RIPE NCC Services
17 October 2018
At 4 p.m.:
KURTIS LINDQVIST: Good afternoon, if you please take your seats and cool down, I know it's very exciting, I know, I can feel the excitement building up and I have been this excited all day because we have the NCC Services Working Group but if you could please contain the excitement a little bit.
So, before we begin with anything, I'd like to remind you, those of you who haven't been to this fabulous event before, this is the NCC Services Working Group and immediately following this we have the GM, and you need to go and register for that, if you haven't done that you have minus five minutes to go get your little sticker on your badge and the GM will follow immediately after NCC services and will be in here, maybe? Yes, okay. And so as usual, you also know that if you are not out of here instantly we finish, really bad things will happen to you, we might increase your membership fees by a few euros. So please try and leave the room fast and orderly so we can prepare for the GM. And also as, you know, one of the presentations, here is actually part of the GM but we give it here for the benefit of everyone.
So, with that, but before we go any further, I'd like Hans Petter to come up, which is over there, and we will give him a microphone.
HANS PETTER HOLEN: Thank you, Kurtis. One of my pleasures as RIPE Chair is to recognise people in the community when recognition is deserved. Jaap Akkerhuis, could you come to the stage, please. So for those of you who tonight know Jaap, he used to be Chair of a Working Group and I can't tell you for how long because he has probably been here longer than me.
(Applause)
So I know it was the DNS Working Group but for how long, Jaap?
JAAP AKKERHUIS: I actually for got, it was D N I, which was left over from when the names were still part of RIPE, and I did realise that I was actually have been long ‑‑ longer Working Group Chair than I ever worked for employer.
(Applause)
HANS PETTER HOLEN: As an appreciation for the work for your community, we have bought some gifts for you. So we hope that is something that you can enjoy.
JAAP AKKERHUIS: Thank you, I will have a look, I probably will. I has been a pleasure to be part of this group and I hope it will continue with more and younger people than I.
(Applause)
KURTIS LINDQVIST: Okay. With that, back to the regular programming. So this is the NCC Services Working Group and we have the fully proposed agenda. I have added one item to the agenda that Bijal sent out which is quite topical after the presentation and it is the Working Group Chair selection which will follow after this but with that, any other ‑‑ anything else anyone feels like they want to add to the agenda? If not, this is all the NCC services eyesight reading test on my screen up here because it's very small. And so, with that we have the ‑‑ we have a scribe were the NCC and we have have monitoring as well so if you have any remote questions, please pose that. Thanks for being volunteered by the NCC by the way. So, we also have minutes from the last meeting which there was no comments to, so unless anyone objects, I will call those approved. And with that, that brings us to the first agenda item and that is that Bijal will stand down as Working Group Chair before the selection so thank you very much for the work done so far.
(Applause)
And according to the Working Group Chair selection process for this Working Group, I sent out a call for proposals, of which we had one, which was Bijal, and there was an intense ‑‑ it wasn't really a discussion necessarily, it was a very unanimous endorsement of the candidates, of the only candidate we have, unless there is any other candidate stepping forward now and deciding to challenge this I would declare for Bijal to be reselected. Done. Welcome back, Bijal, thank you.
(Applause)
So me and Bijal were having a discussion earlier today about the fact that there was only one candidate and of course you could say that we appreciate Bijal very much for this work and Bijal thought I should say that the almost better to have some candidates, probably if I go here and say unfortunately we only had Bijal I am stuck with her for another two years, that sounds a bit negative, I don't think that is quite the message but the point we are trying to make is, we ‑‑ it's great you appreciate the work we to and thank you for keep selecting us back here, but although job clearly did ‑‑ Jaap did it for a long time, I am not going to challenge his record, I am going to stand down at some point, if you are interested in the job, if you think you'd like to become a Working Group Chair or chair this Working Group we can actually have three Working Group Chairs, up to three, maybe one thing we could do at the next meeting would be to select a third one to bring you up to speed and me and Bijal can hand this over. I have run this Working Group since it was created a long time ago, and I don't intend to continue until we close it down. So, anyway, with that, that brings us to the next agenda item which is Axel, who is going to give us the RIPE NCC updates.
AXEL PAWLIK: People of the RIPE NCC Services Working Group, welcome and guests and those of you walked in by accident and find out that this is the place you really wanted to be only didn't know it yet.
So the update from the RIPE NCC and outlook into next year. Right. So, this year was interesting, it was full of excitement and it's not over yet, so we see again lots of membership growth, quite radical growth there. It's up and away and you see that the right most bar is solid and it shouldn't really be solid, it should be a bit lighter in colour because we don't really know but we think it will be up there somewhere. So, we have seen over the last, after the last, the time after the last /8 was announced in 2012, we have seen, believe it or not, 12,000, 12500 new LIR accounts, well that is a couple. We also see growth in, we believe we see growth in sort of sectors of industry like finance, banking and so general enterprise and we think some of that is real. I also am on the record as saying yeah, yeah they just want data analysis but we see those developments there and we want to cater to them as well. We have done of course quite a number of things over the course of the year, or the years already, that you told us to do, okay, NWI 5 we implemented that change, abuse‑c validation, that wasn't you who told us to do this, that was the Anti‑Abuse Working Group that we did ‑‑ well, we are doing this as well, we are ‑‑ we are beginning to test it over the last quarter of the year. And of course it has quite an impact on workload. The strategic focus for this year and this should not come as a big surprise because we talked about this of course before, increasing engagement with our members, with our stakeholders, with the environment and so more outreach effort. And understanding and this is a continual thing, understanding the needs of our members. We do think we have a fairly good idea but prove us wrong and tell us what you really, really want.
Right. Preparing further for the huge increase in accounts, more members, more LIR accounts and trying to deal with that in the most efficient way possible, and of course also looking beyond that because yeah, we have shown you the up and to the right fairly steep but we have of course a vision of what happens in a couple of years, so preparing for that as well. Looking at efficiencies and trying to work as efficiently as possible but also working on that, investing into efficiency and automation, to the degree possible so we can do the real interesting work with sort of manual work or brain work, more. And looking again at procedures for due diligence and strengthening those and making sure we have all the right checks in place to to the right things, always.
Okay. A couple of challenges for next year that we foresee and there might be others around the corner as well. Like I said, more members, steep growth, that means more workload in any case. We are looking, again that is the trend that we are seeing for a couple of years already and that we see becoming bigger, mergers and acquisitions and the like, there is a lot of complexity going into those activities and also quite a lot of due diligence activities that we are doing that we feel we need to be doing the right thing. More requests, while trying to be as efficient as possible, we are carrying that activity into the next year and looking at infrastructure that we have and processes we have and making sure we have resilient and effective and again are ready to challenges as they emerge, whatever they might be. You want to be ready for the future and agile as well.
Good. Focus areas for 2019, again efficiency and agility, to handle whatever comes our way. Resilient infrastructure, improving further registry accuracy, working on that continually and making sure it remains where it is and gets better. Accountability is important, due diligence again. Looking ‑‑ look at ourselves as hopefully reliable source for interesting information and data on all sorts of Internet resources and I will talk about that a bit later on towards the end of the day. So this is something that we want to step up and again come to the fore on this self‑image.
External engagement activities is something that we are to go for a long time, the question is what is external. External is anything outside of the RIPE NCC, members and governments and regulators and police force and those people, also into the regions and stuff like that. Just again to make sure that we do what is expected of us by all sorts of parties, primarily our members.
So, we have been asked to give more information on efficiency and accuracy, so like I said, simplify automated processes, freeing up our people's brain works to do the complicated stuff that is hard to automate, looking at mergers and acquisitions, legal name changes, digging deep into company house documents and the like, looking at new LIR applications and sort of doing similar things there. Looking at the billing process and Gwen will talk to that later on as well when she present in the general meeting. There is a lot of efficiency to be gotten there. We looked at the website, everybody looks at the website, that is easy, it's also getting lost in there is maybe easier than we want it to be. So we looked at tracking users and seeing what they are doing, where they are going from here to there and we found there can be quite a bit of improvement, so we are looking at that also.
Other things, I don't want to steal her thunder, Rumy is going to talk about that in a moment, credential for RIPE NCC training, also the Community Projects Fund will continue to support projects in our community for the good of the Internet, good things that we can support, that we have. Again, I won't go into any details, we will see that in a little while. Projects have been selected for 2018 and 2017 have been funded and there will be a bit of progress report there.
