of the personal IDs? Any plans to destroy the data after receiving it or once the resource is no longer used by that person?
ATHINA FRAGKOULI: This is actually ?? there is a process we have on the way we deal with personal data, and it is documented again and it's publicly available in the privacy statement we have.
SANDER STEFFANN: How long do you keep the copy of the passport? Is it on file?
AUDIENCE SPEAKER: We had some copies on file and we are in the process of getting rid of those because we don't need those in the future. That's right. So, that's being worked on.
SANDER STEFFANN: Sounds very reasonable.
GERT DOERING: If I got that right. The actual process is you verify the information, then destroy it, but you still have old stuff that you are trying to get rid of. Okay.
Well, I think that's good enough for me as far as data protection goes. From the room, I don't have a very clear message that anything needs changing. Maybe I am misjudging things, but I have seen a couple of different points of view, but what I have not seen is them up with pitch forks and torches that says the NCC must not ever do this because this is evil. And given that we have two out of 45,000 that are really unhappy with that, I trust the NCC to find a solution with these people, and if I'm misjudging this, feel free to bring it up on the mailing list again, but from what I heard, there is not great unhappiness with it. So... thanks ??
SANDER STEFFANN: I think the NCC can see this as a confirmation that the community agrees with what they are doing.
(Applause)
GERT DOERING: Well, it wasn't a strong confirmation the if wasn't like everybody jumping up and down this is perfect what you do, but I think it's definitely a good enough, nothing seriously wrong with it which is at nine o'clock in the morning after a good party, maybe a strong enough statement anyway. It's sometimes hard to distil clear messages from this group. Thanks for bringing this up again.
AUDIENCE SPEAKER: Very short comment. There is people who can't get bank accounts or mobile phone numbers, they also have a problem. And two out of 45,000 is 99.999999%. Come on...
GERT DOERING: Yes, but I promised to bring it here and I did, and I think it was a useful exercise to really think about that. Thank you for your feedback. Thanks Nick for bringing it up. And with that, we go to the next point on the agenda, which is Andrea, bringing back experience from practical work with all policies.
ANDREA CIMA: After this interesting discussion, I think my presentation will be not so exciting any more.
Good morning everyone, my name is Andrea Chima, I am part of the registration services team at the RIPE NCC.
What is this update about? The goal of this update is to report back to you. What we want to report back to you is the feedback that we received during our daily jobs from LIRs, and we also want to highlight potential issues that we see.
We want to ask you for guidance on certain topics, how do deal with certain issues but we also want to provide you with input with input that you as a community can discuss.
I'll briefly go through the points that we have discussed during the last RIPE Meeting and that have been further discussed on the mailing list and I want to show you the outcome, the results of the points that we addressed. And then I want to go into a few new topics.
Now, first of all going through what was discussed at the last RIPE Meeting among the Address Policy Working Group mailing lists. The first point was the reassignment of returned but references as numbers. The RIPE NCC has over time received about 2,000, 16?bit as numbers back to its pool. These have been returned on a troll tree basis by organisation that is do not need the as numbers any more or where they were adjusted through different processes.
Because these as numbers are referenced in other objects like in import and export lines of our aut?num objects but also route sets, route objects, etc., etc., the RIPE NCC has not been able to re?issue those so far. Now, during the last RIPE Meeting you gave us the mandate to actually go and clean out those references. So, what we did as in the process described on our website, we have contacted all the maintainers of the objects, the database objects in which those objects were referenced asking them to please remove those references. We sent another, an additional three reminders to them asking to do so, and about 200 references have been removed up to this. So I would like to thank the people that actually took the time to remove the references. Unfortunately, though 200 references out of 3,000 is not a lot, and it's less than 10%. So, as described in the process, we will go in the coming weeks and remove the references ourselves from the RIPE database. So that we can then re?issue those AS numbers.
The second point that was brought up during the last RIPE Meeting was the fact that the RIPE NCC was receiving an increasing amount of requests to change status from assigned PI to allocated PA. This usually, this request would usually come from organisations that a long time ago received a PI block, then they became an LIR, and they say okay we have a bit of PA, we have a bit of PI, I cannot do the same things with my address space, can we just unify it and make it all as one and give it the same status.
