Serious concerns about the RIPE NCC Cloud Technology Status
Hi all, As we have seen in the past several Information Services updates from Felipe, the RIPE NCC has been moving a lot of services to the cloud, this now also includes things like RIPE NCC email, calendars, chat and video conferencing. The follwoing page gives a helpful overview of these services and the relevant cloud platforms: https://www.ripe.net/publications/documentation/cloud-technology-status/ The page states that "all services pass an internal process of strict legal, information security, technology and privacy reviews". That all sounds very reassuring, doesn't it? However.. Even though the "Data Residency" column states "EU" for all these services, these cloud providers are a U.S. legal entity (or a foreign entity with an office in the U.S.), so the data stored on these platforms completely falls under U.S. legislation, such as the CLOUD act and numerous related acts and laws. It is completely irrelevant where this data is stored geographically. This also means that the data stored on these platforms can be subject to U.S. law enforcement warrants and subpoenas. As a concerned and privacy aware citizen, i find it very worrying that basically all my interactions with the RIPE NCC in some way end up in the hands of U.S. based cloud providers. But i can imagine that these concerns are much more serious for RIPE members in countries that have a less favourable relation with the U.S. (there are quite a number of those countries within the RIPE service region) What do other members think about this, and has the RIPE NCC taken these consequences into account when they decided to move all this data and services to U.S. based hyperscalers? Thanks for your thoughts, Timo Hilbrink Freedom Internet
Hey Timo I think ultimately the question comes down to whether RIPE NCC is either a juicy enough target for the United States government to mess with, or how much members are willing to pay to continue to have the NCCs data hosted by the NCC in their own colocated racks. I think reasonable people can argue around the subject of whether hosting with AWS (and other outsourced SaaS/IaaS providers) is actually a long term economical alternative, but ultimately I think as far as general privacy I suspect that I have a higher degree of trust in Amazon's own security posture (There are many billion dollars worth of revenue on the line for them if they screw this up) over the NCC's (not that I don't trust the NCC to run stuff securely, but the scale and degree of thoroughness required for Amazon is just different) I think it's important to be mindful of not becoming a strange form of xenophobic to the United States when it comes to data sovereignty and services, there other countries which I would find more disturbing to host data in than the United States. I would be curious to know what kind of situation you are thinking that the United States may be interested in with regards to your communications with NCC On Mon, 4 Nov 2024 at 13:33, Timo Hilbrink via members-discuss <members-discuss@ripe.net> wrote:
Hi all,
As we have seen in the past several Information Services updates from Felipe, the RIPE NCC has been moving a lot of services to the cloud, this now also includes things like RIPE NCC email, calendars, chat and video conferencing. The follwoing page gives a helpful overview of these services and the relevant cloud platforms:
https://www.ripe.net/publications/documentation/cloud-technology-status/
The page states that "all services pass an internal process of strict legal, information security, technology and privacy reviews". That all sounds very reassuring, doesn't it?
However..
Even though the "Data Residency" column states "EU" for all these services, these cloud providers are a U.S. legal entity (or a foreign entity with an office in the U.S.), so the data stored on these platforms completely falls under U.S. legislation, such as the CLOUD act and numerous related acts and laws. It is completely irrelevant where this data is stored geographically.
This also means that the data stored on these platforms can be subject to U.S. law enforcement warrants and subpoenas.
As a concerned and privacy aware citizen, i find it very worrying that basically all my interactions with the RIPE NCC in some way end up in the hands of U.S. based cloud providers. But i can imagine that these concerns are much more serious for RIPE members in countries that have a less favourable relation with the U.S. (there are quite a number of those countries within the RIPE service region)
What do other members think about this, and has the RIPE NCC taken these consequences into account when they decided to move all this data and services to U.S. based hyperscalers?
Thanks for your thoughts,
Timo Hilbrink Freedom Internet ----- To unsubscribe from this mailing list or change your subscription options, please visit: https://mailman.ripe.net/mailman3/lists/members-discuss.ripe.net/ As we have migrated to Mailman 3, you will need to create an account with the email matching your subscription before you can change your settings. More details at: https://www.ripe.net/membership/mail/mailman-3-migration/
Ben Well US entities cannot do business with a lot of countries due to various sanctions such as those under OFAC. RIPE NCC might be a Dutch legal entity, but its members include companies from countries that are subject to sanctions from the US and the EU. The argument that “sure it’s not that interesting for the US govt to look at” doesn’t really address the underlying concern. Personally, from the perspective of a small member in Ireland, I’m not overly concerned by RIPE NCC moving services into the “cloud”. We use a lot of cloud services, so I’d be a hypocrite to criticise their usage. However RIPE NCC is in a quite different position with respect to the overall internet ecosystem than that of member companies, so it’d be interesting to hear from them about what they’ve taken into account in making these decisions. Regards Michele -- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ https://blacknight.blog/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Personal blog: https://michele.blog/ Some thoughts: https://ceo.hosting/ ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845 I have sent this email at a time that is convenient for me. I do not expect you to respond to it outside of your usual working hours.
ben,
I think ultimately the question comes down to whether RIPE NCC is either a juicy enough target for the United States government to mess with
not exactly. ianal. but my read of timo's point is that community *members'* data, email, etc. become subject to US law. i.e. the members are the targets wich concern timo, not the ncc. and many of the community members are indeed "in countries that have a less favourable relation with the U.S." randy
Hi Ben, It is not so much the point wether or not i trust the RIPE NCC or $hyperscaler with the data. The point is, who may get access to this data. Especially after the revelations of Edward Snowden and Wikileaks, i do not have much trust in U.S. law enforcement and intelligence services. If you ask me what kind of situation i am thinking of that the United States may be interested in with regards to my communications with NCC, it sounds like you are asking why i care about my privacy (and the privacy of other members) when i have nothing to hide. I would like refer to this article from Bruce Schneier https://www.schneier.com/essays/archives/2006/05/the_eternal_value_of.html Bert Hubert also touched on the subject of U.S. based cloud services, in this podcast, that was (ironically) published by the RIPE NCC earlier thiis year: https://labs.ripe.net/author/alun_davies/bert-hubert-internet-privacy-and-th... The whole podcast is worth listening/watching, and also check out the show notes. The part most relevant to this discussion starts here: https://www.youtube.com/watch?v=FV5tPMvSbVQ&t=2071s Timo Hilbrink Freedom Internet On 04/11/2024 15:16, Ben Cartwright-Cox wrote:
Hey Timo
I think ultimately the question comes down to whether RIPE NCC is either a juicy enough target for the United States government to mess with, or how much members are willing to pay to continue to have the NCCs data hosted by the NCC in their own colocated racks.
I think reasonable people can argue around the subject of whether hosting with AWS (and other outsourced SaaS/IaaS providers) is actually a long term economical alternative, but ultimately I think as far as general privacy I suspect that I have a higher degree of trust in Amazon's own security posture (There are many billion dollars worth of revenue on the line for them if they screw this up) over the NCC's (not that I don't trust the NCC to run stuff securely, but the scale and degree of thoroughness required for Amazon is just different)
I think it's important to be mindful of not becoming a strange form of xenophobic to the United States when it comes to data sovereignty and services, there other countries which I would find more disturbing to host data in than the United States.
I would be curious to know what kind of situation you are thinking that the United States may be interested in with regards to your communications with NCC
On Mon, 4 Nov 2024 at 13:33, Timo Hilbrink via members-discuss <members-discuss@ripe.net> wrote:
Hi all,
As we have seen in the past several Information Services updates from Felipe, the RIPE NCC has been moving a lot of services to the cloud, this now also includes things like RIPE NCC email, calendars, chat and video conferencing. The follwoing page gives a helpful overview of these services and the relevant cloud platforms:
https://www.ripe.net/publications/documentation/cloud-technology-status/
The page states that "all services pass an internal process of strict legal, information security, technology and privacy reviews". That all sounds very reassuring, doesn't it?
However..
Even though the "Data Residency" column states "EU" for all these services, these cloud providers are a U.S. legal entity (or a foreign entity with an office in the U.S.), so the data stored on these platforms completely falls under U.S. legislation, such as the CLOUD act and numerous related acts and laws. It is completely irrelevant where this data is stored geographically.
This also means that the data stored on these platforms can be subject to U.S. law enforcement warrants and subpoenas.
As a concerned and privacy aware citizen, i find it very worrying that basically all my interactions with the RIPE NCC in some way end up in the hands of U.S. based cloud providers. But i can imagine that these concerns are much more serious for RIPE members in countries that have a less favourable relation with the U.S. (there are quite a number of those countries within the RIPE service region)
What do other members think about this, and has the RIPE NCC taken these consequences into account when they decided to move all this data and services to U.S. based hyperscalers?
Thanks for your thoughts,
Timo Hilbrink Freedom Internet ----- To unsubscribe from this mailing list or change your subscription options, please visit: https://mailman.ripe.net/mailman3/lists/members-discuss.ripe.net/ As we have migrated to Mailman 3, you will need to create an account with the email matching your subscription before you can change your settings. More details at: https://www.ripe.net/membership/mail/mailman-3-migration/
Hey Timo,
The point is, who may get access to this data. Especially after the revelations of Edward Snowden and Wikileaks, i do not have much trust in U.S. law enforcement and intelligence services.
This is fair, however at the end of the day it's all a game of "whos security agency do you trust more or less" surely, I (and I understand if this is not the prevailing view amongst others) trust the Dutch security services less than the various Three Letter Agencies in the US (well, I guess if the CIA is interested in my emails with RIPE then something has horribly gone wrong for the CIA, or me) The NCC has a large area of countries served under it, so the difference for, say as a example, a British person (hi!), and a Dutch person, I suspect
it sounds like you are asking why i care about my privacy (and the privacy of other members) when i have nothing to hide.
I suggest this because I believe that a company interacting with a company is very different in terms of privacy (I will conveniently gloss over the end-user LIRs, even though I am one of them) than say, my personal email and things that hold my personal correspondence, advertising patterns, etc. The NCC holds a database full of personal data out in the public (as in the post GDPR years has proven at least some debate around this), and ultimately in my eyes is a B2B system. I suppose a lot of this boils down to "Do commercial entities deserve outright privacy?", I understand that people don't have a unanimous view here. I may be missing something drastic, but as far as my data exposure to RIPE NCC I have boils to: A) What I have in the database (something that is almost entirely public) B) Know Your Customer documentation that I submitted, though I'm unsure if RIPE even have copies of that anymore C) Mailing list conversations (again, mostly public conversations, other than in my case the working group co-chair duties I do) D) I guess I run a RIPE Atlas probe in various places, I suppose there is some argument I should not have something like that running in my home if I don't trust the infrastructure that controls that I'm not really sure what else there is, as far as some of my other suppliers in business, the NCC holds relatively little data on my operations. (I will ignore the situation of what happens if a government agency forces something to be done, because I think that is not what we are arguing here, and also low risk) I would say that if there was a *viable* EU based AWS competitor then I would ask why the NCC did not choose it, but as far as I can see things, that option simply does not exist. So I think that RIPE NCC aiming to reduce costs by using said IaaS/SaaS providers is a good thing, but obviously only if it *really does turn out to be cheaper*. Don't get me wrong, I do have arguments against using IaaS services from hyperscalers, but the privacy angle is not a hugely compelling one for a B2B entity like RIPE that pretty only stores data about it's own customers (that are businesses)
... I hit send too early (and I'm still recovering from RIPE89 To complete the truncated section: The NCC has a large area of countries served under it, so the difference for, say as a example, a British person (hi!), and a Dutch person, I suspect there difference in view on what country/region you trust to look after data/privacy concerns On Mon, 4 Nov 2024 at 17:56, Ben Cartwright-Cox <ripencc@benjojo.co.uk> wrote:
Hey Timo,
The point is, who may get access to this data. Especially after the revelations of Edward Snowden and Wikileaks, i do not have much trust in U.S. law enforcement and intelligence services.
This is fair, however at the end of the day it's all a game of "whos security agency do you trust more or less" surely, I (and I understand if this is not the prevailing view amongst others) trust the Dutch security services less than the various Three Letter Agencies in the US (well, I guess if the CIA is interested in my emails with RIPE then something has horribly gone wrong for the CIA, or me)
The NCC has a large area of countries served under it, so the difference for, say as a example, a British person (hi!), and a Dutch person, I suspect
it sounds like you are asking why i care about my privacy (and the privacy of other members) when i have nothing to hide.
I suggest this because I believe that a company interacting with a company is very different in terms of privacy (I will conveniently gloss over the end-user LIRs, even though I am one of them) than say, my personal email and things that hold my personal correspondence, advertising patterns, etc.
The NCC holds a database full of personal data out in the public (as in the post GDPR years has proven at least some debate around this), and ultimately in my eyes is a B2B system. I suppose a lot of this boils down to "Do commercial entities deserve outright privacy?", I understand that people don't have a unanimous view here.
I may be missing something drastic, but as far as my data exposure to RIPE NCC I have boils to:
A) What I have in the database (something that is almost entirely public) B) Know Your Customer documentation that I submitted, though I'm unsure if RIPE even have copies of that anymore C) Mailing list conversations (again, mostly public conversations, other than in my case the working group co-chair duties I do) D) I guess I run a RIPE Atlas probe in various places, I suppose there is some argument I should not have something like that running in my home if I don't trust the infrastructure that controls that
I'm not really sure what else there is, as far as some of my other suppliers in business, the NCC holds relatively little data on my operations. (I will ignore the situation of what happens if a government agency forces something to be done, because I think that is not what we are arguing here, and also low risk)
I would say that if there was a *viable* EU based AWS competitor then I would ask why the NCC did not choose it, but as far as I can see things, that option simply does not exist.