Told us to to as best as we can with running K‑root that serves an important service that we are not only delivering to our members but to the rest of the world so we are wanting to get that ‑‑ making it a bit bigger and more capable and resilient to attacks as they might be coming along, probably will, and to increase coverage and, well, we see this as potentially quite expensive so we are slowly running this project and we will spread the cost over the next three years.
Internal information security. That's of course something that is always important. We are looking at a framework to be able to continually update it and measure the performance there. Looking at getting intelligence on things that are going on and that might be potential incidents waiting to happen we want to be prepared for that as well.
RIPE Stat is crazily, what do you say ‑‑ what is the word ‑‑ popular. Simple word. Very popular. You see the growth from within two years to from 6 million hits per day to 55 million queries, that is quite a bit. So we are looking at updating the user interface making it a bit smoother and better and to also improve visualisations for RIPE Atlas. We are looking at increasing collaborations with other organisations to be able to include some of their tat into RIPE Stat to provide a more complete picture of what is going on in the world. And of course, expanding RIPE Atlas coverage by virtual probes, virtual anchors and software probes. Right.
Then there is the not quite so technical but also, I don't know, interesting stuff going on about the ASO review project that I talked about last time in Marseilles, I think.
So the idea, just in summary, we have gone through the other regions as well by now with the ‑‑ with input for this. What we hear is, ICANN is important to the community, we should continue with ICANN, we should continue to the ASO, the way we are doing it, we have been doing it for the last many years, and especially over the last couple of years has become more complex and we should focus on number community matters that /TREBGTly touch us. (Directly) the ASO apparently is quite different to the other supporting organisations within ICANN so the main policy work that we do with ICANN is the global numbering policy, development process, and that's it. And of course on the operation we do occasionally get address blocks from IANA. So we hear that we should politely and gently decline activities with ICANN that are outside of the number community field of scope. We hear that the distinction between NRO and ASO and NRO EC and NRO NC and ASO NC is all a bit confusing so to streamline that we are having food thoughts about that as well. Like I said at the beginning, ICANN is important to us even if it's sort of a little bit remote and there's consistent support for our involvement there from the communities around the world so that is basically next steps we are going to sit together and right up what we want to do and bring it to you again.
Other engagement outreach RIPE meetings, obviously they are growing and that is a nice trend, we have a nice BoF yesterday on who we are and how big we want to be. So that is great to see them growing and you coming. We do regional meetings, you know, so smaller national‑sized meetings, membership lunches, to, again, contact our members and see what is going on, to understand what they want from us. Supporting network operators' groups, national IGFs in a small way and that fall into our scope of interest. Face‑to‑face training courses are important, are very popular, people want more. We do our best of, of course we will mainly keep them, that is the main thing. RIPE LAPS labs community building, getting studies and analysis out and getting people to contribute to that as well. We have had a hackathon last Sunday, so general academic cooperation and those types of events are not only fun but also bring good results to the community.
And yeah, round table meetings with government, not only ours next door in Brussels but in other parts of the world, talking about what we are doing, explaining things, hearing concerns, hopefully being able to, in a reasonable way, react to those concerns.
Why we go where we go. We had a couple of comments and questions about this topic, you go to all those places, why are you going there? It's to try connect with all of the community, not everybody sits in rest of Europe of course so we try to go places from where possibly people can't easily travel or can't easily travel to these places. Again, to understand the challenges that members have in various parts of the world with different circumstances that we might not normally think of easily so we want to learn. Local technical communities, that is something we see and hear every time we go, there are people that are going there that maybe didn't know from each other that they had existed and had similar interests so it's nice to see those flourishing.
Public sector concerns, what our government is thinking of and giving them information about the Internet and how it works and what we are doing and what they could be to go and what others are doing. To some degree representing to the members of policy arenas, we are very careful in the representing thing, we talk about what we are doing with you and we get our input from you so that we can say the right things. And generally spread know how and share best practice and make new tools as well. So we have been in a lot of places in 2018 and 2018 isn't quite over yet, but you see it's a fairly nice spread through the service region.
Yeah, the RIPE NCC survey 2019 is coming up so please check your mailbox, things will be happening. The last survey that we did was three ‑‑ no, will then have been three years ago and we had 4,400 participants ways great number but like I said, by now we have about 20,000 LIR accounts and maybe, I don't know, 17, 16,000 members, something like that, so we expect more participants. It's a very important thing that we do. Actually, this will be the seventh survey. I was talking to Serge earlier, this is the 4th or 5th and I looked them up and we started actually in 2002 with this kind of thing. That is certainly surprised me a little.
So, yeah, it's an important thing. This is the last survey before exhaustion. I don't know whether that means much or not but we will try on the way there before launching the survey, we are trying to again, as we do, to find the important topics that we should be asking you about. And then we will launch a survey in Reykjavik at the next RIPE meeting and do participate, please.
So highlights were the activity plan. And, you know, this presentation is sort of nominally part of the general meeting as well, like I said we expect 4,000 new LIRs. I wouldn't be surprised if it's 5,000, who knows what is going to happen but that is the big challenge. Efficiency groundwork for the future, be agile and responsive. Registry accuracy is important and remains important, maybe becomes more important so we want to make sure we to the right things and keep quality up and maybe bring it up higher. Service, we deliver good services we hope, we hear from the surveys. And quality of service delivery should stay, or maybe go up again. Stability and robustness with K‑root ‑‑ stability in general for the organisation, this is your organisation, we want to be stable, reliable, all that. And launching new activities as you see fit and useful, the idea here is always that we do things that help you doing your business or enabling you in doing your businesses. So, and credentialing is the main thing there, and abuse‑c is not a brand new host of activities, it's one concrete thing that we will be busy with next year.
Our budget. Some numbers, although this is the Services Working Group, the numbers we say usually go into the general meeting but, yeah, so by the end of 2019 we expect, as we can say now, 24,000 LIRs, like I said could be more. We forecast an income increase due to the mad growth there of 23%. We see for next year, we proposed it in the draft budget, a budget increase of 15%, that is quite significant but also very clearly coming from a couple of very new identifiable projects at that we want to do next year. We think the surplus will be I think 9 .898 million, yeah, probably 10 or something. And the cost per LIR, that is a lovely number, I always like this, is expected to drop further from 13 ‑‑ from 1445 in this year's budget so that is good trend. Having said all that, this is just the first part of my presentation and I go and dive a little bit deeper into the activity report and growing activities and shrinking activities and some numbers there in the general meeting.
I will talk about members ‑‑ members will talk about or decide on a couple of things, the redistribution of the surplus for 2018, for instance, amendments to the Articles of Association, but you have seen that of course in the agenda already. And so I can only say come and participate in the General Meeting. I don't know it might be a little bit too late, of course you have listened to us and you have seen all your emails and you certainly have registered. Any questions?
KURTIS LINDQVIST: Any questions for Axel? No. All right. Thank you very much.
(Applause)
Next up we then have Alastair from the RIPE NCC and RIPE community fund, i.e. what you do with the money.
ALASTAIR STRACHAN: I was going to say my cursive presenter notes and slides has broken but apparently not. Any questions? Anyone? No. Thanks. So, as some of, you know, I am Alastair, I am in external relations with the RIPE NCC and part of my role is to coordinate the RIPE community's projects fund. So some of you may or may not know, the Community Projects Fund was launched in 2017 at the RIPE 75 in Dubai, as one of the good of the Internet initiatives, so it basically boils down to we provide up to €250,000 per year to support non‑commercial projects, with value to operational resilience of the Internet with reference or preference given to projects from within our region.
So a quick update the successful projects from last year, so first up we have the ARTEMIS project, this is a study that ‑‑ techniques for BGP prefix hijacking, the ‑‑ next project was the Internet Atlas which is standardising methodology for monitoring digital rights online; the Cryptech project which I know a lot of you already know is creating an open source design for hardware cryptographic engine, for hardware security modules.
We also had Let's Connect, which is an open source VPN solution.
We had open BGPd, which was creating an open source implementation of BGP 4.
We had iSEND, which as clearly says, it's a lightweight IPv6 secure neighbour discovery implementation for the Android platform and also finally the at that stage I can stand K‑Root DNS mirror. I was going to give updates on this but they are pretty lengthy so I am going to do a free plug for RIPE Labs. There are labs articles from all of the successful projects, explaining where they are in their projects, how things are going, what challenges they are facing so I to recommend you have a look at those individual documents. One thing I will say, open BGPd and open BGP 4, they are ‑‑ there is a lightning talk tomorrow in the open source Working Group, that I highly recommend you all go and see. They started announcing K‑Root back in April 2018, so that was project is completed and was a great success.
