These are unedited transcripts and may contain errors.


Plenary session

Monday, 12 May, 2014, at 2 p.m.:

ROB BLOKZIJL: Good afternoon. If the last people wandering around can find a chair, then we can start this.

The RIPE meeting, and it's RIPE number 68, or that is just a number, but we have a few more interesting numbers. This is exactly 25 years after the first RIPE meeting, and I think that nobody who was there 25 years ago could have imagined that we would be here in great numbers 25 years later, working for a whole week on the coordination of the Internet, because that is what our mandate says.

Numbers:

The RIPE NCC, a few months ago, passed the 10,000 members milestone. It's just a number, but I think it's a very impressive number. At this meeting, we have 575 attendees registered, of which 423 have already checked in so I think it's safe to predict that this meeting in Warsaw will break all records, as far as numbers of participants is concerned.

Also, we are very pleased to welcome the 101 newcomers who have already checked in out of the 163 who are registered, so it shows that we still succeed in attracting new participants.

RIPE meetings. I think it is appropriate to reflect that these meetings are open to everyone; it's not a RIPE NCC membership closed meeting. Everyone means everyone who has an interest in the developing of the Internet in our service region, which is Europe, the Middle East, Central Asia, and we bring together people from different backgrounds, different cultures, nationalities, beliefs, genders and I am sure there are other markers that one can insert here. And it's kind of a challenge to make sure that this is a safe, supportive and respectful environment.

Our experience, so far, is that the overwhelming number of participants of you, after a week of RIPE meetings, have had a very, very joyful week, but with these number of participants and the wide variety in backgrounds, it's good to remember that sometimes things can go wrong. If you have any concerns, you can contact our dedicated staff. We have two staff members of the RIPE NCC who are there, among their other duties, to listen to your complaints, concerns, whatever you might have, whenever you feel something is not right, and of course, all these conversations will be strictly confidential. So Nick and Mirjam are here to help you with whatever, except policy proposals.

So, I have a few more things to announce if you are using a laptop, an iPad or iPhone or -- without iPad, phone or laptop, you might have noticed that there is an experimental IPv6-only network. This is an experiment of the IPv6 Working Group, it is not a RIPE NCC technical department supported service, but it's not the first time we do this; we did it at the last RIPE meeting as well. The purpose of this is, we have been talking for 15 years or longer about IPv6 as being ready to be deployed, so it's about time to do some deployment, and if you are interested in the future of the Internet, try this network out. And based upon experience from the last RIPE meeting, it works. Not all the time; there might be glitches. If you find glitches, contact people from the IPv6 Working Group. I don't know -- Marco, are you here?

SPEAKER: He is with the students.

ROB BLOKZIJL: Anyway, you are encouraged to try this experimental network. 25 years of RIPE, we will have some special sessions dedicated to that. Tomorrow afternoon, the last session in the plenary has a special programme around 25 years of RIPE, and we have some other related programme items at the closing session on Friday.

Tonight, there is -- there are two social events. The first one from half past six until seven, that is a 30 minute social event. The title is "Meet the RIPE NCC Executive Board", in the foyer on the ground floor. And if you think, well, that is not very cordial, 30 minutes of beer, if there is beer, it will be immediately followed at the same place with the RIPE 68 welcome drinks.

So you are all invited for drinks and snacks tonight.

I think that is all I have to say about this particular meeting. Now, it's my great pleasure to invite Jakub Koziol from PLNOG, our meeting host this week, who would like to introduce PLNOG and say a few words. Jakub.

JAKUB KOZIOL: Hi. It is nice to meet you. You can also call me Kuba in short. If it's hard for you to remember you can connect that with the drink. I hope that during the welcome drink we will be able to have some beer, if they run out of it because yesterday during the before party I was told the hotel ran out of beer. So they have to switch to vodka and vodka. And vodka. I am very happy that PLNOG became the host of the RIPE 68 meeting in Warsaw. I am very glad that so many people from the RIPE community decided to come to Poland, and it is very -- it's an honour for me to host you here. For me, RIPE meeting is like touching the history of PLNOG. In the corridors in the foyer I met Jan, Martin Levy, and other speakers who I know from the past who came to the PLNOG and who helped us promote the event internationally.

I am very happy that you decided to come here again and that I can meet you again in Warsaw. Today, I attended the newcomers' info, which was hosted by the representatives of RIPE, and I found out -- especially one sentence I am keeping in my mind, that the RIPE and the PLNOG community are there almost the same. What does it mean? That the past of those both meetings, they are similar, which means that it was the beginning of those meetings -- it was just a group, a bunch of people, of friends, who were orientated on the Internet, on the IP issues. They decided they want to meet and they want to meet each other once a year, two times a year, etc., etc., and this is how the -- through this whispering promotion, this is how the number of attendees, the number of people who are in this room, who are attending the PLNOG, because recently during the last edition we had almost 800 attendees at PLNOG. This is the success of both those events and I am happy that the RIPE community is getting bigger and also the Internet community around the world is getting bigger and I am very happy that I have you here. I wish you a great stay and hope you will have five extremely interesting days here in the capital city of Poland and I hope that we will meet at another RIPE meeting or another event organised by the foundation. Thank you.
(Applause)

ROB BLOKZIJL: Thank you Kuba. Now, this is the end of what I had to tell you. I will now hand over to Filiz which will Matjaz Straus Istenic, the chairperson of the Programme Committee (Filiz) who will introduce the Programme Committee and will further chair this session.

FILIZ YILMAZ: Hello everyone. I would like to give you an update from the RIPE Programme Committee but first of all I want to welcome everybody to this very special meeting in beautiful Warsaw. We got a little support from the community here from PLNOG. This is also special because it's the 25th year of RIPE, so I am very excited being here, and welcome, I want to start with that.

And so, what do we do? Very quickly, we are responsible as a Programme Committee for the content of the plenary sessions. Those sessions take mainly part on the Monday, Tuesday and part of the Friday. Not only the plenary sessions and the plenary talks, you will see in those days, but also we had tutorials this morning. I do hope you manage to sneak in those rooms and see a bit of them. I heard they were pretty good but let us know. We had three of them this year, or this meeting.

We are also responsible for the BoF, bird of feather sessions, together with workshops, although this meeting we don't have any workshops scheduled.

So, if you have any comments in regards to these parts of the meeting, of the whole week, come and talk to us, we are the guys to blame if you don't like or if you want to see different things we are the ones to provide that feedback. The Working Group Chairs are responsible for the Working Group sessions that take mainly place on Wednesday and Thursdays. So that is the general layout.

So, for the plenary content, what we are aiming to do, obviously, this is a networking event, this is about European networks as it is very clearly laid out in the name of RIPE, in the brand of RIPE. It needs to appeal to you guys in terms of the content itself, but as we are seeing more and more over the years as Internet grows, the networks get even more complicated, there is interesting correlation between policy and engineering side of things. And that is mainly getting manifested on the operational base, so we want -- we try to bring that content to you as well. So we want to balance it out.

