Plenary session
Tuesday, 9 May 2017, at 11 a.m.:
CHAIR: Good morning. Welcome to the second session of the day. We have two beautiful presentations and three beautiful lightning talks today. And the first one is from Freifunk Rheinland, so if you would ‑‑
PHILIP BERNDROTH: Hello, everyone. Good morning. Nice to be here a little bit excited, big audience, but hopefully we will work this talk. Let's go. My name is Philip and I am here with max, a good friend and colleague and we are working together on non‑commercial Freifunk project, a few words about me. Philip, I am member of the board of Freifunk Rheinland, we are non‑commercial organisation in Germany. I run my own software with software company and we do some data centre stuff and it's great. And we tested last evening, you can find me on Twitter and Facebook as well, and max, you would introduce yourself.
MAXIMILIAN WILHELM: Senior infrastructure architecture ‑‑ so, I manage data centre stuff and networking enough and I am on the board of the Freifunk, also OpenSource hacker and really look forward to the whiskey BoF this week. You can find me on Twitter as well.
PHILIP BERNDROTH: What is FFRL and what is Freifunk. Maybe if you know what it is the idea is to set up free and mesh networks around Germany. We have a lot of people do setting up the infrastructure, deal with open infrastructure, OpenSource and open hardware stuff and for us it is important to empower people and give them the knowledge to build these infrastructure themselves. We have some international meetings, conferences, regional meetings and we especially providing IP transit for most Freifunk communities in Germany because in Germany we have problem with law, it's called sturfhafden ‑‑ it's a complicated situation when you provide free Internet access without authentication and authorisation to other people so we fix this because in Germany when you are a register service provider you get some benefits by the law and then you could do this and that is a reason why we have the Freifunk Rheinland and we provide the Internet access for a lot of Freifunk communities, who are building their wireless mesh networks.
Very special point for the last two years was to give Internet and connect socially disadvantaged people, for me it's one of the important things that the community does in the last years. We had a situation, the refugee situation in Germany and all Europe, a lot of people came to us from different countries and they had no Internet access when they arrived to Germany and we think it is very important to give them Internet access, to connect these people so that the United Nations report says the same, that access is a human right and we are fighting for this and we try to connect as many as possible to the Internet. So, I said that free wi‑fi for refugees was one of the biggest topics for the last two years. We think ‑‑ it is a government task to do this but in Germany the Freifunk community fixed it because government has not the possibility to grow up this infrastructure in decentralised way where we have a lot of Freifunk communities in all the cities, so they can very fast and quickly spin off small network deployment in refugee camp or some other situations we had and bring there the free wi‑fi for the people.
Communication with family and friends and when you didn't have any access you can do this. Other things, very important thing, access to education and information. When you have no connectivity, you couldn't reach these informations and when you are in a foreign country it is more harder than when you know everything where you are, but when you are in another country it is not so easy when you couldn't access any information.
We think it is better that these people came to us using their money for food and family and not for prepaid Internet access. We see that around about these refugee villages we had a lot of dealers with SIM and mobile Internet cards and they take more than 80% of the money the people get from when they come to us, they get some money, and a lot of money these people take to buy some prepaid Internet cards and we think it is better to use it for food and other stuff.