So, getting on to the selection committee, where we are now with this year, so we have an independent selection committee, they are members selected by the Executive Board so it consist of one board member and three community members. So Mieke, who is glamorously in the corner sitting here, Salam, Nuno and Andreas Larson. A lot of you may or may not know them but they picked on their broad range of knowledge and diversity of experience they have and these are the selection committee responsible for grading and scoring the applications and moving forward and selecting the winning projects.
So, 2018, we saw, as I mentioned the call for application was made at RIPE 76 in Marseilles. We had over 45 applications in the eight‑week period the window was open. We saw 20 different countries, the highest number of applications came from the Netherlands, UK and Germany; however, we also had some from Nepal, one from India, Brazil, so we get quite a good geographical range and the majority of the projects fall into four main categories, so we have commune based projects, open source software, research and development and also measurements.
So based on these, we have the 2018 recipients to announce, which is the moment I will introduce Mieke, who is from SIDN funds but one of the selection committee members responsible for picking our winners.
Mieke: Thank you. I am really honoured to be part of the selection committee for RIPE. In my daily work I select projects for SIDN fund adds you mentioned before. When I do that I look at impact, is the project innovative, does it benefit the general interest, could it be scaleable and is it for the good of the Internet, which is really a difficult topic, of course. But having said that, I can announce the five projects of this year.
The first one is Ethra, collaboration between Colombia university, UFMG, Brazil, Lancaster University UK and this project will develop techniques to intelligently allocate probing budgets by developing techniques to infer still trace routes at low measurement cost, identifying IP level changes implied by BGP updates and to identify and correlations between the routing of the different probes and destinations.
The second one is one from the Netherlands, it's a project which is called My Data Done Right. It's an on‑line tool being developed by bits of freedom, the digital rights organisation that gives citizens of the European Union control over their own data and designed to be used by people of little knowledge of the topic and the tool will be made available in all 28 countries and 24 languages of the European Union will be maintained by the partnering organisations.
The third project is the Internet Health Report; a collaboration between IIJ Research Lab WIDE, Wesseda University ‑‑ large measurement platforms to it automatically pinpoint connectivity issues or routing changes that have ‑‑ may have detrimental effects on other networks.
The fourth one is the open source RPKI certificate authority software and NLnet Labs will create an RPKI certificate that allows network operators to run RPKI software on their own systems and link it to the RIR parent system in an RFC standardised way.
And then the last one is a con den says based approach to anonymise network logs, this came from the Yormouth University Jordan who will develop a new autonomisation technique that provides stronger privacy ‑‑ and is a robust to various attacks. This project will generate a prototype tool that can be further tested in real life situations and encourages sharing of network data sets.
So these are the projects of 2018.
(Applause)
ALASTAIR STRACHAN: As Mieke said, they are the projects for this year. I do want to quickly say thank you to the selection committee, Salam, I can't see you, I assume you are there somewhere. Also Nuno and Andreas, they put a lot of effort and their own time in doing this and we appreciate ‑‑ are appreciative of that. So, just a brief look to the future. So the call for applications for 2019 will take place in Rick Vic at RIPE 78 in May. Again, please keep an eye on the website and RIPE Labs, another plug, check RIPE Labs. People an eye for progress reports from the wing project and also updates from the call for next year. And if you have any questions, drop me an email, projects fund@ripe.net, find me in the corner, I will be the overdressed man sweating a lot because I did not expect it to be this warm. Any questions, any problems, come find me. Except you, Jim.
JIM REID: It's just a comment about the last year's awards and more of a reservation and something I hope the committee could bear in mind for the future. I am kind of uncomfortable about the idea of using the Community Projects Fund money to pay for route server instances, that seems to be something that should come out of a separate pocket in the NCC's money and I would be very unhappy if we ended up in a situation where good projects doing analysis works and other matrix and things have been suggested would not be getting funded because money is going into pay for Anycast instance. I realise that, anywhere else in the service region is a good thing and that is to be encouraged so I am not complaining, and it's one pocket the money is coming out of as opposed to another I would ask the selection committee to bear that in mind for any future requests that come on.
ALASTAIR STRACHAN: One thing I will say that on because you are not the only person mentioned this, with that project specifically, there were additional things that they were tying in with that K‑Root, it wasn't just yes you will have a K‑Root done, there were additional things and we can discuss this. But yeah, we are aware of that.
JIM REID: It sets a precedent which might cause problems in the future. And of course I am not an NCC member so I don't really have a dog in this fight, I perhaps shouldn't be even saying this.
KURTIS LINDQVIST: That was discussed in NCC Services Working Group a year ago as well. Any other questions or comments?
(Applause)
And so next up we have a new face in the NCC senior management parade, Felipe.
FELIPE VICTOLLA SILVEIRA: I am the new COO at the RIPE NCC and this is the operational up day. Who here was at the RIPE 75 in Dubai? If you have a very good memory you might remember this slide, that my predecessor Andrew de la Haye used on his presentation and I thought it would be good place to start my presentation because it explains pretty well the main challenges that we have to face within operations on a daily basis, which is in one hand keeping an accurate registry and for that in many cases we have to ask you very tough questions and be quite annoying, and on the other hand, provide a good customer experience and finding the right balance between those two things can be quite challenging, and in my talk today I want to aim to answers ‑‑ give some answers to this challenge.
So I will start by explaining what is going on within operations, like what the main trends that we are observing.
So the biggest trend we are observing is a very sharp increase in the number of frauds, I mean it's no secret from anyone here that IPv4 is worth a lot of money and where we have money, we have criminal activities. And with us is no different. So we see a very large number of fake passport copies, fake certificate, fake company registration papers and so on.
So this just to illustrate the number of investigations we have been performing over the last years. So, for example, in 2015, we have seen 26 investigations performed. This year, so far, we have seen 128, which led to the disclosure of 203 LIR accounts, so it's a very high number.
And of course, this very large number of frauds lead to an increase in the work complex, especially for requests that involve resource holdership change. So in order to protect your resources, we have added a number of steps on our due diligence process, in order to make sure it's watertight.
So just to some examples of things that we have added over the years in order to make the due diligence process more strong. So, for example, in 2010 we start closing LIR accounts due to frauds. Back in 2015, we start reviewing national authority documents every time there is a legal address change and for an LIR. Back in 2016 we start checking whether the person signing the contracts is actually authorised to sign on that company's behalf. And so on. So this is just to give some examples of things that we have added over the last years, that is increasing the complexity of our workload.
Another trend that they are observing, that Axel also mentioned in his presentation, is a very sharp increase in the number of accounts that we manage. Again, due to the IPv4 exhaustion, one of the ways you have to get the IPv4 address is to open first an LIR account or an additional LIR account and there are a number of companies doing that. So this is the growth over the last six years, since we reach the last /8. So when I joined the RIPE NCC back in 2012, for example, we had 8,200 LIR accounts, exactly one month ago, on 17th September, we reached a mark of 20,000 LIR accounts. So this is the number of new LIR applications that they receive over the last six years, so back in 2013, for example, we had 1,600 approximately new LIR applications. This year, so far, we received around 3,200 and we are expecting an additional 1,000 until the end of the year, which may lead to around 4,000 new LIR accounts just in 2018.
And surprisingly, the number of tickets that we have to handle within customer services and registration services is actually not increasing that sharply. What is changing though is the nature of tickets, you can also expect, so for example, back in 2011, almost half of all the tickets that they were handling were resource requests so basically people coming to us and say can I have more IPv4 address space. Today this number is much smaller, around 17% which kind of makes sense since running out of v4. What is growing is resource holdership change request so things likes policy transfers, mergers and acquisitions, independent resources update, all these kind of things which also makes sense, right? And these requests are the ones that are mainly targeted for frauds, and these requests are the ones that were mainly affected by all these additional steps that we have added on our due diligence because we want to make it ‑‑ want to make sure that everything is done properly.
So now I want to say the things that we are doing to address these challenges.