So I think that RIPE NCC aiming to reduce costs by using said IaaS/SaaS providers is a good thing, but obviously only if it *really does turn out to be cheaper*. Don't get me wrong, I do have arguments against using IaaS services from hyperscalers, but the privacy angle is not a hugely compelling one for a B2B entity like RIPE that pretty only stores data about it's own customers (that are businesses)
"whos security agency do you trust more or less"
i trust them all to be doing their best to violate our privacy and subvert as much as they can. spies gonna spy. when my laptop fan comes on, i assume it is gchq, the israelis, nsa, russians, iranians, ... fighting over who owns me today. randy
Hi Ben, On 04/11/2024 18:56, Ben Cartwright-Cox wrote:
I may be missing something drastic, but as far as my data exposure to RIPE NCC I have boils to:
A) What I have in the database (something that is almost entirely public)
Yes, the data that is published in the RIPE database is obviously public
B) Know Your Customer documentation that I submitted, though I'm unsure if RIPE even have copies of that anymore
Only the RIPE NCC can answer that :)
C) Mailing list conversations (again, mostly public conversations, other than in my case the working group co-chair duties I do)
Of course, also public
D) I guess I run a RIPE Atlas probe in various places, I suppose there is some argument I should not have something like that running in my home if I don't trust the infrastructure that controls that
Yes, a no brainer, as far as i'm concerned
I'm not really sure what else there is, as far as some of my other suppliers in business, the NCC holds relatively little data on my operations. (I will ignore the situation of what happens if a government agency forces something to be done, because I think that is not what we are arguing here, and also low risk)
I'm glad your life as an LIR is so simple, but many members share a lot more information with the RIPE NCC. Like information about mergers and aquisitions, payment details, resource transfers, information regarding sanctions, etc. There are a lot of potentially sensitive details being shared with the RIPE NCC. Don't get me wrong, i could be easily convinced that storing hundreds of terabytes (or petabytes?) of RIPE Atlas measurements in AWS storage is a good idea as long as the right safeguards are in place. But i do for example, have serious objections against storing potentially sensitive member data (through e-mail) in Google. Not in the least because the savings here are negligible, running your own mail service for ~200 staff isn't all that complicated, and doesn't require a lot of resources (been there, done that). And with todays virtualisation technologies really doesn't demand much rack space either. The reason i have brought up my concerns, is because i believe we, as members, should discuss these fundamental decisions that are being made by the RIPE NCC. And i feel that, so far, these decisions have been made by RIPE NCC executives, without sufficient consultation from the members. Timo Hilbrink Freedom Internet
On Mon, Nov 04, 2024 at 05:56:38PM +0000, Ben Cartwright-Cox via members-discuss wrote:
I would say that if there was a *viable* EU based AWS competitor then I would ask why the NCC did not choose it, but as far as I can see things, that option simply does not exist.
Define *viable*. With all the things you have said, OVH comes to mind (I have no relationship of any kind with them).
So I think that RIPE NCC aiming to reduce costs by using said IaaS/SaaS providers is a good thing, but obviously only if it *really does turn out to be cheaper*. Don't get me wrong, I do have arguments against using IaaS services from hyperscalers, but the privacy angle is not a hugely compelling one for a B2B entity like RIPE that pretty only stores data about it's own customers (that are businesses)
Privacy is also a topic in a B2B situation, as at least the NSA is officially tasked with commercial espionage. Kind regards, Toni Müller
And. I would like to understand what RIPE NCC will do if, at the next round of sanctions, access to the cloud or mail servers becomes completely closed from a number of countries, for example Russia. We have already faced the fact that a huge number of Western services have limited access to their resources and as the war with the Russian Federation is lost, the number of blockages is only growing. Please give me an answer: WHAT IS THE PLAN FOR THIS CASE? ----------------------------- Serbulov Dmitry a-n-t.ru
Hey Timo
I think ultimately the question comes down to whether RIPE NCC is either a juicy enough target for the United States government to mess with, or how much members are willing to pay to continue to have the NCCs data hosted by the NCC in their own colocated racks.
I think reasonable people can argue around the subject of whether hosting with AWS (and other outsourced SaaS/IaaS providers) is actually a long term economical alternative, but ultimately I think as far as general privacy I suspect that I have a higher degree of trust in Amazon's own security posture (There are many billion dollars worth of revenue on the line for them if they screw this up) over the NCC's (not that I don't trust the NCC to run stuff securely, but the scale and degree of thoroughness required for Amazon is just different)
I think it's important to be mindful of not becoming a strange form of xenophobic to the United States when it comes to data sovereignty and services, there other countries which I would find more disturbing to host data in than the United States.
I would be curious to know what kind of situation you are thinking that the United States may be interested in with regards to your communications with NCC
On Mon, 4 Nov 2024 at 13:33, Timo Hilbrink via members-discuss <members-discuss@ripe.net> wrote:
Hi all,
As we have seen in the past several Information Services updates from Felipe, the RIPE NCC has been moving a lot of services to the cloud, this now also includes things like RIPE NCC email, calendars, chat and video conferencing. The follwoing page gives a helpful overview of these services and the relevant cloud platforms:
https://www.ripe.net/publications/documentation/cloud-technology-status/
The page states that "all services pass an internal process of strict legal, information security, technology and privacy reviews". That all sounds very reassuring, doesn't it?
However..
Even though the "Data Residency" column states "EU" for all these services, these cloud providers are a U.S. legal entity (or a foreign entity with an office in the U.S.), so the data stored on these platforms completely falls under U.S. legislation, such as the CLOUD act and numerous related acts and laws. It is completely irrelevant where this data is stored geographically.
This also means that the data stored on these platforms can be subject to U.S. law enforcement warrants and subpoenas.
As a concerned and privacy aware citizen, i find it very worrying that basically all my interactions with the RIPE NCC in some way end up in the hands of U.S. based cloud providers. But i can imagine that these concerns are much more serious for RIPE members in countries that have a less favourable relation with the U.S. (there are quite a number of those countries within the RIPE service region)
What do other members think about this, and has the RIPE NCC taken these consequences into account when they decided to move all this data and services to U.S. based hyperscalers?
Thanks for your thoughts,
Timo Hilbrink Freedom Internet ----- To unsubscribe from this mailing list or change your subscription options, please visit: https://mailman.ripe.net/mailman3/lists/members-discuss.ripe.net/ As we have migrated to Mailman 3, you will need to create an account with the email matching your subscription before you can change your settings. More details at: https://www.ripe.net/membership/mail/mailman-3-migration/
----- To unsubscribe from this mailing list or change your subscription options, please visit: https://mailman.ripe.net/mailman3/lists/members-discuss.ripe.net/ As we have migrated to Mailman 3, you will need to create an account with the email matching your subscription before you can change your settings. More details at: https://www.ripe.net/membership/mail/mailman-3-migration/
----------------------------- С уважением Сербулов Дмитрий ООО "Альфа Нет Телеком" +7(498)785-8-000 раб. +7(495)940-92-11 доп. +7(925)518-10-69 сот.
Hi, On Tue, Nov 05, 2024 at 01:15:12PM +0300, sdy@a-n-t.ru wrote:
I would like to understand what RIPE NCC will do if, at the next round of sanctions, access to the cloud or mail servers becomes completely closed from a number of countries, for example Russia. We have already faced the fact that a huge number of Western services have limited access to their resources and as the war with the Russian Federation is lost, the number of blockages is only growing.
I fully agree with Timo, but Dimitry brings up another important issue: Sanctions. Russia is not the only country in the RIPE NCC service area that is being targeted with sanctions, and I can imagine much more problematic scenarios for sanctions, too. In analogy to other sanctions, where eg a German drugstore chain suddenly found themselves without Paypal due to them selling some Cuban cigars, I could imagine the RIPE NCC being pressured to not serve those "unfriendly countries" anymore, or that RIPE NCC members who do have dealings with any "unfriendly country", eg. possibly China in the near future, will be blackmailed, or, if that fails, that RIPE NCC will be blackmailed to cut off those members. Just saying. From my point of view, RIPE NCC should operate as autonomous and as much based on Open Source, as possible. I'm not sure about how "the cloud" saves money, and how much, but for all the things that a RIPE NCC guy mentioned below, I am aware of imho low-maintenance Free Software products that could be used, and for fluctuating workloads, one could investigate whether batching might be a solution. There's Open Source software for that as well. Kind regards, Toni Müller
I absolutely agree with Tony!! Dmitry Serbulov.
Hi,
On Tue, Nov 05, 2024 at 01:15:12PM +0300, sdy@a-n-t.ru wrote:
I would like to understand what RIPE NCC will do if, at the next round of sanctions, access to the cloud or mail servers becomes completely closed from a number of countries, for example Russia. We have already faced the fact that a huge number of Western services have limited access to their resources and as the war with the Russian Federation is lost, the number of blockages is only growing.
I fully agree with Timo, but Dimitry brings up another important issue: Sanctions. Russia is not the only country in the RIPE NCC service area that is being targeted with sanctions, and I can imagine much more problematic scenarios for sanctions, too. In analogy to other sanctions, where eg a German drugstore chain suddenly found themselves without Paypal due to them selling some Cuban cigars, I could imagine the RIPE NCC being pressured to not serve those "unfriendly countries" anymore, or that RIPE NCC members who do have dealings with any "unfriendly country", eg. possibly China in the near future, will be blackmailed, or, if that fails, that RIPE NCC will be blackmailed to cut off those members.
Just saying.
From my point of view, RIPE NCC should operate as autonomous and as much based on Open Source, as possible. I'm not sure about how "the cloud" saves money, and how much, but for all the things that a RIPE NCC guy mentioned below, I am aware of imho low-maintenance Free Software products that could be used, and for fluctuating workloads, one could investigate whether batching might be a solution. There's Open Source software for that as well.
Kind regards, Toni Müller
----- To unsubscribe from this mailing list or change your subscription options, please visit: https://mailman.ripe.net/mailman3/lists/members-discuss.ripe.net/ As we have migrated to Mailman 3, you will need to create an account with the email matching your subscription before you can change your settings. More details at: https://www.ripe.net/membership/mail/mailman-3-migration/
----------------------------- С уважением Сербулов Дмитрий ООО "Альфа Нет Телеком" +7(498)785-8-000 раб. +7(495)940-92-11 доп. +7(925)518-10-69 сот.
Hi, He brings up another one not less important issue. And therefore I would move services to the clouds. Preferably intercontinental, or with data centers not only in the EU. This is what saved Ukrainian banks during blackouts and destruction of data centers. If someone thinks that I am exaggerating and this will never happen, then we also thought so until February 24, 2022. Just saying. P.S. Sorry, if too toxic for your pink world.
On 9 Nov 2024, at 00:28, Toni Mueller <ripe@oeko.net> wrote:
Hi,
On Tue, Nov 05, 2024 at 01:15:12PM +0300, sdy@a-n-t.ru wrote:
I would like to understand what RIPE NCC will do if, at the next round of sanctions, access to the cloud or mail servers becomes completely closed from a number of countries, for example Russia. We have already faced the fact that a huge number of Western services have limited access to their resources and as the war with the Russian Federation is lost, the number of blockages is only growing.
I fully agree with Timo, but Dimitry brings up another important issue: Sanctions. Russia is not the only country in the RIPE NCC service area that is being targeted with sanctions, and I can imagine much more problematic scenarios for sanctions, too. In analogy to other sanctions, where eg a German drugstore chain suddenly found themselves without Paypal due to them selling some Cuban cigars, I could imagine the RIPE NCC being pressured to not serve those "unfriendly countries" anymore, or that RIPE NCC members who do have dealings with any "unfriendly country", eg. possibly China in the near future, will be blackmailed, or, if that fails, that RIPE NCC will be blackmailed to cut off those members.
Just saying.
From my point of view, RIPE NCC should operate as autonomous and as much based on Open Source, as possible. I'm not sure about how "the cloud" saves money, and how much, but for all the things that a RIPE NCC guy mentioned below, I am aware of imho low-maintenance Free Software products that could be used, and for fluctuating workloads, one could investigate whether batching might be a solution. There's Open Source software for that as well.
Kind regards, Toni Müller
----- To unsubscribe from this mailing list or change your subscription options, please visit: https://mailman.ripe.net/mailman3/lists/members-discuss.ripe.net/ As we have migrated to Mailman 3, you will need to create an account with the email matching your subscription before you can change your settings. More details at: https://www.ripe.net/membership/mail/mailman-3-migration/
— Serg Galat
Moin, to scratch of some more color-scraps of that little remaining pink in the world... if this is your threat model (and, don't get me wrong, I may or may not have recently noted to someone that a 2y-budget sized reserve may be reasonable for some essential association... in case of a full loss of fees for an extended time period... and replied to the "ah, that would never happen" with "well, imagine full scale invasion"... which just triggered a rather somber "oh..."): A big issue with the use of clouds is the loss of capability (read: Mostly _knowledge_ and people _who know how_) to built and maintain. Under your threat model, binding oneself to 'some big clouds with controlling entities all in one jurisdiction' bears similar risks. The example you bring out worked under specific political conditions. Consider instead---purely hypothetical example---a change in a country's foreign policy that motivates policies to restrict access to cloud infrastructure used by another country to 'motivate' said other country to take unfavorable steps in negotiations with an invading neighbor, after that country moved essential infrastructure into clouds controlled by the country experiencing a change in foreign policy. In that situation, it will be essential to have the capability to-- worst case--fill a couple of racks and pull up infrastructure in another location (on potentially extremely short notice). "Moving to the cloud" nibbles on said capabilities. In the 'best' case, cloudification leads to an economic dependence on the cloud provider(s). In the worst case, it opens oneself up for (in severity varying levels of) blackmail by either the jurisdiction the cloud provider is located in, or by the cloud provider itself (we had some arguments about lead in the environment a few decades ago... companies also didn't always play fair then). In the end, the question is which risk-appetite for these things can be found in the membership (that has to provide the funds necessary for the certainly more expensive path to resilience; With people usually being the most expensive part); If we want to have said resilience, we need to pay for it. Otherwise, the NCC will look for ways to cost- optimize (leaving the argument whether the cloud is _actually_ cheaper out of scope). If shit hits the fan, though, and we find us unable to keep infrastructure running... for one reason or another... well, that is then what we chose by loudly calling for the cuts we called for (as a more general we, not me personally). With best regards, Tobias On Sun, 2024-11-10 at 00:39 +0200, Serg Gal wrote:
Hi,
He brings up another one not less important issue.