We brought this up and you gave us the mandate to change our process, to change our procedure and to allow LIRs to change their PI assignment into a PA allocation, we published the procedure at the end of March this year, and within a month, we had about, we processed about 40 requests to do so.
The last point that we brought up was the fact that there was an increasing amount of requests to transfer PI address space between organisations. Policy does not support this. So, we usually say, no, sorry, cannot do this. However, what we did realise was the fact that the organisations would go away, but maybe the address space was still being transferred just the registry was not updated which is a concern, because we want to ensure to have a current and accurate registry.
So you as a community put a policy in place which will be discussed lately err today. So thank you for the input and action has been taken on all the points brought up last time.
Now, the new topics I would like to bring up is the fact that the RIPE NCC is receiving every month an increasing number of transfer requests. Only last month, we had about 50 IPv4 allocation transfers processed. And this number is increasing. Now, I have already spoken to a couple of LIRs at this meeting as well, and they were telling me yes, we would like to transfer all the resources from one LIR to another. We have taken over their resources and I had to tell them like we can transfer the IPv4 allocations because there is a policy for that, but the AS number and the IPv6 allocation can unfortunately not be transferred because there is no policy in place to be able to transfer those resources. And we have seen that this creates a bit of an issue when you as an LIR take over all the resources from other LIR and you can only transfer a part of those. Especially, of course, when those resources are being used. So this is the first point that I would like to bring to your attention.
The second point is something that has been discussed already last week on the Address Policy Working Group mailing list, so I was actually happy to see that we had the same point to bring up as was brought up on the mailing list and this, the fact that if you are an LIR and you have received in the past an IPv6 PI assignment, when you receive an IPv6 allocation, you must return your IPv6 PI assignment. So, policy says, if an organisation already received a PI assignment before becoming an LIR, the PI assignment should be returned upon receiving an IPv6 allocation if there are no specific routing requirements to justify both."
Now, what happens is that organisations receive IPv6 PI, they become an LIR, they come to us, they want an IPv6 allocation. The assignment is quite often actually in use, so, they are using their IPv6 address space, and when we ask them, are you sure that you don't have a different routing policy for your PI and for what you would have for your allocation? And sometimes people come back and say, no, we will have the same routing policy. And in that case I have to say it kind of hurts a little bit inside to ask an organisation that has deployed IPv6 to return their IPv6 address space. So far, since 2013, 22 LIRs had returned their IPv6 PI address space to us in order to be able to receive an allocation.
This was the second point. The last point is coming back to the referenced AS numbers that have been returned. As we all know, there are not many 16?bit AS numbers left, and the RIPE NCC issues about 150 AS numbers per month. Out of these 150 AS numbers per month, we have to say, I'm really happy to say that about between 65 and 70% of those AS numbers are 32?bit AS numbers so we are doing really well in the region. However there are still people who need a 16?bit AS numbers, or at least that are requesting 16?bit AS numbers. We keep getting back 16?bit AS numbers that are being referenced in other objects like I mentioned before. So, what I would like to do is, what we would like to do is re?issue those AS numbers. Now there are a few options that we see.
First of all we could go and send four e?mails again to organisations asking them to remove the references, if they don't after four e?mails we do it. But we have seen this this doesn't really work so much, we had 7, 8% so far. What we like to do to able to re?issue those action numbers. We see a few options. First of all we do not care about the references, we still issue the AS numbers as they are. Another option would be to ask an organisation that has referencing that AS number to remove the reference, and if they don't, we will do that soon after. But of course, these are only two possible options, and there may be actually other options to be taken into consideration.
So, this was the third point.
The last slide that I have is just an FYI, to keep you informed about things, to be transparent. Sometimes it happens that an LIR is closed, an LIR is closed through nonpayment for example and in that case after 120 days all the resources are being deregistered. Sometimes it happens that this LIR comes back after six months, that they have been closed and say hey, yeah, we got out of business for a bit but we're back in line, we're back in business, can we at least get a /22 back from the last /8, which had been registered in the past. In this case, we decided to re?issue a /22 to this LIR for the simple reason that otherwise the only thing they had to do was re?open another LIR and get the /22 and in order to avoid unnecessary bureaucracy and additional paperwork for the LIR we issued them a /22. So this was FYI, and that was it from me.