So first thing I want to talk about is risk management, how we are managing that. If you think about it, every time we receive a resource holdership request that is a certain chance that there is a fraud involved in this request and there is no way we can know that upfront. So right now, we operate on a zero risk tolerance framework, which means that we expect that we cannot make any mistakes and also operate on a trust no one framework so basically ask a lot of questions, to be 100% sure that everything is correct. And of course, this have annoyed many of you so that has led to some complaints. To the board more specifically who have asked us to look into this issue. And specifically, what the board asks us to do was to look into a professional trust model how to manage risk. This means basically that we should assess the risk based on a defined set of risk indicators, in a similar way a bank would if you are asking for a loan so fending on the size of the loan there is more risk or depending on your credit history, all that sort of stuff. And the main goal of this is to apply a stronger due diligence in the right places. So where we have high number of risk indicators, then we apply stronger due diligence, where this Rick indicators are not present, then you can just do the basic checks.
So this is an explanation of how this framework works in practice, like more specifically. So, on the left side, your left side, we have the basic checks, so things that we have checked, have to check regardless. So, for example, if you are submitting a policy transfer, you have to provide us with company registration papers for both offering party and receiving party, you have to provide us with a sign a transfer agreement, and if things are not present we are not going to process where you are request. Now, if these things are present then we move into the second box, which is the risk indicators. And we check them and if there are certain number of risk indicators are present we go into further investigation, otherwise the request is approved. So that's the basic idea behind the trust model, the professional trust model.
So, where we are in this project: So we defined a framework for policy transfers and we are running a pilot as we speak now, in registration services are taking a subset of all the transfers and running also against the new model. So to evaluate we are going to report back to the project team and that will be used to define a unified framework for all the resource holdership change requests. This is going to be presented to the Board, if the board approves, then they are going to start implementation early 2019, some point in Q1.
A question that's ‑‑ I keep hearing over, for example, at the last GM this question was asked, is, what what is the RIPE NCC doing to increase efficiency? And the truth is we have been doing quite a lot and I want to report on some of these initiatives that are being done within operations.
One of the main things we are doing is to automate work that is like manual work, repetitive and it is worth automating so that the cost of automating this work is actually lower than the benefit you are examining to get. So to do what Axel mentioned if his presentation, so you can focus the brains of the RIPE NCC, on the right things. So on things like, for example, making sure that the requests are correct, the documentation provided is good, the right person is signing the contracts and so on.
So now I want to report on a couple of projects that are meant to increase the efficiency, so these projects, they target resource holdership change requests. So if you remember from my previous slide on the chart of the kind of tickets that we have, so these are the tickets that are growing, and also the requests are mainly targeted for frauds and also they are the ones mainly affected bit increase in the work complexity, so that's why we decide to focus on these projects.
So these projects, they are divided into two phases, on the first phase we focus on the customer facing side of things, in other words on the request forms in the LIR Portal, and on the second phase we focus on the back office, so everything that happens afterwards, afterwards that the request is actually submitted. So this phase is all about automation and the streamlining procedures. So concerning user interfaces, the problem we are trying to solve is especially for mergers and acquisitions, when you receive a request there are a number of things that are missing on this request, like it was not sent the right document or a lot of information that are missing, and that's mainly due to the quality of the request forms in the portal. So what they are to go is, we are changing this request forms in order to ask the right questions, so we get the right information in one go and it can avoid all this back and forth in the communication that is very annoying for you and also very time‑consuming for us. That way, we are aiming to increase the efficiency, also provide a better customer experience.
So now, this is a screenshot for the transfer wizard, this has been in production since April this year. And now we are working on the new mergers and acquisitions wizard. Some flavours have been deployed to production already since August and we should be deploying the last bit at the end of this month, more or less.
So now about the back office. So as I explained before this is all about automation. So, for example, want to automate all the checks that need to be done to support the authorisation of this operations, so for example, when you are submitting a policy transfer you cannot have any more specific assignments underneath the block that you are transferring cannot have any root objects, and today, the registration services staff have to query this manually in Whois, which is time consuming. So we are all automating that, and then you have all the checks in our CRM showing this is correct, this is correct, this is not good. So then you can focus there.
We are also automating the document management side of things so use a document management system to store all the documentation like company registration papers and so on. These documents they have to be tagged correctly so they can be found later on concerning which ticket they refer to or to which resource if it's about the transfer, so this all being automated away. And also when the request is finalised, when we approve, we have to update the internal registry plus the RIPE database, very time consuming, error prone and we are automating that you will away and the goal is to increase efficiency and to focus the manual labour on the right places, like making sure that a request is correct.
Concerning time‑lines for transfers, we are finalising the project so by the end of this month should go to production so since it's not customer facing, should not see anything in the LIR Portal but should notice the difference on the speed or I hope. And for mergers and acquisitions, we want to start working on it at around of this year.
So that was basically my presentation.
Just to recap: The key points that we have discussed... so seeing an increase in the work complexity due to the very high number of frauds. We have experienced very heavy workload due to the membership growth, and we are tackling those things by looking into a professional trust model to manage risk. And also by automating and streamlining the processes in the request involving resource holdership change which are very complex.
So that's it. Thank you very much.
(Applause)
KURTIS LINDQVIST: Thank you.
RANDY BUSH: IIJ and Arrcus. I am part‑time measurement researcher and in the fraud, excuse my jargon, are you finding a lot of mice, a lot of elephants or both?
FELIPE VICTOLLA SILVEIRA: I am not sure if I understand your question.
RANDY BUSH: Little bits of fraud, small people take regisering one invalid or two LIRs, are you finding cases where people are registering dozens? Elephants or mice?
FELIPE VICTOLLA SILVEIRA: I don't have all the data but I would say we have a bit of both. We had cases in which we have closed several LIR accounts in one go, but I am pretty sure that someone else will answer this, you also have smaller cases. Right now I don't have the answer on the top of my head.
RANDY BUSH: But you to have some elephants.
FELIPE VICTOLLA SILVEIRA: Yes, we do.
RANDY BUSH: My sympathies.
ELVIS VELEA: You guys are trying to automate a lot of things and I like that. I do have one question, though, and this was asked on the mailing list at some point a few months ago; the ticketing system still spits out documents that are being sent by email, by someone to the NCC instead of using the LIR Portal upload.
FELIPE VICTOLLA SILVEIRA: Yes.
ELVIS VELEA: And those documents are still there available if that person forwards the email to a broker, I can click on those links and see copies of IDs, anything that was sent to the NCC via email gets a link in send desk. Maybe you guys should try and become those available only with login or somehow ‑‑ those are basically some links with documents which should not be easily available by anyone.
FELIPE VICTOLLA SILVEIRA: The documents are advise visible because of the ticketing system.
ELVIS VELEA: Let's say a copy of a passport, the ticketing system creates a link and then the RIPE NCC .net attachments something like that. If that email, the conversation with the NCC is forwarded to someone else that someone else can just click on the link and doesn't need any authorisation or anything, will just access had a copy of an ID.
FELIPE VICTOLLA SILVEIRA: To be honest, I was not aware this was the case. I thought as soon as you upload a document through the link it would be private. Maybe we can check later on to make sure we remove this. I agree that it's not ideal.
ELVIS VELEA: I think it was already mentioned a few months ago on mailing list but it's still happening. We will talk off‑line.
AUDIENCE SPEAKER: Alexander Simon: Sounds so beautiful presentation, seems previous operations officer did not nothing for automation. You are planning to automate a lot of things, as we have seen from previous, is decreasing year to year, so what kind of decrease of cost per LIR are you expect after this automation? Maybe not €100 but €500 per ‑‑ after automation finishes? Do we have such?
FELIPE VICTOLLA SILVEIRA: A very good question actually because we wanted to measure all those things, right now I don't have any numbers to give you, but the idea is to measure, for example, the lead time that each application takes, between the moment that you submit a request up to the moment that it's completed on, and we want to measure that and expecting to see a decrease, especially for these two kinds of requests. We also measuring the customer satisfaction so as soon as a ticket is closed we send a survey and we want to see also any improvement there. And another thing that we do, but that is company wide, is the cost per member, so how much it costs to each LIR based on our budget divided bit number of LIR accounts but it's hard to measure based on these specific projects but the idea is to have based on other initiatives as well that we are doing. And just to answer your first comment that we are starting automating things now, that is actually not true, we have for example resource requests completely automated as things like four years ago at ‑‑ focusing a little bit more on this area.
AUDIENCE SPEAKER: But I hope and pray for ‑‑ decrease. Thanks.
RUEDIGER VOLK: Deutsche Telekom. I heard you essentially only talk about services related to number resources. I wonder whether you are also responsible for some other operations where, for example, my experience is that for tracking the status of operations and the ‑‑ well, okay, recording problem reports and tracking the follow‑up, in my experience falls pack to the ticketing system used for the resources and is completely inadequate for tracking that kind of stuff. Is that a different department or is that also under your control?