Problems, there is no DSL and fibre in refugee camp, it's very harder bring infrastructure, but other things there is no business model, we do this as our main job and this only free ‑‑ work for free. So we need do nations and it's not so easy when you have this with professionals, take care of the people and within community build up some infrastructure and bring these two groups of people together, it's not so easy but I think we find a good solution. We had a lot of technical challenge because wi‑fi for the masses is a big challenge but also later we will talk about it and the other things, about the tech stuff. But I am very proud that a lot of Freifunk communities accepted this challenge and said, yeah, it is important to connect the people and we must do this and then we had, after one year or one‑and‑a‑half year we had many thousand of people get them connected and bring Internet to these camps, we mostly had in Germany, and yeah, here we have some pictures to see deployment. This is in my home town, we used some ubiquitious stuff or some other hardware to build these shots, and the they entered same as in point‑to‑point link on fibre connection, but we do this with radio. So it is five gig and it's easy to use; you didn't need any licence for this, it's free. This is an old football place and on top of the lightening installation we bring our antenna and connect it to our wireless backbone and in a lot of cities we have these and get some Internet uplink from these stations. So, we are here ‑‑ selfie at the installation. These are the classical tents we had where the people live inside and you could think there is no DSL in here, no copper cabling and anything else, when you have power to connect your devices you are happy. And then you see this. This is for smartphone charging and when you see this, you could imagine how important it is for people to recharge your smartphone, you know, when you have your smartphone and half day or luckily one day and then the smartphone is empty. So, power is important. In Germany, almost power is stable, but problem is that we had here some antenna or some router stuff deployed and people came then and think it would be much important to drink some coffee or make some water hot and they plugged off our router or antenna and could you imagine what is going on then, when you have 400 people in the camp and Internet is going out. So, what we learn. VPN providers don't scale and that is now the second half from the talk, and I would let the stage for MAX and a few sentences how we deal with Internet connectivity from these locations.
MAXIMILIAN WILHELM: So Philip gave a background why we did it and what we tried to solve so we basically tried to build traffic washing machine to get out the legal problems and provide for all communities in Germany with Internet transit, and usually in the history these communities used some OpenVPN providers like perfect privacy and the like which all come down to, all were built for single users, which came down to using OpenVPN usually which is a user space daemon which is on the server side there is the theoretical limit. This does not scale if you put a lot of people behind such a connection. It costs money, and as Philip told us, we do this in our spare time so we would need donations for covering the monthly costs which is a problem. Abuse is a problem so we are not our own abuse handled because what will be seen on the Internet is the IP of the VPN provider. So, why not build our own infrastructure? It's not easy but we tried.
So we built a do it yourself ISP, we tried to, we had no budget, we had no number resources, no hardware, no co‑location no transit and no peering. So let's start there.
PHILIP BERNDROTH: Big problem.
MAXIMILIAN WILHELM: The idea came up in November 2013. We tried to raise some funds. We became an LIR in August 2014. And we started our first deployment in September 2014. What happened? We had some connections to some nice people, some of them are here in the room, thank you, and which allowed us to place some into the Rec space and gave us free transit. You may wonder why these machines have four time rate one, that is a rather easy explanation: We didn't have any chance to access these machines ever again so it better not fail. Well, we were young, used arch Linux and Quagga, maybe a little bit later on that. So we had to two prospective in Frankfurt and Berlin and set up a third in Dusseldorf, and we ended up with this. All these six machines, the triangle are tunnels over the transits so that scalability issue maybe. And it worked quite well. All transit sponsored so traffic was for free from our point of view. And as you see, it was in use. But, the interconnections were query, on the circuit we had gigabit pipes so there is a limit to that. Transit is nice but peering would be way more nicer and does not provide ‑‑ does not add any costs to the transit providers. And well, cross‑connect are somewhat limited in the locations, they have been sponsored which is pricey thing. Quagga is a problem, a little bit later more to that, and arch is a problem for this type of installation, too, so we had to switch that, too.
What we did: We moved the Frankfurt POP to another location, where we now have free access. We moved the Dusseldorf POP to another location where we now have free access. B C IX sponsored us for 10 gigabit ports in Frankfurt, Berlin, Dusseldorf and Hamburg, for the Freifunk Hamburg people which are a separate community. The ECIX were kind enough to sponsor one gigabit so we don't to to use the ‑‑ NL IX sponsored us 1 G ports in three locations. We managed to come up with 10 in Frankfurt that happened magically. Last year the community in Berlin has emerged, Theo will elaborate on that. We replaced the Quagga daemon by BIRD which now runs perfectly fine. We replaced arch with Debian, and we have some offloading problems. But let's get into that.
