17 October 2018
At 11 a.m.:
ERIK BAIS: Good morning everybody. So, welcome to the second part of the Address Policy Working Group. This session is being webcasted and we had a presentation on the first part that was a bit of time constrained, that is why we had a shifted agenda, and Ingrid is up next.
INGRID WIJTE: Good morning. I work at registration services in RIPE NCC. And I want to bring up some topics regarding the country codes that we registered in the RIPE database and extended delegated statistics. I will do the same presentation in the Database Working Group and after the RIPE meeting we will bring this discussion to the mailing list for further comments.
And well, I might be opening a can of worms here, we'll see, but where is the ‑‑ so, what am I going to talk about? We register country codes in two different data sources, RIPE database and in the extended delegated stats and we assume the country code, we have always assumed, reflects where the network is located, this is based on RFCs, RIPE documents around which the RIR system was originally designed but we see some changes happening, and also, what does this actually mean? A network can be spread over multiple countries, which country code do you use? It's not a fully static thing. Theoretically, today, it could be one country, tomorrow in another, maybe not that fast but things can happen. And also, as RIPE NCC, we accept what the user tells us without any verification. I want to make clear before I continue that I am talking about resources that the RIPE NCC has distributed so the country code in allocations and in direct assignments. So not sub allocations, not PA assignment, resources that we directly distribute.
And I also want to show some inconsistencies that there may be between the different RIR regions.
So, what we see is that until recent years in the majority of cases, network and country were matching, and we see that over the last years this is growing further apart. We have a growing number of out of region members which a large part of also majority, almost all, have also a presence in the service region and we also see an increasing request to update country code in the extended delegated statistics. And we see that country codes seem to be used for different purposes than we previously were seeing. Most requests for changes are for geolocation purposes, language topics and different areas, but we start to see also some commercial purposes for it, and in some cases this might be leading to inaccurate data and inaccurate data that we as RIPE NCC are asked to put in these delegated statistics.
So, let me give you one example. We have, for example, an LIR that requests us to change the country code from one in our region that might not be a very popular one, to we change to another country code in the APNIC region where, in some cases, yes, in some cases no, the organisation is legally based. So, we asked some questions so does this mean that the network moved to the APNIC region? What is happening here? And maybe you should consider, that if that is the case, an Inter‑RIR transfer, that is now an option that is out there for you. Responses are, no, network didn't change, still in the same location, but our customers have some issues with some applications due to restrictions, filtering on that particular country code. So, as we do not really have documentation that clearly stipulates what that country code should be, we update the country code as requested, as I mentioned previously we accept what is being told. And then a few weeks later we get a transfer request for that same and the request is to transfer it to a different organisation in the ARIN region, so what does this mean? What has this change been done for? What data have we been putting in the database? So, looking at the ‑‑ yes. Looking at the documentation that I mentioned on which we have to base that information, the description in the RIPE database. I won't read them out loud, but basically, there are no rules defined for this country code, it's not reliable to map to countries, it's undefined. Same in the extended delegated statistics, I listed here, where they are published in case you don't know them. It identifies the country, not specified where they were first allocated or assigned. It does not give any further information, what does that mean? So what do we see as additional effects of this.
In the RIPE database, when we distribute resource, we create the object, we put in the country code that has been provided, and after that, the user can maintain that attribute, it's an open attribute in the RIPE database, can update it to whatever they want. Extended delegated statistics, that is a file that the RIPE NCC maintains, we add the entry. It's a file also contains information regarding free and reserved space, allocated space so it comes from our ‑‑ from our files and we maintain it. So, if it needs to be changed we need to make that change. When you look at the example below, on the left it's the RIPE database object which now contains US country code and in the extended delegated stats still the one we put in for Ukraine. So they are no longer matching.
I also asked what the other RIRs are doing with this, maybe they have some more clarity for the country codes. So in AFRINIC, in both data sources they use the legal presence and they maintain the value and as regional ‑‑ region only. LACNIC, same thing, region only with some other entries still there managed by the RIR. APNIC, legal or network presence, managed by the RIR and they are currently looking at, they presented at the last meeting, options to make some changes to the extended delegated stats, maybe have an additional country code in there to make it a bit more flexible and have some more clarity there. And in ARIN, legal or network presence, managed by the user, and I need to mention there that there is a requirement in ARIN if I am not mistaken to have a legal base in the region and at least part of the resources must be used in the ARIN region. So, they will probably not go as far apart.
So, my question to you really is, is this as intended? Is this what you expect to see in the country codes or do you think this should change? And if so, what should it be? Should it be up to the resource holder to decide what it should be? With the side effect that the information could become meaningless if you don't really know what it should represent and, you know, anybody can make a choice on what they think it should mean for them, it becomes a bit meaningless, unexpected. Should it be defined for database and extended delegated? And how, should it be legal country, looking from RIPE NCC's point of view is something that we can actually verify? That is information we have and we can assert that that is correct. Should it be the location of the network? In that case, how do we verify, how can we verify? And then a second question: Should it remain in sync with each other? Should the RIPE database country code be the same and remain the same as the one in the extended delegated statistics. So that's what I wanted to put to the floor to the mailing list and if you have any questions or comments please let me know.
ERIK BAIS: Before we start ‑‑
AUDIENCE SPEAKER: Just a quick comment. The country and the country code are not the same thing. I have seen too many people from Kosovo having .eu or .al in their database. Okay, there is the issue of the Ukrainian dispute with Russia, I am sure other need to know about. I think in my opinion the database should have one place which is legal and extended statistics because they are extended may signify multiple allocations, for example operations, to me that makes more sense. Because like the structure of the database was never to be assuming the two country codes, I am talking about the old day so I think that is the most significant change, extended statistics more flexible and open to modification.