FELIPE VICTOLLA SILVEIRA: I am not sure if I understand your question.
RUEDIGER VOLK: Well okay, if I report that I'm getting a bad syntax in database objects and it turns out that the database lost the ability to even parse a simple email address and accepts bad stuff which then blows up, well okay, I submit an error report and kind of that seems to be operations
FELIPE VICTOLLA SILVEIRA: It, it will go to customer service that it needs, etc. Escalation go to the RIPE database team and you get your answer. Why did you say the ticket system is not adequate?
RUEDIGER VOLK: The experience is the ticket system at least as it has been used is just recording, someone has the token for the next operation, which doesn't tell anything about what the processing state of the analysis of a problem is, and the ticket system also is not adequate for tracking, yes we have discovered the syntax problem and it should be ‑‑ well kind of, it is closed immediately and we wait for maybe years until someone actually picks it up.
FELIPE VICTOLLA SILVEIRA: I get your point. We don't use the ticketing system for that so it's mainly for tracking the communication so let's say we report a bug in the RIPE database, so that's ends up in the RIPE database team and there we create a bug in our internal bug tracking system but that's not feasible for you so maybe you want to have access for that, something like that. Then we have to see how we can implement something like this. Thank you for your input.
RUEDIGER VOLK: Okay.
KURTIS LINDQVIST: Okay, I think that was it, thank you very much.
(Applause)
So next up we have Rumy with the ‑‑ the RIPE academy, RIPE training and academy, I guess.
RUMY KANIS: Thank you. Good afternoon, I am the training manager at the RIPE NCC. And I am here today because I want to give you an introduction on a very exciting project we have been working on.
So historically, over the years, as you know, we have ton a lot of activities for our members, mainly trying to increase efficiency and increase the knowledge in our community, so our goal is to train our members to work better with us, to have better knowledge, to work better with each other and to build capacity across our service region. Over the years, our target audience has slightly evolved so we don't only focus on members, but we also train people from the community alongside meetings and conferences, for example, we go to universities to train students, we train law enforcement agencies and other regulators, we do some internal training for our staff as well so we have been developing a lot of activities over the past years.
For our community, as I mentioned, we have our face‑to‑face training courses which are still very popular, people keep asking for more. This year, we will have ton at the end of the year about 120 training courses all throughout our service region. So every week I have two [trainers] somewhere in our service region spreading the love. And for those who cannot come to our training courses or who prefer to learn in their own time, we also offer some online learning possibilities so we have webinars but also have the RIPE NCC academy which is for members and non‑members. We have the online Educa which is a full day educational event online that we do about two or three times per year on specific topics. Apart from that, we also do some courses on demand, sometimes we receive requests to do presentations or tutorials alongside conferences and IX meetings or NOGs. And finally, we also have the IPv6 programme management and the trainer programme in there.
That's a lot. And apart from that, we also try to see every year or every few months how can we do better, how can we improve our services. So we know that our training courses are very popular, we are technically up to date, we are vendor‑neutral, we also try to make our training courses fun and interactive, have people talk to each other and learn from each other so our courses are popular, always fully booked, people want more and we can't do so we are going to stick to 120 for the next year. We have noticed certificates are in high demand and really very popular, people sometimes come to the course just to obtain a certificate. So we have been thinking about that, and asking ourselves what do these certificates prove.
Basically, if one sits on a chair for a whole day and the chair is warm at the end of the day, they get a piece of paper saying you were in the course. It doesn't really mean much. But our members and participants really attach a lot of value to that so we are thinking about how can we add more value to our certificates. The other issue we have, if you look at our on‑line courses in the academy, it is actually possible to obtain certificates and scores and prove what you have learned; but, via the academy we don't really check whether the person who does the test is the person and not their very smart sister, which we all have. So great, our courses are really good quality, we know that, people like our certificates. But as I mentioned, the certificates don't really prove anything. How can we add value to that and especially how can we do that without increasing the cost too much for our members? Because you don't like it when we increase costs. And also how can we make sure that these certificates match the needs of the job market? Because people want to have certificates so that they can prove they have acquired a skill.
So, that is where our exciting project comes in. Credentialing ‑‑ you like definitions. So credentialing basically is a process that forces people to go through a process where we can assess whether they have the skill needed to do the job. How do we want to do that? Our idea is that our content will be available to everyone so face‑to‑face courses still only for members, on the academy, members and non‑members can follow the courses, and then if they want to obtain certificate, they can book an exam, we would provide vouchers for members, non‑members would pay for that and through an online proctored platform these people can take an exam.
This online proctor or live proctor will verify the identity of the person so we know that not someone's very smart sister is doing the test but they are doing it themselves and these tests are done in a secure environment. This means people will not be able to take convenient shots of what they are doing so questions cannot leak. People will not be able to Google or look up the answers, they don't be able to have a phone or another person in the room so it's really a secure environment in which they will take the test and once they have done the test successfully they will get a badge. That is different from certificate because we are modern and we like to innovate and the new hype in the learning industry is digital batches, we do away with paper, still get a PDF, people can share it on LinkedIn and Facebook and all kinds of social platforms and the other advantage of a digital badge is it contains a lot of information. So potential employers can click on the batch and know exactly who issued the badge, when it was issued and what the badge holder learned to obtain that badge. So that's one thing.
Now, we can prove that the person who is doing the test really is the person who is doing the test but there is another element, we also want to ensure that the knowledge people obtain matches the job market so that it adds even more validity to the certificates. How do we do that? That's through job task analysis. We have done a bit of that in the past already and make very sure our training courses are tailored to the needs and want to ramp this up and meet with people from the community, ideally people who do not need our courses, who to the job daily and ask them, imagine let's say we do this for the database course, ask people how often do you do what task, how important is it for your operations, what do you need ‑‑ what steps do you need to perform to do it, how crucial is it and how often to you do that, and the more information we have based on this, the more relevant we can make our content. So once we have gathered all this was, we can then build a courses and tests and certification programmes that really validate the skills and really make sure that when people obtain the certificate from the RIPE NCC, we will be proud of it, want to put it on their CV and employers looking at that will say hey, this person is fit to operate and can work with the database, I want to hire them.
So, how are we going to do this?
As I mentioned, we will start in the coming months doing job task analysis. We have already started a little bit in this area but we will continue. Then we want to modularise our online content, at the moment I don't know, some of you may have done our courses, I know a few of you here who did, our on‑line courses are quite long and bulky and we want to modularise them so people can pick and choose what elements they want to learn and have shorter elements. People can ask or book or schedule these exams take the tests and end up with the digital badge. At the end, I know most of you are certified already, let's all get certified and we will all be certified professionals. We increase the knowledge in the community, but we also prove or can prove that we have that knowledge.
And another thing that we are looking at longer term is partner models. So right now we are running a pilot with the American University in Beirut, they have ‑‑ students in their computer Science Division are following our IPv6 online training course. Once they can complete that training course successfully and done the test, they will obtain three credits that will contribute to their degree. So now we have not only RIPE NCC saying you are good at this, we have universities who are picking up on our content and want to plug it in their curriculum so we want to get that.
We have a couple of other universities who are interested in working with us and we want to finish the pilot with the AUB first to see how it goes and learn from that, but this is definitely something, having our content offered by universities will add more value obviously to the certification we offer.
Same goes for law enforcement agencies, as you know we do a lot of training already. But we have various law enforcement agencies that have contacted us that would like to investigate whether it would be possible to have agents being certified through our system.
So, as I mentioned, we ‑‑ I mean, this is a project Sander and I have been working on for quite a long time, it's been our ambition for long time, working on it for a while already. When we started working on this credentialing used to be called certification and at that time we released the RPKI thing and I am happy in the meantime the learning industry has changed the definition and called it credentialing so we don't have to confuse you think more. But last RIPE meeting in Marseilles, we met with a few community members, just because we wanted to see how would you feel about this, do you think RIPE NCC should start doing this, and would you see value if we would certify and either as an employee or potential employee or potential employer, would you find this interesting or adding value? The feedback we received was very positive, very useful as well, most people agreed that it is essential to validate the skills, also that some of the content related to the RIPE NCC is quite complex and we are the right people to offer that content, being vendor‑neutral adds another layer to that. And several people mentioned yes, they could see this as being part of the hiring process; however, they would need to be sure that these badges or certificates proved that the person who did the test actually can to something. So not just theoretical knowledge but also practical knowledge which is again where the job task analysis come in. And finally, the university collaboration, as I mentioned that will add a lot of value to the certificates, but it will also encourage younger people into the community. I am not saying you are old but it's good to have some more young people participating in a community.