And therefore I would move services to the clouds. Preferably intercontinental, or with data centers not only in the EU.
This is what saved Ukrainian banks during blackouts and destruction of data centers.
If someone thinks that I am exaggerating and this will never happen, then we also thought so until February 24, 2022.
Just saying.
P.S. Sorry, if too toxic for your pink world.
On 9 Nov 2024, at 00:28, Toni Mueller <ripe@oeko.net> wrote:
Hi,
On Tue, Nov 05, 2024 at 01:15:12PM +0300, sdy@a-n-t.ru wrote:
I would like to understand what RIPE NCC will do if, at the next round of sanctions, access to the cloud or mail servers becomes completely closed from a number of countries, for example Russia. We have already faced the fact that a huge number of Western services have limited access to their resources and as the war with the Russian Federation is lost, the number of blockages is only growing.
I fully agree with Timo, but Dimitry brings up another important issue: Sanctions. Russia is not the only country in the RIPE NCC service area that is being targeted with sanctions, and I can imagine much more problematic scenarios for sanctions, too. In analogy to other sanctions, where eg a German drugstore chain suddenly found themselves without Paypal due to them selling some Cuban cigars, I could imagine the RIPE NCC being pressured to not serve those "unfriendly countries" anymore, or that RIPE NCC members who do have dealings with any "unfriendly country", eg. possibly China in the near future, will be blackmailed, or, if that fails, that RIPE NCC will be blackmailed to cut off those members.
Just saying.
From my point of view, RIPE NCC should operate as autonomous and as much based on Open Source, as possible. I'm not sure about how "the cloud" saves money, and how much, but for all the things that a RIPE NCC guy mentioned below, I am aware of imho low-maintenance Free Software products that could be used, and for fluctuating workloads, one could investigate whether batching might be a solution. There's Open Source software for that as well.
Kind regards, Toni Müller
----- To unsubscribe from this mailing list or change your subscription options, please visit: https://mailman.ripe.net/mailman3/lists/members-discuss.ripe.net/ As we have migrated to Mailman 3, you will need to create an account with the email matching your subscription before you can change your settings. More details at: https://www.ripe.net/membership/mail/mailman-3-migration/
— Serg Galat
----- To unsubscribe from this mailing list or change your subscription options, please visit: https://mailman.ripe.net/mailman3/lists/members-discuss.ripe.net/ As we have migrated to Mailman 3, you will need to create an account with the email matching your subscription before you can change your settings. More details at: https://www.ripe.net/membership/mail/mailman-3-migration/
-- Dr.-Ing. Tobias Fiebig T +31 616 80 98 99 M tobias@fiebig.nl
Moreover RIPE NCC is hide information about - what are cloud provider - what are services will be used from this provider - what are data will be stored in cloud and WHERE will be stored physically - how RIPE NCC select this cloud provider? (because from 3rd party its looks like a some corruption things...) - why RIPE didnt want to use local cloud? (40M EUR per year is small for these???) - how much hardware from colocation will be replaced in cloud and what are excatly will be moved to cloud? - how much in finance its will be cost? On 10.11.2024 9:31, Tobias Fiebig via members-discuss wrote:
Moin,
to scratch of some more color-scraps of that little remaining pink in the world... if this is your threat model (and, don't get me wrong, I may or may not have recently noted to someone that a 2y-budget sized reserve may be reasonable for some essential association... in case of a full loss of fees for an extended time period... and replied to the "ah, that would never happen" with "well, imagine full scale invasion"... which just triggered a rather somber "oh..."):
A big issue with the use of clouds is the loss of capability (read: Mostly _knowledge_ and people _who know how_) to built and maintain.
Under your threat model, binding oneself to 'some big clouds with controlling entities all in one jurisdiction' bears similar risks. The example you bring out worked under specific political conditions.
Consider instead---purely hypothetical example---a change in a country's foreign policy that motivates policies to restrict access to cloud infrastructure used by another country to 'motivate' said other country to take unfavorable steps in negotiations with an invading neighbor, after that country moved essential infrastructure into clouds controlled by the country experiencing a change in foreign policy.
In that situation, it will be essential to have the capability to-- worst case--fill a couple of racks and pull up infrastructure in another location (on potentially extremely short notice).
"Moving to the cloud" nibbles on said capabilities.
In the 'best' case, cloudification leads to an economic dependence on the cloud provider(s). In the worst case, it opens oneself up for (in severity varying levels of) blackmail by either the jurisdiction the cloud provider is located in, or by the cloud provider itself (we had some arguments about lead in the environment a few decades ago... companies also didn't always play fair then).
In the end, the question is which risk-appetite for these things can be found in the membership (that has to provide the funds necessary for the certainly more expensive path to resilience; With people usually being the most expensive part); If we want to have said resilience, we need to pay for it. Otherwise, the NCC will look for ways to cost- optimize (leaving the argument whether the cloud is _actually_ cheaper out of scope).
If shit hits the fan, though, and we find us unable to keep infrastructure running... for one reason or another... well, that is then what we chose by loudly calling for the cuts we called for (as a more general we, not me personally).
With best regards, Tobias
On Sun, 2024-11-10 at 00:39 +0200, Serg Gal wrote:
Hi,
He brings up another one not less important issue.
And therefore I would move services to the clouds. Preferably intercontinental, or with data centers not only in the EU.
This is what saved Ukrainian banks during blackouts and destruction of data centers.
If someone thinks that I am exaggerating and this will never happen, then we also thought so until February 24, 2022.
Just saying.
P.S. Sorry, if too toxic for your pink world.
On 9 Nov 2024, at 00:28, Toni Mueller <ripe@oeko.net> wrote:
Hi,
On Tue, Nov 05, 2024 at 01:15:12PM +0300, sdy@a-n-t.ru wrote:
I would like to understand what RIPE NCC will do if, at the next round of sanctions, access to the cloud or mail servers becomes completely closed from a number of countries, for example Russia. We have already faced the fact that a huge number of Western services have limited access to their resources and as the war with the Russian Federation is lost, the number of blockages is only growing.
I fully agree with Timo, but Dimitry brings up another important issue: Sanctions. Russia is not the only country in the RIPE NCC service area that is being targeted with sanctions, and I can imagine much more problematic scenarios for sanctions, too. In analogy to other sanctions, where eg a German drugstore chain suddenly found themselves without Paypal due to them selling some Cuban cigars, I could imagine the RIPE NCC being pressured to not serve those "unfriendly countries" anymore, or that RIPE NCC members who do have dealings with any "unfriendly country", eg. possibly China in the near future, will be blackmailed, or, if that fails, that RIPE NCC will be blackmailed to cut off those members.
Just saying.
From my point of view, RIPE NCC should operate as autonomous and as much based on Open Source, as possible. I'm not sure about how "the cloud" saves money, and how much, but for all the things that a RIPE NCC guy mentioned below, I am aware of imho low-maintenance Free Software products that could be used, and for fluctuating workloads, one could investigate whether batching might be a solution. There's Open Source software for that as well.
Kind regards, Toni Müller
----- To unsubscribe from this mailing list or change your subscription options, please visit: https://mailman.ripe.net/mailman3/lists/members-discuss.ripe.net/ As we have migrated to Mailman 3, you will need to create an account with the email matching your subscription before you can change your settings. More details at: https://www.ripe.net/membership/mail/mailman-3-migration/
— Serg Galat
----- To unsubscribe from this mailing list or change your subscription options, please visit: https://mailman.ripe.net/mailman3/lists/members-discuss.ripe.net/ As we have migrated to Mailman 3, you will need to create an account with the email matching your subscription before you can change your settings. More details at: https://www.ripe.net/membership/mail/mailman-3-migration/
Moin, not able to speak for the NCC here; But the answers are most likely rather obvious.
- what are cloud provider Rough guess given a (conceivable) multi cloud strategy: AWS and Azure for PaaS/IaaS and Google workspace for 'groupware'.
- what are services will be used from this provider See the activity plan for what is being migrated. Somewhere between 6 and 12 months ago there were some rather vocal voices re: the costs of those rack rows.
- what are data will be stored in cloud and WHERE will be stored physically Now, that's the thing; The thing is called 'cloud' cause you no longer know exactly _where_ it is. Out of simple operational reasons (read: latency) I would bet on 'Europe', though; And i am relatively certain that the NCC put some GDPR related constraints in place as well.
- how RIPE NCC select this cloud provider? (because from 3rd party its looks like a some corruption things...) Given the size of the market(tm)+the relatively low budget (see below), I doubt that any cloud provider would resort to corruption here. Beyond that, nobody ever got fired for buying Ci... er AWS. So, I doubt that there was any corruption involved here; Which, btw, is a rather serious accusation you made there.
- why RIPE didnt want to use local cloud? (40M EUR per year is small for these???) Well, because they usually lack all the fancy 'cloud-y stuff'; And you are quickly at the point where you are--essentially--outsourcing self- hosting.
- how much hardware from colocation will be replaced in cloud and what are excatly will be moved to cloud? - how much in finance its will be cost? If my memory does not fail me, there were some rather extensive presentations about this at the last meeting.
With best regards, Tobias
You could check out this link: https://www.ripe.net/publications/documentation/cloud-technology-status/ For the rest I remember seeing something in the budget, maybe. - R On 10.11.2024 12:34, ROSKOMNADZOR LIMITED wrote:
Moreover RIPE NCC is hide information about
- what are cloud provider - what are services will be used from this provider - what are data will be stored in cloud and WHERE will be stored physically - how RIPE NCC select this cloud provider? (because from 3rd party its looks like a some corruption things...) - why RIPE didnt want to use local cloud? (40M EUR per year is small for these???) - how much hardware from colocation will be replaced in cloud and what are excatly will be moved to cloud? - how much in finance its will be cost?
Hi!
https://www.ripe.net/publications/documentation/cloud-technology-status/
All of those clouds do not solve the CLOUD-Act problem. https://en.wikipedia.org/wiki/CLOUD_Act [...] The CLOUD Act primarily amends the Stored Communications Act (SCA) of 1986 to allow federal law enforcement to compel U.S.-based technology companies via warrant or subpoena to provide requested data stored on servers regardless of whether the data are stored in the U.S. or on foreign soil [...] That's the reason to oppose this solution. -- MfG/Best regards, Kurt Jaeger Now what ? Dr.-Ing. Nepustil & Co. GmbH fon +49 7123 93006-0 pi@nepustil.net Rathausstr. 3 mob +49 171 3101372 72658 Bempflingen
Hi Kurt, I did not say that I agree with RIPE moving to somebody else's computers, I just pointed out where some of the "to what clouds" info is. Best, Radu On 10.11.2024 21:28, Kurt Jaeger wrote:
Hi!
https://www.ripe.net/publications/documentation/cloud-technology-status/
All of those clouds do not solve the CLOUD-Act problem.
https://en.wikipedia.org/wiki/CLOUD_Act
[...] The CLOUD Act primarily amends the Stored Communications Act (SCA) of 1986 to allow federal law enforcement to compel U.S.-based technology companies via warrant or subpoena to provide requested data stored on servers regardless of whether the data are stored in the U.S. or on foreign soil [...]
That's the reason to oppose this solution.
Yes! Moreover USA have "hidden court request" what with CLOUD-Act can result a mandatory data exctraction even with violation of EU rules, and cloud provider will not be reveal information about this data was been provided. When RIPE store this information in his own racks - okay, we are at least know about what are law will be control it, when you move to cloud, moreover U.S. based company clouds - its make a less sense. On 10.11.2024 19:28, Kurt Jaeger wrote:
Hi!
https://www.ripe.net/publications/documentation/cloud-technology-status/
All of those clouds do not solve the CLOUD-Act problem.
https://en.wikipedia.org/wiki/CLOUD_Act
[...] The CLOUD Act primarily amends the Stored Communications Act (SCA) of 1986 to allow federal law enforcement to compel U.S.-based technology companies via warrant or subpoena to provide requested data stored on servers regardless of whether the data are stored in the U.S. or on foreign soil [...]
That's the reason to oppose this solution.
Am Sonntag, 10. November 2024, 20:28:25 schrieb Kurt Jaeger:
That's the reason to oppose this solution. Yes, keep it simple as transparent - including jurisdication as responsibilities.
If anyone is "in the cloud" - means: in the hand of 2 to 3 big (US) cloud operators - real competition as the diversity for technology alternatives will get lost over time, because a lack of commercial NOCs, experienced techies / staff and a broad diverse market to fetch solutions from. The RIPE - as in the past - should stand for the opposite. just my .02€ niels. -- --- Niels Dettenbach Syndicat IT & Internet https://www.syndicat.com PGP: https://syndicat.com/pub_key.asc ---
Timo Hilbrink wrote: [...]
https://www.ripe.net/publications/documentation/cloud-technology-status/ [...]