INGRID WIJTE: I was talking about the country code that is registered which as it says it identifies, so not defining what it should be. Would you in that case, would you think that the RIPE database, because that would also imply that if the RIPE database should become the legal country code that the database should be restricted for update? Because currently it's totally open and can be changed at any time, but if it becomes the legal country then that would imply changes to that.
AUDIENCE SPEAKER: Could have a opinion here. Like I said, the cases where it can be counterproductive to the ISP to identify the country are so ‑‑ I already mentioned two examples being the Kosovo territory and Crimean region, so I guess there are many other cases but I probably would be against it, but it probably must be more like an exception than the rule.
INGRID WIJTE: To add, we have been trying to be flexible with this to make it useful. The examples you have mentioned we have always made those updates.
AUDIENCE SPEAKER: Alex. My comment is purely from an operational point of view, not from legal or data accuracy or whatever. Regardless of what the RIPE database manual says, in reality, people use these attributes for a variety of reasons, I think, mostly geolocation but who knows what else they are used for. And as an operator, I would like to be, like to be able to have that attribute in both the RIPE database and the delegated stats, say what is useful for my network. If there is a requirement to have some other legal entry in there, I'd say add another one, but these operationally, if I can't change them whatever I want my life becomes very difficult.
ERIK BAIS: Alex ‑‑ Alex, so the file here and the database what we are talking about here are only about the allocations, not about assignments that people put in the database. You can still ‑‑
AUDIENCE SPEAKER: I am aware of that. But both levels are actually used by various geolocation. Everybody does something else so as an operator I'd like to have the flexibility to do what works well in my situation, which might be different from your situation.
AUDIENCE SPEAKER: Hi, Carlos, from the Portuguese NREN and C cert. Firstly, let me tell you that I like statistics and thanks for this work in the last, I spotted something on the stats that said Portugal and it really sounded strange and I asked the RIPE NCC and some days after it was corrected. So I think ‑‑ I think this is useful. That's it. Thank you.
GEOFF HUSTON: APNIC. Look, I am a consumer of your data and the data from the other four RIRs. Why, because a lot of folk want stats by country. They just want it. So somehow we have to take data that reflects addresses and IP nums and map them into countries. I rely more on MaxMind than the RIRs and there is probably a very good reason for that, because I am interested in which legal locality, in terms of nations and nation states is that address being used, not the allocation, not what was given out, but that individual address. If I wanted the RIRs to curate that information, it can't go in the stats file, it probably can't even go in the database, it's a different granularity. And so you kind of wonder then, what do we mean when we put it in the stats file, you said there are five different interpretations and you are right. Sometimes it's the country of the entity to which we gave, allocated those addresses back in the dim dark mists of time, what has happened since then is none of our business. We do spend a lot of time tracking their locate but at a level of granularity, that is irrelevant. And so for that, you know, the frustration from folk like me who are using this, we tend doing well, that's not actually that useful, and so rather than trying to fix, yourself, because I don't know how to fix it, I go to some other source, so I am not sure I can offer you an answer, but what I can say is, I don't think we understand what country codes are in the five collective stats reports, and I suppose what would really make life clear is to at least define one meaning and stick to it. That's all I ask.
JAAP AKKERHUIS: Okay. Yes. Jaap Akkerhuis, NLnet Labs. For this occasion I want to warn about the use of country codes in general, because a lot of people understand different things about a country and not. If you really want to follow 3166 you will notice that Kosovo doesn't have a country code and that's why the EU is actually using I think SK for the time being. And cannot make a decision on this moment about these things because there is ‑‑ we have actually forgot ‑‑ got requests from three or four different offices, claiming to represent Kosovo and there are more of these and so we are waiting for the UN. And so be very careful because before you know you have got big politic at right hand. If you are really using 3166 it should say that you should use really adhere to that and not invent your own stuff on the way. Despite what the other guy says.
INGRID WIJTE: Yes.
AUDIENCE SPEAKER: Carlos again, I had one more comment. I really think geolocation is kind of a mess and if we could have some more engagement from the RIPE NCC with geolocation providers and making them come to these meetings, because my personal experience, while trying to fix wrong geolocation information for our members' networks is that they offer a way to fix it but they simply choose not to reply and choose not to fix it.
INGRID WIJTE: I think one of the things that ‑‑ one of the few things that is defined is that those country codes are not a reliable way to map to countries. So we see the people use it for it, maybe as last resort, the hope that something would happen if they change the country code there, but yeah.
GEORGE MICHAELSON: APNIC. I want to give some history to these statistics files to help set some of the context around them. These files are not the product of a public policy process or a conversation with the community. Rightly or wrongly, I simply observe that they came as a result of an operational burden, the RIRs felt they had in providing simple statistical reports on the disposition of resources. APNIC actually produced the original stats file as a file format of its and we took that file as an initiative into a conversation with the other RIRs and we emerged with a consensus view amongst us as RIRs around the field structure of the file. So, the decision to use vertical bar as a separator, the decision in v4 to count hosts but in v6 to count prefixes, to include a field which takes the economy code and I do stress, even though it says cc, we really have to start thinking about economies, not countries, for reasons that have been stated in the microphone. Not all entity codes that appear in this file are countries. So, my concern here is to say, meaning of fields is something which has to be somewhat delicately negotiated and I feel in this instance you are right to talk about it and possibly the read me files and the exposition of meaning of the fields is actually the really important goal here, and stating clearly it is a field, it lies with ISO 3166 2-letter codes, its exact application to the addresses is more loose, I think that is interesting. I wish it wasn't, I wish it was a simple thing like legal entity but there are reasons why between us it isn't. So now comes the other part: You said some things which went to the extended file because there is the stats file and the extended file.
