RIPE 46, Amsterdam
Working Group: RIPE NCC Services
Chair: Kurt Erik Lindqvist
Scribe: Isabel Pinto Coelho Sena
Slot 1, Tuesday 2/9 14.00-15.30
1. NCC Services WG Charter (Kurtis)
2. RIPE NCC Services Direction (Axel Pawlik) Service level and activities 2004
3. RIPE NCC Information Services
4. Discussion & input time / Open Mic session
Slot 2, Thursday 4/9 11.00-12.30
5. Presentation on X.509 and certificates (Dirk-Willem van Gulik). Discussions around the X.509 implementation of the RIPE NCC and what other RIRs have done.
6. DNS Services - Modification Plans
7. Proposals from the community
8. Discussion & input time / Open Mic session
X. AOB
Z. Close
________________________________________________________________
1. NCC Services WG Charter
WG Charter presented. No objections were made to its content.
2. RIPE NCC Services Direction (Axel Pawlik, Managing Director RIPE NCC) Service level and activities 2004
See Axel's presentation at
http://www.ripe.net/ripe/meetings/ripe-46/presentations/ripe46-nccserv-ncc-services.pdf
Kurtis Lindqvist: Who has read/seen the Member Update? [~20 people raised their hands]
Kurtis Lindqvist: Who here are Members? [~60 people raised their hands]
3. RIPE NCC Information Services
See Axel's previous presentation from slide 27 onwards
http://www.ripe.net/ripe/meetings/ripe-46/presentations/ripe46-nccserv-ncc-services.pdf
4. Discussion & input time / Open Mic session
Kurtis Lindqvist : Are there any questions for Axel? [No one had questions]
Kurtis Lindqvist : I have one myself: You spoke of the data you have that can be used to educate journalists, where do you want to push them, just as a general awareness?
Axel Pawlik (MD RIPE NCC): We want them to know that we are working well, we want the industry to tell them "do not interfere, they work well". As an example: name servers
Kurtis Lindqvist: Any other questions? [None were raised]
Kurtis Lindqvist : please register for the GM
Axel Pawlik : there was a heated discussion on the mailing lists? None now? [None responded]
Rob Blokzijl (RIPE Chairman): I'm surprised that there is no one that is willing to discuss the issues off the mailing-list, so I will bring up 2 issues that were often discussed. First one is: Whether all these services that the RIPE NCC offers are needed? I would also like to point out that there was no discussion on whether they are _useful_ however. Then there was the issue of a flat fee financial contribution versus a supermarket scenario? Meaning that one could pick and choose the services one is willing to pay for and has use for.
Wilfried Woeber (Vienna University - ACOnet): I've observed through the years another organization where the same discussion was going on for years, started out as a flat fee and then some started to object to this model. In the end, they found the most reasonable solution: you buy all or nothing. It is difficult to find out which activities are optional and which mandatory. Individual amount, increasing the administration overhead that goes along with keeping up with this supermarket model, this will not come for free... The complexity that we might inject into the subject is not going to be easy. It also splits the RIPE Community into 2 / 3 / 4 camps. Copyrighting on certain Services, making people pay for copies. It will de-stabilise the RIPE NCC and the Community.
Kurtis Lindqvist: Well, a number of people are questioning the order and priority of the activities.
Rob Blokzijl (RIPE Chair): I hope that one of the results of having this WG is to make people remember why certain services were created in the past, as the NCC did not just come up on an idle afternoon with: "let's create an activity". The NCC has always listened to the Community's input. It might not have been clear as to where and when the decisions were taken, that's why I'm glad we have this WG. Having it, it is possible to revisit the past and re-evaluate current services, although it might be more constructive to look at the future and we can improve.
Kurtis Lindqvist : How many of you have read the Activity Plan? [~10 max raised their hands] I'm concerned because some people on the mailing list indicated that they can not influence the AP, but most here have not read it.