So what are we looking for? We would love to have your input. We are building a stakeholder group because we ‑‑ there is lots of [tests] that we heed to make, levels of credentialing, pricing, should we charge people, how much should we charge for these certificates, so these are things we would like to agree in a kind of a bottom up process.
Job task analysis: Are you an expert or do you employ experts? Please talk to us, we would love to do an interview with you or your staff.
Content review. It is crucial that our content is of top‑notch quality and especially that the tests we link to the content are all of good quality so we would love to have people help us with that and love to have a pilot group. So if you are interested in working with us and collaborating on this please come to me or to Sandra and I look forward to working with you. That was it.
(Applause)
KURTIS LINDQVIST: Any questions for Rumy? Comments, thoughts? No. Okay. Thank you very much. There was one, sorry.
ERIK BAIS: I was not previously informed about this whole project and I think it's a very, very interesting process that you are taking on here. So kudos.
RUMY KANIS: Thank you.
KURTIS LINDQVIST: Thank you.
(Applause)
So, with that done, we then have a policy proposal as you probably all know, and we are going to let Sara from Europol present the proposal as being discussed on the very actively on the mailing list and we will then have a brief discussion on what to do with this or how to proceed, rather. And then we will take it from there.
SARA MARCOLLA: Thank you very much for hosting us. I am Sara, I come from nearby, the Hague, so where Europol is based, and today I am here to discuss with you further our policy proposal which I know had been very lively discussed last week, if I remember correctly, more than this week actually but I think because everyone is busy here this week.
But before go into the details of the proposal, I would like to walk you through where we are coming from with this proposal, actually, so maybe you can just go out of your shoes of engineers and people that work in companies and ISPs and try to fit my shoes that today are sneakers so you might well fit into them, and see where we come from with this proposal. I'm saying this because Europol is a law enforcement agency, we are not really law enforcement agency per se we are helping the coordination of all the enforcement agencies across the EU. And one I think that we do is, we listen to them because they are our customers, and one thing that they help us build is intelligent and intelligence picture of what is happening across the European Union, in this case because we are based here. And what you can see on the screen actually is the top threats and trends that our law enforcement agents have been seeing throughout this past year, that had been built into product that we call [eye] October at that and you can find it online, it's publically available information so you can read it if you like to understand what law enforcement seize. If you look through these different pictures you will recognise some of the crimes that you might hear in the news everywhere or that you might have bumped into in your daily work. And this is exactly what we are trying to do.
So we are trying to help law enforcement agents in the Member States to come together to fight these crimes that are all cross‑border and have one thing in common which you can probably understand, it's the presence of an IP address and here is the place where we discuss IP addresses as well as in the IETF, but we are here to discuss this, and this is basically the picture that we have.
So there are a lot of crimes that are increasing. There are a lot of crimes that are continuing, like in the case of DDOS or card‑not‑present fraud and all of this have the need for an IP address which is misused, which is malicious in some cases or just going to be not used for the greater good which is significant really believe in, the greater good I mean, not the malicious activity, of course, just don't quote me wrong, and I honestly hope that this community is aligned with me on these. I know we might have our own differences in terms of how we want to implement it and the policy proposal discussion probably is one of these places but I would like all of you to be here with me on this, because this is important for all of us, and for our parents and our children and everybody else that is in the world and is using Internet, because what we try to do is to make Internet a safer place for everybody and I really, really hope that you are on board with this with me.
Otherwise we might have a problem in understanding where we go next.
Basically, we are here in this moment, we are in a discussion phase, which is very, very animated and very exciting for me to be here, because I really hope that going home after this meeting you are going to be participating in this mailing list. Because I will tell you a secret. In this mailing list there are 20 people participating actively and that's it. I see a lot more faces in this room and a lot more faces I cannot connect to the names so I think that there is room for more participation. I really like this mailing list system because it allows everyone from the comfort of their couches to type in something and a thought. And a policy proposal in my opinion, and I think you might share this opinion with me, is something that comes from the community and we are all part of the community, as we are all part of the ecosystem. I was speaking about before which is an ecosystem we try all together to keep safe and again we might not agree on the way we keep it safe but we agree on the baseline that we want a safer Internet for everybody. And more resilient and more proactive in fighting threats and in the end, an Internet that we would like to leave as citizens and that is on top of what we do on a daily basis.
So this is where we are. You still have some time actually, until 26th of October, for commenting in the mailing list and please, have a look at the discussion that has been made because there are some points that are of valuable discussion in the past and you might not want to repeat them again and again but you might maybe to chip in with some different perspective which is exactly what I'm looking at because when we throw this policy proposal out in the wild we were trying to do a good thing or trying to do something and we were trying first and foremost to give the community the opportunity to comment. This is why it's out there and not a secret something somewhere.
So, this is the policy test and text, I am not going to read it for you because you have eyes and you can read it as well but I am just going to leave a thing here: Is this is a proposal for the community, which means that if the community doesn't agree with a proposal, of course the proposal doesn't go further but if the community agrees that there is something good in the proposal they can and they should come back and come forward to discuss what can be improved in this proposal. Because there are a couple of things that I think we can ‑‑ I can tell you that where is ‑‑ where the proposal comes from, is I'm very conscious of the time of people and one of the things that this proposal is trying to do is trying to really, of all the engineers that are trying to do their job on the Net, to respond to legal inquiries, which is something that they don't like it and they know it because I work with a lot of engineers and I adore them but they really hate this paperwork and legal things so this was one of the reasoning behind this policy proposal.
Why now you see a little box there? Because this was one of the most valuable contribution I think during the discussion, the preliminary discussion that we had, because the proposal was trying to push forward the legal address and these caused a lot of uneasiness in the community concerning personal data, which is perfectly understandable and in the wake of the GDPR we are all enthusiastic about having the control back as citizens of our own data, which is fantastic, I think, but of course this has some impact on other things and our colleagues at ICANN know something about it. In this case, we try to protect the citizen that is a resource as well, by using a different methods of identification of such resources by means of something that is already existing which is registry of enterprises, which more or less every country has. And we have been discussing about this for a while, there are different opinions on this as well, but I think that this could be a good starting point because on one hand it is something that protects the privacy of the individual and on the other hand still keeps this need for identifying who we have legally to contact in case of certain things and the jurisdictional framework especially on where these can happen without hampering the privacy of an individual which is something we don't want. So, I think the best for this session is, I am conscious about the time, so I probably open for some questions, some comments and some proposals. Actually, if I may ask you, because I am on this side of the table this time and I can ask you a favour, is it just try to be proactive as well and propose something. I see that perhaps you might have questions or very strong comments, I really appreciate the comments that are constructive and I really do not think that they do any good to my proposal or to any proposal the comments that are like curbing the thing and saying this is not useful full stop, please argument it because I will learn it as well, we can learn a lot from all of you.
KURTIS LINDQVIST: Thank you. From the chairs as well I would like to stress if you have constructive criticism for how it can be improved, that is welcome, it doesn't have to be progress as it is, you can work together.
RUEDIGER VOLK: Deutsch Telecom. I have limited time following that mailing list discussion. What I get is there have been questions raised to the exact intent and meaning of stuff and in particular I think I did see from one of the well‑known sources of considered reason in this community, Dr. O'Reilly, a statement that I think very clearly pointed out some weak spots and more questions and kind of I would like to know do you think you will be doing a next version of the proposal sometime soon so that I get something that makes actually sense to read? I have something like very few bullets that I would like to point out that for amendments of our database schema, I think we should demand that proposals for doing this always come with a draft description of what will go into the manual telling the people who are supposed to provide the data what it is supposed to be. And then of course also very clear ‑‑ very clear statement about the intent and the use and that is actually something that is usually a legal requirement to be provided in databases and I do ‑‑ I think those questions so far have not been addressed really explicitly and they need to be addressed explicitly and very clearly.
KURTIS LINDQVIST: Can I make one thing about the ‑‑ Address Policy had a discussion this belonged more in ‑‑ abuse, and we decided to accept it here and we fully acknowledged there were parts of this, the actual implementation of database that would have to be complemented to this but that was decision we made, to start the discussion. So I think from the chair's point of view we are aware that was missing but still accepted the proposals. I want to clarify that, that was well‑known.