The extended file includes unallocated addresses, reserved addresses and additional fields like a unique entity code and that process of defining additional fields, field positions in a CSV file it is quite a delicate balancing act because the minute an entity in a common file series says I am going to add a column, everybody either has too far blank or they have to agree to use the column the same way or we have diverged into chaos. So if you are heading to proposals that will have new fields, that requires negotiation amongst RIRs to make a consistent outcome. It would be unfortunate if we went to a divergence of file format so I know that I'm slightly to one side of your topic, what does the field mean, I understand that, but please be mindful that the format is a negotiation between publishing entities and consistency is a high goal that I would really like us to keep. Thank you.
INGRID WIJTE: Fully aware of that. I do see though there are some differences already, I think APNIC publishes opaque ID, I think you are the only ones.
GEORGE MICHAELSON: We do now all publish but the exact format of opaque ID is unspecified, some use a UUID, we use a self generated unique code were a database trigger and the file is quite careful to state, although you may, may have a consistent value between generational versions of the file, that is not guaranteed, it is only unique within a single file and so inferences that it's a consistent entity have to be understood. And there are also questions around the date that potentially require the same degree of analysis because some people regard the date as the birth date of the resource into public view and other people view the date as the last transactional moment of change and when you consider blocks split and join, this has massive, massive impact on the meaning of that line. So, there are already other issues in the file.
INGRID WIJTE: Correct, yeah.
GERT DORING: I have another comment of my own, speaking not as a Chair but as a participant in the discussion. We can model this a bit more, this is something that just came to my mind that we actually for the allocations, the allocation object has a pointer to the organisation, the organisation object has a country code as well. So if we want to define it that way we can have the organisation in the country and the allocation object be the operational country I would sort of like reintellect what Alex says, that this is used for operational purposes. But the country code field in the organisational object is not can you remember rated either, so if somebody wants to put any country in there they can, so we need to just keep this in mind when discussing the whole can of country code worms.
AUDIENCE SPEAKER: From LACNIC. I just wanted to point out one thing regarding your slide by about LACNIC and our intent for the delegated stats as well as our database is to actually declare information that we can actually vouch for, it is basically the legal presence, that is the only thing we can possibly know. That said, we are trying now two things, one as a result of the policy proposal that reached consensus and the other is an initiative of ours that we want to try out to see how people take it. One is we are publishing another ‑‑ a different file, not the extended delegated stats but different file which has a more granular, what we call sub allocations as all the different and the country code in the sub allocations is useful for sort of ‑‑ for the user. The other thing is, we are ‑‑ we will be publishing a different file using format called geofeed which is defined in an expired draft, but it's ‑‑ that is explicitly information declared by the user, that is it's not information we can vouch for. We basically only provide interface for the members or users to publish it. Thank you.
GEOFF HUSTON: APNIC. Gert, I really want to react to what you said because I think there is a subtle distinction between the stats files and the extended stats files and the database. The stats files and the extended stats files are a snapshot of the entirety of the holdings of the RIPE NCC on a day. You can see the lot. If you start doing pointers into the database, you have got a referential problem, only certain folk can pick up the whole of the database, whatever it means, and it's not the same as the stats file. So if you are looking for a solution around the country code issue, to change what you are currently doing, I would certainly find it helpful to me and probably others would find it helpful if you looked at a solution that was self‑contained in that holistic stats file rather than doing pointers to other pieces of data that are curated and published, using different mechanisms and different access procedures. Don't make a whole ‑‑ a whole resource snapshot, point into a query‑based system, that way lies madness for me and possibly for you.
GERT DORING: That wasn't my intention. I just wanted to bring to the discussion, that we actually have three different ‑‑ that are already interlinked in funny ways.
GEOFF HUSTON: That is true.
GERT DORING: If we go that way and declare that the legal country and the operational country in the database have a well‑defined meaning, it might be necessary to extend the stats file, yes, I have listened, to include the operational at legal country. But I'm not saying we should go there, it's just we are discussing the meaning of these fields and trying to figure out whether we have a common understanding what any of these fields mean or what people are expect them ‑‑ expecting them to be.
GEOFF HUSTON: Well certainly from my experience, my increasing depressing understanding, is that I cannot use what we publish in the stats files and extended stats files as a reliable geolocater even into economies, I just can't. And make legal presence is perfectly fine and geoloc is a separate problem and if we all admit that, let's move on with our lives and that's okay. But Alex uses it one way, I use it a different way, you maintain it in the secretariat a different way, that's where the evidence of madness creep in. So this discussion at least helpful to bring that out, even if we can't resolve it.
GEORGE MICHAELSON: This is not meant to be the Geoff and George show. I would like to expose two conversations that I have had with other people that relate to geo questions, which I think are informative here. One is with a large CDN operator when I discussed the mismatch between assertions they made about IPR and how they associate IP addresses with locations to constrain television content IPR, intellectual property rules that are bound in geography, his assertion was:
'I am a CDN. I am at over 200 points of presence in BGP. Why do you believe your assertion of locations statically is better than my measured presence in BGP of an IP address, arriving at an end‑point and other actions I can do?' And so I said, 'Well I don't. I think it's better, but you don't expose your model in the way the wider public can consume.' And he said, 'Of course not. It's my financial advantage in the marketplace.' The point of this one of the two is, this information is financially important and valuable for entities doing their business and the absence of a common public framework has qualities in that discussion, arguably it would be better if we had the public exposure, it would be a common basis but right now it is an economic element of competing entities. That is point one.