Kurtis Lindqvist : If there are no other questions I'll see you all on Thursday.
Slot 2, Thursday 4/9 11.00-12.30
5. Presentation on X.509 and certificates (by Dirk-Willem van Gulik - apache) Discussions around the X.509 implementation of the RIPE NCC and what other RIRs have done.
6. DNS Services - Modification Plans (Olaf Kolkman)
7. Proposals from the community
8. Discussion & input time / Open Mic session
X. AOB
Z. Close
5. Presentation on X.509 and certificates (by Dirk-Willem van Gulik - apache) Discussions around the x.509 implementation of the RIPE NCC and what other RIRs have done.
Kurtis Lindqvist: As there were quite a lot of questions on the mailing list about X.509, we will have a presentation about it and also invite the other RIRs to explain what they are doing in their region. Also, at the last session I forgot to mention that we might require a co-chair, as it is mentioned in the charter.
Dirk-Willem van Gulik: This presentation focuses mainly on the issue of trust, not as much on the technical aspects of X.509.
http://www.ripe.net/ripe/meetings/ripe-46/presentations/ripe46-nccserv-pki-x509.pdf
Kurtis Lindqvist : any questions ? [None]
Presentation by Andrei Robachevsky, Chief Technical Officer, RIPE NCC
"PKI development at the RIPE NCC" http://www.ripe.net/ripe/meetings/ripe-46/presentations/ripe46-nccserv-pki.pdf
Kurtis Lindqvist: any questions?
Taiji Kimura from JPNIC: are there plans for non-repudiation of the query, validate queries to the DB?
Andrei Robachevsky : no, this is not about the DB itself, but more about correspondence with the NCC.
Wilfried Woeber (DB WG Chair): We have been discussing whether we want to introduce a system to tag objects in the DB with the auth method that was used for the last update of the object. This is an idea that we have been playing with, if the community wants this, then please come forward with a plan.
Wilfried Woeber: About integrating a Certification Authority across RIRs, I would recommend to first try it in our region, find out if it works well. I'm not a fan of having hierarchy in the trust model. Individual registries should do it in their region, then we find out what we need to cross the borders. I would not like RIRs to all go to Verisign for instance.
Janos Zsako (RIPE NCC Executive Board): About message signing, we live with the assumptions that the db is in a secure server, so whether after the modification/update with PKI the data is still stable is questionable. We can store the update method, again assuming that the db cannot be corrupted in the meantime. So we need a system that verifies that the db has not been corrupted.
Kurtis Lindqvist: in conclusion, issue is if queries and/or DB entries must be signed, and whether the content of the DB is secure, but this is maybe more a topic for the DB WG.
ARIN - Ginny Listman:
http://www.ripe.net/ripe/meetings/ripe-46/presentations/ripe46-nccserv-arin-x509.pdf
APNIC - Anne Lord: We are doing the same as RIPE NCC, issuing certificates for our equivalent of the LIR Portal, MyApnic. We have issued 500 certificates so far.
LACNIC Raul Echeberria: we would like to implement a certification system before 2004. Right now we are still working on the budget that would be needed for it.
Kurtis Lindqvist: Thank you all.
6. DNS Services - Modification Plans (Olaf Kolkman)
http://www.ripe.net/ripe/meetings/ripe-46/presentations/ripe46-nccserv-rdns.pdf
Kurtis Lindqvist : I like the idea, any questions ? [None]
7. Proposals from the community 8. Discussion & input time / Open Mic session
Kurtis Lindqvist: Now we have the open mike session: floor is open. In future sessions I would like to have people's presentations or proposals in writing on the mailing list before they are presented at RIPE Meetings
Hank Nussbacher (IUCC): I have been asked by many people to speak up during this WG as I have sent some emails to the mailing list. My view is that a lot of the members had their budget cut and the NCC has not had their budget cut in the same fashion. We are apathetic, 2250 euro is not that much to warrant that people can spend 250 euro/1 hour of their time on the mailing list. There are many good things in the NCC: DB group is the world leader. But to evaluate how the NCC is spending their money we need a more transparent Activity Plan. For instance for the trainings, they are free of charge. I would like to know the budget and man-power needed for these free trainings. Instead, its budget is incorporated in the RS budget, there is no way to know how much of that is used for the trainings, there is no break-down of the costs. The TTM group, IRT - there has been nothing mentioned about it at this meeting BTW - there is nothing about it in the AP, therefore we do not know the manpower and budget it needs, the only way to know for the membership is to have a break-down and it does not exist. 10 to 20 people have responded to my mails, which is not really enough to know what the majority of the community thinks about these issues.
