
These are unedited transcripts and may contain errors.


Plenary session
16 May 2014
11 a.m.

CHAIR: Hello, welcome back. Hopefully you have got your coffee and you're ready to go, we're on the home stretch now so we're nearly over for RIPE 68. But a few announcements, a bit of housekeeping first of all.

Lunch is delayed till one o'clock. We have quite a full and packed agenda for this afternoon. The other thing is -- obviously we have been kept awake this week by some fantastic coffee from the baristas outside. So we're going to do a whip around for the baristas.

The other bit of housekeeping we have got is the results of the PC elections, so hopefully you managed to vote. And what we have got is we have got Jan Zorz returning for another term on the PC, and we have also got Meredith Whittaker joining the PC as well, a fresh face as well. And the other person I'd like to ask to come forward if he is around is Andrei Robachevsky, is he here. Andrei is stepping down from the PC now as the ENOG representative, and I think Andrei wants to say a few words.

ANDREI ROBACHEVSKY: Thank you for that. I think I cannot beat Joao, who spent more the PC when he was the PC, but I spent I think six consecutive terms and because there was no democratic way to kick me out, I could have probably continued doing that, but, at ENOG, we decided that we need to have a fresh face on the ENOG PC, and Sergei, who I think we'll introduce shortly, will be the new representative of ENOG community on the RIPE PC. As for me it was -- I matured together with this Programme Committee, and it's a great team of people to work with. So I really enjoyed it, that enhanced my very positive experience of RIPE meetings, but I hope it will continue that way, and good luck to you all. Thank you.

(Applause)

FILIZ YILMAZ: We have a little something for you for all these years of service.

Sergei, do you want to show your face so people can start pointing at you for the next meetings programme.

Andrei: Thank you who selected me for serving the RIPE Programme Committee. I'm not a young boy with the Programme Committee, I hope it will be a great pleasure and a great success for me to work with you. Thank you.

CHAIR: Okay. Right. I think that's all the housekeeping and other stuff taken care of, so we'll go for things on the agenda.

Where is Emile? You are going to talk to us about crowdsourcing geolocation, it's interesting if you have been following this in the MAT Working Group.

EMILE ABEN: Hi, my name is Emile Aben, I work for the RIPE database, and this is about a project we call open IP map. So this is crowdsourcing infrastructure IP address locations.

So, open and crowdsource mapping of IPs to geographic locations, it became clear that needs to be open and the emphasis here is on infrastructure and not on the eyeballs. So eyeballs geolocation is pretty much solved or there is lots of products you can use free or non-free that actually do a reasonable job for geolocating eyeballs, but for infrastructure it doesn't work. And you can basically think of this as OpenStreetMap for IP addresses, so. Just to get a feel for the room. How many of you have used OpenStreetMap? Okay, how many of you have contributed to OpenStreetMap? Okay. That's a good -- so for you, who have contributed, this is a project where you can contribute for IP addresses and for those of you who have not contributed, this is your chance to get this warm fuzzy feeling of crowdsourcing useful information, so...

And the idea is really simple, or the basis of the idea. It's here you have an IP address. In a database and you map it to geographic location and down there there is an example. IPv4 address, IPv6 address or even a host name, because the reverse DNS, this map, of course, that type of information to a location, in this case Luxembourg and from the host name you can actually see that this thing is very likely in Luxembourg.

So, and this is crowdsourcing, so, how do you get this information? Well, anybody can put in information, and because network operators have, like, a high quality knowledge, this is like -- this is geared to this audience, to -- there is only a couple of conferences or a couple of groups worldwide who are like really high quality sources for this type of information, and of course you have authoritative knowledge of your own networks. You either put stuff in reverse DNS or you just -- of course you know where your stuff is, right. And the output from this then is that everybody can benefit. Like, if you make this really open, dump this data periodically somewhere, so other people can use it, it improves existing geolocate, so it fits together with the existing geolocate has eyeballs already and this then this has infrastructure. And it has potential for improving network diagnostics.

Because, this allows you to put traceroutes on a map and like, if you do a trace route and I'm assuming everybody here does traceroutes, from host names or from whatever information there, RTTs, you can pretty much figure out the forward path that a packet is taking. And here you can just you can put it on a map, if you have a location, it's connecting the dots. So, you can compare stuff, changing stuff over time, visually identified outliers, you can put 30 of these on a map, 100 of these on a map and they are pretty much, if all of them are a straight line and one of them does weird stuff, that's the one that you want to investigate, and if you do that with like all trace route outputs, that's going to be a lot more work, right.

Identify strange routing. You can also do statistics analysis, so you can just look at a mesh for a country and see if there are paths that are outside a country and it will show you an example of that later.

This can contribute to RIPE NCC tools like RIPE Stat and RIPE Atlas. Other tools, it is open -- intention also is to have an open API, or actually it's already there. And when I show this this week to various people there were ideas like oh I want this in my looking glass, I want to replace the text there with a nice map of actually how stuff is working. Or how we see stuff.

And this can provide a raw and both data not only to geolocation providers but to the whole community and also to researchers to do useful stuff. For instance, analysis of events, like for me this started with Hurricane Sandy, for instance, where it was kind of hard to actually see what was going on from traceroutes.

And maybe even this has the potential to help answer strategic questions, if in lots of traceroutes that you visualise, you see that a couple of networks that is high volume for you, for instance, they all come to you through a certain location where you are not, then that's an obvious thing and well maybe you get that information from PeeringDB or -- but PeeringDB could be missing this information for instance, or this type of information could actually warn you if you haven't updated PeeringDB if a new location in your network is found for instance. And it can help you reduce latency, if you see a strange path and you can verify it as a strange path you can work on it, right, but first you have to know it's strange and it can improve resiliency, are there bottlenecks in my network or outside my network that I need to fix? And security. I don't want my traffic to traverse there, I want it to stay here.