Point two was another entity, a large dominant player in our collective universe who said we have moved to a mental model of proof of possession and when we receive requests for peering and requests for changes in geolocation, we look to you the registries which have an authority model that says can change public data and we say back to the asset holder: Here is a hash string, it's unique to you, you make this visible in a number of public repositories that demand you have proof of possession and when we see it we will believe that you have control of the asset and then, then we will discuss your geolocation problem. And that, that model really intrigued me because they said they don't want us to publish the geo, they want us to prove possession of the assets, to discuss the geo. Those are my two points.
ERIK BAIS: Thank you.
So we are going to wrap this up, and take the discussion further to the list.
INGRID WIJTE: After the Database Working Group.
ERIK BAIS: Next on is Jordi, he is going to do the assignment clarification of the IPv6 policy. There was already discussion on the list, well, not on this version, the previous one, and it was extended discussion period.
JORDI PALET MARTINEZ: Following the new PDP. Hi. As we just explained it, this has been discussed already during the last year more or less so this is the third version of this policy proposal. Let me explain why this is started. This is started because I was understanding that the previous policy on this point that was 2016‑04 was not very well aligned with the impact analysis so we had a discussion on that and some people said yes and some said no and then I work it out the previous versions trying to solve that and I realised that we have the same problem in all the five regions, so I sent the same basically the same text to all the regions and on this person here ‑‑ version here we didn't have discussion but we had discussion in other regions and one of them, for example, was AFRINIC, and our friend Sander Steffan was saying hey, you are missing something, because I was concentrating only the case that was being covered by the previous policy proposal, which is bring your own device or having a sub‑assignment for users in hot spot, okay? But now we discovered that there is one more additional case, let's suppose you have a company doing video surveillance for you. You get the assignment from the, the PI space from RIPE and you sub assign to the devices of this company doing the service for you, not just one address, not just one prefix but multiple prefixes which cameras and video recorders in different subnets of your network. So this is clearly not covered by the previous version of this proposal, at least that's our understanding and that's the reason we made or I made this version 3 because that's basically the difference between version 2 that was discussed in Marseille and in the list and version 3, and form because this was posted during summer, I think it was middle of August or something like that and then vacations and we didn't get inputs here.
What did happen basically when I talk about this in other regions is people said, hey, why we don't have this problem with IPv4, because in IPv4, you use only ‑‑ you use private addresses and NAT, and one of the reasons it was, for example, rejected or didn't reach a consensus in LACNIC was people telling me, I am a university and I am using public IPv4 addresses so this policy will solve the problem for IPv6 but not for IPv4. So, LACNIC basically told me, and I have already draft, still not submitted, you should have this policy but covering both cases, IPv4 and IPv6. In AFRINIC and APNIC, the reason the policy didn't reach a consensus is according to Chairs, there were no objections but people were not really understanding the problem and consequently not understanding the proposal. So, that was the reason we didn't reach consensus in the regions. And I think the same text, not from this person, the ‑‑ version, the previous one, has gone through last call, so it changed a bit because the PDP is quite different than here so the author loses the control, but more or less is trying to solve the same problem. I think it's still the actual version in last call is not covered in this case for the surveillance.
So, I took the impact analysis of 2016‑04 and I point here some of the points that I believe are not clearly being completed. So, for example, there is one point that says "any permanent and static assignments of a prefix would still be considered subassignment as per clause 2.6, consequently the RIPE NCC will not provide IPv6 assignments for such deployment plans."
There is also another point.
"Despite the intention of the proposer broadband providers will request and receive IPv6 PI assignments as long as they comply with the requirement to only provide separate addresses to customers. The RIPE NCC will make any such requester aware that such deployment is against IPv6 best current practices and the intent of this policy change, but ultimately it could not deny such an IPv6 request."
What that means, with the actual policy that we have, I can make an ISP from a PI, and RIPE NCC cannot deny it. That's set in the impact analysis of the proposal. So that is one of the things that I'm trying also to solve, having ‑‑ okay, this is the actual text that we have on your left and in the right what I am proposing, the first paragraph is the same, so the first ‑‑ the second paragraph, I am saying "providing addressing to third party ‑‑ for point‑to‑point links and/or non‑permanently providing addressing space to third parties for use on a network managed and operated by the assignment holder shall not be considered a sub‑assignment."
You will understand every core of this sentence in the next slide. And then to avoid the people using this addressing space for broadband, I am explicitly excluding that by saying "the provision of addressing space for permanent or semi‑permanent connectivity such as broadband services is still considered a sub‑assignment and is prohibited under this policy."
So now trying to analyse every piece of the policy, what I'm saying here is, I am trying to solve four problems, the first one is, the case for the subcontractor with devices sitting on the holder network like the example of this IPv6 surveillance, so we say here providing addressing space to third party devices, we don't mention any more if it's a single address in a single subnet or many addresses in one subnet or several subnets, we just say, hey, if you are using addresses for external company, within your network to provide services, it's okay. Then we go to the point number 2, which is point‑to‑point links, I think it's obvious that that case, you are providing a single address but it's something needed. So I think it should be a case that should be respected.
The third one is the only one that was covered by the previous policy proposal which is bring your own device, which is an exception, the previous policy proposal was saying addresses, not prefixes, which my understanding is incoherent. You say one address or multiple addresses which then is a prefix, okay. We may enter in the discussion in those addresses are consecutive or not that is a different discussion. But tend I think that specific point of the previous policy proposal was not really very, very clear. And the last one is make sure that this is not used for broadband. You want to use this for broadband, you should be an LIR and not get PI space.
And I think that's it. I think it will be better probably to stay here if there are questions because probably it's easier to explain. Max. Is this covering your case or is it still having any conflict with you because you were the author of the previous proposal and obviously your opinion is important to understand, with this we are breaking your case? I don't think so, but please let us know.