SANDER STEFFANN: You already touched upon the subject we're going to discuss after the break, because you said an LIR must return their PI allocation and the policy said they should return their PI allocation, so I think Jan will be happy, but let's leave that part till after the break. Any comments from the room first?
GERT DOERING: I actually have a comment on what you said about the closing and re?opening. So, I think it's fine what you are doing. To understand the background of that basically, you are taking the policy very, very literally which says one /22 is ever allocated out of the last /8. Than means even if that 22 is returned, it's gone. So, the process of allocating a /22 happens once and then never again except in this particular case.
ANDREA CIMA: Yes.
SANDER STEFFANN: We talked a bit about this yesterday because there are LIRs that, through mergers, have acquired multiple /22s and if those close are reopened, when they re?open they get one, yes, so I think that's a good implementation personally. I see some thumbs going up, so...
GERT DOERING: Something else I have noticed you mentioned that an LIR taking over business from another LIR and not being able to transfer the AS numbers and the IPv6 space. I wonder why they are not just using ?? in that case, when they take over all the business, why they are not using the merger and acquisition policy?
ANDREA CIMA: Because there is in in case no acquisition of the organisation and no even legal acquisition of the business, so, these are, the resources that are being transferred are just the resources being transferred, there is no acquisition in place in this case. There is no merger or acquisition, at least this is how they bring it to us.
AUDIENCE SPEAKER: Erik Bais, I was actually one of the people that actually consolidated multiple LIRs that were within a company structure, I believe one company structure that I worked with, they had about four or five different LIRs and they asked us to consolidate everything. We had to return the from the originating LIRs that went into the one that we wanted all the v4 blocks in, we had to return the AS numbers, the IPv6 blocks, now although in the destination LIR, we could expand the v6 block from a /32 to a /29, but we still had to return the other blocks, although there were, in this particular case, they weren't in use, those blocks, but I can imagine in other issues where they are. So, Andrea, you say that there is currently no policy forecast number transfers and for v6 blocks and I would like to take that up with you and Marco to provide two additional policies, if that's okay, with ??
GERT DOERING: Thanks for that, we'll take you up on that offer. I'm still wondering, because my understanding of the merger processors is that if you merge two LIRs, due to, well?being part of the same business anyway and deciding that one LIR is enough paperwork, you get to keep all your resources. So I'm confused though.
ERIK BAIS: In this case it's not a merger or an acquisition. It's actually consolidation.
GERT DOERING: But that sounds very much like a merger to me. If, like, you have 50 LIRs in Europe and they decide one is enough, it's the same thing anyway, so they merge.
SANDER STEFFANN: I think the difference between merging companies and merging LIRs, I think that's ?? should we make a difference there anyway?
GERT DOERING: Maybe there is clarification needed there what you consider a merger. It's not an acquisition but if it's part of the same organisation that gets well, merged.
ANDREA CIMA: One of the points for example I was talking to an LIR for example yesterday, is that for example, there can be a mother organisation that holds different companies and we have a contract with those different companies, and the contract is with those individual companies, it's not with the holding company and then if you want to put together those LIRs but there is no acquisition from one LIR taking over another LIR, for example, that is one of the cases. But what you see as well is that organisations just want to transfer their resources from one LIR to another without there being any acquisition in place.
GERT DOERING: If it's just a voluntary transfer of okay, I keep part of my business, you get the rest, then of course ??
ANDREA CIMA: And we have seen really, only in April, we have seen 50 cases like that and where IPv4 addresses have been transferred without there being an acquisition in place but just pure transfer of resources. And that number is growing every month.
SANDER STEFFANN: So, Eric I think your proposals are sorely needed.