So, to get back to the actual problem here, there is no comprehensive and open service like this that exists currently, I'm not aware of one. So, existing stuff focuses on eyeballs, on end users, and not on infrastructure and just to give you an example, these are infrastructure addresses. Does anybody know where they are? Well, geoloc: Britain, France, EU, that's kind of big, Englewood, Colorado, US, that's existing geolocation, gives you this information. Let's put the host names next to it. Warsaw -- that's a CLLI code -- and there is structure in this stuff. So, it's pretty obvious that with quite high confidence, you can say this is in Warsaw, Poland and that's sort of the core of this idea. As an operator, as a human, you can see this. This is not hard. And so where do it this way, and this is because crowdsourcing is a proven concept. OpenStreetMap works, Wikipedia works. Why couldn't we do this for IP addresses, right? And well, anybody can contribute. There is no need to be authoritative for the resources, and that's a problem that you have with putting this type of stuff in a registry, like RIPE database, there is geoloc in there but only so the authoritative source can feed it. There is a couple of people using DNS LOC; DN LOC Ring uses it, [] inordinate uses it, there is a couple of organisations that are actually using it but you have to be authoritative -- you have to have the reverse DNS delegated to you and then the forward because the LOC record is on the forward. So, if you are not authoritative, you are out of luck if you still know where an IP address is. But what you can also do here is add a confidence to this assertion that you make from an IP address to a location. So, you can say, I am 70% sure this is there and if somebody else has better knowledge if you are the operator, you can override that basically.
And because operators have the high quality knowledge, you can even think of schemes as anybody, if you are not authoritative, you can go up to 90% confidence. An operator can go over. And the other thing here is that this open IP map is more global than the RIPE NCC service region. I mean the Internet doesn't stop at the edge of the service region or at the edge of a country. So, this is wider than the RIPE NCC service region.

So, additional possibilities. There is some existing geoloc data, there is stuff in the RIPE database, research group CAIDA that I used to work for are also working on a similar project that is actually trying to automate figuring out the naming schemes and that type of information you could just put in here as low confidence information, so, it's automatic, so it could very well be wrong, especially for cases where -- this could be wrong for cases where people don't use automated systems to populate reverse DNS zones for instance. So, as a user, you can actually improve on that then.

Could have a suggestion engine in here, do a little bit of machine learning, artificial intelligence, if something is one character off, multiple interfaces at the same location, it's probably the same location. Can go fancy and capture the naming schemes, you could do that with just this tag is this location for this domain or you could use regular expressions which are more complex, so it lowers the amount of people that actually contribute but it can capture everything, or you could create a fancy tool to analyse domains to just take a domain, look up all the host names in it, and then just provides hundreds of these simple rules to actually populate this database.

And we have running code here. So, this is actually a basic functionality of this idea, and some of the additional possibilities to populate this database are there. So, what you see here is just a trace route, right. IPs, host names, RTTs, and this actually is from Poland eurovision.tv, which was maybe your customers were really interested in this event a week ago, so, and what you see here in this column is location, cities, so right now I have focused on city level. Green is this crowdsourced information. Right now the crowd is me.

So, I figured out, this is probably Warsaw and the other green one actually I took the IP addresses from PeeringDB IXPs took -- I took the peering LANs and shoved that in and so that's why this says it's in Amsterdam, but the whole remote peering kind of throws that a bit off so I put it in with lower confidence but still it's the only thing in there so it's what it's showing. But in red are things from a guessing engine that I created. And well, this is Frankfurt, this is Amsterdam, that's Amsterdam. And apologies to the people in the back of the room that this is really small and to the colour blind people, but -- this part is in red. But if you look carefully here if you can, PIRA here I guess it's Parana, Argentina, because that's the airport code and my guessing engine is too stupid to recognise CZ here for now, so, human input can correct all these errors and what you can do here is just -- it's an HTML input box, you type the right information in there, click okay, updates, gets you back into the database.

So, then just take three traceroutes from Poland to Tallinn, maybe that's important for you. And so, you can -- you put that information on a map and you can actually see three diverse paths. One to Russia, one to the Baltic states and one to western Europe. So pick your poison.

Another example from Poland and, three traceroutes from Poland to a destination in Poznan, and here the connection you see one that once goes through Germany, which is fine, but if you click on it you can actually verify if that crowdsourced information is correct and if it's not correct you can just correct it.

So, where do we want to go with this? We received a lot of support for developing this idea at RIPE 67 at the MAT Working Group, so that's why we started doing something on this. And the open question is: Is this going in the right direction? Do you want to see it go left or right or go in a different direction? It's up to you.

And the other question is: Do you want to see this as a service in the future? So, our current plan is to bootstrap this to see who the possibilities are, create a prototype service, publish code initial data to bootstrap this, but this is more global and so, should it be the NCC, the RIPE NCC running this or should it be something else? It's open to the community to decide what actually, what to do with this.

And the other thing is that if you want to know more about this or help, please contact us, my e-mail address is at the beginning of the presentation or if you have public comments, you can send them to the MAT Working Group, but so the other thing is that I'd like to see pioneers for using this, for testing this out, see what works and doesn't work. Over the week I have talked with a couple of people here that are very willing to help already, so that's encouraging, but if more people are interested, please step up.

And of course, updates to what we're doing, we have always published to RIPE Labs so that's a mechanism for you to keep up to date on where this is going.

So, that's it. I'll move back for the questions.

AUDIENCE SPEAKER: Lars Liman from NetNod. A fantastic list of opportunities and possibilities but what are the drawbacks?

EMILE ABEN: Well, one that we have already heard is that people might be afraid for having locations known. For instance, terrorist attacks or that type of threat, but -- so that's why I focused on the city level exclusively here. If you go deeper like to data centre level, that might actually be something that people are not comfortable with and that I could totally understand. But, that I see as a downside. And I mean, if you have more downsides, please speak up.

AUDIENCE SPEAKER: That was the one in my mind too. So I would encourage that if you, in this room, participate in this, make sure that you put a sufficient level of fuzziness into the coordinates that you submit to this --

EMILE ABEN: For now it's just like -- what I have implemented and it's up to everybody, it's just a city level, so it is a city. So, for terrorists to attack a whole city to get the Internet down there, that's probably I think a botnet might be more efficient for getting your infrastructure down.

AUDIENCE SPEAKER: One more question, Martin []. There is a way for marking address ranges as a global or something which like the moving around, something like the RIPE network using the conference that you can say don't attack the city, just assume it could be different every single time or like VPN users, same thing.

EMILE ABEN: I have two things currently that help in that. I have an option in there currently and it's totally that is just blank, like, this IP address no, don't try to geoloc this, and the other one is that this has timestamps, so, for the RIPE network, it just has timestamps and if information gets updated, then you get the latest or if you are asking for historic trace route or historically, what's the location of this IP address at this point in time, that type of information could also be stored. So I think that could -- does that answer your question?