The one other thing to consider is we have 30 minutes of sessions or speaking slots for the speakers in the plenary, not everything can be obviously laid out very clearly in those sessions. So in that sense, we are trying to complement the Working Group sessions where things can be worked through in more detail. In fact, for that, we have one dedicated RIPE PC member who is in constant coordination with the Working Group Chairs, if you see a content proposal that will not maybe fit in 30 minutes and can benefit from a longer session in a Working Group session. Then we try to manage that together with them.


One thing obviously we try to motivate the RIPE meeting attendance, this part of half of the week, so I am very happy to see increasing numbers on the -- in the RIPE meetings, and there is some element of entertainment as well so not every talk you will see here will be similar to each other or identical; we try to keep an open view towards the content of the real detail of any talk.

So, who are we? These are the faces and they are all in the ground except Osama. Lucas has been our contact from the local community. He had been contacting us with the PLNOG. This is what I do -- what we do often when we have a meeting in a particular area, we want to connect with the local community and we have a representative from the local host, this time it was Lucas. Unfortunately we hear he has been down with the flu but I hope he will get well very soon and joining us here. We have Will, Mike, Brian, he is the contacting member to the Working Group Chairs, Benno, Andrei, Job, Shane, Jan and myself. Now, if you are interested, we have two seats for elections coming up this meeting, and there is more information in this link I put over this. These slides are already in the system so you can copy and paste the link or you can go to the meeting site and follow this link programme RIPE community, become a member. We are looking for, you know, candidates from you, hopefully, and for those who would like to vote on the elections on Friday, you will need your RIPE NCC access account enabled so make sure that works.

But before you jump into the position, I would like to show you a few slides where you can see what the cost and benefit of being a RIPE PC member. It is work. The expectations are, all this content obviously is selected proposals but we chase after those proposals, often, so first job is recruiting speakers, and that means you may be attending meetings and then you see some kind of interesting presentation there or you have a chat with engineer or operator and you think they can bring an interesting talk to the RIPE meetings so then you chase them.

And after that, once the proposals are getting in, it is expected from you to read and comment and rate on those proposals. And the numbers differ between 40 to 70, depending on the meeting. There are three or four conference calls which happen in central European time, and we expect everybody to respond and be in contact throughout all times on our mailing list, so availability is an important factor.

Now, what the benefits are: You get satisfaction for serving the community. While doing that, obviously you get a bit of industry and peer visibility but this is the main thing, really, otherwise it's a lot of work. But it's fun, too, it's a nice group of people that I find myself working with, so come and join us. If you would like to.

Before doing that you may also want to look at our charter where responsibilities and roles are greatly laid out and this was our recent activity. We had an update and received a nice round RIPE document number, 600. So we are not going to change it any more. Once we have this, no. But yes, the main changes are that we had an expansion a couple of meetings ago, we went from 8 members or 8 seats to 12 and that was not reflected on the document. There was also some housekeeping information that we wanted to reflect publicly in the document, so here you go, it's out there.

Now, a few numbers about RIPE 68 for this meeting. I must say, the number of proposals we actually received this meeting is quite low, compared to the previous meetings. And there might be different explanations for that. However, it came in handy to be honest with you, because as -- this is a special meeting, as I said, the 25th year of RIPE, and as Rob announced, there will be some special session tomorrow which will happen in the plenary prime time, so we were able to give space for those and so it worked out pretty well, actually. And we managed to stick with our target deadlines. As you may remember two months before the meeting we tried to publish a draft agenda so you kind of have an idea who is going to be presenting, and -- or what kind of topics will be touched upon and not -- one month before the actual meeting, the final agenda is published and we reached those goals, which is great.

Now, due to the celebrations we also have a little bit of, you know, deficiency in the number of lightning talks that we can provide this time. We know that you love lightning talks, they are always about hot topics, actual topics, recent topics, they are short and fun, but this time we don't have many slots for those. The three slots that are already occupied today, they will happen in the afternoon, and there are a few for the Friday, so if you have still a good idea that you want to share with the audience here, you can still send them to us on the normal meeting proposal page. Note that you will only get ten minutes, and we want you to balance that out with five minutes talking and five minutes Q and A.

Well you can help a little more by giving feedback to us. Best of -- best ways are to rate the talks, and there is always a prize. I checked with the RIPE NCC people and I am not putting people on the spot. There is a prize, definitely. There is a voucher from Amazon. So please, rate the talks. You will see the talks will be enabled for voting on the plenary web page or the agenda page, and you can write to us and please talk to us. This is important.

Well, that is it from me. Again, very welcome to Warsaw and I wish you have a great meeting, you enjoy very much, and I hope you don't have many questions because this is a regular standard RIPE update and if not, then I will move on with our first speaker, and we can start the programme, that will be Greg Hankins and he will talk about the Overlay Networks for Internet services. Thank you.
(Applause)

GREG HANKINS: Good afternoon. So thrilled to be here, thanks for having me. I want to talk to you about EVPNs and give you an overlay of what it is about. EVPNs is a new network technology for overlay services, talk about the background, the motivation, talk about some of the nuts and bolts at a high level, you can read the Internet drafts if you want to know all the details, but I will try and summarise the operations and we will talk about some things you can do with the EVPN.

If you look at how Ethernet technology and services have evolved, we have seen a couple of different evolutions, the speeds and services that run on top of that. So this is just kind of another evolution, it's not really a revolution or anything drastically different, it's just extending the technology that we have to provide more advanced services and in fact we have several technologies but we can't do all the things we would like to do with those.

Why another EVPN technology? We have MPLS and VPLS, PBB, they work well, and great for Ethernet services but really if you look at how the operations has evolved, the control plane hasn't changed at all and we still rely on this flooding and learning in order to build the forwarding database. Introducing a new model based on about a decade of operational experience with VPLS, it also incorporates service delivery over layer 3 networks and it really abstracts and separates the control planes so we have MP-BGP as a control plane and a choice of different data planes and allows you to do different things that meet emerging applications in your network like data centre network, cloud and integrated services that deliver a layer 3 and a Layer 2 VPN on the same interface and this is all about taking out technologies and making it simpler with no overlay technology, it just runs over IP.

So the operational benefits, this is the network operator version, so integrated services I mentioned delivering Layer 2 and 3 services on the same interface or the same VLAN from within the same technology so you don't need a Layer 2 VPLS and layer 3 on top to have at that provide two services, it gives you layer 3 with operation but with Layer 2 capability. Efficiency is a very big component so we have this concept called all active multi-homing, it means that two links are active, two or more are active at the same time. And this allows you to do load balancing between the PEs, so it's something we don't do with VPLS. Design flexibility there is a choice of data planes over IP, the provisioning and management because we are using a single technology to provide a layer 2 and layer 3 EVPN services, that gives you greater control. You have the ability to programme your MACs and IPs from the whole network into the control plane and that eliminates ARP and ND flooding and things like that. If we had to translate this into marketing buzz words NFV, SDN and probably cloud services.