AUDIENCE SPEAKER: Max, no, it's not breaking the initial case why I did this years ago but it breaks something that we all agreed on. I give you the case that /64 sub‑assignments for devices are okay which was missing in my part, I give you that one. I give you the part that you may be want to have equipment from someone else in your network but this breaks hosting and housing, which was explicitly allowed in my proposal, which was explicitly voted on and common sense within this Working Group.
JORDI PALET MARTINEZ: I really believe that that ‑‑ that was in your introduction, let's say, or justification, but according to the policy text in the previous proposal, I don't think that was covered. It's one more of this conflict that I notice between impact analysis and the policy, and again then, we are here in the discussion of what is the important thing is the policy text or is the explanation about the policy text. Well.
AUDIENCE SPEAKER: If I may quote Ingrid and Andrea, the statement last time was that the policy will be used for justification if someone is eligible for IPv6 PI space and the rationale of the proposals. So in my rationale it was stated clearly that hosted and housing should be allowed so to my understanding may some of RIPE NCC correct me, it is allowed.
JORDI PALET MARTINEZ: Okay. I understand that when you say hosting, housing, obviously it's not the case for the IP ‑‑ sorry, IP surveillance, it's a totally different case because you are actually hide ‑‑ addressing a space to other for having their own systems. We can adjust this text to cover that case as well but my question, and here to the community, do we believe that a data centre offering hosting, housing should use PI or should be an LIR? Because that is an important question to take that question.
AUDIENCE SPEAKER: I guess we should distinguish between big data centre operators like big German hosters or something like DigitalOcean for example to name one, which I think should be LIR or think about community projects which offer housing for cheap project thingies, whatever.
GERT DORING: So they come in all sizes and shapes and the fact that you currently can't build a garage provider has come up as an argument against the PI proposal, old PI policy. If you want to start with a small shop and don't have the money to become an LIR right away there might be good reason why you want doing with PI first and when you are big and huge and have zillions of customers things like, but many organisations start small. So if the Working Group is fine with it, I'm fine with it.
JORDI PALET MARTINEZ: I am fine as well, I am just asking the community that's what we want, if we want to allow from PI to provide services ‑‑
GERT DORING: This is how I understood the consensus on the last policy proposal.
PETER KOCH: DENIC. Thanks for coming up with this. I cannot but say, so if this is the clarification, can we have the confusing version back, please? The confusion I still have is that we still don't really define what a sub‑assignment is, we have a list of exceptions, but we don't get to the beef what actually do we mean by sub‑assignment and what are the consequences. With further adding more exceptions we can do that, but that makes some EU regulation look like really prose in comparison to what we have here. I guess the slide here is indicative of the problem and the discussion that you started just a minute ago is I guess the one that needs to happen first before further wordsmithing the list of exceptions here. What do we actually want and then maybe rewrite this whole paragraph but this specific organisation and specific purposes, there is so much to read between the lines that I'm still confused.
JORDI PALET MARTINEZ: Well I am using the examples to explain it but I think the text sufficiently generated to cover almost every possible situation except the one that Max commented. I really think we need to fix the actual definition of sub‑assignment and I am not really happy with the text we have right now. That's my point. And I think it's clear if you read the policy ‑‑ previous policy proposal, the actual policy text, the comments, the impact analysis that there is some conflict there. That is my impression, maybe I am alone on this. In the other regions I got people telling me it's the same.
PETER KOCH: I am not tend itting the intent and the need for clarification, I am just saying the way this is happening right now by adding more text in form of exceptions may not really clarify anything. I believe this is more complicated than before.
JORDI PALET MARTINEZ: Yes, it's more complicated because before it's not clear enough and it's conflictive, so sometimes to make things easier you need more text to explain it. I think that's obvious.
PETER KOCH: We maybe disagree there.
JORDI PALET MARTINEZ: Okay.
MARCO SCHMIDT: I want to provide some clarification on the discussion about if a hosting service is included in PI and actually the policy text quotes a couple of examples and one is connecting server on appliance ‑‑ currently the policy in the current version allows some hosting serves ‑‑ so I want to make a comment about this case that you mentioned about the subcontractor of a device sitting in the holder's network, just quickly double‑checked, I don't recall ‑‑ got already that detailed request and we normally look into it, who is really using those devices and if it's a subcontractor with a video surveillance system probably still considered as part of that PI holder that receives that service and using it. So also another current policy. I don't think that we would reject such a request.
JORDI PALET MARTINEZ: So you basically are saying that the change I make from version 2 to version 3 is not needed? Basically?
MARCO SCHMIDT: I am just saying this special case of the subcontractor if the device is ‑‑ I am not aware that we got such request in those details and if we would get this would cause really an issue under the current understanding.
GERT DORING: Maybe we shouldn't discuss version 3 right now while version 2 is still in discussion phase. Today we need to discuss version 2 and see if we can agree on a problem statement going somewhere. And from the feedback so far I am not sure we have lots of traction on the actual problem statement.
ERIK BAIS: Which feedback?
GERT DORING: Yes exactly. Like no feedback, which since this is ‑‑ tends to be a fairly vocal group, no feedback is I read as ‑‑ there is not much agreement that this is something that needs to be ‑‑ needs to happen. So I don't know.
Max: What you wanted to raise the point of V2 and v3 so I am a little bit wondering what this v3 thing is, is this version 2, I don't have checked every word, or is it something new besides the current ‑‑
JORDI PALET MARTINEZ: This is version 3, what you have right now in the screen is version 3, which is what we are discussing right now. I just tried to explain what caused the difference between both versions.
AUDIENCE SPEAKER: Okay.
ERIK BAIS: So, looking at the huge amount of feedback on the mailing list, even after the extension, after asking the Working Group to actually comment on it.
JORDI PALET MARTINEZ: Yes, please.