AUDIENCE SPEAKER: Yes, but it doesn't solve the issue that you could say that if you had authority user and you know that this is like a RIPE like conference network or something that, that you can specifically exclude so people can't change it or update it, so, like, as an example, if people use Google location, most people think obviously -- right now, because what they chose upright now from the wireless and similar things from IP address ranges. So I worry about that part, so ahead of time like block it, say like I'm the authoritative user of this net block and I know this has moved around, it's a VPN or it's a conference network, don't let that update, just mark it as global unknown.

EMILE ABEN: That's a possibility that we could certainly explore, yes.

CHAIR: Before we go onto the next question, we are sort of out of time on this topic.

AUDIENCE SPEAKER: Geoff Huston. I'll really be quick. This isn't the first time that this kind of crowdsourcing-based geoloc has been done. Do you intend to leverage from the previous efforts and the previous databases that's down there already?

EMILE ABEN: You mean the [surang] world and IXP maps?

GEOFF HUSTON: Do you intend to populate your database with some of that material or do you intend to start afresh?

EMILE ABEN: Actually, that sort of comes back to that to CAIDA, in their -- in that naming scheme thing they have actually included [surang] world and all the other known ones, so, sucking that in as like low confidence information already give you that. It's just not implemented yet.

GEOFF HUSTON: But you intend to go down that path and leverage the existing?

EMILE ABEN: Yes.

AUDIENCE SPEAKER: Hi, Ragnar from Altibox. I love the initiative. I'm a great crowd source guy myself. I do a lot of different stuff. I see some interesting challenges when it comes down to the trueness of the guys actually putting things in here. You might have the black hats and stuff wanting to spoof their addresses and such, so we need to kind of find a way to trust the guy who actually enters stuff here, a point system or whatever.

EMILE ABEN: Yeah, it is -- I mean, every -- what you eventually get in a database is this user says this. So, you could grade users, you could do all kinds of stuff with like do I trust the confidentiality that this user puts onto it? That's certainly something to explore. Yes.

AUDIENCE SPEAKER: The second point is, in these days of transfers, that needs to be considered as well.

EMILE ABEN: Okay. Thanks.

CHAIR: Thank you very much, Emile.

(Applause)

Moving on. Our next presentation is the RIPE NCC technical report and it's Razvan going to give that.

RAZVAN OPREA: Morning everyone. I'm here on behalf of my team to give you a few information about what you have experienced in terms of network connectivity, Wi-Fi this week, but also to discuss a little bit about the other services that we provide and of course to get the feedback from you on future improvements and -- well what went better than last time, what went worse than last time, and how do we strike this balance.

We're going to start by discussing the connectivity. We have a cluster of two SRX240 Juniper routers, we have just put switches in between, four switches, with 48 ports. The access points that we have are Netgears with PoE. I could have just included the internal network map, but it was very, very hard to read from any kind of distance. It was pretty complex, there are four different patch rooms. One in the basement and three on different floors. And we ran a lot of connections ourselves.

Our peering is with the GTS. It goes via fibre optic from this hotel and also we have a radio link on the roof: 1 gigabit fibre and 300 megabit the radio link. During the setup weekend previously in the weeks prior to the meeting we have seen a lot of fluctuations on the radio link even though the installation had been performed successfully. When we inquired what the problem was, we found out that the hotel staff did some maintenance work, went there, moved it a little bit and we just -- one of my colleagues just went upstairs, put a big poster on the antennae and since then everything has been stable.

In terms of network traffic. Well, it's nothing out of the ordinary, except for some v6 traffic. So, the outgoing v6 traffic has a certain pattern, and we need to thank Jim Reid for that, he actually asked the permission to upload a lot of files and Colin was in the pub with him and he jokingly said, all right, you can just do it as long as you do it over v6 and he took it seriously, so, he tested our network and yeah, it was stable.

How many clients have you seen? Again, nothing out of the ordinary. Around 700. It's pretty much our standard.

Access points. We have on the ground floor and on the first floor where the side room was roughly 50 access points, and they have performed quite well. We actually used some of the -- they have also ethernet port so you can just plug in the Terminal Room, for instance, computers or laptops over there, they performed admirably.

50 access points actually. The hotel turned off their Wi-Fi. The conference area Wi-Fi access points had been turned off with the exception of three of them running and they were next to the Opera Room and also next to the bar area in the far corner. We did not cover the lobby, the lunch and the breakfast areas so if you have seen any RIPE MTG -- it was just something that was from an access point next to the registration desk or so on. That conference area was the one that we actually covered and we tested.

We had 2 SSIDs, exactly like the last time and previous times: one on 5 gigahertz, one on 2.4. There was one difference this time. We made the RIPE MTG the default SSID that a lot of you have already in their devices as the default for 5 gigahertz. We put another with RIPE MTG for 2.4 for those who can't support 5 gigahertz. We thought in this way we would encourage your device to say just pick the 5 gigahertz if possible by default and it did and I'm very happy to show you the radio mode distribution which shows that two thirds of all devices were connected on the 5 gigahertz and that means less interference and that generally leads to better performance. I hope it wasn't confusing for those who had to choose the RIPE MTG 2.4, but we tried to communicate that on the website and on the patches.

What do we see here in terms of SSIDs? Well, the RIPE MTG 1 has the biggest share obviously. And it's exactly as I saw -- as I said, two thirds it's the 5 gigahertz. And also, you can see some of the traffic on the experimental network that Marco has set up together with Jan.

Operating systems is pretty much the same picture as last time. We have Google Chrome, and I see that the operating system unknown is dropping, so that means that recognition is quite good. This is taken from the Aerohive Manager and it's, well a guess based on MAC addresses.

We have a webcast system. You have seen it. We are encoding H.264 and AAC. You can put it in VLC if you want to watch it, so we are providing three different ways, embedded in the website we will see the devices. Our stream goes directly to a publishing point in Amsterdam where it's actually being distributed and you can connect over there, so if you have seen the stream locally here it doesn't come local, it comes actually from Amsterdam.