Thank you, Timo, for raising this important topic. I fully share your concerns, and I believe it’s essential for us as RIPE NCC members to critically consider the implications of moving to U.S.-based cloud providers. While data may be stored physically within the EU, the issue of extraterritorial application of laws like the CLOUD Act remains. This means that personal and sensitive data could still be subject to U.S. jurisdiction, regardless of local data protection standards or the GDPR. For many of us – particularly those from countries that need to handle data carefully due to geopolitical considerations – this presents a significant risk. It would be valuable if RIPE NCC could clarify how these potential legal implications were factored into their internal privacy assessments and whether alternative providers were considered. Data sovereignty and privacy are foundational values, and I believe RIPE NCC, as an organization committed to internet security and integrity, should especially take these issues into account. I look forward to hearing other members’ views and hope this prompts a constructive discussion. -- nemox.net Rudolf E. Steiner r.steiner@nemox.net http://nemox.net/pdat/res/
Hello, On Mon, 2024-11-04 at 15:42 +0100, Rudolf E. Steiner via members- discuss wrote:
Thank you, Timo, for raising this important topic. I fully share your concerns, and I believe it’s essential for us as RIPE NCC members to critically consider the implications of moving to U.S.-based cloud providers.
I also share those concerns. Isn't there any european actor rather than US actor which could take some of that sensitive business ? I do not really want to go into a fight regarding the level of service which could be provided by US $bigactor versus EU $smalleractor, as I believe stuff which were previously home made before could be outsourced elsewhere in order to save money... but not within a patriot act (and any extraterritorial laws) perimeter. Regards, Clément Cavadore
On 04.11.24 20:09, Clement Cavadore via members-discuss wrote:
Isn't there any european actor rather than US actor which could take some of that sensitive business ?
Well, those of our customers who have a strong opinion that the(ir) German PostG's Briefgeheimnis is best kept where that national legalese applies get their outsourced (to us) services hosted on the OTC. https://www.open-telekom-cloud.com/en We're using their German sites, but they *do* have infrastructure over in the Netherlands, too. However: a) Why would people someplace *else* in the RIPE's service area appreciate German - or, for that matter, the Netherland's - privacy protection as "good enough", assuming (as they themselves will *definitely* do) that their wish to deflect nothing less than part of the Five Eyes has a tangible reason? b) I can vouch that the OTC's APIs that your cloud management solution may want to use aren't 100% up-to-latest-specs / compatible with what you may know from the big U.S. cloud providers. c) I can also vouch that when problems arise (in our case, with the storage layer), they call in vendor support from That Third Continent like everyone else. On 05.11.24 07:15, Alexander Leefmann wrote:
I would be very interested to see the plan of action in case Google decides to suspend the RIPE NCC account for “violation of TOS”.
Even if you don't go multi-cloud (where said management APIs become relevant as soon as you *actually* want to do "move everything over to [not-Google], stat!"), having *backups* off-cloud is a must. Of course, I don't have the foggiest how much downtime the RIPE can or cannot survive, but ... Kind regards, -- Jochen Bern Systemingenieur Binect GmbH
Timo Hilbrink via members-discuss <members-discuss@ripe.net>:
things like RIPE NCC email
Oh wow, that's getting better and better, now even emails are migrated to Google? This and *.ripe.net now resolving Cloudflare IP addresses, with tls certificates issued by Cloudflare and hosted at Cloudflare! This means that Cloudflare has full access over the traffic in clear! So the RIPE is no longer able to operate websites and mail relays on its own anymore, that's quite concerning.
Pavel While I think it’s a good thing for us as members to ask the NCC questions you’re taking it a lot further and twisting things around quite a bit. RIPE NCC is perfectly capable of operating infrastructure, but has chosen not to. Regards Michele -- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ https://blacknight.blog/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Personal blog: https://michele.blog/ Some thoughts: https://ceo.hosting/ ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845 I have sent this email at a time that is convenient for me. I do not expect you to respond to it outside of your usual working hours. From: Pavel Polyakov <p.polyakov+ripe@urdn.com.ua> Date: Monday, 4 November 2024 at 15:41 To: members-discuss@ripe.net <members-discuss@ripe.net> Subject: [members-discuss] Re: Serious concerns about the RIPE NCC Cloud Technology Status [EXTERNAL EMAIL] Please use caution when opening attachments from unrecognised sources. Timo Hilbrink via members-discuss <members-discuss@ripe.net>:
things like RIPE NCC email
Oh wow, that's getting better and better, now even emails are migrated to Google? This and *.ripe.net now resolving Cloudflare IP addresses, with tls certificates issued by Cloudflare and hosted at Cloudflare! This means that Cloudflare has full access over the traffic in clear! So the RIPE is no longer able to operate websites and mail relays on its own anymore, that's quite concerning. ----- To unsubscribe from this mailing list or change your subscription options, please visit: https://mailman.ripe.net/mailman3/lists/members-discuss.ripe.net/ As we have migrated to Mailman 3, you will need to create an account with the email matching your subscription before you can change your settings. More details at: https://www.ripe.net/membership/mail/mailman-3-migration/
michele,
RIPE NCC is perfectly capable of operating infrastructure, but has chosen not to.
i suspect part of the ncc's motivation is perceived cost savings in the presence of members telling them to reduce spend. rock - hard place. randy
Could you please explain how moving the large scale project to "cloud" can theoretically save the money? Well, there are no clouds exist. There are some other people's servers. They need to be bought, maintained and administrated, which costs something. If you sell that as the service, you need also to get some profit from it. AWS is a way *NOT* a cheap solution. I know some projects that spent $XXXXXX monthly on Amazon, and after moving to their own infrastructure became to spend $XXXXX. And there are a lot of room to optimize even more. So for me it will be very interesting to see the details. How many and for what exactly is paying to "clouds". I believe move to cloud is not about cut of costs. It is only about shifting the responsibility for the infrastructure to someone else. That's not our fail so everything down, that's a cloud fail! Sorry, we are not in charge for that! Give us our yearly bonus! That how it is really works. And also, look at the Boeing case... 04.11.24 19:28, Randy Bush пише:
michele,
RIPE NCC is perfectly capable of operating infrastructure, but has chosen not to.
i suspect part of the ncc's motivation is perceived cost savings in the presence of members telling them to reduce spend.
rock - hard place.
randy ----- To unsubscribe from this mailing list or change your subscription options, please visit: https://mailman.ripe.net/mailman3/lists/members-discuss.ripe.net/ As we have migrated to Mailman 3, you will need to create an account with the email matching your subscription before you can change your settings. More details at: https://www.ripe.net/membership/mail/mailman-3-migration/
Could you please explain how moving the large scale project to "cloud" can theoretically save the money?
i suspect that the theory is that the hyperscale cloud providers have sufficient savings due to scale (leverage with oems, ability and talent to highly automate, ...) that they can afford to share some of those savings with the customer. color me skeptical. randy
I can agree with this theory for small projects, i.e. when you can have a server and share it with thousands web hosts. It is cheaper than buy a whole server. Everyone is happy. But of you need a racks of servers for yourself... On Thu, 07 Nov 2024 11:47:13 -0800 Randy Bush <randy@psg.com> wrote:
Could you please explain how moving the large scale project to "cloud" can theoretically save the money?
i suspect that the theory is that the hyperscale cloud providers have sufficient savings due to scale (leverage with oems, ability and talent to highly automate, ...) that they can afford to share some of those savings with the customer. color me skeptical.
randy
Hyperscalers don't actually share any savings with customers. In fact, they spend more because they maintain idle capacity for availability, which customers ultimately pay for. While hyperscalers are more expensive by definition, they provide two unique advantages: )Rapid scaling up and down capability )Cost savings on managed infrastructure, eliminating the need for large sysadmin teams managing thousands of servers Cloud PaaS/IaaS makes sense in specific cases: )Startups with high burn rates needing fast scaling and lacking resources for their own datacenter )Services requiring rapid scaling (e.g., when normal load fits in one VM but rush hours like Black Friday need 100-1000s VMs). This often leads to hybrid scenarios - own datacenter for base load, cloud for peak demand )Cases where supporting particular applications in-house becomes too expensive (especially mail servers or big data solutions like BigQuery) Worth noting some relevant terms: "Cloud repatriation" describes moving data/applications back on-premises after cloud migration. Its good if RIPE engineers get familiar with it and stories before moving to cloud, to not regret later. "Cloud cost overrun" refers to unexpectedly high cloud costs. We saw this on a sister project where an automated crawler running BigQuery queries generated a $50k bill instead of the usual $600/month. Some issues are more cloud platform bugs than user mistakes and just ticking bomb. For example, historically with S3 buckets, you'd pay for queries even with access restrictions in place (this may be fixed now, but it was a known issue). Unfortunately, processes at RIPE appear completely non-transparent, relying on just a few people's competence and trust. Experts in RIPE community IMHO can't properly assess what technical challenges the RIPE team faces or what relevant experience they might share. And thats sad. On Thursday, November 07, 2024 21:47 EET, Randy Bush <randy@psg.com> wrote:
Could you please explain how moving the large scale project to "cloud" can theoretically save the money?
i suspect that the theory is that the hyperscale cloud providers have sufficient savings due to scale (leverage with oems, ability and talent to highly automate, ...) that they can afford to share some of those savings with the customer. color me skeptical.
randy ----- To unsubscribe from this mailing list or change your subscription options, please visit: https://mailman.ripe.net/mailman3/lists/members-discuss.ripe.net/ As we have migrated to Mailman 3, you will need to create an account with the email matching your subscription before you can change your settings. More details at: https://www.ripe.net/membership/mail/mailman-3-migration/
Michele Neylon - Blacknight <michele@blacknight.com>:
RIPE NCC is perfectly capable of operating infrastructure, but has chosen not to.
I think there's also a shift from skills and ethics towards more trivial stuff, so I don't totally agree with this.
Inbound email to ripe.net goes to ripe's mail servers. Just do a mx lookup and you’ll see. They probably run Gsuite with an "inbound mail gateway" (Google term) config. That way email that isn't going to personnel - like mailing lists - can be router elsewhere and will bypass Google. Perfectly normal. Kaj Sent from my iPad ________________________________ From: Pavel Polyakov <p.polyakov+ripe@urdn.com.ua> Sent: Monday, November 4, 2024 5:25 PM To: members-discuss@ripe.net <members-discuss@ripe.net> Subject: [members-discuss] Re: Serious concerns about the RIPE NCC Cloud Technology Status [You don't often get email from p.polyakov+ripe@urdn.com.ua. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ] Timo Hilbrink via members-discuss <members-discuss@ripe.net>:
things like RIPE NCC email
Oh wow, that's getting better and better, now even emails are migrated to Google? This and *.ripe.net now resolving Cloudflare IP addresses, with tls certificates issued by Cloudflare and hosted at Cloudflare! This means that Cloudflare has full access over the traffic in clear! So the RIPE is no longer able to operate websites and mail relays on its own anymore, that's quite concerning. ----- To unsubscribe from this mailing list or change your subscription options, please visit: https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmailman.ripe.net%2Fmailman3%2Flists%2Fmembers-discuss.ripe.net%2F&data=05%7C02%7C%7C79a675e33e0946b3747608dcfce4e2e6%7Cd0b71c570f9b4acc923b81d0b26b55b3%7C0%7C0%7C638663307212362784%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C4000%7C%7C%7C&sdata=gQ%2BULPUAY81gtiexTzppox8eK4w7NBBYCuvO3YzXKMo%3D&reserved=0<https://mailman.ripe.net/mailman3/lists/members-discuss.ripe.net/> As we have migrated to Mailman 3, you will need to create an account with the email matching your subscription before you can change your settings. More details at: https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ripe.net%2Fmembership%2Fmail%2Fmailman-3-migration%2F&data=05%7C02%7C%7C79a675e33e0946b3747608dcfce4e2e6%7Cd0b71c570f9b4acc923b81d0b26b55b3%7C0%7C0%7C638663307212392627%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C4000%7C%7C%7C&sdata=9BDyvESgNnuHdOoQJDMnujugtkkfdlq%2FgPnJyLgaJKQ%3D&reserved=0<https://www.ripe.net/membership/mail/mailman-3-migration/>
Yes, inbound mail to ripe.net goes to RIPE mail servers, but all mail to and from staff passes through Google servers, and that is also where their mailboxes are stored. I don't consider that perfectly normal for an organisation like the RIPE NCC. Timo Hilbrink Freedom Internet On 04/11/2024 18:17, Kaj Niemi wrote:
Inbound email to ripe.net goes to ripe's mail servers. Just do a mx lookup and you’ll see.
They probably run Gsuite with an "inbound mail gateway" (Google term) config. That way email that isn't going to personnel - like mailing lists - can be router elsewhere and will bypass Google. Perfectly normal.
Kaj
Sent from my iPad
------------------------------------------------------------------------ *From:* Pavel Polyakov <p.polyakov+ripe@urdn.com.ua> *Sent:* Monday, November 4, 2024 5:25 PM *To:* members-discuss@ripe.net <members-discuss@ripe.net> *Subject:* [members-discuss] Re: Serious concerns about the RIPE NCC Cloud Technology Status [You don't often get email from p.polyakov+ripe@urdn.com.ua. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification <https://aka.ms/LearnAboutSenderIdentification> ]
Timo Hilbrink via members-discuss <members-discuss@ripe.net>:
things like RIPE NCC email
Oh wow, that's getting better and better, now even emails are migrated to Google?
This and *.ripe.net now resolving Cloudflare IP addresses, with tls certificates issued by Cloudflare and hosted at Cloudflare! This means that Cloudflare has full access over the traffic in clear!