ERIK BAIS: ‑‑ my personal view on how I see it there is little to no interest in making the policy change. And now there is going to be another version and I'm not sure if that will actually make things better in getting this through. So, I do agree with Peter, maybe we need to basically go back to the drawing board and have a good discussion on what is actually a sub‑assignment and are we actually looking for corner case for corner case because we can list 20 other cases probably that would fit or not fit in this. One question that I have for the NCC is, how long ‑‑ you know, how large are the actual PI assignments that we are talking about? Are they typical PI assignments within the 48? Because in that case, the majority of the ISPs that actually would do, you know, actual assignments to customers like A 56 or 48, that will probably ‑‑ they will run out of space very soon and need to become an LIR anyway. Aren't we looking for specific, you know, issues that may not be there and just say, you know, you have got a PI assignment for a 48 and if you outgrow it they will go to an actual LIR with a /29 anyway and actually do, you know, properly how it should be. So aren't we looking too strict at this currently?
JORDI PALET MARTINEZ: I think the case you mentioned for the ISPs having a single /48 and providing service, I don't think that was covered by the policy proposal or the policy that we had before, the 2016‑04. So that was not allowed anyway. So it should not be that case. I understand that the corner case of the small data centres as Gert was doing it may be, but for ISPs using PI, that was not allowed at any point.
ERIK BAIS: I understand. I understand. So what I would suggest before I close this ‑‑ you have a question?
AUDIENCE SPEAKER: Just to ‑‑ Nicholas from the RIPE NCC. To clarify and answer your question; so far, according to the experience we have, the vast majority of requests we received are still for /48s and if bigger it can be a /47 or 46, we only have received a handful of very large requests for a PI assignment, so the experience since the policy was updated last time is small still, but we have no evidence that somebody is trying to abuse the system or to... So it's really a handful of very large requests and the ones we got until now are not for broadband services providers, they are mostly due to unique routing requirements like ‑‑ things like that.
ERIK BAIS: Thank you. So what I suggest is that we have a good look at the problem we need to solve and are we happy with the experience that we have. You know, do we need to be a bit more lenient on the actual sub‑assignment and do that in general terms without all the exceptions and then have good faith in that once an ISP actually becomes an ISP, from his shed into an actual data centre, then they will also go into an LIR membership and ask the NCC to monitor that because that will make all our lives a lot easier, especially yours.
JORDI PALET MARTINEZ: Yes, I really think we ‑‑ the problem here first is not only for IPv6, it may be also for IPv4, even if most of the time it's using NAT so it's not the case. But I think the point is we need to think twice what as a community want to be a sub‑assignment and whatnot. Really less of the policy text or the policy proposal, I really think we need to understand that. Is the community really convinced that the small data centre should be PI or not for example? I think this kind of questions need to be responded to.
GERT DORING: It's two entangled, what is a sub‑assignment and what should be allowed in PI? So even if you consider it a sub‑assignment if you say this is a set‑up we actually want to encourage, because we want to encourage people to build things on v6, so maybe we do not want to be that restrictive in certain cases where we want that people otherwise we do v4 only. So that is something we also need to keep in mind. We don't want to be restrictive on v6, we want to be clear on the policy but encourage deployments. So indeed like Erik said, maybe we should go back and see whether we can agree on, if there is a problem or if there are multiple problems, and then see how we can solve this.
JORDI PALET MARTINEZ: Okay. Thank you. Any additional point or question?
ERIK BAIS: Okay. Thank you. Let me see. Open policy hour. So, open policy hour, so we don't ‑‑ I don't have time here. Gert how are we doing on time?
GERT DORING: It's 12:00 so we have half an hour left.
ERIK BAIS: It's open policy half hour. So, we have some ‑‑ do we have somebody in the room that wants to pitch something? Sascha.
ALEXANDER ISAVNIN: Thank you very much. Actually, I am not sure that should be exactly discussed or not at Address Policy but usually I would talking about number sources so maybe it's Address Policy reasonable are. Let's remind ourself why RIPE was created in times. It was created to support IP connectivity in European region and actually, whatever RIPE doing, whatever RIPE Working Group is doing, whatever RIPE NCC is doing is for support for IP connectivity. But actually, now we could see and get more and more evidences, there are some special forces that do not like global IP connectivity and that is mostly governments. Like for us, there are no full country shutdowns in our region, I don't remember about this. But, for example, in my country, by the way I am from a country to which some Netherland minister declared ‑‑ maybe citizens shouldn't listen to me. In my country there is a government enforced prefix filtering so now about /12 is not available for Russian citizens including like Amazon and in the worst case it was about /8 spaces, /8 of IP space belonged to major hostings. Some countries like Ukraine tried to enforce AS level filtering because of disputes with Russia, request some of their companies to ban ‑‑ to prevent connectivity on AS levels. I hoe if you was one year ago, your IP telephone works but when you go to your hotel it doesn't work. So it's protocol filtering. Now we have Russia small region in ‑‑ have turned off transmission for operators and it's well‑documented.
Actually, for governments they do like to be connected by themselves but they trying to use Internet for their own purposes. They like to be connected but they don't like for some others to be connected as well. And we have to do something with this. Our community is very, very welcoming, everybody could participate in RIPE meeting but sometimes ago the code of conduct for meeting was invented, at the beginning of the meeting RIPE Chair saying something, okay, if you violate our unwritten rules you may be asked to quit. So I think it's a time to talk and maybe create something for asking to quit from the Internet though then it is who breaks our Internet. It's very important for the case of governments. First of all, Internet have a global structures and any action of governments and states against the Internet have a global impact. I have mentioned the content filtering at AS levels and prefixes in Ukraine and you have seen once we are Cloudflare such blocks are leaked to the global Internet and in some resources lost its connectivity. There are a lot of American citizens here and they would ‑‑ I would like to remind them sometimes ago Mr. Trump sanctioned 13 persons who interfering American elections with social networks. Actually, those persons was not greed started the activity to interfere in American elections, they were created and started activity to fight against Russian opposition, and when Facebook and Google and global companies said no, no, the not our business, we would not ‑‑ they started action against you. So it's a global, Internet is global. You can't say that oh, those government doing something strange and ‑‑ it's government let's do it. No, that will come and hit you again. That is one point.