GERT DOERING: I'm still not sure I fully understand the problem space, I can see IPv4 being transferred due to pressing need, and v6 being transferred due to mergers and acquisitions and maybe we are overlooking some other cases but anyway having a clear policy that permits it even for the corner cases is going to help everybody. So, yeah... let's go there.
AUDIENCE SPEAKER: Wilfried Woeber again, this time with my tiny hat of Database Working Group co?chair. Coming back to the recycling of AS numbers, this is also going to be on our agenda later today because there are, from my point of view, there are two separate issues here with the documentation of routing policy and use of AS in the database. One of them is actually the route object where you need the consensus of both the AS holder and the IP address holder to register such an entry into the database, and I presume this is rather easy to get a hold on, so even if some parties still think that they have anything to do with an AS number that has been returned and recycled, I think we can keep a tab on that one. The more difficult one probably is the aut?num, the routing policy on the basis of autonomous number inter?relations because even if you, on the part of the NCC, go in to remove the route objects, I do not believe that it's going to be easy to mess around with individual import or export clauses in a particular AS policy description, and even if we would do that, there is a pretty good chance that during the next regular update, or for whatever reason, the maintainer of that set of routing information is actually going to resubmit it to the database, and I'm not aware at the moment of any cross checks or any sanity checks or any inter locks to prevent that from happening, and I guess from the point of view of parties deriving filters, route serving configurations, whatever you take based on that registration data, you may even interfere with the routing, because you may even advertise something which is wrong by that point in time, and someone else may even believe that, I think it's careful investigation how we actually try to minimise the impact.
GERT DOERING: So what do you suggest how to move forward with this? Given that there is need for 16?bit AS numbers that the NCC has some, and is currently not giving them out.
WILIFRIED WOEBER: I don't have any point of view on that one because I don't have any input on the number of requests, and I don't have any information about the number of 16?bit AS numbers which have never been distributed, so which are sort of virgin and whether there is really a need to recycle those that have been ?? I simply don't know the figures.
ANDREA CIMA: The figures, if I'm correct, the IANA has less than 512, 16?bit ASNs left in its pool. At the RIPE NCC we still have, I think, maybe we can check, but I think not reference one we still have about 600 and then we have those 2,000 referenced AS numbers which will be a pity not to use.
SANDER STEFFANN: We're talking about import and export lines here.
ANDREA CIMA: Mostly import export lines, AS set objects.
WILIFRIED WOEBER: AS macros.
ANDREA CIMA: Exactly.
SANDER STEFFANN: But, import and export lines referencing ASs that are not in use at all, sounds like some action for the Database Working Group.
WILIFRIED WOEBER: Indeed. That's the reason why I brought it up.
SANDER STEFFANN: So can we transfer that part to you.
WILIFRIED WOEBER: Yes, I think so.
AUDIENCE SPEAKER: Sir kid here from via tell. Would I like to go back to an issue of RIPE not recognising the group of companies. We actually had that issue hitting us twice over the last year while we tried to consolidate LIRs into a single holding LIR for the resource of the companies that were acquired by the group of companies and we found it very, very difficult to actually convince RIPE to consolidate it. And actually we're still unsuccessful with that and at this stage it looks like the only solution may be to actually open a new LIR as the company that's a holding company and then transfer all the resources to that company that way, which is kind of counter productive and I think that's something that could go addressed eventually.
ANDREA CIMA: Thank you for the feedback and this is exactly the ?? why we brought up the situation as well, to be able to help such cases, yes.
AUDIENCE SPEAKER: I'm not sure to understand really the reasons why IPv6 cannot be transferred exactly, what was said before, because I am located of the merger for the same company with two LIRs and he want to move one to another, to I like to be sure that I can keep all my resources not only IPv4 but also IPv6 block, because they are in use today.
ANDREA CIMA: Yeah, at the moment there is a policy for IPv4 transfers, a transfer of IPv4 allocations, but there is no transfer policy for IPv6, and that is the reason why IPv6 cannot just be transferred at the moment and that's why we brought this up.
SANDER STEFFANN: I think the message I'm getting from the room is actually if consolidating LIRs, the mergers and acquisitions procedure should be applied in that case, even if there is not a business takeover.