So the first approach were 10 gig HP next X EN, and the kind people from B C IX noticed our port was flapping every second.
PHILIP BERNDROTH: If it is flapping on Internet Exchange, no fun.
MAXIMILIAN WILHELM: No, not good for reputation. We tried to look for ‑‑ we tried another approach. There is this thing called offloading, which is interesting feature. But if you are forwarding in some ware you want to disable it, but even then there may be some problems. So we found out that even if you offload, disable all the offloading features there is some path in the Linux kernel where it is try to offload GRE packets again and then this happens. So we tried hacking the kernel and patch out all the references we found for offloading, but it will only delay the crash a little bit, so we downgraded the kernel to a very old one.
PHILIP BERNDROTH: It works, to bring ‑‑
MAXIMILIAN WILHELM: Since then all these problems are gone so offloading is an issue still. Next up, Quagga sometimes had some problems keeping the RIP and Fitness to Practise in zoom so we were even to debug, so we went for BIRD, build a nifty routing policy and everything is fine.
We ended up with this, in the end. Which is a little bit more complex. But works fine for us. So how does this look like? The new POP in Frankfurt is I think I may tell this from IP H H from the Hamburg guise. We got some space, these are the two routers which are Linux boxes. Dusseldorf same thing, you may know this guy which is from a company who sponsors this so the machines on the downside are our machines. What is up? Use more bandwidth. We are currently at around 6 to 7 gigabits which we transport with this machine, and I think the capacity is way higher. So, all what is left to say is, it is possible to run a cheap ISP with no budget and just a little bit of hardware, but it's not possible without any sponsors so we would like to thank all these people listed here who made this possible, and who made many people in Germany really, really happy. Thank you.
(Applause)
PHILIP BERNDROTH: Thank you, max. Thanks. One sentence from me in the end: I am very proud as member of the board of Freifunk Rheinland, we run this backbone with these guys, some others, not here, that these guys accepted the challenge and we see in the end that it's possible to do this with purely Linux and a little bit, little service and for me it's great to see that it is possible and they accepted the challenge and not only say give us €10,000 run an MSA D and it will forward all the packets and ‑‑ this is the hard way but it's possible and you can do this. Thanks.
MAXIMILIAN WILHELM: Wouldn't mind some sponsoring of something like Philip mentioned. Kerr thank you. I think it's very inspiring for me at least and I am sure a lot of other people found it so as well. We have at least one person at the mic.
RANDY BUSH: IIJ. Great work. I live in Japan a, we don't accept refugees. That is another problem. But actually my daughter lives in Portland, Oregon where there are a lot of Syrian refugees and one piece of the equation that is missing is a computer, and there is a big thing there to get donated computers into the hands of these people, and I think that is important to mention, and especially in this crowd because how many people here have an old laptop that could easily be refurbished and donated?
PHILIP BERNDROTH: We have a great project, go to the website, take a look at it and it's possible to get sponsored for all laptops for people in the refugee situation. Thanks for comment and we think it is very important to connect these people, but I think we have other questions.
AUDIENCE SPEAKER: I am from the hungry. I would like to pose two questions. The first someone a technical one, whether you consider the inter DPDK for routing, for user space routing or it was out of the question? And the second one, whether you are operating as an ISP as far as I understand and I would like to ask if you have the obligation to provide local interception and how it is possible with OpenSource developed things? It should not be that easy, thank you very much.
MAXIMILIAN WILHELM: I go to the first one. We had a look at the DPDK, a colleague had a look I am not sure what the result was but we didn't put effort in it as that this represented scaling ‑‑ I think there is some headroom so we can grow with this installation.
PHILIP BERNDROTH: Second questions, at the moment we are in the lucky situation had a we doesn't deal with this questions, we hadn't any of these things, hopefully it would be same in future but at the moment we didn't have any interception or anything else.