So EVPN: Status, it's definitely the hot new technology, there are a tonne of new drafts, you can see the whole list there. Some of these are actually expired in the last couple of weeks so they might not all be active. The most important ones are the base specification so that went to Working Group last call on Friday so we expect that to be an RFC fairly soon. We don't expect any more changes, the -05 and 06 and final 07 integrated a lot of comments and there is the requirements documents which we don't expect to change and the PBB draft which we don't expect to change.

From the authorship perspective, this is not a single technology that one vendor or network operator is trying to push through the IETF, this is a diverse set of network operators and vendors that are writing this set of Internet drafts and shipping implementations have been available for some time so you can actually go get the code, download it and configure something today. This is not something that is coming in the future, it's not vapourware, it's already there today.

The data planes and control plane:

It uses an MP-BGP control plane so that's the series MAC information, that is specified in the base EVPN draft and we have a choice of data planes, there are several other data planes that are being defined, you can see on the previous slide some other data planes but these are the ones that are the most mature and have shipping implementations right now, the first is MPLS, defined in the base specification, this allows you to do ethernet services over MPLS, just as you would with VPLS today but of course the benefit of multi-homing and all active networks.

The variation on top of MPLS using PBB so this is really for scaling large networks if you have a lot of MACs in your network, or you want to abstract or protect the MACs in your network you can use PBB at the PE to substitute a customer MAC with backbone MAC and the last one is ND O overlay, this could be the VXLAN or MPLS, the implementation that is shipping and most advanced today is the VXLAN one and I will tell you about all these in a couple of slides.

So under the control plane, as I mentioned this is using MP-BGP so gives us the inherent BGP scalability for control planes that we already use for IP routing so the availability to scale up to several million MAC IP combinations. It gives us a consistent forwarding database, so every router has a consistent view of the forwarding database. And we can add in more scalability or if we use more route reflectors, now we love from BGP for Layer 2

IPv6 ready from the very beginning, the frame that you see there or the header is a MAC advertisement route, you can see there is no difference in frame for IPv4, IPv6, it's all integrated and just uses a length to tell the router if it's v4 or v6 address.

Concepts: I hate showing a slide full of terminology but unfortunately EVPN introduces several new concepts and we have to get a bait liven the concepts or else you won't know anything that is going on. We have the concept of control plane learning, data plane encapsulations, we still have data plane learning at the edge so you see the PE at the edge that is connected to the CE obviously there will be some learning there, and then it will take that MAC IP address and advertise it into the control plane with MP-BGP.

Other important things are the concept of the CE. This can be any type of edge device, a host, server with VM, a switch, edge router so whatever is connected as a CE, and in my slides I mostly use routers as an example but that is just really an example.

And the other important thing we need to talk about is the two modes, so we have single active and all active. Single active is multi-homing to a pair of PEs that are probably using some sort of multi-chassis trunking protocol, so they appear as one logical chassis to the CE but they are actually two real chassises and we have the concept of all active mode, this is the same thing except all links are active and this is one of the key benefits and you will see it over again in the slide that they talk about all active so it's a very important concept.

From a services standpoint these are the services that EVPN defines. This is not something new that we can't offer today. It's just the way the EVPN draft defines them, there are three main services that they talk about in EVPN: VLAN based service interface, this is you provide a Layer 2 connection, it's a Layer 2 pipe over network. A bundle interface is providing multiple VLANs over that pipe, and then the VLAN aware bundle service interface actually separates them out into multiple bridge domains, so all things we do today is defined in different terminology for EVPN.

Let's talk about the operations, there are several things that it does in order to make Ethernet work over an overlay. And these are kind of the key highlights and I will tell you about the different data planes that I talked about before in more detail and there is a lot of detail on these slides so I will kind of skip through them because the detail tends to be kind of boring. I tend to summarise them at a high level for you. With all active multi-homing now we have the problems that there can be loops, so obviously we don't want loops in the network so we have to control the way that broadcasts unknown Unicast and multicast frames are flooded at the edge so we don't want to duplicate frames over the network so we have a mechanism to control flooding from the core to the CE, something called the DF is a router that is elected to be the designated forwarder and then that router forwards all the broadcast and Unicast and multicast frames to the CE from the core of the network.

We also have the other direction, so we want to control flooding from the CE to the core, obviously we don't want flooded packets to be looped back on the segment so the way that works is the PEs have a split Horizon label that they advertise and then the other PE that is attached to it then knows to block those echos.

So again we don't want to echo frames.

Proxy ARP/ND -- this is kind of important concept and especially for Layer 2 and layer 3 data centre interconnects so I want to spend time on this. If you look at how networks work today and an orchestrated network means that you know all the MAC IP combinations so there is really no reason to have flooding. This could be in a large data centre or you know that MAC and IP combinations of all your VMs, at an Internet exchanges, so you really don't need ARP/ND anymore and it will be a security risk or even scalability issues in large networks. So in particular some of the Internet Exchanges have published studies for their peering fabrics where it takes up a significant amount on the bandwidth and a significant resource drain so with EVPN because you have the ability to programme the MACs or even eliminate it entirely so the PEs have the ability to proxy ARP/ND onto the local segment so if a connected CE device sends out an ARP request or an ND request, the local PE will proxy that answer on to the segment and it's never flooded over the core to the other devices on the network. You can disable learning and snooping entirely if you programme your network statically from a central management database so this is a really key advantage.

Aliasing, in the case a MAC address not learned on a particular segment, this enables that it can load balance and do all active multi?homing.

MAC mobility, this is important. Obviously if you have a Layer 2 network, MACs can move, this is kind of how Layer 2 networks work. So we have to handle that case where a MAC address moves from one PE to another. The way that this works then is that if a MAC moves that you would have two active routes, one that is to the old destination and one to the new destination so EVPN uses sequence numbers that are an extended community in order to differentiate the age of the route. So the highest sequence number route is the lower sequence numbers are discarded.

This also helps us for MAC duplication, this is how it's specified in the EVPN draft. We refer to this as rapid movement or looping in some cases. So this is also used for loop control. The neat thing about this is normally in a Layer 2 network when you have a loop the whole port is flooded or you shut it down. With EVPN this is actually a per MAC loop control mechanism so it actually works because it uses the MAC IP route to detect the duplication it can shut down a loop for a single MAC address only. It has a hold down and back-off mechanism so if you detect a certain number of moves within a certain number of time the MAC is considered to be a duplicate and then the PE stops advertising the route and then you can have, depends on the vendor implementation but there can be some sort of automated back-off mechanism that is the route or you can have the operator manually clear it.