GERT DOERING: That's one of the messages I get that company structures are more complicated than the current processors take into account. And the other message I get from the room is that we have asymmetry in our policy regarding transfers and we have some numbers that can't be transferred and some numbers that can. While I urge you to support Erik's upcoming proposal to get that in line. That's pretty much what we can do as a Working Group to see, yeah, there has been something that we didn't envision when we did the first transfer policy, and now we go to fix it. That's our job.
AUDIENCE SPEAKER: Is there any barrier for that really?
AUDIENCE SPEAKER: Would I actually ask could we have a point or two in the policy because reading RIPE 579, which I believe is the transfer and change of name document, I can't find any reference to what you are saying. So it would be very good to get the concrete pointed to that so that it's easy to create a policy to fix this.
ANDREA CIMA: I'm not sure but maybe the document that you are referencing to is the procedural document, and what we are pointing to is the policy, the IPv6 allocation and assignment policy document, where it doesn't mention about transfers, while it does talk, there is an entire section about transfers in the IPv4 allocation and assignment document.
SANDER STEFFANN: I think some of the cases that are being mentioned here are not seen as transfers, so, I think ?? I think Gert is right, we have two aspects to look at. One is the policy side of actually transfers and the other is looking at consolidation of LIRs should not be seen as a transfer. I think that those are ??
ANDREA CIMA: Yes, the point though is we have some legal obligations and again, if we decide ?? I'm not a lawyer ?? but if we have done all the due diligence checks necessary to see what we can do qua contract transfers and what can not be done, but we have been trying to sort this out.
SANDER STEFFANN: This is not something we're going to solve right here right now.
GERT DOERING: Maybe what we can do is put an action item on you and a Sheehan a so for the next RIPE Meeting sort for these particular cases where you have an umbrella corporation that has acquired all the daughter companies but is not the mother LIR, that these can be sort of like fixed in the processors or not.
ANDREA CIMA: Yeah, to look at it from a legal perspective and report back to it on that. Thank you.
AUDIENCE SPEAKER: Nick Hilliard can we just get back to the ASN 16 situation again. The reason that there is a disparity between ASN 16s and ASN 32 is is that we don't have a full feature compatibility between the two of them on standard routers today, and the reason we don't have that is because there is no IETF standard which treats ?? which allows us to define a fully 32?bit communities which is to say 32?bit: 32?bit and I'd like to just throw it open to the room: Do we as the Address Policy Working Group want to put forward a motion to ask to formally ask the IETF please to sort this problem out? Because cannot really run transit providers with 32?bit communities at the moment, or at least 32?bit ASNs. This is going to become an issue very, very soon and there is no sign of this problem being sorted at the IETF.
SANDER STEFFANN: I personally think there will be a good message, whether we can issue official statement, I don't know.
GERT DOERING: Of course we as a Working Group can agree to funnel this into IETF and say this is an operational problem, please go fix it and BGP. Would you be willing to draft and circulate on the mailing list? When you stand up and ask the group to do something, I'm going to find a volunteer, you know that.
NICK HILLIARD: I just shot my foot off here, didn't I? That has to be yes, okay, I will do that.
SANDER STEFFANN: One second. One thing I just ?? you reminded me of, we actually gave the problem of the import export statements to the Database Working Group, but there is still one issue that we have to think about. Does the NCC start distributing those referenced ASs or not? And that's something we should decide on. So, should we wait for the Database Working Group to clean up the import and export statements and keep them on hold, or should we just start distributing them even though they are still referenced?
AUDIENCE SPEAKER: So, this might have been bounced to the Database Working Group but I'd like to ask the room anyway, I can put anything in my import/export lines I want and the only foot I will shoot in it if I put nonsense in there is my own. Is there anybody in the room who cares what I put in there? So, let's just assign those things.
SANDER STEFFANN: Any objections? I don't have a hammer to ?? of course it will be possible, the thing is it's even now possible to put complete garbage in there and you will only damage yourself with that. So, the thing is if somebody receives an ASN that is still referenced in some garbage, do we care about that?