Kurtis Lindqvist : yes, people do not care, like we saw at the last session on Tuesday, that only a handful read the AP. I guess the majority is happy, but that is difficult to double-check, people do not go on the mailing list only to say that they are happy. Next year at the RIPE Meeting in May, the NCC will give more insight on the budget & AP and there will be more time for comment before the Annual Meeting 3 months later.
Axel Pawlik: The level of detail we give in the financial report, question is: how deep should we go into detail? For the trainings yes, not so difficult. I will work together with the Board to see what we can adapt. And I would like to clarify that the IRT is not really an incident response team, it is not a separate team as such. It is an activity.
Hank Nussbacher: Let's say that the TTM group costs 300.000 euros/year, but we can get the same service from a commercial company. Why not do a market survey before introducing a new activity?
Axel Pawlik: About the TTM, there is a lot of info about it in the AP.
Daniel Karrenberg: I worry because of economic problems. Training, if the membership wants more transparency, OK, but whether it is really necessary? Why train New LIRs, what do I care? As one of the persons who started with these trainings, I would like to clarify that they are not done only for the benefit of the trainee, but to the whole community as well. Creating a well oiled community. The better things work, the less interaction at the NCC. Also, the NCC would not be as accepted without trainings. For many people, it is only by attending the courses that they understand and accept the NCC's role. Just looking at it from a financial point of view, if you do that too much, you might risk the NCC as a whole organisation. You want and need the NCC to be more stable than the rest of the members. The impact of the NCC crumbling is a whole lot different. I also would like to remind people that one of the ways for us to ensure impartiality and neutrality is by hiring international staff, this is expensive. Were we to be driven only by financials, we would not hire from Turkey or Africa. Yes, let's have a look at the financials, but let us not be driven by it. Because it might be good for today, but not for tomorrow.
Kurtis Lindqvist: I agree, but showing the members the budget is not saying that you are doing things bad. There are 2 issues: 1) transparency on costs and 2) evaluation of activities and how they benefit the community.
Hank Nussbacher: Some services are excellent. But whether it benefits the community that someone goes to all the ICANN Meetings, it is needed, but the members might think it is not. In the same way that the Membership would live, accept to still have mail-from auth, but we have it better.
Kurt Kayser (N-IX Nurnberg Internet eXchange) : About the trainings, a while back I proposed to find partners in countries, we could offer the service to train people in German, since we are very familiar with all the policies & procedures. But I never heard anything about this from the NCC.
Axel Pawlik: We are looking at better ways of doing our trainings. People like our trainings but it does not scale, your proposal does scale. But how do we do it, how is that training standardised, do we need to certify trainers? But we are definitely looking at it.
Daniel Bovio (RIPE NCC Board): Hank said that the "silent majority" do not care to show up at meetings, or communicate on the mailing-list. This is a problem, they do not know what the activities are. We, the RIPE Community, have always been the main source for ideas to the NCC and their activities. The Board needs to go on with these activities anyway, try to involve members, find out what they want, the survey was good in this respect. This group is the main source of the main ideas, there is a vast group that don't care, others do and those end up leading where the ship is going. We do not get enough feedback.
Kurtis: Thank you all for coming