And we have upgraded the quality of the stream in the side room. We have exactly the same equipment as we have here in the main room, I'm talking about cameras and TriCaster that you see in the picture here. If there were differences in the quality were due to the lights in the room and probably equipment that was the AV company we have outsourced some of the services like the projector and the mixing for the video wall.

The presentation system is actually the one in which, well I'm talking now. My colleague is prepping the next presentation and generally it works quite well without so many interruption as long as the agenda of course is being preserved and being respected, and generally it is. So, it's going quite well.

Remote presentations you have seen not so many, but important ones. We accept Skype, we accept Cisco, Jabber, VDL, we accept Google Hangouts and we are open to others, but I think these three should cover most of the needs in case you need to remotely present. We encourage you to do so if you cannot make it to the meeting. And you can also get feedback from the room, so basically a remote presenter will see you, will hear you and will be able to interact with you realtime.

Web services: [Mikne] was here this week as well, took care of the RIPE 68 website and also about the preparation upload mechanism. When you upload a presentation, just as being synchronised within a few minutes to the presentation systems.

Stenography: Again, the wonderful Aoife, Mary, Anna, led by Ronan, they have done a great job, we're all grateful, otherwise you wouldn't even understand me with some difficulty.

And we have the technical team. You have seen this slide before, you have seen it the entire week. It's us, the technical team that do not only the connectivity and the Wi-Fi, but things like the terminal room and the were you noting system and the power blocks, yes, the power blocks, actually I had this impression that as the technology evolves and laptops become better and better we need less power blocks, you know, we just keep on growing, and the room is bigger and people have this very reasonable expectation that there should be power, they should just sit anywhere and be able to charge the laptops, we provide that. We have roughly 6 hundred power blocks with a six way each. I'm fairly convinced that wherever you are now in this room, you are within the reach of a power block. Either next to you or in front of you.

But we also have an IT support -- oh, no... just making sure everybody is listening.

All right. Thank you very much. So, we have an IT support desk and it's upstairs on the first floor. We generally try to make ourselves visible, and it's a service that we just created for you, so we hope and we expect that you are going to use us even more next time. We help some of you with as much as we could, but -- yes -- we expect to be the first person, or the first entity you come to to just report any sort of issues and the sooner the better. Is something wrong with your laptop? Perhaps we can help? Or is there something wrong with the connectivity? Can you reach a prefix, perhaps you have been disconnected from the Wi-Fi. Those who actually came and asked us, they have seen that we have been helpful to, well the best effort possible.

And also, we have the e-mail address there, just send us please the feedback. We love to hear from you. What can we do better next time. What things we could improve on. So, just get in touch with us. And since the 25th anniversary, my last slide will be on a big thank you to all those who, during the time, during these 25 years, have contributed, have been part of the technical team at least once. And we're having here their names, the 38 names, including the current team, so I would like just to thank them for being here, they are in alphabetical order, not by year, and apologies if any has been forgotten, and please join me in thanking them for everything they have done in so many years and improving the meetings and supporting them hopefully better and better. Thank you.

(Applause)

If there are any comments and comments -- please...

CHAIR: Anybody got any questions about the setup?

RANDY BUSH: Next time, it would be really cool if somebody explained the technology that the stenographers are using.


STENOGRAPHER: We don't even know it ourselves... (fast fingers)

CHAIR: I think the technology the stenographers use will remain a secret and therefore in the controls of the Secret Working Group obviously. Maybe we can discuss it at the next Secret Working Group meeting.

AUDIENCE SPEAKER: Marco, co-chair of the IPv6 Working Group. I want to use this to say thank you to you and your team for helping us running the IPv6 network only. Andrei, who is probably listening in, was probably instrumental in providing the equipment and make this work. Once again, thank you.

CHAIR: Well thank you very much. One more talk from the Programme Committee side anyway, which is a lightning talk, so I'd like to ask Randy Bush to come up to the stage. And Randy, not being one for doing things by halves, is actually going to give us two talks for the price of one I believe. But he still only gets ten minutes to do it.

RANDY BUSH: Hi, Randy Bush, IIJ. You are going to try to get two talks for the price of one. This talk was given yesterday, so you can see the longer version of it on the website from the Cooperation Working Group yesterday.

This is about hardware security modules. And essentially, you know, there is all the horrors about what my Government and everybody else's Government is doing. Not very pretty. But what's funny is we're relying on hardware security modules, we are keeping our secret keys in HSMs, which are designed and made by Government contractors. US Government contractors, French, British, Israeli, etc., not very pretty. Do you trust them? I don't. So, what they are used for is lock boxes for private keys and also encryption. So you are trusting Government contractors for your privacy. We know how far that goes.

So, six months, four months ago, Jari Arkko, who is here from the ISG, Russ Housley, etc., said let's do something about this and they beat me up. So this is an IETF or ISOC project, though both contribute and essentially it's an open source reference design, we're not producing hardware, we're producing an open source reference design for hardware security modules. The idea is it's scalable, so, the first cut is FPGA and CPU, you could do higher speed options or lower speed options. You could just take the software and run it on an ARM chip. It's composable. Give me only the stuff that I need for DNSSEC.

But the real problem and the real difficulty is assurance. So, we're getting assurance essentially two ways. One is openness. And the other is the diversity of the design team. And the other part of the problem is the assured tool chain which is a really messy problem. I'll go into it in a second. The project is being run in as open as possible manner. All the mailing list is open. All the source is open, etc., and we do it to try to build trust in the project.

The design essentially looks like this, there is an FPGA, which has the ugly math, and random number generator, stuff like that. On the same chip boundary is a, maybe an ARM chip or whatever, that does the low level crypto that you think on P K S, etc. And this is a security boundary, so that if somebody tries to tamper with it, it blows up, etc. Then there is the off chip code that you are used to. And all the way up to the applications.

The real secondary problem is the tool chain. What are we making this week? Why do I trust the compiler? Okay. And in fact, you know, I have this joke on my laptop, I think it's the NSA, GCHQ, fighting to see who owns me today. I don't trust that chain. And when constructing assurance critical tools we need to maximise the comfort with the tool chain.

Way back in '84, Ken Thompson, who we all should know, did his Turing Award paper showing that a self-reproducing compiler could be Trojaned, and this stood the test of time until 2009. David Wheeler showed how you can use two compilers compiling each other, etc., to essentially get some assurance that the compiler is not Trojaned. Then you can use that to go down the tool chain, but at the bottom, once you get there you have to inspect the source. You get to libc, why do I trust that? And the problem in the open community today is we're not inspecting the source, which is really ugly.