Second and important point, most of us are network engineers and we all know that it's relatively easy to fix connectivity users. I think, well, if you never have announced one upstream to another you are not ‑‑ very experienced network engineers. Now, a lot of automation ‑‑ a lot of automation so ‑‑ but once in my life I did this but have not greatly hid Internet in global. So ‑‑ any connectivity issues, could be resolved, unless this issue is invented by a government. So, you can't talk with government and that could bring you problems. So, I would like to propose some policy changes maybe in address ‑‑ in distribution of resources. Maybe somehow else. But we need to understand what is IP connectivity violation, how to measure and officially confirm that somebody is interfering in the Internet. We need to understand which entities are doing this or getting benefits from this. We need to know how to enforce and ensure connectivity and, well, what to do with resources used by entities who are breaking connectivity. We need to understand to we need to do something with governments who are already interfering in Internet connectivity or just start ‑‑ need to start from scratch. Well, if you don't believe governments are abusing Internet in Europe, there is European Court of Human Rights and I think there are already resolved cases related to human rights violations which ‑‑ Internet.
Well, we have an example and even presentation at one of RIPE meetings, that is how African colleagues call it anti‑shutdown because in their region it's very popular to shut down Internet in the whole countries. In Europe I don't remember that any countries did this but they they tried to use much soft ‑‑ by content filtering, also another way. But we can try also to to or something not informing number ‑‑ RIPE NCC have excellent communication and external relations and they really like to sign some memorandums of understanding with governments which are not legally binding, we might ask them, well, to try to sign ‑‑ to ask governments and states to sign some agreements that is governments would respect RIPE community value, would respect RIPE policies and would not break connectivity for any cases, so I invite everyone to start the discussion, again remember if your government and state is not everything in connectivity, doesn't mean that ‑‑ does not mean, IP activity would not hit you. Thanks.
ERIK BAIS: Any questions?
AUDIENCE SPEAKER: Erik, please assist us and tell us what is a correct place to have such discussions? Where is it? What mailing list?
ERIK BAIS: That is a very good one. Because personally I don't think it's Address Policy thing first and we need to have a discussion with people from external relationship from NCC and with the Chair, you know, to how do we want to do this. If we want to do this. And if it's the place for RIPE to actually be a part of this. But, you know, we are here now, and let's see what the room has to say and we will take it further.
ALEXANDER ISAVNIN: We are taking African anti‑shutdown policy it was completely about IP addresses so if government shut down Internet in the country they should not take new addresses and ‑‑ that is why I introducing it. I am not sure that we should follow this way. Well, actually, over there we have Connect Working Group, but it's well, not much about policy, it's about technological thing so let's start it here.
AUDIENCE SPEAKER: Steffann from Megaport. I am really afraid if you suggest governments should sign something there was always something in return, I am a bit afraid that we open here some discussion we don't want to have here.
ALEXANDER ISAVNIN: Well if your state is not interfering your IP connectivity, it does not matter ‑‑ does not mean that we should not discuss it.
AUDIENCE SPEAKER: Then it should be done on European level and not on country‑based level.
ALEXANDER ISAVNIN: But on countries level it's not possible. As I said, that is countries who usually interfere IP connectivity, they are usually very well known for also breaking and violating human rights and in this case discussion inside this country is meaningless.
AUDIENCE SPEAKER: What kind of sanctions you would suggest there? You want to check it. There is so many questions you cannot answer.
ALEXANDER ISAVNIN: I prefer not to suggest sanctions.
AUDIENCE SPEAKER: In a way then this paper is ‑‑ you do not need these papers, if you have no sanctions, no checks.
ALEXANDER ISAVNIN: We had an example if you are trying to break Internet you don't need Internet so you don't need Internet resources, that is what we are all about here. It's a possible sanction, it's still not policy proposal, just discussion. Okay you may suggest something else, imagine your country wants to cut you out of Internet or, for example, enforce you to cut the whole Amazon hosting or Google or whatever else, think what you will do in this case.
AUDIENCE SPEAKER: I think we discuss this later.
ALEXANDER ISAVNIN: For sure, let's discuss.
Malcolm: Three short comments. There is a Working Group that specialises in discussing the relationship of the RIPE community and community consensus policy with governments and public policy interests, that is the Cooperation Working Group, it will be meeting tomorrow.
Secondly, if you are proposing that the community should use the consensus policy mechanisms it has as a sanction against internal legal policies of particular countries that you or I may share a dislike of, that is going to create an adversarial stance that I think that this community is unlikely to be prevailing. I would suggest to you that rather than looking for sanctions for those sorts of things, you look to alternative approaches, that can include the sort of cooperative persuasive approach that gives the Cooperation Working Group its name. You might also look to the example given to ‑‑ by the IETF. Now, in relation to pervasive surveillance. In that issue, they did not say if you engage in pervasive surveillance you will not be welcome in this community, you can't take part, they just we are going to design our policies or seek to design them in a way as to seek to preserve the fundamental enterprise of our community which is to enable people to communicate. That may be a more productive line of inquiry, but nonetheless ‑‑ I don't know if it's applicable in the community but it might be something you might wish to consider rather than sanctions‑based approach.