AUDIENCE SPEAKER: Good morning. Thank you for the presentation. And I come from Lebanon. We host almost 2.2 million Syrian refugees in Lebanon, and we are trying to do what you guys did. However, we have some questions regarding scalability because we have massive refugee camps, right, and there is another thing: When it comes to the spectrum or the wi‑fi backbone, could you shed some light about not the technical details but like a procedure how, where to start in terms of legalities and stuff like that, and also, there is a new technology related to TV wide space for wireless transmission, is it something that you would consider in this case because when it comes to scalability it does scale?
PHILIP BERNDROTH: I think the scale you asked for is a little bit same as this in the picture. We get a lot of 2.4 gigahertz wi‑fi, and we try to fix this with all the others things you can to in the wi‑fi, to check how do you use your channels frequencies and so on, the normal thing you would do when you plan a large wi‑fi deployment, and second question was TV wide space, I think we did some research with the Freifunk Berlin with this and you could read about it and Vicky.freifunk.net, there we have a lot of research about this. I couldn't answer this in detail at the moment.
AUDIENCE SPEAKER: So you are using also microwave links as back bones coming up ‑‑ western
PHILIP BERNDROTH: Only using five big hertz.
MAXIMILIAN WILHELM: Basically it's all UBNT powered network so there are the two things, the user facing infrastructure which are access points with maybe HD scenarios so unified controller in the back which I think is the cheapest or the best and cheap solution you can get. And five gigahertz backbone links like Philip showed on the an then at thats. We use this this, I am in local community and this works quite well for some 100 megabits. If you put some more money into it you go for air fibre or something like that you can get up to a gigabit in the air.
AUDIENCE SPEAKER: Robert Kisteleki, the Internet has a question, specifically is asking do you consider to use FRR instead of Quagga? FRR seems to have GitHub ‑‑
MAXIMILIAN WILHELM: No, we don't.
PHILIP BERNDROTH: Never heard of... okay. But we are quite happy with BIRD today and I think we didn't change this in the future so we have any other tasks before.
MAXIMILIAN WILHELM: I guess the only thing to change something if we go for MPLS but let's see where this would lead.
AUDIENCE SPEAKER: Blake with I browse, a small hotel and restaurant chain wi‑fi provider in France. And have you considered the implications of German traceability law on this? I know in France, for example, on an open access point the law states that if you are going to be providing access, you need to retain some kind of data about that user, whether it's a phone number or address, you need some kind of traceable information about them or credit card number and so forth.
PHILIP BERNDROTH: At the moment in Germany we didn't need this. It's the law from this moment, but we get some new regulation for this and we are in discussions with regulators at the moment, how we could extend our service over this time, the new coming on, but at the moment we didn't have any answer from regulator to this point but we are working hard on it to get it fixed until the new regulation gets life status.
MAXIMILIAN WILHELM: We hope it won't apply to us, let's be honest.
AUDIENCE SPEAKER: Thanks, great effort by the way. We can chat a little more off‑line later.
SHANE KERR: I think that is the end of our questions and comments so thank you very much.
(Applause)
Our next presenter this morning is going to be Geoff Huston, and he is going to be talking about one of our favourite subject, Internet of things.
GEOFF HUSTON: Thanks and good morning all. I am with APNIC. You know it just wouldn't be a meeting about technology and computers without talking about the Internet of things this year, wouldn't it? It's just insanely fashionable right MoU to muse about this wonderful future with Amazon echoes everywhere that you tell your wishes and everything comes true. But I have my doubts, and you might, too. And the doubts sort of get quite fundamental. You sort of wonder in this day and age which is absolutely ridden with technology, and you kind of wonder who is in control, is technology driving us, are we kind of addicts to it and the number of eyeballs looking down at your screen I think this is a highly sort of addicted audience but in the broader world are we slaves to technology or is technology reacting to our needs? Is technology really reflecting our own inner desires? This is not a new question. It's not a new question. In 2050 BC it was reputed that Meng Tian invented the camel hair paintbrush. Chinese script is insanely complicated even with a brush, but if all you have is a reed and a bit of black suit writing chin ease characters is incredibly hard so the camel hairbrush kind of solved the problem, it didn't create Chinese characters, it made it easier. But characters existed long before the brush. So realistically, who is driving this change? The technology or our own desires?