So what are we going to do in this project? The first year at the end of this year, calendar year, we're hoping to have some prototypes. Next year people can build things with it and the third year hopefully people will make products out of it.

We really seek review. As I said, OpenSSL failed because of lack of good review.

We have minimal organisation. It's just - it's been run administratively out of [NordiNet] in Sweden. It's not that Sweden military is not spying on its own citizens, at least they are not bombing people half the world away. And so we have to thank Maria Hall, who you have all had the wisdom to elect to the Board here. And so we have some - we have six people doing this, you don't need an organisation with six engineers. And as I said, publish fundraising. Okay.

As I said, diverse technical team, transparency, auditability. Multinational, multi-stakeholder, financial transparency. You can say you don't want your logo on the front page but there is a donor page and cannot be anonymous. And no large donors.

And that's where to find the website. You'll notice that the servers are in Iceland, and if you're have had in privacy, you should know why.

The second talk is without slides.

So, people here know what route servers are on exchange points? Hello...

And so, you know what OpenFlow switches are? No you don't. They're not switches. They are forwarding engines. Right? They are not doing MAC level. They are doing OpenFlow junk is forwarding at layer 3. So - and you have seen the New Zealand boys, and unfortunately they are all boys, who did an OpenFlow switch for an exchange point where the route server handed the OpenFlow switch what the legitimate routes were. And so it would only forward - it would only allow you to forward to me what I had actually announced to you. You can't point default at me, etc., etc. So, this last six months we took the experiment further and this is mainly led by Josh Bailey from Google, Dean Pemberton, etc., the New Zealand gang, and what we did is we took the route server and we added RPKI. And this means that cannot send - I cannot send packets to something that isn't a validated origin. Okay. Cute trick because what I really like about it is, I have been on the roadshow for the RPKI and origin validation and BGPsec for a couple of years now and I always have to say, but realise that the data plane does not necessarily follow the control plane. Bingo. Now it does. The data plane enforced the control plane. Which I think is way cool. And I made it in one ten minutes. You're welcome. Questions?

CHAIR: We have got time for questions as well.

AUDIENCE SPEAKER: Benedikt Stockebrand, speaking for myself. With your crypto hardware does it include hardware - generation, because -

RANDY BUSH: Yes. And come talk to us about it. Currently, we have SHA1 hashes, SHA 256, SHA 512, we have got a significant part of the chain of the RNG but we are still arguing over the sources.

AUDIENCE SPEAKER: I might have something for you there.

RANDY BUSH: Such a deal. Please.

AUDIENCE SPEAKER: [Marcson], Amsterdam, can you please share some technical details how many route prefix -

RANDY BUSH: Yes, that's of course the problem with the OpenFlow switches is, as I said, they are really layer 3 forwarding engines. They are based on TCAM which we all know and love and how cheap it is - not - and therefore, the switches really don't have very many forwarding entries. And that's why it's in New Zealand. We don't have enough v4 addresses to give them to sheep yet, so that's really - I think it's - a few hundred routing entries in that environment.

AUDIENCE SPEAKER: A few hundred?

RANDY BUSH: Yes.

AUDIENCE SPEAKER: And what is the level of the traffic through exchange?

RANDY BUSH: I don't know. It's a small exchange.

AUDIENCE SPEAKER: Okay. Thank you.

CHAIR: Do you have a number?

AUDIENCE SPEAKER: Okay. So, Rafal from Juniper. Does this mean that in this OpenFlow we have just the next hop of the peering routers, right?

RANDY BUSH: That's what's in the OpenFlow, but the route server will not install that next hop for that prefix unless it came from something that was origin validated in the route server.

AUDIENCE SPEAKER: So on the control plane it is easy, it's easy to understand, but if I have 100 of entries in the TCAM and hundreds of thousands of the Internet prefixes -

RANDY BUSH: That's why it's in New Zealand. We didn't give addresses to the sheep.

AUDIENCE SPEAKER: So the ISP have a few hundred of addresses only.

RANDY BUSH: Right.

CHAIR: It works because it's small scale, basically. That's the point, Randy.

RANDY BUSH: Yes, and when you hardware jockeys give us some big TCAM, then it will scale, but in the meantime it won't. Let me pick on Juniper as an example for the other part of the talk, which isn't picking on Juniper at all but for instance the level of problems we're trying to work with in the CRYPTO stuff is we do this design and everybody is silly enough to believe in it and it looks good and we validate it in many ways and then Juniper says they have put it in a router, how do we validate that what they have put in is the same as what we agreed to in the design? How do we formally test it? This is an exceedingly difficult problem. No blame on Juniper and it could have been Cisco or anything. It's just how do you take an implementation and know that it's real?

AUDIENCE SPEAKER: I'm going to be quick. Robert Kisteleki. HSM topic. Quick question: How can I help? Is there a domain specific knowledge that you're looking for or anyone about anything?

RANDY BUSH: We're especially - well - there is an open mailing list you can see what we're arguing over today. We're interested in RNG issues this month, we're interested in the formal validation issues for all sorts of things. As I said, there is the tool chain. We can validate the C compiler, Verilog which is used to programme FPGAs, it's all proprietary. So, how do we validate that? And we do have a professor from KTH, she is really good at knowing the hardware has not been Trojaned and that - but, you know, how do you know that somebody has not weakened gates in the FPGA etc., so there is validating the entire mess in formal ways is the biggest hope. But, it's whatever you bring to the table, we are open, join the list, write, etc. If you are an expert in God help you, DNSSEC, there is going to be DNSSEC code up there, I can't see object slider is going to do a lot of that.

AUDIENCE SPEAKER: I am happy to bring whatever to the table.

CHAIR: Okay. Right. We really don't have time. We have to move on I'm afraid. We really don't have time. Sorry. It's a lightning talk. Ten minutes including Q&A.

(Applause)

CHAIR: That brings us to the end of this part of the Plenary content. I'd like to thank Lukasz for being our fantastic timekeeper here and also he was our local representative with the Polish for the event here. And I'd like to hand over to Rob.