Thirdly and finally, I would suggest that you distinguish two issues that you conflated in your presentation; that is, between government action that seeks to preclude or hinder or interfere with Internet access within its country, and government action that has the same effect beyond its borders and therefore harms third parties that are not properly under the jurisdiction of that country. There may be a reasonable distinction to be drawn in those cases. Thank you.
ALEXANDER ISAVNIN: Thank you. I hope to receive more of your comment later.
SANDER STEFFANN: I fully agree with what Malcolm just said. We are a technical community, starting to fight governments in this place is not something we can win. We don't have black helicopters and cool stuff like that. So I don't think this is the right place to fight it. I fully understand your need and your ‑‑ harm that is being done to you and your community, but I think if we start this fight we are going ‑‑ we are going to lose it and take down the RIPE community with it.
ALEXANDER ISAVNIN: Sander, I think with this approach you already lost because in Russia, related content filtering regulations, some representatives, well, from beginning of Russian Internet, ordered this approach and saying oh, no, we didn't telecommunity, we should not do everything. I have even recording of such saying by, well, ccTLD at that moment. Saying no, no we should not do something, do somehow else but that wasn't work also. But being ‑‑ be aware of make governments angry about you is a really lose. So ‑‑ I'm not talking about fight anyway, you is it not hear the word fight, but as I say, we are being abused by governments, they are using resources, they are using positive outcomes from this community, but they do not share the same values.
AUDIENCE SPEAKER: For the part that Malcolm said like, governments doing something within their own borders, we as a community have no right to interfere with the sovereign rights of a government to make policies for their own country. The only thing we can look at is the harm outside their borders but within the borders that has to be solved locally, that is not something we can do.
ALEXANDER ISAVNIN: I have not final solution. I welcome in discussion. But also talking about you're European citizen, talking about within borders and outside, European Court of Human Rights is a state is member of parliament or Council of Europe, well they agrees to follow this, so it's another example. Internet is not like government association or whatever else. But while this is one of the government ‑‑ governments institutions or the Internet, if not us who else?
Lee Howard: Your second ‑‑ your last slide suggested that we find ways to get governments to sign binding legal agreements I think is one of the suggestions that you had suggest, that you had made. The problem with a binding agreement is it's only as binding as your enforcement mechanism and I don't think that we can successfully wield the power of Whois against national governments. I don't think ‑‑ or you know we can update RIPE DB entries, the people with guns are scared now.
I have a further concern. My governments, I am an American citizen, my government shuts down Internet connectivity all the time, child pornographers ‑‑
ALEXANDER ISAVNIN: It's consent shutdown, not, I am not talking about content filtering in Russia because it's much more, it went to become infrastructural shutdowns.
AUDIENCE SPEAKER: I think you did talk about content filtering as one of the cases.
ALEXANDER ISAVNIN: Because infrastructural interference, like trying to block ‑‑ or inject routers, that's affects the global Internet. Child porn, find the source, no one here in this audience will object to this. Well, don't remove from the routing the whole autonomous system, do not block the whole Amazon hosting.
AUDIENCE SPEAKER: When already global command and control systems that control botnets one of the most effective tools is shutting down routing. That is the way it's done when you have a distributed network that is doing something bad. We don't want to stop that or take away that tool from doing good things and I don't know how to distinguish between good and bad because different governments and different countries and different groups have different ideas ‑‑
ALEXANDER ISAVNIN: Again, I am not deciding what is good and what is bad. Even from my government, just here. But losing IP connectivity is bad, that is all we understand. It's not a government elections.
AUDIENCE SPEAKER: ‑‑
ALEXANDER ISAVNIN: We could see and understand. Again the first slide if you are American you maybe missed the basic RIPE documents. RIPE to 01 document from creation of RIPE, IP connectivity. So, okay, I am glad you joined the discussion let's try to continue.
AUDIENCE SPEAKER: Just clarification question. Not strictly talking about any government or state, there is an agreement that a contract between LIR and NCC, being an LIR if I block a prefix to my customers and not allowing them doing and reach out to that prefix am I in breach of contract?
ALEXANDER ISAVNIN: Well it depends what is written in this contract and when talking about commercial contracts usually, usually there is another option, if you block some prefixes for your customer, customer could choose another LIR but when government enforces something or breaks something it's, as I mentioned, it's much difficult to resolve this issue by negotiations or by choosing another government. In European Union okay, if you don't like your government you can move to being European citizen, to another country. It's resolved somehow. But European region is a bit more than European Union.
AUDIENCE SPEAKER: I want to strictly remain on the LIR and NCC agreement without commenting on the government because governments do not control the transits they don't control the routers. Of course you go to LIR to LIR to LIR so I am just asking if I am blocking a prefix, am I in breach of contract? That's the matter we can discuss here. We cannot discuss anything else, that is what I am saying.
ALEXANDER ISAVNIN: In a contract to your customer?
AUDIENCE SPEAKER: No, contract that the NCC, gave me ‑‑
ALEXANDER ISAVNIN: Well even talking about resource allocations of NCC and, but for example, for historical allocations, IP resources may be used in private networks without global routing, so in this contractual basic, it might not be breaking of contract.
AUDIENCE SPEAKER: I am an ISP ‑‑
ERIK BAIS: We are going to cut this. Thanks. We are going to take this off‑line further. I would suggest you have a chat with Malcolm and take this up in Co‑Op and then we will see where it goes.
Okay. This concludes the Address Policy for this RIPE meeting. Gert. Do you have things to add?
GERT DORING: There is two more slides.
ERIK BAIS: Anything else?
GERT DORING: One more, even. Thanks.
ERIK BAIS: Thank you all for your input and thanks for helping, informing policies for RIPE region and enjoy your lunch and see you in RIPE 78.
LIVE CAPTIONING BY AOIFE DOWNES, RPR