MAC mass withdraw, this is an optimisation, if an entire link fails then all MAC routes for that segment are withdrawn and you don't have to send potentially thousands or a bunch of update messages so just an operational improvement. This is another important point. The default gateway and you can extend this into adding IP address into the Ethernet VPN. In the base specification it supports a default gateway and it lets you inject more routes the way it works you would set a default gateway on all the PEs in your network and set them to use the same MAC address. When you have a MAC address or a station that is moved across the network since the default gateway MAC addresses are the same, then it just optimises routing and forwards directly to that attached gateway so you don't have the situation where you have a machine or a VM or something that moves across the network and then still have a MAC address for the router that is on the other side of the network and so it trombones traffic around. We want to avoid that. This allows you to efficiently forward it to the closest next-hop.

The data planes. The base specification mentioned MPLS, this is the MPLS we know and love, whatever, uses fast reroute, whatever you have running today. You put EVPN on top of that, obviously you have top an IGP as well so MPLS runs in the control plane and the data plane of the network and then you also have EVPN then that runs in the control planes as an overlay network.

And this is not used LSPs.

PBB EVPN this is the optimisation that I mentioned. You have networks that are out of your control, so you don't want a customer's MAC address to influence a decision in your backbone you can use PBB to abstract that so that the customer MACs are represented by a backbone MAC. It's kind of like route aggregation, so scaling for a large number of networks, this is probably where you would run PBB at the edge and it still uses MPLS in the control planes so no different than the previous slide.

The last encapsulation is VXLAN is quite popular in the data centre, you might have heard of it in relation to VMs and virtualization and things like that. It's becoming popular as just an overlay over IP networks, it's really simple and uses an IP data plane, runs over any IP network. As I mentioned this is the most defined encapsulation, you can also -- important point here is that normally with VXLAN you also have to run PIM for the multicast and the replications so in the simplified case if you have the PE doing replication you don't need to run PIM, all you need is Unicast IP network and you can use VXLAN. So this provides all the overlay functionality that you need, the IP reachability, you just use the IGP and EVPN using the BGP control plane to do the MAC advertisements.

So a little more about VXLAN. It's just a way to encapsulate ethernet and IP, it's a small header and a VXLAN header stuck on top of that, it can be run over v4 and 6, it's an IP network, we don't distinguish, because it's routable with IP the underlying network can just be anything so you can use IP load balancing and fast reroute mechanisms and ECMP, a combination of IP networks or you can actually even use an IP network that terminates VXLAN on a VM so you can tunnel right to VM on a hypervisor so it's really flexible and kind of cool in that way.

The use cases. This is the most popular one and the one that EVPN was built to address first but this is if you have a data centre interconnect, it could be Layer 2 or 3, basically you have an overlay network that connects the two segments together so that they appear as one local Ethernet segment. EVPN again using the MAC mobility so you have VMs that can move around the gateway that optimises the routing of the shortest path and again all the benefits of EVPN for data centre interconnect so we have the all active multi-homing, you can lock down ARP and ND flooding by programming the network and ability to deliver Layer 2 and 3 services on the same interface or VLAN.

You can also use it to provide business services in infrastructure networks, so if you are a service provider and you have a customer, you are doing VPLS or offering them a layer 3 VPN, you can offer them EVPN and offer them the same Layer 2 and 3 services on the same interface, so a big benefit of EVPN is to offer integrated services on the same interface, you are using EVPN you don't have two separate technologies and you can have this all active or single active, depending on the type of service you want to sell your customer. You can provide this over any core network, MPLS without you can use VXLAN to do that.

The last use case that we see people interested in is just site to site network so this is if you are a network operator and you need to connect two sites maybe by a couple of different providers and different locations well, it's hard to do that with MPLS because you don't actually have end-to-end MPLS through your transit providers but if you use EVPN you can just fire up a VPN using the VXLAN, they don't know what is in it or really care. All you care about is your IP packets are delivered and you can build an overlay over whatever sites you need to interconnect. This is a cool technology for ad hoc or permanent site to site networks. It provides all the benefits.

So a summary: EVPN is a next generation ethernet service delivery technology, Layer 2 and 3 services. We use MP-BGP for a consistent FDB, so it's signalled across all routers in the network. It gives you layer 3 VPN like operation, for scalability but for Layer 2 networks. We have the load balancing and all active multi-homing which is very important. And again the ability to deliver a Layer 2 and a layer 3 services over the same interface or same VLAN to a customer and then if you want to orchestrate the network you can provision the ARP and ND entirely throughout the network and use the PEs to proxy that functionality to the host on the local network and again encapsulation choices MPLS, PBB MPLS or VXLAN. There is more information in the Layer 2 EVPN Working Group so you can go to the Working Group and I have listed all the most important Internet drafts here. The ones I would read are the requirements and then the base draft and then the usage draft also has some interesting examples of how people can use this technology.

And that is a quick introduction to EVPN.

JAN ZORZ: Thank you, Greg. Are there any questions?

JAN ZORZ: We are very early, we have 20 minutes for questions.

SPEAKER: There is one from the chatting room. This is from Matthew at Jaguar network, can you have -- can you have BVI on your implementation of EVPN like it is possible on VPLS if you need L3 gateway on that L2 network? Do you want me to repeat that?

GREG HANKINS: Yes.

SPEAKER: OK. So can you have a BVI on your implementation of EVPN (like it is possible on VPLS), if you need an L3 gateway on that L2 network?

GREG HANKINS: I think the answer is yes. I am not sure exactly -- sorry, Matthew, I don't understand the question exactly. I think what you are asking is, can you have a layer 3 gateway within VPN? So yes you can and you can also inject a bunch of different routes into EVPN so that allows you to do the routing between the layer 3 services.

SPEAKER: I think I have other questions, too, here. From the room. From Sebastian, NORIS network, how is active active LAG implemented, LACP signalling?

GREG HANKINS: Unfortunately -- this is unfortunately the only place where there is a proprietary technology so unfortunately there is no IEEE standard to do multi-chassis LAGs so this would be depending on however your vendor does it and there are several -- I think every major router vendor has some sort of implementation for doing multi-chassis LAG, it just depends on how your vendor implements it.

SPEAKER: I have a clarification from the first question. There is a limitation on -- on PBB EVPN not allowing you to use BVI with it so I wanted to know if that was the same case on Alcatel-Lucent's implementation of VPN?

GREG HANKINS: That is a good question and I don't know the answer to that. I do know Matthew and I will do the first to find that out. I can't really answer that question because we are not shipping that functionality right now so I can find out what our plans for that is.

SPEAKER: This thing is on fire. I have many questions.

GREG HANKINS: Keep going.