So the RIPE is no longer able to operate websites and mail relays on its own anymore, that's quite concerning. ----- To unsubscribe from this mailing list or change your subscription options, please visit: https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmailman.ripe.net%2Fmailman3%2Flists%2Fmembers-discuss.ripe.net%2F&data=05%7C02%7C%7C79a675e33e0946b3747608dcfce4e2e6%7Cd0b71c570f9b4acc923b81d0b26b55b3%7C0%7C0%7C638663307212362784%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C4000%7C%7C%7C&sdata=gQ%2BULPUAY81gtiexTzppox8eK4w7NBBYCuvO3YzXKMo%3D&reserved=0 <https://mailman.ripe.net/mailman3/lists/members-discuss.ripe.net/> As we have migrated to Mailman 3, you will need to create an account with the email matching your subscription before you can change your settings. More details at: https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ripe.net%2Fmembership%2Fmail%2Fmailman-3-migration%2F&data=05%7C02%7C%7C79a675e33e0946b3747608dcfce4e2e6%7Cd0b71c570f9b4acc923b81d0b26b55b3%7C0%7C0%7C638663307212392627%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C4000%7C%7C%7C&sdata=9BDyvESgNnuHdOoQJDMnujugtkkfdlq%2FgPnJyLgaJKQ%3D&reserved=0 <https://www.ripe.net/membership/mail/mailman-3-migration/>
----- To unsubscribe from this mailing list or change your subscription options, please visit: https://mailman.ripe.net/mailman3/lists/members-discuss.ripe.net/ As we have migrated to Mailman 3, you will need to create an account with the email matching your subscription before you can change your settings. More details at: https://www.ripe.net/membership/mail/mailman-3-migration/
Its not important what other thinks. Ripe managment do what they want, when and where As well. We are small cockroaches, and what we should do is to pay our fees immediatly (so ripe can realise their dreams and very needed events) and dont ask any questions. Pobierz aplikację BlueMail dla systemu Android W dniu 4 lis 2024, 15:28, o 15:28, użytkownik Timo Hilbrink via members-discuss <members-discuss@ripe.net> napisał:
Hi all,
As we have seen in the past several Information Services updates from Felipe, the RIPE NCC has been moving a lot of services to the cloud, this now also includes things like RIPE NCC email, calendars, chat and video conferencing. The follwoing page gives a helpful overview of these services and the relevant cloud platforms:
https://www.ripe.net/publications/documentation/cloud-technology-status/
The page states that "all services pass an internal process of strict legal, information security, technology and privacy reviews". That all sounds very reassuring, doesn't it?
However..
Even though the "Data Residency" column states "EU" for all these services, these cloud providers are a U.S. legal entity (or a foreign entity with an office in the U.S.), so the data stored on these platforms completely falls under U.S. legislation, such as the CLOUD act and numerous related acts and laws. It is completely irrelevant where this data is stored geographically.
This also means that the data stored on these platforms can be subject to U.S. law enforcement warrants and subpoenas.
As a concerned and privacy aware citizen, i find it very worrying that basically all my interactions with the RIPE NCC in some way end up in the hands of U.S. based cloud providers. But i can imagine that these concerns are much more serious for RIPE members in countries that have a less favourable relation with the U.S.
(there are quite a number of those countries within the RIPE service region)
What do other members think about this, and has the RIPE NCC taken these consequences into account when they decided to move all this data and services to U.S. based hyperscalers?
Thanks for your thoughts,
Timo Hilbrink Freedom Internet ----- To unsubscribe from this mailing list or change your subscription options, please visit: https://mailman.ripe.net/mailman3/lists/members-discuss.ripe.net/ As we have migrated to Mailman 3, you will need to create an account with the email matching your subscription before you can change your settings. More details at: https://www.ripe.net/membership/mail/mailman-3-migration/
There are probably many takes on this. I think it is quite all right to rely on SaaS and cloud to some extent where it makes sense [for you]. Like in a case where the purchased service would be more cost effective or superior to what you could achieve yourself using reasonable commercial efforts. Like email and groupware. Besides, many racks in a data center are really a fixed cost while (at least theoretically) your cloud cost is a variable that can increase or decrease depending on usage. As for the age-old question of who looks at your data… again what should be commercially reasonable to protect it? All the big cloud providers have a ton of certifications (SOC2, various ISO, CSA, etc.) with a ton of controls attesting to privacy, security, processing integrity, availability, etc. it seems to be good enough for large multinationals. Nonetheless, none of this helps if the purchasing organization doesn't internally adhere to good security practices themselves. Also, commercial organizations should really assume that if someone really wants to peek at some proprietary data it won't matter whether it located is in the cloud or on premises. :) It’s a whole another - big - problem that EU doesn’t have a convincing alternative to Google Suite or O365. Or alternatives to the most popular services in general. That cannot be solved on this mailing list, unfortunately. Kaj Sent from my iPhone ________________________________ From: Timo Hilbrink via members-discuss <members-discuss@ripe.net> Sent: Monday, November 4, 2024 4:26 PM To: members-discuss@ripe.net <members-discuss@ripe.net> Subject: [members-discuss] Serious concerns about the RIPE NCC Cloud Technology Status Hi all, As we have seen in the past several Information Services updates from Felipe, the RIPE NCC has been moving a lot of services to the cloud, this now also includes things like RIPE NCC email, calendars, chat and video conferencing. The follwoing page gives a helpful overview of these services and the relevant cloud platforms: https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ripe.net%2Fpublications%2Fdocumentation%2Fcloud-technology-status%2F&data=05%7C02%7C%7Cc643a87399ef4229d62908dcfcdc9c8a%7Cd0b71c570f9b4acc923b81d0b26b55b3%7C0%7C0%7C638663271679865096%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C4000%7C%7C%7C&sdata=AggOh2r0lInad%2FT6uMrUJPNUp%2BWzsT%2FRdYD9m5diRjc%3D&reserved=0<https://www.ripe.net/publications/documentation/cloud-technology-status/> The page states that "all services pass an internal process of strict legal, information security, technology and privacy reviews". That all sounds very reassuring, doesn't it? However.. Even though the "Data Residency" column states "EU" for all these services, these cloud providers are a U.S. legal entity (or a foreign entity with an office in the U.S.), so the data stored on these platforms completely falls under U.S. legislation, such as the CLOUD act and numerous related acts and laws. It is completely irrelevant where this data is stored geographically. This also means that the data stored on these platforms can be subject to U.S. law enforcement warrants and subpoenas. As a concerned and privacy aware citizen, i find it very worrying that basically all my interactions with the RIPE NCC in some way end up in the hands of U.S. based cloud providers. But i can imagine that these concerns are much more serious for RIPE members in countries that have a less favourable relation with the U.S. (there are quite a number of those countries within the RIPE service region) What do other members think about this, and has the RIPE NCC taken these consequences into account when they decided to move all this data and services to U.S. based hyperscalers? Thanks for your thoughts, Timo Hilbrink Freedom Internet ----- To unsubscribe from this mailing list or change your subscription options, please visit: https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmailman.ripe.net%2Fmailman3%2Flists%2Fmembers-discuss.ripe.net%2F&data=05%7C02%7C%7Cc643a87399ef4229d62908dcfcdc9c8a%7Cd0b71c570f9b4acc923b81d0b26b55b3%7C0%7C0%7C638663271679886742%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C4000%7C%7C%7C&sdata=DFo%2BGQloZ8lW00gxZBjPuMt4Juhk7%2BcSvhnizh7GLH8%3D&reserved=0<https://mailman.ripe.net/mailman3/lists/members-discuss.ripe.net/> As we have migrated to Mailman 3, you will need to create an account with the email matching your subscription before you can change your settings. More details at: https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ripe.net%2Fmembership%2Fmail%2Fmailman-3-migration%2F&data=05%7C02%7C%7Cc643a87399ef4229d62908dcfcdc9c8a%7Cd0b71c570f9b4acc923b81d0b26b55b3%7C0%7C0%7C638663271679902701%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C4000%7C%7C%7C&sdata=4NG3bSB3tsMa5RWJABluY9hAWYVEdsEcJdN6M1iDaNE%3D&reserved=0<https://www.ripe.net/membership/mail/mailman-3-migration/>
Kaj Niemi wrote:
Also, commercial organizations should really assume that if someone really wants to peek at some proprietary data it won't matter whether it located is in the cloud or on premises. :)
No. That is not the case. The question is whether I can take responsibility for it or whether I have to hand it over. -- nemox.net Rudolf E. Steiner r.steiner@nemox.net http://nemox.net/pdat/res/
On 2024-11-04 14:30, Timo Hilbrink via members-discuss wrote:
What do other members think about this, and has the RIPE NCC taken these consequences into account when they decided to move all this data and services to U.S. based hyperscalers?
Thanks for speaking up Timo. It's important this gets raised at every opportunity. Yes, other members are concerned about data sovereignty and the use of 3rd party providers, to the extent that it was highlighted in the 2023 RIPE NCC Survey. I wrote[1] at the time "Aside from obvious issues like IPv4 hoarding and security threats, I find it interesting that the following points were raised by enough members to warrant mention in the report:" followed by some quotes from the report: "A perceived rise in goverment influence, both democratic and authoritarian, and geopolitical tensions that threaten Internet neutrality are also seen as a challenge to Internet stability … comments indicated that threats from governments (very much including the EU) to control the Internet" will lead to "fragmentation due to differing regulations, censorship, and geopolitical tensions" and "Comments also highlighted concerns about "over-reliance" on 3rd party vendors, particularly "large, US-based cloud resources", with some members instead wanting ... "greater use of open-source software" In general I've found RIPE to be well run and focused compared to other similar organisations, but over-reliance on 3rd party services particulaly (US companies which undermine EU law) and a willingness to use suppliers that don't even support IPv6 (such as the voting platform for the past AGM) are concerning. It makes little sense IMHO to outsource the physical hosting, but keep the more expensive and technical skills required to maintain these servers in-house. To my knowlege Amazon and Google aren't providing managed hosting - just the servers, which is by far the easiest part to maintain. I'm dubious that there are any significant cost savings to be had by moving things to the "cloud". There are a variety of colo providers in the Netherlands and elsewhere in Europe more than capable. Cheers, Brett [1] https://blog.brettsheffield.com/ripe-ncc-2023-survey Brett Sheffield Gladserv
On 04/11/2024 15:30, Timo Hilbrink via members-discuss wrote: Last I checked, none of my interactions with the NCC nor anyone via any NCC mailing list nor RIPE ATLAS involved drug running, pedophilia, human trafficking or terrorism. For the purists, I would be more concerned about your Gmail or O365 mail and that rant you might have sent to a local neighborhood mailing list, or some off color or non-PC meme you shared via Whatsapp - all of which is being scooped up by ____ (fill in favorite spy agency). In the meantime, RIPE NCC is doing a fine job in the realm of moving services to the cloud. Regards, Hank
Hi all,
As we have seen in the past several Information Services updates from Felipe, the RIPE NCC has been moving a lot of services to the cloud, this now also includes things like RIPE NCC email, calendars, chat and video conferencing. The follwoing page gives a helpful overview of these services and the relevant cloud platforms:
https://www.ripe.net/publications/documentation/cloud-technology-status/
The page states that "all services pass an internal process of strict legal, information security, technology and privacy reviews". That all sounds very reassuring, doesn't it?
However..
Even though the "Data Residency" column states "EU" for all these services, these cloud providers are a U.S. legal entity (or a foreign entity with an office in the U.S.), so the data stored on these platforms completely falls under U.S. legislation, such as the CLOUD act and numerous related acts and laws. It is completely irrelevant where this data is stored geographically.
This also means that the data stored on these platforms can be subject to U.S. law enforcement warrants and subpoenas.
As a concerned and privacy aware citizen, i find it very worrying that basically all my interactions with the RIPE NCC in some way end up in the hands of U.S. based cloud providers. But i can imagine that these concerns are much more serious for RIPE members in countries that have a less favourable relation with the U.S. (there are quite a number of those countries within the RIPE service region)
What do other members think about this, and has the RIPE NCC taken these consequences into account when they decided to move all this data and services to U.S. based hyperscalers?
Thanks for your thoughts,
Timo Hilbrink Freedom Internet ----- To unsubscribe from this mailing list or change your subscription options, please visit: https://mailman.ripe.net/mailman3/lists/members- discuss.ripe.net/ As we have migrated to Mailman 3, you will need to create an account with the email matching your subscription before you can change your settings. More details at: https://www.ripe.net/membership/mail/ mailman-3-migration/
I would like to understand what RIPE NCC will do if, at the next round of sanctions, access to the cloud or mail servers becomes completely closed from a number of countries, for example Russia. We have already faced the fact that a huge number of Western services have limited access to their resources and as the war with the Russian Federation is lost, the number of blockages is only growing. Please give me an answer: WHAT IS THE PLAN FOR THIS CASE? ----------------------------- Serbulov Dmitry a-n-t.ru
And so, we just started discussing it and it happened: Roskomnadzor recommended that owners of Internet resources in Russia abandon the CDN service (content delivery network) of the American CloudFlare The agency claims that the company uses technology to provide access to prohibited information, which violates Russian law CloudFlare... In October, the TLS ECH (Encrypted Client Hello) extension was enabled by default on its servers. This technology is a means of circumventing restrictions on access to information prohibited in Russia Roskomnadzor assures that CloudFlare was among the Biotech companies that the State Department gathered in September to discuss a comprehensive and organized counteraction to countries actively defending their information sovereignty WTF
I would like to understand what RIPE NCC will do if, at the next round of sanctions, access to the cloud or mail servers becomes completely closed from a number of countries, for example Russia. We have already faced the fact that a huge number of Western services have limited access to their resources and as the war with the Russian Federation is lost, the number of blockages is only growing.