ROB BLOKZIJL: Thank you. There are a couple of housekeeping items left from the meetings this week. There are two announcements coming out of Working Groups and I would like to invite Marco to report on the status of the connect BoF session earlier this week.

MARCO HOGEWONING: Hello. I am Marco. I am co-chair of the IPv6 Chair Working Group. We haven't done this reporting in a while. But just to quickly update you. I know you are all on this list. On our mailing list, so you have probably all seen the announcement of David Kessens who decided to, after 15 years of active duty as a co-chair of the IPv6 Working Group, to step down. So, I would like to once again thank him for all his hard work in progressing IPv6 in Europe and the RIPE community and everywhere else he could. That also means we have a vacancy. And David stepping down set Shane Kerr and me thinking, the other two co-chairs, time to rejuvenate the group, so, next to David, we have decided to also rotate ourselves out. Now, rest assured, we won't just go running for the exit right away, we will stick around and provide a soft landing for whoever is going to take over. But essentially that means that we have got multiple vacancies to fill and in a few meetings you will see a whole new set of co-chairs for the IPv6 Working Group. The process to select them hasn't been designed yet, etc., up to the Working Group so we're going to take that to the list and also I would like to state again here that if you are interested in becoming a co-chair of the IPv6 Working Group, then please make yourself known to the mailing list and we'll take it from there. So, that's all from me for now. If you need more information about the Working Group or the work involved, please find Shane, David or me or mail us and we can explain it to you.

So, yes, thanks, David. He is, unfortunately, not here. Hopefully we'll get an opportunity to say a proper farewell in person, but yeah, David Kessens, if you are listening or watching the webcast, thank you for all your hard work for the last 15 years.

(Applause)

ROB BLOKZIJL: Maybe I'm getting too old for this. The confusion was on my part. It's Remco who was going to announce the status of the connect BoF.

REMCO VAN MOOK: I actually have a couple of slides to go with this.

This is a talk on the Connect BoF. RIPE 67, the EIX Working Group decided to dissolve itself to make room for a new Working Group and a group of people resolved to go and work on a BoF to set up a new Working Group, so, with a bit of a broader subject and exchanges and brought in IP interconnection. The BoF happened yesterday. It was ably chaired by Nina - are you able to stand up - after last night. That's a compliment. Well done, Nina. Thank you.

So the BoF had three goals: reach consensus on a Charter for a future Working Group; select the chairs; and present content that may belong in that Working Group. So we all get a bit of a feeling of what we would do.

This is the Charter, page 1. If you were in the room, it was discussed and some minor nitpicking was going on. This was rough consensus. There is more to the Charter, including topics that we're going to be talking about but I'm going to keep it short. And the BoF selected a couple of Working Group Chairs which is me - I don't know why - and Florence Lavroff, who is on her way to Mexico right now. Then we come to the simple how to set up a Working Group. Which is, number one, you reach consensus on a Charter, which we did. Then you need to select the Working Group Chairs, which we did. And then the Working Group needs to be set up by the Plenary, and my question to this audience is can we please tick the final box? Thank you.

ROB BLOKZIJL: So, the proposal is - to you - do you agree that this would be a worthwhile addition to our set of activities? Show of hands. Yes? Good. Congratulations, Working Group.

This brings us to a few other things that need to be dealt with. In the first place, as I will, in a few moments, show you how large this meeting has been, but it always starts with the first people to register. And traditionally the first three to register and who sit it out during the whole week and are still present here get a little present. And the first three this time were Sergey Myasoedov. I think I know his system. From Monday morning next week, he is 24 hours a day on the RIPE website and is watching the opening moment of the registration for the next RIPE Meeting.

Next one is Raymond Jetten.

And the third one is Bengt Gorden, who doesn't seem to be here. So, tough...

And lucky, Daniel Stolpe - has left.

Alexandr Nikitin, I saw you this morning -

And this proves it pays to stay.

What else did we do this week? DNSMON had something organised with a prize attached, I have no idea what they did, but Robert, could you explain please.

Robert: We challenged people to find flags or things that looked like flags using the new DNSMON, zoom in, zoom out, change colours, that kind of thing and we actually had some submissions. There was someone from Austria who has found traces of the Austrian flag in the Austrian domain, that qualifies and that someone is Aaron Caplan.

ROB BLOKZIJL: Then we had the famous quiz on the occasion of 25 years of RIPE, testing your knowledge of the history of RIPE or your capabilities in using Google. But the people who put the quiz together made sure that if you only use Google, you lose. So -



SPEAKER: We had many submissions, and three of them were completely right, most people got almost all questions right but not everyone, so we got something to choose from, so, Rob, pick one...

And the winner is Michael Perzi.

ROB BLOKZIJL: Right. Since we are in this giving-away-prizes mood, the next - we have had an extremely interesting Plenary programme put together by the Programme Committee, and I would like to hand over the microphone to Filiz who is chairing the Programme Committee who will introduce you to the current members of the Programme Committee who put this together and I think we have a little prize for them.

FILIZ YILMAZ: Thank you, Rob. Well, before I call everyone here, I also want to thank all of you people here, because we select content for the Plenary but that content is submitted by you guys, so please keep up and let us know when you have a great idea.

So, this group is basically that worked for this meeting is Lukasz Bromirski, our local host, who gave a hand connecting PLNOG mostly for us. Will Hargrave, Mike Hughes, Shane Kerr, Brian Nisbet, if you are still standing, Benno Overeinder, Andrei Robachevsky, Job Snijders and Jan Zorz.

(Applause)

And one last thing, if I may, Rob, and we are going to get off the stage, I also want to thank Gergana a lot and RIPE NCC and Web Services who helped us a great deal. Not only this meeting but all the meetings. Thanks.

ROB BLOKZIJL: Lukasz, you are not done yet...

This has been, again, an extremely successful RIPE Meeting, I think. And I think, on behalf of all of you, I would like to thank our local host PLNOG, and Lukasz is the guy on behalf of PLNOG receives our thanks. RIPE meetings can only be successful with the hard work and involvement of a local host. So, PLNOG, thank you.