SPEAKER: From James Blessing, you said available for Cisco, Juniper

GREG HANKINS: Yes.

SPEAKER: Is this widespread or just reflected hardware?

GREG HANKINS: I will answer for my company, in our 12.0 release that we came out with earlier this year it doesn't need any special hardware, as far as I know, but you should check with your vendor for their implementation details, but I know that the other vendors have been shipping for some period of time so I would assume that it's GA.

DANIEL KARRENBERG: Basically, standard question, maybe to amplify -- RIPE NCC -- how much running code, how many independent implementations, what kind of operational experience? I would have expected a slide that at least summarises what kind of maturity.


GREG HANKINS: That is a good question and I am a hardware vendor so I don't want to speak for others so I didn't put any details in there.

DANIEL KARRENBERG: We are among nerds here, this is not marketing. So tell us...

GREG HANKINS: A valid question. Right now, as far as I know, we are shipping EVPN VXLAN, Juniper is shipping EVPN, over MPLS and Cisco is shipping EVPN with PBB. As far as I know.

DANIEL KARRENBERG: Any of the centre operators?

GREG HANKINS: That is a good question. So far, because the technology is still evolving, there have been no interoperability events. I got this question when I presented at APRICOT I think. That is a good point, we need to do some inter-op testing when the implementations are ready. Right now I don't think that is ready yet.

DANIEL KARRENBERG: My apologies to the scribes, I will try to speak better English.

SPEAKER: I have more questions for you. This one is from Jan: How does it relate to shortest (Netherlands) path bridging implemented by Avaya?

GREG HANKINS: I would put SPB also under a separate technology, certainly there was a draft, I am not sure if it's expired or not, there is a draft listed in this list that talks about integrating SPB EVPN this would just be another technology that you would have to integrate in the same way with PBB works with EVPN, I assume you could do the same thing with SPB at the edge of your network over an EVPN core network so it should be possible and I think I found the draft, it's L2 VPN SPBN-EVPN.

SPEAKER: One more question from Matthew at Jaguar Network. Do you think some IXP will move from VPLS to EVPN in the coming future?

GREG HANKINS: That is a great question and I have it in the backup slides. I kind of took it out because it's very Internet exchange-specific but yes, absolutely, in a different version of this presentation that I gave at EURIX, I talked more about this slide but I think it is a great technology for Internet Exchanges and we have been talking to a couple of Internet Exchanges that are very interested but no one has deployed it yet so the way that this would work on an Internet Exchange fabric, again as I mentioned because you know all the MACs and IPs, this is a great mechanism to completely eliminate flooding and completely, you would programme all the MACs and IPs from a central databases and the PEs would do that proxy functionality to the attached members.

SPEAKER: Matthew also adds my question also goes to IXP operators in the room, smiley face.

GREG HANKINS: Should we take a quick survey?

SPEAKER: Will Hargrave from LONAP here. I am interested in this technology, this solves a lot of problems that we face, that many Internet Exchanges have experienced. And we are definitely interested in this technology.

SPEAKER: From ECIX, we are looking into that technology also and will have a test-bed next month together with agreeing about it to see if it's actually doable and if it has a future and not just some theoretic point.

SPEAKER: It's a simplified centre connect model, it has all the same benefits, we see a lot of interests in VPN for IXPs, definitely.

Maxim: Amsterdam Internet Exchange. We are also looking at this technology, they provide us some -- potentially this technology provides some benefits and removes some home made tools like -- Greg you said. So it will remove a lot of complexity but no IXP has --

GREG HANKINS: I think in particular it would eliminate the need for your ARP sponge because you wouldn't have the ARP flooding.

JAN ZORZ: More questions.

SPEAKER: From Nicholas from net flask, this question is: Is there any improvements or new features regarding Ethernet multicast in EVPN?

GREG HANKINS: Yes, so the whole all active multihoming and the optimisation -- I don't really talk about multicast too much, but definitely one of the goals is optimisation, I have it kind of here in the middle -- optimisation of multi-destination frame delivery so that is broadcast and unknown unicast and of course multicast so EVPN yes, is designed to optimise all these delivery frame mechanisms so definitely it would also optimise multicast. But again you have the distinction where you have to do ingress replication in some cases. So you would have to do that or else you have to have some sort of multicast protocol in the core network if you are using VXLAN. But yes, as long as you are doing ingress replication then there is no requirement for them.

JOB SNIJDERS: For myself. One of the properties of VPLS is that only one PE at any given time can advertise the reachability of a MAC address. I was curious with EVPN if you were, you know, to say spread out Microsoft load balancing across multi-data centres can you have shortest path first and multiple PEs advertise the same MAC address? Does it make sense?

GREG HANKINS: Yes. That is good question. I hadn't really thought about doing that sort of active and secondary. That is a good question, I am not sure of the answer. But it makes a lot of sense.

JOB SNIJDERS: You are kidding. Network load balancing for Microsoft does not make sense -- ethernet addresses is a desirable property.

GREG HANKINS: You see in the MAC -- I am sure you could do it. There is no real concept of -- all you have is the community that has the sequence number so there is -- I don't know if there is a concept of multi-active routes for a MAC. So that is why I say it's a good question. I am not sure of the answer.

DANIEL KARRENBERG: Another question. So I haven't really read the drafts and gone deeply into this; I just heard about it from you and a little bit before. But it strikes me that for solving some of the challenges, the Internet Exchanges face, this seems to be adding a rather large amount of complexity for some gain, let's put it that way. Would you agree with that or --

GREG HANKINS: Yes, certainly you add complexity but you can also take away complexity, so right now you use MPLS and VPLS so you have MPLS in a control plane in the data plane, and you have VPLS and you have an IGP, you can simplify that and just run EVPN over VXLAN so you take out the whole MPLS component and in fact a lot of Internet Exchanges have a very static topology so you could even just run static routes and you wouldn't need an IGP so you have VXLAN and EVPN and there you go.

DANIEL KARRENBERG: So you are saying, if I am hearing, you say if you basically eliminate routing altogether then the net complexity would go down, that is what you are saying?

GREG HANKINS: Yes. It's going to depend on the size of your network obviously, a large Internet Exchange has a much more dynamic topology than a smaller one. If I build an Internet Exchange I would static route between the PEs, I'd use EVPN as an overlay and there you go.

Will: It's a little early in the meeting perhaps to be disagreeing with Daniel but let's go for it. Basically what Greg said, the things that we are looking at are Internet Exchanges now are actually quite complicated, we are looking at multiple sets of LSPs in a -- between all of the PEs on our networks which grow to some quite large size. Internet Exchanges are bit more than some switches these days when you look at them to scale as I am sure you appreciate, we are always looking at new technologies and it's not really a problem for us, thanks.

JAN ZORZ: We should probably move forward.