Please give me an answer: WHAT IS THE PLAN FOR THIS CASE? ----------------------------- Serbulov Dmitry a-n-t.ru
----- To unsubscribe from this mailing list or change your subscription options, please visit: https://mailman.ripe.net/mailman3/lists/members-discuss.ripe.net/ As we have migrated to Mailman 3, you will need to create an account with the email matching your subscription before you can change your settings. More details at: https://www.ripe.net/membership/mail/mailman-3-migration/
----------------------------- С уважением Сербулов Дмитрий ООО "Альфа Нет Телеком" +7(498)785-8-000 раб. +7(495)940-92-11 доп. +7(925)518-10-69 сот.
Hello. I honestly believe it’s not and should not be related to RIPE in any way. If RKN wants to ban certain resources, TLS ECH or entire tech stack - that’s their right and you can ask them directly what to do. What is point to ask RIPE about it? RIPE is not required to comply with RKN demands.
On 7 Nov 2024, at 19:22, sdy@a-n-t.ru wrote:
And so, we just started discussing it and it happened:
Roskomnadzor recommended that owners of Internet resources in Russia abandon the CDN service (content delivery network) of the American CloudFlare The agency claims that the company uses technology to provide access to prohibited information, which violates Russian law CloudFlare... In October, the TLS ECH (Encrypted Client Hello) extension was enabled by default on its servers. This technology is a means of circumventing restrictions on access to information prohibited in Russia Roskomnadzor assures that CloudFlare was among the Biotech companies that the State Department gathered in September to discuss a comprehensive and organized counteraction to countries actively defending their information sovereignty
WTF
I would like to understand what RIPE NCC will do if, at the next round of sanctions, access to the cloud or mail servers becomes completely closed from a number of countries, for example Russia. We have already faced the fact that a huge number of Western services have limited access to their resources and as the war with the Russian Federation is lost, the number of blockages is only growing.
Please give me an answer: WHAT IS THE PLAN FOR THIS CASE? ----------------------------- Serbulov Dmitry a-n-t.ru
----- To unsubscribe from this mailing list or change your subscription options, please visit: https://mailman.ripe.net/mailman3/lists/members-discuss.ripe.net/ As we have migrated to Mailman 3, you will need to create an account with the email matching your subscription before you can change your settings. More details at: https://www.ripe.net/membership/mail/mailman-3-migration/
----------------------------- С уважением Сербулов Дмитрий ООО "Альфа Нет Телеком" +7(498)785-8-000 раб. +7(495)940-92-11 доп. +7(925)518-10-69 сот.
----- To unsubscribe from this mailing list or change your subscription options, please visit: https://mailman.ripe.net/mailman3/lists/members-discuss.ripe.net/ As we have migrated to Mailman 3, you will need to create an account with the email matching your subscription before you can change your settings. More details at: https://www.ripe.net/membership/mail/mailman-3-migration/
Hello, You didn't understand, colleague, Sanctions, blocking of RKN, Obama urinated on the entrances of houses in Vorkuta, Orange Revolution in Ukraine, presidential elections in Moldova, oil for $50 RIPE NCC MUST solve all the problems of russians!!!! Because everyone owes the russians, and those who don't owe it just don't know about it yet. And the United States is to blame for everything. It's obviously
On 7 Nov 2024, at 20:00, Mihail Fedorov <mihail@fedorov.net> wrote:
Hello.
I honestly believe it’s not and should not be related to RIPE in any way. If RKN wants to ban certain resources, TLS ECH or entire tech stack - that’s their right and you can ask them directly what to do.
What is point to ask RIPE about it? RIPE is not required to comply with RKN demands.
On 7 Nov 2024, at 19:22, sdy@a-n-t.ru wrote:
And so, we just started discussing it and it happened:
Roskomnadzor recommended that owners of Internet resources in Russia abandon the CDN service (content delivery network) of the American CloudFlare The agency claims that the company uses technology to provide access to prohibited information, which violates Russian law CloudFlare... In October, the TLS ECH (Encrypted Client Hello) extension was enabled by default on its servers. This technology is a means of circumventing restrictions on access to information prohibited in Russia Roskomnadzor assures that CloudFlare was among the Biotech companies that the State Department gathered in September to discuss a comprehensive and organized counteraction to countries actively defending their information sovereignty
WTF
I would like to understand what RIPE NCC will do if, at the next round of sanctions, access to the cloud or mail servers becomes completely closed from a number of countries, for example Russia. We have already faced the fact that a huge number of Western services have limited access to their resources and as the war with the Russian Federation is lost, the number of blockages is only growing.
Please give me an answer: WHAT IS THE PLAN FOR THIS CASE? ----------------------------- Serbulov Dmitry a-n-t.ru
----- To unsubscribe from this mailing list or change your subscription options, please visit: https://mailman.ripe.net/mailman3/lists/members-discuss.ripe.net/ As we have migrated to Mailman 3, you will need to create an account with the email matching your subscription before you can change your settings. More details at: https://www.ripe.net/membership/mail/mailman-3-migration/
----------------------------- С уважением Сербулов Дмитрий ООО "Альфа Нет Телеком" +7(498)785-8-000 раб. +7(495)940-92-11 доп. +7(925)518-10-69 сот.
----- To unsubscribe from this mailing list or change your subscription options, please visit: https://mailman.ripe.net/mailman3/lists/members-discuss.ripe.net/ As we have migrated to Mailman 3, you will need to create an account with the email matching your subscription before you can change your settings. More details at: https://www.ripe.net/membership/mail/mailman-3-migration/
To unsubscribe from this mailing list or change your subscription options, please visit: https://mailman.ripe.net/mailman3/lists/members-discuss.ripe.net/ As we have migrated to Mailman 3, you will need to create an account with the email matching your subscription before you can change your settings. More details at: https://www.ripe.net/membership/mail/mailman-3-migration/
— Serg Galat
Please give me an answer: WHAT IS THE PLAN FOR THIS CASE?
That's a problem between you and your government, the RIPE NCC has nothing to do with that.
Hi Timo, hi members, On 4 Nov 2024, at 14:30, Timo Hilbrink via members-discuss wrote:
What do other members think about this, and has the RIPE NCC taken these consequences into account when they decided to move all this data and services to U.S. based hyperscalers?
I think, that privacy is only one concern. You might argue, that Alphabet and Amazon have the highest level of security you can buy from the shelf. And I tend to agree to that. So I am not very afraid of people outside of these companies or the U.S. government getting access to the data stored with them. People like to say that the U.S. Government has no interest in RIPE and does not see it as a target. Many targets thought so before Edward showed us otherwise. But privacy is not the only concern if you outsource your business critical services. I would be very interested to see the plan of action in case Google decides to suspend the RIPE NCC account for “violation of TOS”. Sure a suspension would be a “mistake”. But even those mistakes can take a few days or weeks to get resolved. Ask me how I know. If you think I am paranoid, take a second and think about the fact, that he can win the election today. In addition to that concentrating all of your critical services to a few big players on the market is a declaration of bankruptcy for a organisation that is dealing with decentralised infrastructure a.k.a the internet. To be honest I do not expect many of you sharing my concerns. The internet and therefore the RIPE is all about the money nowadays. So why would you invest in infrastructure that is not directly beneficial to you and your net worth? I am not blaming the responsible persons at RIPE NCC. They are just giving in on the pressure from the members who want to save money at all costs. At the end of the day you get what you pay for. — Alex ‘arl’ Leefmann
Hello Alex 'arl' Leefmann You are absolutely right in your thinking, (where is the cloud) and who has access. Michael Baasch Med venlig hilsen Best Regards Michael Baasch MitCom Engvej 18 9700 Brønderslev Telefon: +45 9815 5675 -----Oprindelig meddelelse----- Fra: Alexander Leefmann <alex@nycro.de> Sendt: 5. november 2024 07:15 Til: Timo Hilbrink <timoh@freedomnet.nl> Cc: members-discuss@ripe.net Emne: [members-discuss] Re: Serious concerns about the RIPE NCC Cloud Technology Status Hi Timo, hi members, On 4 Nov 2024, at 14:30, Timo Hilbrink via members-discuss wrote:
What do other members think about this, and has the RIPE NCC taken these consequences into account when they decided to move all this data and services to U.S. based hyperscalers?
I think, that privacy is only one concern. You might argue, that Alphabet and Amazon have the highest level of security you can buy from the shelf. And I tend to agree to that. So I am not very afraid of people outside of these companies or the U.S. government getting access to the data stored with them. People like to say that the U.S. Government has no interest in RIPE and does not see it as a target. Many targets thought so before Edward showed us otherwise. But privacy is not the only concern if you outsource your business critical services. I would be very interested to see the plan of action in case Google decides to suspend the RIPE NCC account for “violation of TOS”. Sure a suspension would be a “mistake”. But even those mistakes can take a few days or weeks to get resolved. Ask me how I know. If you think I am paranoid, take a second and think about the fact, that he can win the election today. In addition to that concentrating all of your critical services to a few big players on the market is a declaration of bankruptcy for a organisation that is dealing with decentralised infrastructure a.k.a the internet. To be honest I do not expect many of you sharing my concerns. The internet and therefore the RIPE is all about the money nowadays. So why would you invest in infrastructure that is not directly beneficial to you and your net worth? I am not blaming the responsible persons at RIPE NCC. They are just giving in on the pressure from the members who want to save money at all costs. At the end of the day you get what you pay for. — Alex ‘arl’ Leefmann ----- To unsubscribe from this mailing list or change your subscription options, please visit: https://mailman.ripe.net/mailman3/lists/members-discuss.ripe.net/ As we have migrated to Mailman 3, you will need to create an account with the email matching your subscription before you can change your settings. More details at: https://www.ripe.net/membership/mail/mailman-3-migration/
Dear Timo, all, First off, I want to let you know that documents containing potential confidential member information - company registration papers, network plans, any document sent to the NCC in order to justify additional resources, etc. - are stored on premises in our Document Management System (Alfresco). Registry information - including the history of all Internet Number Resources, plus all current and historical information about our members (legal address, company registration number, etc.) - is stored on our in-house-developed software, running on premises. Ticketed communication with members is stored in Zendesk, which runs in the cloud using AWS infrastructure. No documents are stored directly in Zendesk, and any documents sent as attachments are automatically removed and stored in Alfresco. For copies of IDs and passports, we use a third party (iDenfy) to identify our members. We don’t store any copies of IDs as part of this process, and IDs are deleted after 14 days. For staff email we do use Gmail, and I note that copies of some Zendesk tickets might end up on staff email accounts. This came from an internal decision to fully use Google Workspace, which we were already using for other productivity tools. We also recently stopped paying for licenses for Zoom and now use Google Meet for video conferencing. Using Gmail for staff brings several benefits for us, including better spam and malware filtering as well as integration for staff with the rest of the Google Workspace tools. As has been noted here, these decisions are largely cost- and resource-driven. We have undertaken serious efforts to reduce costs on the technology side of the organisation over the past two years, and this has resulted in some of the compromises that have been noted on this thread. An example of this is our recent efforts to reduce our data centre footprint, which have focused on providing quality services in a cost-effective way [1]. However, it's important to note that for most email we do in fact run our email infrastructure, including MTAs, community and membership mailing lists, and the ASO and NRO email systems. We operate on-premise MX servers, which handle all emails directed to ripe.net and route them accordingly. Emails sent to staff and role accounts are forwarded to Gmail, while those intended for support go to Zendesk. Emails directed to mailing lists are routed to our on-premise Mailman instances. For outgoing emails, we use various services: Gmail for staff emails, Zendesk for support, AFAS for invoicing, and Brevo for some announcements. Any remaining emails, such as those from mailing lists and NCC services (like RIPE Database updates, RIPE Atlas, etc.), are sent through an on-premise mail server. It is difficult to run our operations if we have to speculate on what governments can and cannot do. Instead, we apply a risk-based approach, paying close attention to the contracts we sign with these providers and ensuring that the obligations described in them give the highest possible level of privacy and security for our members. Kind regards, Felipe Victolla Silveira Chief Technology Officer RIPE NCC [1] https://labs.ripe.net/author/felipe_victolla_silveira/reducing-the-ripe-nccs... On Mon, 4 Nov 2024 at 13:33, Timo Hilbrink via members-discuss < members-discuss@ripe.net> wrote:
Hi all,
As we have seen in the past several Information Services updates from Felipe, the RIPE NCC has been moving a lot of services to the cloud, this now also includes things like RIPE NCC email, calendars, chat and video conferencing. The follwoing page gives a helpful overview of these services and the relevant cloud platforms:
https://www.ripe.net/publications/documentation/cloud-technology-status/
The page states that "all services pass an internal process of strict legal, information security, technology and privacy reviews". That all sounds very reassuring, doesn't it?
However..
Even though the "Data Residency" column states "EU" for all these services, these cloud providers are a U.S. legal entity (or a foreign entity with an office in the U.S.), so the data stored on these platforms completely falls under U.S. legislation, such as the CLOUD act and numerous related acts and laws. It is completely irrelevant where this data is stored geographically.
This also means that the data stored on these platforms can be subject to U.S. law enforcement warrants and subpoenas.
As a concerned and privacy aware citizen, i find it very worrying that basically all my interactions with the RIPE NCC in some way end up in the hands of U.S. based cloud providers. But i can imagine that these concerns are much more serious for RIPE members in countries that have a less favourable relation with the U.S. (there are quite a number of those countries within the RIPE service region)
What do other members think about this, and has the RIPE NCC taken these consequences into account when they decided to move all this data and services to U.S. based hyperscalers?