WILIFRIED WOEBER: First of all, I have to agree with the statement that the problem is there already, whether it's recycled once our once that have never been given out or you are putting in stuff for numbers that are not there year round. The other thing is you are only shooting yourself in the foot is mostly true, but there may be funny coincidences if someone wants to mess around with filters or with peerings, then you can probably do some mischief by putting in stuff. Whether the other party accepts this is a different story. But, the fundamental thing is that there is no sanity check at all at the moment, irrespective of whether the number has been assigned or not, that the policy statements that you are putting into the database make sense and this is, I think this is the problem that we have on our plate for the Database Working Group, and this is sort of relevant to this question here whether you hold back for another couple of months or whether you just go ahead and use the recycled ones as soon as you don't have any virgin ones on your desk.
AUDIENCE SPEAKER: Hans Petter again. I think you should consider before deciding on this is this for the good of the Internet or not? If all of us can make individual mistakes, that on our own, that's our own responsibility but if we as a group or the RIPE NCC makes mistakes for the whole community that we don't understand, maybe it's better to do it the safe way and wait. Let's just think about what's the sort of ?? what's the trade?off here.
AUDIENCE SPEAKER: Freddie of N 87. I vote for option 2, because I have to admit I got a mail from you guys that you have still reference days, numbers and I was just too busy or too lazy and I did nothing so I ignored, it's probably still on my to?do list but it never showed up on the top, so go for 2 please.
AUDIENCE SPEAKER: George from APNIC. I just wanted to make two slightly separate observations. One is that the shortage of 16 bits is a worldwide problem and we have the same issue that he have with where are we going to find resources for people whose equipment is not capable of coping with 32s that was a side point.
The other thing is I believe Andrea you said earlier that you are handing out 160 a month, 65 percent or so are 32?bit. So you have a consumption rate of 80 a month, which are forcibly 16?bit. And you said you have a reserve of around 600, so you actually have somewhere potentially up to six to ten weeks to resolve this issue. I personally see retractions in saying if it's a marginal cost issue, if it's in an import/export you might as well go ahead after a two?week clamp and remove them from procedural management. You have had eight to ten weeks to think about that. But that's just an observation from this side.
ANDREA CIMA: I would like to clarify what the number of ?? for the amount of people which we have resources. We issue like about 150, 160 per month AS numbers, so, the 35%, 40% max of them are 16?bit. But that is on a monthly basis, so, we have a bit longer than ??
AUDIENCE SPEAKER: Oh monthly, not weekly. Monthly. I may have not been clear, sorry.
GERT DOERING: One more comment and then we are far enough into the coffee break that I'm closing the line.
AUDIENCE SPEAKER: Option 2 isn't going to solve anything. A long long time ago the RIPE NCC used to chase up these references much more than they do now, and what you saw is that references got removed and then two weeks later the references are back because people used their aut?num template for updating their aut?num and they might update the object in the database but not not in the template on their hard disc, there is never been any continuous checking to see if there is anything sane in these import/export lines. I think it's a non?issue and I think even option 2 would be a waste of time.
SANDER STEFFANN: I hear different voices. May I suggest the following: As long as it's possible and there are still unreferenced AS numbers, go for option 2. If at some point the decision is do 1, or refuse the request, I think 1 would be the good answer. So, not refuse any requests because they are still referenced but as long as you have the option to give clean ones, do that.
GERT DOERING: And listen to what Freddie said, send a new round of reminders that people need to clean up their objects and find time for that.
SANDER STEFFANN: Then I had, because the microphones ?? if we are done with this subject, I had a request from Filiz to get a microphone before we go for the break.
FILIZ YILMAZ: It's just a house?keeping thing. If Seiichi Kawamura is in this group, in this session, you won a prize because I rated the talks yesterday, so you can go and pick up your prize at the registration desk. And I hope I'm saying the name correctly. Seiichi Kawamura from Japan.
GERT DOERING: Okay, thanks to all of you for being here for contributing and please be back at 11 for the specific policy proposal discussions. Thank you and enjoy your coffee.
(Coffee break)