SARA MARCOLLA: If I can chip in and I try answer is there will be a new version of course because we have3 been working on trying to incorporate as much comments as we can and again, please if you have specific remarks, I think that the new version we can go in the coming weeks, if you have specific remarks send them via the mailing list because it's easier to merge them with similar remarks we receive.
ERIK BAIS: So let me start with this, the intent of the policy. You want to find an easy way where the specific LIR or resource holder is located, correct? The NCC has that information on an internal database which is called the registry, not the Whois, that was not what the intent for the Whois was.
Secondly, in your proposal, you state, well, it's not mandatory, we would like you to register your customers' information in the RIPE database. Are you out of your mind?
SARA MARCOLLA: Not that I know.
ERIK BAIS: Do you have any ideas how many objects in the RIPE database are out there for us to manage? And you are not paying us enough to be able to do that. In fact, we, as citizens, are paying Europol and you are not doing your job. Because you want us to do your job.
(Applause)
So what I would propose is, if the police, if Europol, wants to have a legal ‑‑ has a legal requirement for an inquiry for that ‑‑ that is not publically available, the RIPE NCC has the data, with the information currently in the database there is information about the country, and you can get the information from the Chamber of Commerce of that specific country. If there are specific things that you are missing out of that match, then, yes, that's what an investigator needs to do from my perspective. What is your comment on that?
SARA MARCOLLA: My comment is again, please forward your comments and feedback via the mailing list because apparently the mailing list is a place where the decisions are made.
ERIK BAIS: I know, but this is where we are having the discussion here as well.
SARA MARCOLLA: You are welcome to join the discussion.
ERIK BAIS: I am on the discussion, trust me.
SARA MARCOLLA: That's good.
ERIK BAIS: Are you going to comment on this on here?
SARA MARCOLLA: I am not going to comment on this on here. I say I am gathering feedback and urge people to go on the mailing list and present their feedback there.
KURTIS LINDQVIST: Can I ask a question, Erik, what you are saying you don't think there is any role for this policy proposal at all because the data is already available either through the registry of the RIPE NCC or the company registry?
ERIK BAIS: Yes.
KURTIS LINDQVIST: Do you mean there is nothing to be done at all?
ERIK BAIS: The usage for Whois ‑‑
KURTIS LINDQVIST: That is ‑‑ I tried to ask you a question, what are you saying that today is fine?
ERIK BAIS: Yes, so the policy in itself should not be here, in my opinion.
SARA MARCOLLA: If you can please put it in the mailing list it will be captured, thank you very much.
ERIK BAIS: I will do again.
JIM REID: First of all, Sara, I would like to say thank you very much for presenting here and I can understand you might have a degree of apprehension about that given some of the comments on the list.
(Applause)
And I should also say that I am probably partly responsible for that apprehension.
There are a few things I would like to say here. I think this policy proposal shows an impedence mismatch what law enforcements' expectations are and the RIPE community's understanding of those expectations and the fact you are here to have a dialogue with us is very welcome, we should do more of that. I wish some of this had taken place before the proposal was put forward. There are one or would things which I think need a lot more work and consideration, for example the discussion about information about an address holder, are we talking about LIRs? You clarified that on the list but the proposal as it stands is now an address holder so that means anybody that has got any IP address anywhere in the RIPE service region. I think that is rather impractical. We need to come back and think about this. My own personal opinion is anything to do with Whois is completely and utterly broken and if Whois is the answer, the wrong questions are being asked. So, in my view, what you really need to do is to be given access to, I suspect what law enforcement really need to do is get access to that internal database that the NCC maintains about all the LIRs, I think that's probably what you are looking for. And if that's what you really are looking for, Whois is not the place to try and get that done, and I don't think adding more functionality to Whois is either going to be helpful in the lrong run either to what you are doing or to what actually what the NCC is trying to do in the data it's providing. Whois is a stinking horrible mess and the sooner we can put that on the one way path to [dig] /TPHAS the better.
SARA MARCOLLA: I feel more sorry for the Whois than myself.
JIM REID: Get rid of it. I think we have to sit down and have a dialogue between law enforcement and members of this community to find out what the problem is and come up with a workable solution on that [raises] that problem. We obviously have a requirement and also a moral obligation to ‑‑
SARA MARCOLLA: I really appreciate this comment and I think it's very worth what you just say, I think law enforcement is very new to the community and this is one of our ways of interacting with you and working on this policy proposal is just one of the ways so we can go further and try work on something that is a workable solution for the whole community because I think that law enforcement by now it's part, a little bit part of this community as well and we feel at least a part of this community because we are trying to participate with it.
(Applause)
KURTIS LINDQVIST: I'll ask people to be a little bit shorter, in 20 minutes we are going to start the GM, you have to be out of here and back in.
AUDIENCE SPEAKER: [Ray] but speaking on my own name. We had a chat just over a coffee, I really have to say appreciate the work Europol is doing for making life of people more safe. There is no way around that. But if you could go back to a few slides back where you make a distinguish between ‑‑ that is the one. The one with the two blue dots. Stop. So, there is one part where it says where the company is legally located. The Chamber of Commerce handles all that kind of information and that they have their own databases worldwide and in Europe. And there is the other thing where the engineers are located, that is the RIPE database. And no, we don't have anything to do with the legal paperwork, we don't handle the owners or the shareholders, we don't handle any of that. And we would like to keep it that way, no matter how much we would appreciate the work you are doing. So I think it's not a good idea. Thank you.
SARA MARCOLLA: I agree on that, that the engineers don't want to do it and that is exactly the point of this proposal. One of the points was like taking this away because if I need to know as law enforcement where something is happening, and the only contact point I have is the engineers, I will bother them.
AUDIENCE SPEAKER: It's not the only one you have, you have the Chamber of Commerce where all the legal matters of the company are registered, find it there.
SARA MARCOLLA: In some cases it's not so clear and you are just finding these ‑‑ this information down here. So it's just a matter of one step less.
AUDIENCE SPEAKER: It's not. It's information that is not being updated, it would be extra stuff, it will be a delay in your important work.
SARA MARCOLLA: Can be.
AUDIENCE SPEAKER: Hello, Niall from Sabre in Greece. Thanks for your presentation. I have a question and comment. In the first slide from IOCTA ‑‑ I think I have noticed [‑‑] so probably this is the cases for most notably in Europol, right?
SARA MARCOLLA: Well this picture is like general picture, so yes.
AUDIENCE SPEAKER: I do not see any child porn or extortion issues ‑‑
AUDIENCE SPEAKER: Bottom right.
SARA MARCOLLA: It's not child porn. Porn ‑‑ I cannot say it's not a good thing but this is child sexual exploitation because children are not doing pornography ‑‑
AUDIENCE SPEAKER: The second comment, it's about the presentation, so I am really happy first of all that I am here and it's my first meeting and I try to figure out the way that the policy is going on, it's developed. And I feel that we should have a good ‑‑ we should attain a good presentation because in this room I feel that many of us, many of guys here are mostly network engineers so network operators etc.. but in real life about 80% or 90% of people using Internet in Greece are normal people not network engineers. So probably these people are almost always the victims of ‑‑ various crimes and I think today or with these policies have a very serious thing to develop proper policies because if this guys right here have four develop all policies for all the users of the Internet so it's a very serious task.
Alexander: I am from a country which does not ‑‑ which is not member of Europol. So I will continue Erik's comments about why should a country which is not in Europol pay for Europol's job? It's one point. So second, I will send the mailing list, a example, unfortunately this is not translated into English well, how bypassing of standard investigating procedures done by paper, how ‑‑ hop by hop helps Russian police to chase human rights defenders, political oppositions or even create fake criminal cases against random people? So, you have possibility to send queries on a paper to police department of related country and so your rationale for this is completely void and we have completely opposite examples. So then, since you are missing and the scheme increased and have not found this objection, a resource holder might be a private person, it doesn't require to be a legal entity and immediately after you fall into GDPR hell and for example, personal data of private persons in Russia protected by a law which is completely opposite to GDPR, so you immediately went into international problems with private data. So ‑‑ thank you very much.
And the last comment, sorry, I really remember that when your previous colleagues from Europol come into this meeting and showing pictures like this, I was ‑‑ shown number of crypto hijacking, investigated and not investigated because you failed to find the address correctly with RIPE database, show numbers behind this. If you are not you are just imitating your activity. Thank you.
KURTIS LINDQVIST: Just the discussion about GDPR and ‑‑ was discussed at length on the mailing list, there was quite a few mails about it.