(Applause)

Right. Some statistics of this meeting. Past RIPE meetings. We see that we have, with the exception of 66, which was in Dublin, I think, a consistent number of participants. This, however, week, this week's meeting has been the largest ever, with 569 attendees checked in, of which 160 came for the first time to a RIPE Meeting. Now, you may think that that's one theory is that we always have over 100 newcomers at RIPE meetings and some people say yeah, it's people from the local community who take the opportunity to go to a RIPE Meeting and then when the RIPE Meeting moves to another city you never see them back. But we see that we have about 70% of newcomers who like it so much that they do return to RIPE meetings, which I think is a very encouraging statistic.

I want to remind you that we are always aiming for improvement, so the organisers of these RIPE meetings are extremely interested in your feedback, and you can find on the meeting page a link to a feedback form and please, please, please take some minutes of your time, either this afternoon or next week, to fill out the feedback questionnaire and nothing goes without prizes apparently in this RIPE world, so there are two prizes to be gotten there.

We are international. So this is where we are coming from. I'm sure you can all read this, especially not beyond the third or the fourth row, but the most - there are two things to note here, or three things. There are many blobs, so you come from many many different countries. That's good. The largest blob, as usual, is the United States of America, a well known part of the European region nowadays... and then as some people have indicated to me that there are a surprising number of people who, where the country has not been specified. Don't these people know where they live? No. This is mainly RIPE NCC staff who themselves come from many countries, so, the people who put this slide together decided to put them apart, but next time we will give a better indication what the second largest blob or third largest blob is. And as usual, the country where the RIPE Meeting takes place, in this case Poland, that's the third largest blob.

Type of organisation. Earlier this week I gave some historical facts about the RIPE and it was clear that in the early days it was almost a hundred percent academic background, academic institutions were involved in RIPE. The world has changed and now about half of you indicated you are in one way or the other to be considered to be part of the commercial Internet, the Internet industry. But it is also encouraging to see that there are quite a few other sectors of society interested in participating in RIPE. And it is only quite recently that we can see on such a pie chart, Government as a healthy participant.

Sponsors. Without hosts and sponsors it would be a difficult and boring meeting. Host and some of the sponsors help us to get the technical infrastructure in place, and most of the sponsors also participate in the social programme in the coffee breaks, the evenings, participating in more than consuming the things that are on offer. The socials are sponsored in a healthy way by sponsors and we thank all the sponsors. A round of applause please.

There is always the next RIPE Meeting. The next one is in the beginning of November in London, and sometime between now and November, the registration will open, and if you want to know when it opens exactly, you might ask Sergei.

Right. This brings me to almost the end of my involvement. As I announced at the end of last RIPE Meeting, this will be my last RIPE Meeting as Chairman of RIPE. On Tuesday, when we celebrated 25 years of RIPE, I gave my presentation, speech, I gave some of the memories of the first few years of RIPE, so I won't repeat that. I want, on a personal level, to say it has been an incredible experience and fantastic amount of pleasure that I have had in chairing these meetings and chairing this community. Otherwise I wouldn't have done it for 25 years, I think that is clear.

So, it is with a little bit of sadness that I step down, but I will not disappear. So, the next RIPE Meeting you might find me with a blue sticker, a newcomer to a RIPE Meeting, because I have never participated as the hundreds of you are doing at a RIPE Meeting; I have been either behind the screen or on the stage so I'm looking forward to my first RIPE Meeting where I can sit quietly and relaxed and be entertained by the meet and greet team.

Right... I also explained at the end of last RIPE Meeting that I did not want to be involved in designing complicated procedures for electing, selecting, voting on a successor, and that after some consultation with people whom I trusted to have the best in mind for RIPE and finding what I think an extremely good candidate and as I announced last RIPE Meeting, we are all very happy that Hans Petter Holen is willing and ready to take over as Chairman of RIPE

(Applause)

ROB BLOKZIJL: Now, my script has some mysterious things which I don't know about.


(Video)

(Presentation of the Internet to Hans Petter Holen)

We almost forgot the legacy space...

HANS PETTER HOLEN: So, no, Rob, you'll be out in the cold and remember the warmth of this community, I really have appreciated working with you, especially this last week where he worked closer with the hand over and son, all I have learned in these 20 years, it's really to you and the community, so, thank you very much. And I have brought you a small gift, so, while I prepare my two hour speech about what I'm going to do in the next 25 years, you can carefully unwrap this and see if it fits.

ROB BLOKZIJL: Thank you. I will go to a quiet corner...

HANS PETTER HOLEN: Okay. So, thank you very much for this, Rob. It's a great challenge. It was indeed big shoes to fill, I realise that. I have been here for some 20 years I think, first being involved with setting up two of the first LIRs in Norway in the beginning of the '90s, getting IP addresses then was just as important as now to run our network, but I sincerely think that this community is about much more than just the addresses and the registry. It's a great venue and it's a great place to meet and exchange ideas and to cooperate. And I think that's one of the very important things that I want to work to contribute to make sure that we keep it like that. It's not just keeping a phone book of IP addresses. We are a community that are here to make the Internet better.

I'm a strong proponent of the openness and inclusiveness and bottom-up processes that we have in this region. I really think that it's important that we make sure that not only this community but the Internet stays open and as a vehicle for communication for everybody. That's been an important part, an important driver for me in my work, starting at the university with the UUCP node and getting a connection to Russia in the days when the Soviet Union was falling apart, that's some of the things that sort of triggered me to stay in this community and make sure that we have an Internet that can help people to communicate, even in politically unstable times.

So, what about the next 25 years?

Well, since the term of chairmanship here is 25 years, I should probably have a 25-year plan. Well, Rob already challenged me there should be a procedure to replace me. I don't think I will work on that the first three months but during the next couple of years that's something we need to get in place, we are working on a procedure to elect and replace Working Group Chairs, that's been delegated to Working Groups to go through a bottom-up process, and I think that's really also for all you to think about. I'm your Chair to serve you and I am accountable to you. So you need to tell me what you expect of me. I think that's important rather than I tell you what to do. That's part of this community spirit, I think.

Other than that, I think we have an interesting challenge ahead of us. How to migrate to v6, how do we do that collectively? How do we make sure that the network stays open and transparent for end to end communication for the coming years, we're running out of IP addresses so IP address distribution policy for v4 is less and less important but registering who has which addresses is going to be more important. And certification as well. So I think we're going to change our focus as a community a bit from addresses this type that type, all addresses are equal, as has been said here, and we need to figure out how to keep a strong and good registry so we know who has the right to use or is using which addresses, so that we're not subject to hijacking or other things like that.