Thanks for your thoughts,
Timo Hilbrink Freedom Internet ----- To unsubscribe from this mailing list or change your subscription options, please visit: https://mailman.ripe.net/mailman3/lists/members-discuss.ripe.net/ As we have migrated to Mailman 3, you will need to create an account with the email matching your subscription before you can change your settings. More details at: https://www.ripe.net/membership/mail/mailman-3-migration/
Felipe Silveira wrote:
It is difficult to run our operations if we have to speculate on what governments can and cannot do. Instead, we apply a risk-based approach, paying close attention to the contracts we sign with these providers and ensuring that the obligations described in them give the highest possible level of privacy and security for our members.
Thank you for the detailed explanation of your data protection measures and technical infrastructure. External Cloud Usage for Ticketing (Zendesk on AWS): While I appreciate that no documents are stored directly in Zendesk, sensitive information can still be included in ticket content. A fully on-premise alternative could help avoid this potential vulnerability and provide more transparency regarding storage location and access policies. Use of Gmail for Staff Emails: Using Gmail for internal communication brings additional privacy risks. With emails and internal communication running on Google servers, there’s a chance that metadata and content may be accessible to third parties. A self-hosted solution for internal email communication could offer greater control and might reduce long-term costs, even though the spam filtering and integration with Google tools are understandably appealing. External Service for Identity Verification (iDenfy): Relying on a third party for identity verification, particularly when it involves sensitive documents like passports and IDs, introduces potential data privacy concerns. Although the data is deleted after 14 days, an in-house solution—such as a privacy-compliant, self-hosted service—could mitigate this risk. Cost and Resource Efficiency vs. Data Privacy: I understand the challenges of cost and resource reduction. However, I wonder if, in the long run, adopting more on-premise solutions and open-source software might lead to greater independence, reduced licensing fees, and enhanced security. There are many privacy-friendly, self-hosted alternatives that might initially require more setup but could offer significant long-term benefits to members. Risk-Based Approach and Contractual Control: I appreciate your risk-based approach, yet a stronger self-hosting strategy could reduce reliance on third parties and the need for contractual assurances. Moving towards self-hosting could even become a positive message to RIPE members, showcasing that RIPE actively prioritizes data privacy. In principle, I see no need to use servers from "big tech" for such simple services. -- nemox.net Rudolf E. Steiner r.steiner@nemox.net http://nemox.net/pdat/res/
Hi Felipe, Thanks for your extensive reply to my concerns. I am aware of the efforts the RIPE NCC makes to store documents and registry information safely, and with the appropriate data retention policies. From what i can see, this has been implemented very well, and i have trust in the security of these applications. But as Rudolf has already pointed out, apart from attachments there is still a lot of sensitive information and meta data in both Zendesk tickets and staff e-mail. And this data is being stored under U.S. legislation. You mention that "the RIPE NCC applies a risk-based approach, paying close attention to the contracts we sign with these providers and ensuring that the obligations described in them give the highest possible level of privacy and security" That is what is called the "administrative firewall"; the legal, security and compliance teams go through these contracts and make sure that all risks and responsabilities have been covered. But in reality these contracts don't actually guarantee any level of privacy, security or reliability, they merely provide us with someone to point at when things go wrong. I consider the RIPE NCC to be a neutral and independent organisation that supplies critical services to a very large service area outside of the U.S., an organisation with a huge amount of highly skilled staff. And i find it very disappointing that such an organisation with the ~40M budget that it has, is not able to run its own, on-premise infrastructure for communication with its members. I have already mentioned it in a previous reply, but if you haven't done so already, please check out the RIPE Labs podcast with Bert Hubert, as it touches on several of these subjects: https://labs.ripe.net/author/alun_davies/bert-hubert-internet-privacy-and-th... Timo Hilbrink Freedom Internet On 05/11/2024 16:06, Felipe Silveira wrote:
Dear Timo, all,
First off, I want to let you know that documents containing potential confidential member information - company registration papers, network plans, any document sent to the NCC in order to justify additional resources, etc. - are stored on premises in our Document Management System (Alfresco).
Registry information - including the history of all Internet Number Resources, plus all current and historical information about our members (legal address, company registration number, etc.) - is stored on our in-house-developed software, running on premises.
Ticketed communication with members is stored in Zendesk, which runs in the cloud using AWS infrastructure. No documents are stored directly in Zendesk, and any documents sent as attachments are automatically removed and stored in Alfresco.
For copies of IDs and passports, we use a third party (iDenfy) to identify our members. We don’t store any copies of IDs as part of this process, and IDs are deleted after 14 days.
For staff email we do use Gmail, and I note that copies of some Zendesk tickets might end up on staff email accounts. This came from an internal decision to fully use Google Workspace, which we were already using for other productivity tools. We also recently stopped paying for licenses for Zoom and now use Google Meet for video conferencing. Using Gmail for staff brings several benefits for us, including better spam and malware filtering as well as integration for staff with the rest of the Google Workspace tools.
As has been noted here, these decisions are largely cost- and resource-driven. We have undertaken serious efforts to reduce costs on the technology side of the organisation over the past two years, and this has resulted in some of the compromises that have been noted on this thread. An example of this is our recent efforts to reduce our data centre footprint, which have focused on providing quality services in a cost-effective way [1].
However, it's important to note that for most email we do in fact run our email infrastructure, including MTAs, community and membership mailing lists, and the ASO and NRO email systems. We operate on-premise MX servers, which handle all emails directed to ripe.net <http://ripe.net> and route them accordingly. Emails sent to staff and role accounts are forwarded to Gmail, while those intended for support go to Zendesk. Emails directed to mailing lists are routed to our on-premise Mailman instances.
For outgoing emails, we use various services: Gmail for staff emails, Zendesk for support, AFAS for invoicing, and Brevo for some announcements. Any remaining emails, such as those from mailing lists and NCC services (like RIPE Database updates, RIPE Atlas, etc.), are sent through an on-premise mail server.
It is difficult to run our operations if we have to speculate on what governments can and cannot do. Instead, we apply a risk-based approach, paying close attention to the contracts we sign with these providers and ensuring that the obligations described in them give the highest possible level of privacy and security for our members.
Kind regards,
Felipe Victolla Silveira Chief Technology Officer RIPE NCC
[1] https://labs.ripe.net/author/felipe_victolla_silveira/reducing-the-ripe-nccs... <https://labs.ripe.net/author/felipe_victolla_silveira/reducing-the-ripe-nccs-data-centre-footprint/>
On Mon, 4 Nov 2024 at 13:33, Timo Hilbrink via members-discuss <members-discuss@ripe.net <mailto:members-discuss@ripe.net>> wrote:
Hi all,
As we have seen in the past several Information Services updates from Felipe, the RIPE NCC has been moving a lot of services to the cloud, this now also includes things like RIPE NCC email, calendars, chat and video conferencing. The follwoing page gives a helpful overview of these services and the relevant cloud platforms:
https://www.ripe.net/publications/documentation/cloud-technology-status/ <https://www.ripe.net/publications/documentation/cloud-technology-status/>
The page states that "all services pass an internal process of strict legal, information security, technology and privacy reviews". That all sounds very reassuring, doesn't it?
However..
Even though the "Data Residency" column states "EU" for all these services, these cloud providers are a U.S. legal entity (or a foreign entity with an office in the U.S.), so the data stored on these platforms completely falls under U.S. legislation, such as the CLOUD act and numerous related acts and laws. It is completely irrelevant where this data is stored geographically.
This also means that the data stored on these platforms can be subject to U.S. law enforcement warrants and subpoenas.
As a concerned and privacy aware citizen, i find it very worrying that basically all my interactions with the RIPE NCC in some way end up in the hands of U.S. based cloud providers. But i can imagine that these concerns are much more serious for RIPE members in countries that have a less favourable relation with the U.S. (there are quite a number of those countries within the RIPE service region)
What do other members think about this, and has the RIPE NCC taken these consequences into account when they decided to move all this data and services to U.S. based hyperscalers?
Thanks for your thoughts,
Timo Hilbrink Freedom Internet ----- To unsubscribe from this mailing list or change your subscription options, please visit: https://mailman.ripe.net/mailman3/lists/members-discuss.ripe.net/ <https://mailman.ripe.net/mailman3/lists/members-discuss.ripe.net/> As we have migrated to Mailman 3, you will need to create an account with the email matching your subscription before you can change your settings. More details at: https://www.ripe.net/membership/mail/mailman-3-migration/ <https://www.ripe.net/membership/mail/mailman-3-migration/>
Felipe This all seems logical and sane. Regards Michele -- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ https://blacknight.blog/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Personal blog: https://michele.blog/ Some thoughts: https://ceo.hosting/ ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845 I have sent this email at a time that is convenient for me. I do not expect you to respond to it outside of your usual working hours. From: Felipe Silveira <fvictolla@ripe.net> Date: Tuesday, 5 November 2024 at 18:26 To: Timo Hilbrink <timoh@freedomnet.nl> Cc: members-discuss@ripe.net <members-discuss@ripe.net> Subject: [members-discuss] Re: Serious concerns about the RIPE NCC Cloud Technology Status [EXTERNAL EMAIL] Please use caution when opening attachments from unrecognised sources. Dear Timo, all, First off, I want to let you know that documents containing potential confidential member information - company registration papers, network plans, any document sent to the NCC in order to justify additional resources, etc. - are stored on premises in our Document Management System (Alfresco). Registry information - including the history of all Internet Number Resources, plus all current and historical information about our members (legal address, company registration number, etc.) - is stored on our in-house-developed software, running on premises. Ticketed communication with members is stored in Zendesk, which runs in the cloud using AWS infrastructure. No documents are stored directly in Zendesk, and any documents sent as attachments are automatically removed and stored in Alfresco. For copies of IDs and passports, we use a third party (iDenfy) to identify our members. We don’t store any copies of IDs as part of this process, and IDs are deleted after 14 days. For staff email we do use Gmail, and I note that copies of some Zendesk tickets might end up on staff email accounts. This came from an internal decision to fully use Google Workspace, which we were already using for other productivity tools. We also recently stopped paying for licenses for Zoom and now use Google Meet for video conferencing. Using Gmail for staff brings several benefits for us, including better spam and malware filtering as well as integration for staff with the rest of the Google Workspace tools. As has been noted here, these decisions are largely cost- and resource-driven. We have undertaken serious efforts to reduce costs on the technology side of the organisation over the past two years, and this has resulted in some of the compromises that have been noted on this thread. An example of this is our recent efforts to reduce our data centre footprint, which have focused on providing quality services in a cost-effective way [1]. However, it's important to note that for most email we do in fact run our email infrastructure, including MTAs, community and membership mailing lists, and the ASO and NRO email systems. We operate on-premise MX servers, which handle all emails directed to ripe.net<http://ripe.net> and route them accordingly. Emails sent to staff and role accounts are forwarded to Gmail, while those intended for support go to Zendesk. Emails directed to mailing lists are routed to our on-premise Mailman instances. For outgoing emails, we use various services: Gmail for staff emails, Zendesk for support, AFAS for invoicing, and Brevo for some announcements. Any remaining emails, such as those from mailing lists and NCC services (like RIPE Database updates, RIPE Atlas, etc.), are sent through an on-premise mail server. It is difficult to run our operations if we have to speculate on what governments can and cannot do. Instead, we apply a risk-based approach, paying close attention to the contracts we sign with these providers and ensuring that the obligations described in them give the highest possible level of privacy and security for our members. Kind regards, Felipe Victolla Silveira Chief Technology Officer RIPE NCC [1] https://labs.ripe.net/author/felipe_victolla_silveira/reducing-the-ripe-nccs... On Mon, 4 Nov 2024 at 13:33, Timo Hilbrink via members-discuss <members-discuss@ripe.net<mailto:members-discuss@ripe.net>> wrote: Hi all, As we have seen in the past several Information Services updates from Felipe, the RIPE NCC has been moving a lot of services to the cloud, this now also includes things like RIPE NCC email, calendars, chat and video conferencing. The follwoing page gives a helpful overview of these services and the relevant cloud platforms: https://www.ripe.net/publications/documentation/cloud-technology-status/ The page states that "all services pass an internal process of strict legal, information security, technology and privacy reviews". That all sounds very reassuring, doesn't it? However.. Even though the "Data Residency" column states "EU" for all these services, these cloud providers are a U.S. legal entity (or a foreign entity with an office in the U.S.), so the data stored on these platforms completely falls under U.S. legislation, such as the CLOUD act and numerous related acts and laws. It is completely irrelevant where this data is stored geographically. This also means that the data stored on these platforms can be subject to U.S. law enforcement warrants and subpoenas. As a concerned and privacy aware citizen, i find it very worrying that basically all my interactions with the RIPE NCC in some way end up in the hands of U.S. based cloud providers. But i can imagine that these concerns are much more serious for RIPE members in countries that have a less favourable relation with the U.S. (there are quite a number of those countries within the RIPE service region) What do other members think about this, and has the RIPE NCC taken these consequences into account when they decided to move all this data and services to U.S. based hyperscalers? Thanks for your thoughts, Timo Hilbrink Freedom Internet ----- To unsubscribe from this mailing list or change your subscription options, please visit: https://mailman.ripe.net/mailman3/lists/members-discuss.ripe.net/ As we have migrated to Mailman 3, you will need to create an account with the email matching your subscription before you can change your settings. More details at: https://www.ripe.net/membership/mail/mailman-3-migration/
Agreed - this all looks fine to me. And speaking as a member, what's important is that all these areas have received explicit consideration in terms of the balance between cost, convenience and security. We pay the RIPE NCC to carry out a specific set of mandates and it's good to see that they do it. The fact that as members, we have visibility right down to this level of granularity is a bonus in terms of seeing what we're paying them to do. In the more general case of security risk management, there are plenty of cases out there where it would be appropriate to assign a high or critical risk rating to using US based cloud providers, as a result of the US Cloud Act. In those cases for sure, in-house might be an option, or a cloud provider in a gdpr-based jurisdiction, or data-at-rest encryption, or whatever style of risk mitigation was appropriate for the case in hand. But I can't see that the RIPE NCC falls into this category in general, and specifically not in relation to the categories of data that Felipe said that the RIPE NCC stored on AWS. Nick Michele Neylon - Blacknight via members-discuss wrote on 12/11/2024 13:55:
Felipe
This all seems logical and sane.