SPEAKER: I have Sebastian Norris network. I will start with a comment he sends in the second part he says comment regarding load balancing from Microsoft, no, it doesn't make sense, it's horrible. And his question: Is there an implementation that will directly connect VMware -- VXLAN coming from to EVPN?

GREG HANKINS: Is there an implementation? Yes. I believe -- so Alcatel-Lucent has a small subset called Nuage Networks and this is exactly what they do, I don't want to talk about the details that have because I don't really want to talk about the marketing stuff but yes, there is at least one implementation that does that today.

JAN ZORZ: OK.

MIKE HUGHES: Mike Hughes. Talking about doing cook-offs into vendor stuff, where has it been happening, things like that or where do you think it's going to happen?

GREG HANKINS: My guess it would be coordinated within the IETF and the authors of the different drafts would just kind of get together. I have mentioned this to our guy that goes to the IETF, he is quite active in the L2 EVPN Working Group and I got that question at APRICOT that Daniel asked I mentioned, hey, we need to get together and do an inter-op, really, event, because I think it's important to do that.

SPEAKER: I think otherwise people will throw stones at it because of the three different implementations and angles.

GREG HANKINS: Absolutely agree. So I will keep -- I will keep asking, you know, if it's time to do that, but if you all could ask, then your questions to your vendors mean more than my questions internally. So I would encourage you all to ask about it.

SPEAKER: Last question from Matthew Jaguar Network: Vendor C goes with PBB EVPN. Vendor J with EVPN. Why doesn't Alcatel-Lucent and -- who will win between those two implementations?

GREG HANKINS: So every vendor has a business reason for supporting a feature. And in our case, we wanted to focus initially on the data centre interconnect so again we have a Nuage Networks company, they build the smaller scale edge switches for data centres so our goal in our initial release is to focus on the data centre interconnect functionality. I don't know, I can't speak for Cisco and Juniper as to what their goals were, that is why we focus on EVPN VXLAN and supporting for PBB EVPN in a future release.

SPEAKER: I can speak for Juniper, vendor J. We do exactly the same but in other order, that is it.

GREG HANKINS: Exactly. I think everyone will eventually get there. It's just certain companies have different priorities on what features they implement first because of where they are focusing the feature.

JAN ZORZ: Greg, thank you very much, it was a long presentation.
(Applause)

I like presentations when the discussion is longer than the presentation itself. I will do the housekeeping for the rest of the session. And our next speaker is Ondrej Filip from CZ.NIC and he will talk about the Project Turris.



ONDREJ FILIP: Just a small marketing vendor but I hope you know my company, we used to be a domain registry and now we have R and D department and small register -- we do many projects for the good of the Internet and I think for the RIPE community and BIRD and DNS and if you are interested in DNS we have some new fancy feature for IPv6 enabled so there will be a presentation on Wednesday morning so don't forget to be there. That is the end of my marketing window.

Let's return to the business. So, Project Turris, very new project and a bit larger than usually. It started with a not very interesting name project of shared cyber defence and with this project we wanted to follow three main goals:

First of all, we wanted to do some more security research than we did previously. We would like -- wanted to improve the end user security and really significantly improve the situation of SOHO routers to small CPE devices that you have in some very dark room below your table and connects you with Wi-Fi to the Internet.

So the security research part, we are doing all that stuff in, security we run some Honeynet and we have some analysers on top of it. But we don't know anything about the edges of the network, what is happening at the edges. So we wanted to have probes close to the end users, it sounds like the ideal -- this is a very different thing. So we wanted to have some probes distributed in many networks, in many geographic locations and do some analysis of the flows there, like anomaly detection. We wanted to be able to be routers so it can also protect the end users with service and firewall that would be built based on the collected data and also we could feed our national security team CSIRT.CZ which is run by us.

I hope you know the common problems but those devices are very cheap, probably all of us have them in homes. But it has very bad support of IPv6, if any. It has many problems, you know, with DNS, I am not mentioning DNSSEC, it doesn't do any validation. It doesn't support any third party application. You have CPU running in your home, could you use it for something else but you can't because it's not supported by a vendor. It has limited features, if any, and the main problem is it doesn't have any automated software upgrades so if there is any problem with those devices there is no way or easy way how to upgrade them, so those devices take forever unless they are hacked and they -- some has to be bought.

And, you know, there has been a lot of issues recently with those devices so many of them were hacked or hijacked or whatever.

So, the idea was to distribute about 1,000 of those probes, those SOHO routers to the end users. Technically it's not for free because of tax issues, it's less than a euro basically per three years.

We wanted to have routers powerful enough for one gigabit of traffic and while routing and analysing it so something very powerful and that has some power to do good analysis. And also we wanted on these routers to bring some new features, something that people can play with, so that is why maybe one more thing:

We didn't find on the market anything that can do this. We couldn't find any hardware that is capable of this. So that led us to the conclusion that we have to do some hardware development, to design our own routers.

So, this is a router Turris, that is the most visible part of it. It looks like that. It looks like normal routers but it's quite powerful. I have one and my young and sexy assistant has also one so you can look at it. It's powered too, he can show you how it works.

So, as you can see, this is normal router. By the way, it's not for sale. So you can put the wallets back to the pockets.

It has 1.2 gigahertz, 2 gigabyte of memory, it's more than ten times the normal routers have. It has a quarter gigabyte of flash for the main system and backup system in case something breaks, you can reset it back to the installation stage.

It has 5 gigabit interfaces, 5 LAN -- connects them to the CPU so it can be a little more than a gigabit, it has one gigabit interface that is directly connected to CPU. While you have switch you can make VLANs and reorder the logic of the ports, so people run 2 one ports gigabit and just for LAN ports so it's up to you how you play with it.

It has two express slots, one is occupied by Wi-Fi, three times three MIMO. A lot of pin outs for some future use or for some other games. It has one free micro SD slot, we designed it and couldn't find any use for it because the integrated flash memories are enough, you can just put an SD card into it and you have some capacity.

The power consumption is quite reasonable, it's not the lowest on the market, this hardware is quite powerful but it varies between nine and 14 volts, depends on the load and it use USB slots so you can plug some hard drives into it, that is not counted. In such cases the power consumption increases a little bit. You cannot buy it but you can make it by yourself, it's OpenSource. So although documentation and manufacturing plats are on the websites, so if you like it just make it yourself. I know it's not so easy.

This is just a picture of it and you can see the same picture.

This is just to believe me that we design it, this is part of the plan. As you can see all the wires has the same length because of the link between CPU and DDR3 memory so it has to be quite precise with timing and this is how it looks in reality when it's made.

It has one cool feature that is very popular among the people. We have a lot of users that are students and they have it in the same room where they sleep so you can just dim it by pressing a button or you can software -- manage it by software. So you can dim it for night and bright it for the day and it's RGB so you can do many, many other -- some people did synchronization with music, some people made a script. I don't know if you know the Knight Rider movie, the moving thing, some of those pieces have such features.