Other than that, I sort of look forward to hearing from you, what you expect from me over the coming years, and I'll try to go to most of the regionals in this region and of course all the RIPE meetings, so I really look forward to see you again there. Thank you.

(Applause)

And then I almost forgot. There is something that we have forgotten on this RIPE Meeting, so I guess there is yet another Working Group that usually reports here at the very end.

(Secret Working Group)


PAUL RENDEK: I was chosen to be a master of ceremonies at a very great time in your life when the Queen, the then-Queen of the Netherlands, Queen Beatrix, knighted you for your contribution not only to the Internet in the Netherlands but even beyond the borders of that country. So you can imagine that when they asked me to come here to provide some thank-yous to you, Rob, I had a huge smile on my face and I'm happy that I'm here.

So, before, actually, I go into thanking you and the community thanks you here, we have a few people, some of them that are here, some of them that are not here that we'd like to say thank you to you. I'd like to ask you to move your chair a bit so you need to be able to look at the screen.

(Video)

PAUL RENDEK: With that note from our colleagues from the Russian Internet community, I'd like to ask Dmitry to come up, they'd like to thank you personally.

Dmitry: Rob, now, on behalf of .zu domain, Ross and with the best wish from all our community, great thanks for your participation, for your role and contribution in building major Russian Internet institute and to develop our community.

It's not liquid... - some Samuel L James. I hope that you have got value of building community than keep in stone. Thank you.

PAUL RENDEK: Thanks very much and thanks to the Russian technical community.

I know that Rob has done very much for eastern Europe and specifically for the Russian technical community, so it's very nice to see a thanks coming from.

(Video)

PAUL RENDEK: Rob, I would like to also present you on behalf of the RIPE community and the RIPE NCC with some gifts, but before I do that I just wanted to say a few words. Earlier on we walked through kind of the history of what was going on in RIPE, how this all came together, all the achievements that Rob had, you know, you saw all the fights they had with moving things to the IP network that we currently now enjoy. I wanted to speak on a little bit of a different angle, because I think Rob has touched so many of us personally and, at the end of the day, it's really the people that matter. So, I know you don't like to be celebrated so I'm going to be as short as possible, Rob, I know you are not so keen on that but I do want to say a few words.

My path crossed with you 23 years ago this summer, which is a very long time. I was a very young man at that time, out of uni, and I was working for an organisation called RARE at the time, the NREN - which Rob was very heavily involved in. And from that time, actually, I already started to learn many things from Rob. I think specifically the things that I probably look back on that I remember from you the most is that you always taught me to be open, to share knowledge and to actually share the experiences with people, but also to be able to learn from others. And at the end, we need to stick together, and those points, I think, have, like, carried me all through years that I have worked with you over these 23 years. You played a very big role actually in the first real job that I had, which was at the first European ISP at EU NET because when I left there I went to work at U NET, some of you might remember that network, Axel is laughing because he was working there too at the time. And then it was great because I managed to move to an office that was just down the hall and up the stairs from you at Nikhef in the Netherlands. RIPE NCC was across the hall, it had just been formed. I had a little trip down memory lane with my old dear friend, Mirjam, who told me that probably one of the first RIPE meetings I would have walked into was about RIPE 16, where EU NET would have come to be part of that because I do remember leaving that and thinking, oh my God, what was that? I was not very familiar with any of this at that time. So of course we have come a really long way since that time and from EU NET through many other experiences, some other work that I had done I ended up at the RIPE NCC, also very much with some guidance from you.

I think this is where I had the most influence from Rob at the RIPE NCC. And it's funny, you don't realise this, most people are always looking for a mentor, you never find one when you're looking for one, it just kind of happens and I think that actually I have enjoyed that mentorship from you for so many years now, and I just want to thank you for that. So on behalf of probably everyone in this room, I just wanted to say that I, and we, are so proud and lucky to have been part of sticking together with you here at RIPE for the last 25 years. So thank you very much, Rob. Thank you.

(Applause)

We have a lovely plaque for you that can collect dust that you can wipe for the next 25 years with Lynn.

ROB BLOKZIJL: It's transparent so it must be good.

PAUL RENDEK: This is just something that we wanted you to have to remember your time here at RIPE. And the next thing, here we go - the Working Group Chairs, they had a send-off for you, so we're not going to ask them to come up but there is a slide here just to show that they did throw a party for you here, I heard you had a really nice time.

And there is another gift that we're going to present, but we didn't bring with us, to be and this one comes from the RIPE NCC, as you can see. We know that you're a fan of old maps, so we went digging around, and we thought this would be a lovely gift from the RIPE NCC to you, so that when you're at home you can take a look at all the wonderful places where you had held a RIPE Meeting and have a good laugh. So this is a gift from the RIPE NCC. It's already actually hanging in your home.

There is the certificate of this map, which is actually from 1762, and there is something that I wanted to read here.

To Rob Blokzijl, for changing the face of Europe and beyond for 25 years, thank you, the RIPE NCC.

So thank you very much again, Rob. Thanks.


(Applause)

ROB BLOKZIJL: Thank you all everybody. This nice video collection, that's a one-way stream, I think, so I'll contact these people off line.

So, either I can make this very long or I can keep it very short, and I think I will keep it very short. I want to, once more, thank you all for these 25 years, thank you all for your very kind words today, and as some of you, your little contributions said, we hope to see you. I think I will take that advice. So. See you all at the next RIPE Meeting hopefully, and thank you again.

(Applause)


SPEAKER: There are still a few more videos that we are going to show you and we actually received many many more but we had no time to show all of them. So we're going to put them all together and post them online and send - obviously hand them over to Rob, but also send you the link so you can enjoy all the other congratulations, so let's really the rest...

(Video)

PAUL RENDEK: That brings us to the end of the session. Rob Blokzijl. Thank you very much.

(Applause)

HANS PETTER HOLEN: It's time for my first official duty. That is to close this RIPE Meeting. Thank you very much to everybody. Thanks to the technical staff, to the host and a special thanks to you, Rob, again, and to everybody. Safe trip home and see you all in London.

LIVE CAPTIONING BY MARY McKEON RMR, CRR, CBC

DOYLE COURT REPORTERS LTD, DUBLIN, IRELAND.

WWW.DCR.IE