Regards
Michele
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845
I have sent this email at a time that is convenient for me. I do not expect you to respond to it outside of your usual working hours.
*From: *Felipe Silveira <fvictolla@ripe.net> *Date: *Tuesday, 5 November 2024 at 18:26 *To: *Timo Hilbrink <timoh@freedomnet.nl> *Cc: *members-discuss@ripe.net <members-discuss@ripe.net> *Subject: *[members-discuss] Re: Serious concerns about the RIPE NCC Cloud Technology Status
*[EXTERNAL EMAIL]*Please use caution when opening attachments from unrecognised sources.
Dear Timo, all,
First off, I want to let you know that documents containing potential confidential member information - company registration papers, network plans, any document sent to the NCC in order to justify additional resources, etc. - are stored on premises in our Document Management System (Alfresco).
Registry information - including the history of all Internet Number Resources, plus all current and historical information about our members (legal address, company registration number, etc.) - is stored on our in-house-developed software, running on premises.
Ticketed communication with members is stored in Zendesk, which runs in the cloud using AWS infrastructure. No documents are stored directly in Zendesk, and any documents sent as attachments are automatically removed and stored in Alfresco.
For copies of IDs and passports, we use a third party (iDenfy) to identify our members. We don’t store any copies of IDs as part of this process, and IDs are deleted after 14 days.
For staff email we do use Gmail, and I note that copies of some Zendesk tickets might end up on staff email accounts. This came from an internal decision to fully use Google Workspace, which we were already using for other productivity tools. We also recently stopped paying for licenses for Zoom and now use Google Meet for video conferencing. Using Gmail for staff brings several benefits for us, including better spam and malware filtering as well as integration for staff with the rest of the Google Workspace tools.
As has been noted here, these decisions are largely cost- and resource-driven. We have undertaken serious efforts to reduce costs on the technology side of the organisation over the past two years, and this has resulted in some of the compromises that have been noted on this thread. An example of this is our recent efforts to reduce our data centre footprint, which have focused on providing quality services in a cost-effective way [1].
However, it's important to note that for most email we do in fact run our email infrastructure, including MTAs, community and membership mailing lists, and the ASO and NRO email systems. We operate on-premise MX servers, which handle all emails directed to ripe.net <http://ripe.net> and route them accordingly. Emails sent to staff and role accounts are forwarded to Gmail, while those intended for support go to Zendesk. Emails directed to mailing lists are routed to our on-premise Mailman instances.
For outgoing emails, we use various services: Gmail for staff emails, Zendesk for support, AFAS for invoicing, and Brevo for some announcements. Any remaining emails, such as those from mailing lists and NCC services (like RIPE Database updates, RIPE Atlas, etc.), are sent through an on-premise mail server.
It is difficult to run our operations if we have to speculate on what governments can and cannot do. Instead, we apply a risk-based approach, paying close attention to the contracts we sign with these providers and ensuring that the obligations described in them give the highest possible level of privacy and security for our members.
Kind regards,
Felipe Victolla Silveira
Chief Technology Officer
RIPE NCC
[1] https://labs.ripe.net/author/felipe_victolla_silveira/reducing-the-ripe-nccs...
On Mon, 4 Nov 2024 at 13:33, Timo Hilbrink via members-discuss <members-discuss@ripe.net <mailto:members-discuss@ripe.net>> wrote:
Hi all,
As we have seen in the past several Information Services updates from Felipe, the RIPE NCC has been moving a lot of services to the cloud, this now also includes things like RIPE NCC email, calendars, chat and video conferencing. The follwoing page gives a helpful overview of these services and the relevant cloud platforms:
https://www.ripe.net/publications/documentation/cloud-technology-status/
The page states that "all services pass an internal process of strict legal, information security, technology and privacy reviews". That all sounds very reassuring, doesn't it?
However..
Even though the "Data Residency" column states "EU" for all these services, these cloud providers are a U.S. legal entity (or a foreign entity with an office in the U.S.), so the data stored on these platforms completely falls under U.S. legislation, such as the CLOUD act and numerous related acts and laws. It is completely irrelevant where this data is stored geographically.
This also means that the data stored on these platforms can be subject to U.S. law enforcement warrants and subpoenas.
As a concerned and privacy aware citizen, i find it very worrying that basically all my interactions with the RIPE NCC in some way end up in the hands of U.S. based cloud providers. But i can imagine that these concerns are much more serious for RIPE members in countries that have a less favourable relation with the U.S. (there are quite a number of those countries within the RIPE service region)
What do other members think about this, and has the RIPE NCC taken these consequences into account when they decided to move all this data and services to U.S. based hyperscalers?
Thanks for your thoughts,
Timo Hilbrink Freedom Internet ----- To unsubscribe from this mailing list or change your subscription options, please visit: https://mailman.ripe.net/mailman3/lists/members-discuss.ripe.net/ As we have migrated to Mailman 3, you will need to create an account with the email matching your subscription before you can change your settings. More details at: https://www.ripe.net/membership/mail/mailman-3-migration/
----- To unsubscribe from this mailing list or change your subscription options, please visit: https://mailman.ripe.net/mailman3/lists/members-discuss.ripe.net/ As we have migrated to Mailman 3, you will need to create an account with the email matching your subscription before you can change your settings. More details at: https://www.ripe.net/membership/mail/mailman-3-migration/
Exactly- nicely articulated. I don’t think we as members should be micro-managing the NCC. Surely people have enough on their plates with their own businesses? Regards Michele -- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ https://blacknight.blog/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Personal blog: https://michele.blog/ Some thoughts: https://ceo.hosting/ ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845 I have sent this email at a time that is convenient for me. I do not expect you to respond to it outside of your usual working hours. From: Nick Hilliard (Network Ability Ltd) <nick@netability.ie> Date: Tuesday, 12 November 2024 at 15:14 To: Michele Neylon - Blacknight <michele@blacknight.com> Cc: Felipe Silveira <fvictolla@ripe.net>, Timo Hilbrink <timoh@freedomnet.nl>, members-discuss@ripe.net <members-discuss@ripe.net> Subject: Re: [members-discuss] Re: Serious concerns about the RIPE NCC Cloud Technology Status [EXTERNAL EMAIL] Please use caution when opening attachments from unrecognised sources. Agreed - this all looks fine to me. And speaking as a member, what's important is that all these areas have received explicit consideration in terms of the balance between cost, convenience and security. We pay the RIPE NCC to carry out a specific set of mandates and it's good to see that they do it. The fact that as members, we have visibility right down to this level of granularity is a bonus in terms of seeing what we're paying them to do. In the more general case of security risk management, there are plenty of cases out there where it would be appropriate to assign a high or critical risk rating to using US based cloud providers, as a result of the US Cloud Act. In those cases for sure, in-house might be an option, or a cloud provider in a gdpr-based jurisdiction, or data-at-rest encryption, or whatever style of risk mitigation was appropriate for the case in hand. But I can't see that the RIPE NCC falls into this category in general, and specifically not in relation to the categories of data that Felipe said that the RIPE NCC stored on AWS. Nick Michele Neylon - Blacknight via members-discuss wrote on 12/11/2024 13:55: Felipe This all seems logical and sane. Regards Michele -- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ https://blacknight.blog/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Personal blog: https://michele.blog/ Some thoughts: https://ceo.hosting/ ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845 I have sent this email at a time that is convenient for me. I do not expect you to respond to it outside of your usual working hours. From: Felipe Silveira <fvictolla@ripe.net><mailto:fvictolla@ripe.net> Date: Tuesday, 5 November 2024 at 18:26 To: Timo Hilbrink <timoh@freedomnet.nl><mailto:timoh@freedomnet.nl> Cc: members-discuss@ripe.net<mailto:members-discuss@ripe.net> <members-discuss@ripe.net><mailto:members-discuss@ripe.net> Subject: [members-discuss] Re: Serious concerns about the RIPE NCC Cloud Technology Status [EXTERNAL EMAIL] Please use caution when opening attachments from unrecognised sources. Dear Timo, all, First off, I want to let you know that documents containing potential confidential member information - company registration papers, network plans, any document sent to the NCC in order to justify additional resources, etc. - are stored on premises in our Document Management System (Alfresco). Registry information - including the history of all Internet Number Resources, plus all current and historical information about our members (legal address, company registration number, etc.) - is stored on our in-house-developed software, running on premises. Ticketed communication with members is stored in Zendesk, which runs in the cloud using AWS infrastructure. No documents are stored directly in Zendesk, and any documents sent as attachments are automatically removed and stored in Alfresco. For copies of IDs and passports, we use a third party (iDenfy) to identify our members. We don’t store any copies of IDs as part of this process, and IDs are deleted after 14 days. For staff email we do use Gmail, and I note that copies of some Zendesk tickets might end up on staff email accounts. This came from an internal decision to fully use Google Workspace, which we were already using for other productivity tools. We also recently stopped paying for licenses for Zoom and now use Google Meet for video conferencing. Using Gmail for staff brings several benefits for us, including better spam and malware filtering as well as integration for staff with the rest of the Google Workspace tools. As has been noted here, these decisions are largely cost- and resource-driven. We have undertaken serious efforts to reduce costs on the technology side of the organisation over the past two years, and this has resulted in some of the compromises that have been noted on this thread. An example of this is our recent efforts to reduce our data centre footprint, which have focused on providing quality services in a cost-effective way [1]. However, it's important to note that for most email we do in fact run our email infrastructure, including MTAs, community and membership mailing lists, and the ASO and NRO email systems. We operate on-premise MX servers, which handle all emails directed to ripe.net<http://ripe.net> and route them accordingly. Emails sent to staff and role accounts are forwarded to Gmail, while those intended for support go to Zendesk. Emails directed to mailing lists are routed to our on-premise Mailman instances. For outgoing emails, we use various services: Gmail for staff emails, Zendesk for support, AFAS for invoicing, and Brevo for some announcements. Any remaining emails, such as those from mailing lists and NCC services (like RIPE Database updates, RIPE Atlas, etc.), are sent through an on-premise mail server. It is difficult to run our operations if we have to speculate on what governments can and cannot do. Instead, we apply a risk-based approach, paying close attention to the contracts we sign with these providers and ensuring that the obligations described in them give the highest possible level of privacy and security for our members. Kind regards, Felipe Victolla Silveira Chief Technology Officer RIPE NCC [1] https://labs.ripe.net/author/felipe_victolla_silveira/reducing-the-ripe-nccs... On Mon, 4 Nov 2024 at 13:33, Timo Hilbrink via members-discuss <members-discuss@ripe.net<mailto:members-discuss@ripe.net>> wrote: Hi all, As we have seen in the past several Information Services updates from Felipe, the RIPE NCC has been moving a lot of services to the cloud, this now also includes things like RIPE NCC email, calendars, chat and video conferencing. The follwoing page gives a helpful overview of these services and the relevant cloud platforms: https://www.ripe.net/publications/documentation/cloud-technology-status/ The page states that "all services pass an internal process of strict legal, information security, technology and privacy reviews". That all sounds very reassuring, doesn't it? However.. Even though the "Data Residency" column states "EU" for all these services, these cloud providers are a U.S. legal entity (or a foreign entity with an office in the U.S.), so the data stored on these platforms completely falls under U.S. legislation, such as the CLOUD act and numerous related acts and laws. It is completely irrelevant where this data is stored geographically. This also means that the data stored on these platforms can be subject to U.S. law enforcement warrants and subpoenas. As a concerned and privacy aware citizen, i find it very worrying that basically all my interactions with the RIPE NCC in some way end up in the hands of U.S. based cloud providers. But i can imagine that these concerns are much more serious for RIPE members in countries that have a less favourable relation with the U.S. (there are quite a number of those countries within the RIPE service region) What do other members think about this, and has the RIPE NCC taken these consequences into account when they decided to move all this data and services to U.S. based hyperscalers? Thanks for your thoughts, Timo Hilbrink Freedom Internet ----- To unsubscribe from this mailing list or change your subscription options, please visit: https://mailman.ripe.net/mailman3/lists/members-discuss.ripe.net/ As we have migrated to Mailman 3, you will need to create an account with the email matching your subscription before you can change your settings. More details at: https://www.ripe.net/membership/mail/mailman-3-migration/ ----- To unsubscribe from this mailing list or change your subscription options, please visit: https://mailman.ripe.net/mailman3/lists/members-discuss.ripe.net/ As we have migrated to Mailman 3, you will need to create an account with the email matching your subscription before you can change your settings. More details at: https://www.ripe.net/membership/mail/mailman-3-migration/
participants (27)
-
Alexander Leefmann -
Ben Cartwright-Cox -
Brett Sheffield -
Clement Cavadore -
Denys Fedoryshchenko -
Felipe Silveira -
Hank Nussbacher -
Jochen Bern -
Kaj Niemi -
Kurt Jaeger -
Max Tulyev -
Michael Baasch -
Michele Neylon - Blacknight -
Mihail Fedorov -
Nick Hilliard (Network Ability Ltd) -
Niels Dettenbach -
Pavel Polyakov -
Piotr Karwowski -
Radu Anghel -
Randy Bush -
ROSKOMNADZOR LIMITED -
Rudolf E. Steiner -
sdy@a-n-t.ru -
Serg Gal -
Timo Hilbrink -
Tobias Fiebig -
Toni Mueller