PETER KOCH: I see this slide I think nobody is denying the existence of cybercrime or however you name this. The question is how does that relate to the actual database and to this proposal? As some others have said, I am a bit confused by the recitals to be in EU parlance like the reasoning for the proposal is not really in alignment with what the proposal text says, that is something that needs to be clarified in terms of what is optional and mandatory and so on. Also I fail to see a clear problem statement, while I understand that Europol has a certain need to deliver warrants or have some local police send a swat team somewhere, again the gap that needs to be filled here isn't obvious to me. That said, the purpose of the RIPE database and we should not talk about Whois because there is no such thing as Whois, we have a database and various publication methods of this. The purpose of the RIPE database is to deliver a register of the resources we have, that's the purpose, the mission statement. There might be other demands like you are bringing forward and I am not questioning the purpose or the legitimacy of that, however that is not something that can be brought into the RIPE database by means of policy proposal. I believe we are far too deep in the details here. If there is any need for a register where you feed in an address and need something, some legal adverse out of this, that is a separate discussion to have, instead of trying to add things to the RIPE database I think we need to step back and have that particular discussion because I think these purposes are not in line with what the purpose of the RIPE database is. That doesn't mean though that the use of the database per the terms and conditions wouldn't be justified but you can't have justified uses that would be cross‑purposes with the basic mission of the database. And one point that hasn't been mentioned yet is, you are saying that oh, yes, this should also all apply to legacy resources. I doubt that that is correct approach, the special handling of legacy resources kind of a constitutional thing and not a check box that you would pick. I would prefer to see an explicit justification why this has to apply to legacy resources. So if this moves forward, there seems to be special consideration for that part.
KURTIS LINDQVIST: It's actually more than one database, to Erik's point.
PETER KOCH: Technically speak, yeah, fine.
RANDY BUSH: IIJ and Arrcus. First, we have discussions on list and here. Both are valid. I wish to complement you first of all for showing up, thank you. I was going to compliment you on not having this slide include terrorism and child exploitation but it's only because I didn't know the acronym. As Rudiger pointed out we have two databases, the purpose of Whois is for engineers to be able to do
Internet operations, and as Jim said, it's not doing so well on MAT. As we all know. Adding this burden is, that's the reason for half the resistance, it's already broken serving your needs, it's not going to work better for us, we are the paying customer. There is a database which comes probably somewhat close to what you want and I don't know, I have never actually seen it, because it's inside the NCC and it contains much PI ‑‑ personal information. If you want ‑‑ and those are the data you want, and if you want those data, there is a very simple way for you to get it: get a warrant.
SARA MORCARRA: Now that I have you on the mic, I wanted to ask the question on the mailing list, the Whois is not really doing well, but isn't it the case that we should make it better, like improve it or try to resuscitate it or ‑‑ save it?
KURTIS LINDQVIST: Can I remind you we have to finish in ten minutes.
RANDY BUSH: Yes, if Europol has the magic dust to do that, boy have we got an opportunity for you, we will pay you. Okay. We have been pushing this boulder up the mountain for 25 years. So don't be too optimistic. And better for what? Your need is really different from ours. It really is. I don't want to know, you know, Arnold's address. I know where to send email.
KURTIS LINDQVIST: I think we can explain that afterwards where many people sit down and explain to you why Whois is broken and can't be fixed
RANDY BUSH: I don't think she or any of us have the time to go through very thoroughly.
JORDI PALET MARTINEZ: Thanks for the proposal. I am trying to read from everybody here, I am following also the discussion, I had the chance to review an early version of this, I am a bit changing my mind, I told you I support your proposal and I support the idea of it but I see what are the proposals, trying to go that direction and I think that at the it end what you want to have is a direct access to the I think the name is the NCC registration database which has this data already, right? So why not, and I am maybe being too optimistic saying that here, why not changing the direction of the policy proposal into a community agreement to get a direct access without the need for a court order? Because I understand that the problem is that in many investigations you don't have the time and it may delay too much the investigation and create problems or additional abuses of children and things like that. That is the thing. You understand what I am meaning?
SARA MARCOLLA: Yes, the thing it's not only for law enforcement because in this case we are being the under‑represented minority and even more under‑represented to my understanding minority which is the sister community because if it's through that in principle law enforcement can knock on [a] /TKWAOR a warrant, a C certificate cannot because they do not have that power because that is a different set of powers they have and the reasoning behind this proposal was not only trying to tackle crimes, but security issues underlying and that is why it was coming like this, but I think that perhaps via our [recrying] some of these concerns, some colleagues before have said might be addressed, in principle I see an opening for a further discussion and if not, this is a policy based organisation. So it's the community deciding.
AUDIENCE SPEAKER: But did you think this possibility if the community can reach consensus on giving a direct access without the need of a court order, to that data, it could solve your problem.
KURTIS LINDQVIST: I discussed this last night with some of your colleagues as well, what we are talking about is not necessarily when you say getting access to the tat, it's not they have a direct access but that the NCC will pass on the information and be helpful in providing a connection between the resource holder and law enforcement so it's not always serving a warrant as a criminal activity, it could be victims and you need to get hold of them.
AUDIENCE SPEAKER: I understand that. Let's talk.
AUDIENCE SPEAKER: Tasha, working for German government. One organisation of German government is federal police. I am in contact with them okay. And I always have this discussion you brought up here now and usually the thing is, the law enforcement authority always we need this data and we need direct access and the data has to be accurate and all this stuff but my advice is [always], /H*PL, I am not quite sure that you really want this. Because if you do this, it applies to yourself too. And then they rethink normally about this. And my advice is, rethink about this because I'm quite convinced that our federal police is not happy having their data in this database in an accuracy form. You know? So it's really ‑‑ you know?
AUDIENCE SPEAKER: Thank you for this proposal, it's ‑‑ I support it, it's a really good idea and I want to tell everybody that it's not a big issue about this proposal, it will help to keep database cleaner and we need to keep in mind that almost all information about companies across the Europe are available and public registries but from time to time some issues, it's not possible to identify the company with Whois information, so such kind of proposal will solve this if it will be enough information about the companies. So thank you for this proposal.
HANS PETTER HOLEN: Putting on several different hats. I have been here for a long time, I happen to be RIPE Chair but right now I am speaking as chief information security officer of a large Nordic company and we have had several ongoing investigations this year which made me start to think differently about things. So, putting my historic knowledge here in perspective, I think that seriously, guys, we have made this mess, we need to clean it up.
(Applause)
So, first going back in time. It's not that many years ago that address space were registered to an admin‑c and a text‑c, if I kept the admin‑c on the eight, ten /16s I had over time, I would have been rich. They were not assigned to me personally, while it looked like that personally, they were assigned to the companies we worked for so we made some kind of change at some point in time, not a person a company, I am not really sure how that is in the database structure behind the Whois but that is what we need to do Erik ‑‑ Erik, where are you ‑‑ if you want to sell and buy addresses you want to know which company has the right to that data. So the registry in RIPE NCC needs to know the company that has registered the data. The only thing they need to store is the company ID, forget about the addresses, you can look it up in the company registers and it will be accurate. And then as an engineering community or operations community, we need a technical contact to solve technical problems and we have seriously overloaded that because the text‑c never answers. We have added abuse‑c and I don't know how many other fancy ways of doing that. The problem is nobody answers these operational requests because there are way too many. Today we have a service where we don't really necessarily have the right registration information, while we should do and that and the RIPE NCC has contracts internally so they probably have that and we have some technical stuff that doesn't work because most of the data in the database is not managed by the RIPE NCC, it's actually the customers' databases that are in there already, we have put the customer databases of all of us in there already and that looks like a mess. So, maybe that should just be taken out and the data that is left should actually be accurate and look at what data do we need in there. Maybe that is the task, and I think this policy proposal actually points at that problem.
KURTIS LINDQVIST: Thank you, Hans Petter. Sara, from the Chairs, thank you very much for coming and I think we had an interesting discussion, people have highlighted a lot of issues. Please participate with the discussion on the mailing list and we will talk about Sara in the 26th ‑‑ 25th, whatever date it was.
SARA MARCOLLA: 26th.
KURTIS LINDQVIST: I think we might continue this discussion in Reykjavik.
(Applause)
So with that, we are done, and please leave quickly because you have minus one minute before we starting the GM.
LIVE CAPTIONING BY AOIFE DOWNES, RPR
DUBLIN, IRELAND