So it's very popular with some crazy users.

A little bit about the software. It's based on OpenWRT, it's OpenSource. We started to develop some things for OpenWRT which we plan to return to the main tree if accepted. We started to do some things that are handy for configuration so we created configuration wizard, it's based on NETCONF so we can also remotely configure it if needed. The configuration wizard is not for powerful users that need to plug it, fill a few fields and ready to go. The key feature which is the best one, it has automatic updates, and the users can, for example, say yeah, if that update requires reboot, send me a message and wait for seven days, if I don't do anything please reboot it between 3 and 5 a.m. So that is it. So very good, people don't have to care about it and it is very well so this is probably the only sort of router that was patched against the heartbeat attack, for example. It sends some security data to the central server there encrypted, it has a crypto chip inside so it is stored in the hardware. And if you receive -- this box, the only thing you need to do is to keep running a collector, a process that does the security research for us and you have to connect this device to the Internet and switch it on. You can play however you want with that; you can get root access, you can add some hardware. We don't limit, which is great because many people play with this, there are some people that connected USB sound card and made music server for their bathroom and stuff like that, and we like it, it's great that those guys play with this.

Other than that, it's fully supports IPv6, DNSSEC including validation and it really requires the user to set a password, strong password and stuff like that so it's not easy to configure it in the way that anyone can hack it, and also, we have an application so if you are home and you open up you can see load on the interfaces and a lot of not important data but people like it, of course.

What else can we do with that? We can use it also for network testing so we can do the basic reachability test or some protocol specific, the agreement allows us to send some packets so we can send like DNS packets to test or DNS and -- close as we think we are. Some speed measurements of the lines. We plan to use this for the national speed testing of how the networks really perform according with -- to what is declared by the ISPs. And one I think that we plan, we discussed with universities and researchers because many people have good ideas how this whole project can be reused for.

The key part of it, the data collection we develop our own OpenSource of course, daemon called micro collect or uCollect if you wish. It does some basic stuff and anomaly detection. We collect the firewall logs so anything that is dropped on the firewall we know about it and we analyse why this happens and what was that about. We also watch the router logs, whether the upgrade was okay that there are no problems and also some other measures like the temperature, the load, memory utilisation because these devices are for three years owned by us so we need to be sure that everything is on track. It's our first piece of hardware so we are quite careful with this.

A little bit about micro collect. It's modular system for data collection and reporting pick up library or something like that. It's two main modules, count which just do the basic stats, IPv4, IPv6, stuff like that. Which can be displayed to the end user on the end user portals so each end user logs into the portal and sees what the other flows and stuff like that.

The second module is called bucket. It's IP anomaly detection thing so it observes the traffic, if there is any anomaly it reports to the centre, if you collect more anomalies from more routers we try to analyse the anomaly and try to guess what that means, actually.

And again, it's transfer security as we have crypto chip so we wanted to minimise the risk that somebody will forge this report so that is the only not very open part because there is some key material in the crypto chip but everything is OpenSource as I said.

Here is some example of what reports that we have, some just really pictures. You can see IP address is reported by the system and if you would click it you will see how many routers were affected by this anomaly and what does it mean and stuff like that.

This is, for example, if you watch some of the anomaly you can see the routers that reported it, and how many times and so on. So, a lot of graphs which you can click overnight and you don't have to sleep.

We also owned whether those devices are online, to send reports so this is basically picture of just five routers that are, that some of them were switched off, some of them not, so we check what is the problem, was it our problem or end user, and so on.

Talking about end user portal, we would like to be in touch with the end users as much as possible so we created a portal where there is a lot of graphs, tutorials, many things that I would say mainly geeks like, although we try to have some not very powerful end users, people that really don't know and anything, that is just the Internet. They are perfect because they might have a lot of viruses and stuff for us. The end user forum is very active, 100 messages a week, and people are communicating and telling us the stories like I describe with the Knight Rider.

This is an example of what you can see if you are a member of the project. So, this is, for example, from my home router, as you can see I have quite a good version of IPv6 home and this is how it went. There are two upgrades so that was done normally through IPv6 and of course, you are change time and download the -- this is the same from the firewall logs, as you can see the majority of packets that were dropped by my firewall went to port, 5, 6, 7, 8, I don't know why. Those are graphs we show to the end users.

Why they do it? They got it for three years, for one crown, for free basically, and after this period the device became there for another one crown basically, also for free. For those three years they have to run micro collect, they shouldn't switch it for longer time, of course they can switch it for an hour but it shouldn't be switched for a month, for example. They have root access to the device and they can do any modification that they want except destroying it and so on. And as I said, the people really do like it.

Of course, this is really tied with privacy. We send probes to people's home and we declare -- this is something very dangerous so we are very explicit and open and transparent on this. There is an agreement on the web pages if you would like to look at it, that says what we can and we can't. We are very strict in the data separation, different teams that handle different parts of the database so no one should be able to, for example, say I was surfing yesterday. We have, you know, -- we went through the exercise to prove, at least to have some certificate that we do have processes for that. And also we consulted this with the local data protection authority because we wanted to be sure that we will not be fined or something. And surprisingly, we got a big brother awards and it was positive Big Brother Awards, that we were chosen as a good example how to deal with the privacy, if you are doing something like that. And again, everything is OpenSource, and one more thing: We don't go deeply into packets, we just stop on the header levels so TCP, UDP header is must have for us for many things and we have very strict data retention policy, we delete all data in ten days. So it should be OK, if you know somebody would come to us, what this user did 14 days ago, we don't know, we deleted it.


So what is the current status? As I said, we wanted to manufacture 1,000 of probes or routers. We manufactured a few more but basically 1,000, more than 50% currently is up and running in the homes. We have more than 4,000 requests so we really could think of the distribution of the routers to cover different networks and topologies. So we distributed slowly a little bit about to think where to send it about, 100 per week so distribution is going to end before the summer.

We started to do some operating system improvements which was something we were a little bit afraid of, you just send an update and you don't know what happens. We did two minor updates, for ? library for obvious reasons and very huge update, so currently the version is 1.1 and it ran smooth, now all the is on the same firmware, so great. We work on the central portal, of course, to give more data to the end users to find new ways of visualising that and we prepared some tutorials, how to run Turris, how to stream it using DLNA, how to make VPNs to your home, what if you have to two SIM providers, what if you need 3 backup using dongle and what if you need to separate VLANs in your home. So, a lot of tutorials, for mainly advanced users so they will love this project. They are happy something powerful at home and they can play with it.

We are implementing detection methods, the anomaly will take some time to collect data, know how to interpret the data. We do have some results so far so some IP scans scanners and port scanners, found some NTP scanners in certain networks that were not worldwide visible. We are trying to find if there are some flows of some data transferred to some well-known virus command and control centres. And we started to publish some grey and blacklists, something that is going to be distributed to the firewalls of those routers. And also we started to filter some IP based on.cz information. By the way, this firewalling stuff is not mandatory. People usually use it but it's not mandatory. If you know what you are doing it's not a requirement. Many people download it even if they are not connected to this project.

Short future, we plan to make another batch of 800 routers this year. We are working on VDSL interface, a small dongle that can be added to this. You need some modem, and they say well, yeah, I can set it up into the transparent bridge mode but I will have two devices, why? So that is why we are working on this. We continue on working on software improvement and we would like to make some market for third party applications and some beauty contests among the users if they can create something funny for Turris and we can distribute it and we plan to make some more tutorials, how to connect camera and make it security devices and connect to some devices you have at home. That is basically it.

I just wanted to give you an overview of what we are doing. We have quite big vehicle and we would like to find some partners that are interested in that. One very Comcast decided to support this project so that is a good partner for us. And I find out that many presentation has something like that at the end, some box with ornaments, so there is another one. I don't know what that means but this one in particular is X-ray picture of Turris CPU so I hope that fits the overall mood. Thank you very much.
(Applause)

JAN ZORZ: Thank you, this sounds dangerous. I have a question, is this limited only to your country or you are sending these devices out your country?

ONDREJ FILIP: We don't do this. This is straight from the Czech domain so we don't plan to send it unfortunately overseas or abroad, but we might discuss it but it's really hard to justify sending those -- it's not so cheap boxes outside the country if we are paid by the local.

Benno Overeinder: NLnet Labs. I was just thinking about updating these firewalls automatically and just you mentioned it also, I think it would be great service, people could opt in. Are you thinking to make this publicly available and people using OpenWRT as some kind of module to hook into?

ONDREJ FILIP: That is our plan, because we can -- we not ship those devices to every home in the country so we would like for the powerful users make a release of OpenWRT package just for them to reuse this. Yes, that is the plan. Because those devices are able to do firewall but they are probably not powerful enough to do any collection that is does not make sense but firewalling should be enough.

SPEAKER: You get the data, get the intelligence to make the decisions and push out the rules.

WILFRIED WOEBER: Sometimes wearing little bit of a security hat on top of my database thing. One of the questions would be how does the distribution mechanisms actually interact with commercial service providers? Like for my own DSL connection from one of the commercial providers in Austria I would probably not have an easy way of removing their CPE device and replacing it by this box. Any experience how there is collaboration developing or is it just a different market?

ONDREJ FILIP: We don't talk to the ISPs, it's not project-targeted for them now. Maybe they will be interested in some software versions of it but we don't cooperate currently with them, except Comcast, and we didn't face any problem with that so, people in their homes they are fine with that. Into the problem. I haven't heard about any ISP that requires just some mandatory CPE device for the Czechs so maybe that might be a different situation in Austria but no problems so far.

ALEXANDER AZIMOV: I said, it's about 600 of them up and running.

DANIEL KARRENBERG: RIPE NCC again. This is great, I like it. I like it very much and the real good thing I see about it is that you set up a packets in people's homes and got a positive big brother award. I mean, that is an achievement, I think that is worth a round of applause, really.
(Applause)

DANIEL KARRENBERG: My questions, number one, is you mentioned that you were concerned about people faking the results, and what I understood from your talk is that you encrypt the way the results are sent back so that people cannot impersonate one of the devices?

ONDREJ FILIP: They cannot easily.

DANIEL KARRENBERG: Easily, yes, you are absolutely right. But did you do anything to fortify the collection process itself because you make it all open, it opens the possibility, at least, for someone to send you fake data because they have access to the device, that is one of the concerns we had with RIPE Atlas, that is why I am asking.

ONDREJ FILIP: What we did, you cannot avoid it if you do open source, what we did, the source code of micro collect is free, is open, is available. When we do the final compilation, one key material is combined into the binary of and another is on the chip. So at least we know somebody has a device, and somebody, unless they reverse engineer the binary, is running micro collect. If somebody is good enough to somehow get the key from the micro collect and compile his own version then he is good enough.

DANIEL KARRENBERG: Basically what you are saying I get a binary from you and I have to trust you that the binary is compiled from the source that you publish?

ONDREJ FILIP: Yes, yes.

DANIEL KARRENBERG: And people trust you?

ONDREJ FILIP: Well we are a well-known company for many years so yes, they trust us, at least 4,000 of them did.

DANIEL KARRENBERG: One more small question. I would be really interested in running a RIPE Atlas collector on these things. Would you be willing to talk?

ONDREJ FILIP: I think that is a good thought for one third party application, I think that sounds good, yeah.

SPEAKER: Carsten Schiefner. You said when Jan asked, you said can't send these boxes anywhere else within the Czech Republic which I actually understand because it's being paid by the Czech domain registrants and I wonder whether you would have any plans to, say, publish the full blueprints of the box so your initiative and your idea can be picked up elsewhere so that other distributors or vendors can actually make an identical box or even some modified box?

ONDREJ FILIP: As I said, everything is open so, including the hardware so there are plans on the website --

SPEAKER: I haven't checked the website yet.

ONDREJ FILIP: If they are not good enough we can make them better. There should be plans for engineer that knows what he is doing, he should be able to make this box, probably not the metal box that is covering the thing but at least -- the guts of it.

JAN ZORZ: Is Matthew making you read more technical acronyms?

SPEAKER: Not this time. I have a question from Erik from AMS-IX. Are there any plans to control multi-AP routers at once?

ONDREJ FILIP: Can you repeat it, please?

SPEAKER: Are there any -- are there any plans for a centre of control of software to control multiples and AP routers at once?

JAN ZORZ: If you are planning to build a software that would you manage, of multiple routers?

ONDREJ FILIP: Yes, sort of, yes, that is the plan. That is why we implemented NETCONF into the -- yes, that is the plan. We currently we are not touching the configuration of the end users CPEs but one output could be for ISP that would like to have some controlled environment and like to manage CPE that it -- that was one of the ideas but we develop it and it's not run currently on those devices, we don't have access to those devices, except sending updates and receiving some data.

SPEAKER: I have also a comment but I don't have the name of the commenter yet. He says, I think it's time for the Czech government to take this to Brussels and encourage EU to push it to all Europe.

ONDREJ FILIP: I hope it's not going to happen, we are not cooperating with the government so...
(Applause)

JAN ZORZ: OK. I think we are approaching the coffee time. The next plenary will have lots of good contents and lightning talks so be back in half an hour and then for those interested in developing the best practices we will have a task force meeting at 6:00 to 7:00, so be back in half an hour. And yes, please rate the talks. That is how the committee know which one was the best and what do you want to hear from us. Thank you.