The other thing to understand is that this is a very dense technology world of seamless technologies you don't even think about. To deliver drinking water to that tap requires a phenomenal amount, almost millenia of experience, how to trap water in large dams, how to keep it clean and deliver it to cities without tainting it, how to do piping in your house and the pressure systems and valves and taps, all that kind of work delivers water at the touch of a tap. You don't care. Or all you care is about I turn the tap and I want water. You just don't think about it. In some ways the most fundamental bits of technology disappear from view.
Most of us, I suppose we are talking about it again, but for a long time we never even worried about how our electricity was generated, we just wanted the socket in the wall to deliver fast electrons. It didn't matter. 100 years ago the topic of whether it was AC or DC was hotly debated in meetings of engineers such as we are having here which was more superior, which filled fewer people and so on. We accepted it and we moved on and it just disappeared. So let's look at the Internet of things. Is it a fad, is it just a topic of today and it's going to go away? Or is this something quite fundamentally profound? That sort of power of computing would change us and our children in ways that we will never even conceive about even now, the changes will echo on for years. So what is happening? Now, it might be useful to kind of pull back a bit and look at the history of computing a little bit, to try and understand at least where we came from and where we are being driven to or we are driving. What is going on with this sort of path of technology? Because, you know, computers weren't things on your laps as they are now; the original ones, imagine trying to get that on your lap, the major problem there was keeping the valves alive for long enough to actually do the computation, and that it had a bunch of worker bees whose predominant job was to find the dead valve and change it. The major computing problem was electricity, to supplying enough current to keep it working. I am not sure if anyone in this room worked on these, it is quite a long time ago. But what came from grand national projects where countries had one? Very quickly became a business tool where companies, not countries, had one, and, you know, this is a classic picture of the '60s, it's an IB N, I think it's 3060 ‑‑ Randy and I are both betraying our age here, there are a lot of dip switches because computers weren't computers unless you had thousands of switches. I never owned a suit like that, that is a check suit, it's just a classic. And this is sort of what was happening, they were a must have business tool, you weren't a real business unless you had one and the entire company rebuilt itself around that but you notice he is still reading a manual written on paper, there is though display screen. It's paper and computer going on. But from there it kind of went into a strange place, because the mainframe because bigger and faster until it became a statement of tech know power. I am really big, look at this computer that I own. It's cool, it comes in multiple colours and has a bench seat on it. This was sort of the extravagant statement of how many millions of dollars you can spend on these machines. So in one stage the mainframe model, and this was the biggest and best that ever got built, after that it was just all downhill. Why? Because of these guys. This was totally revolutionary, because could you buy millions of them to the extent of one, and it was aimed at the computer consumer, not the corporate or the government. It was just at the time, a hobbyist thing, 1976, but look at what happened in less than ten years; this is true design. It says "hello". It doesn't have arrow keys. But apart from that it's a fully functional keyboard. And I think at the time it even talked to you. But it's elegant. All of a sudden it's not computing, it's elegance. Its elegance and design were its hallmark and that is why it sold in the millions. But it's still had 104 keys, it didn't have arrow keys, 101. So within about another 15 or so years out came the ultimate computer. Has three keys. Volume up, volume down, a home key ‑‑ power key. It has four. That is all it has. Fully functional computer. And all of a sudden it's mass‑marketed as a luxury and it changed everything, because this fitted in your pocket, it changed the way that you and I thought about computing and what you and I do and how we do computing. The change is truly awesome. Most of you had one of these, your room, you had a comfortable chair that you sat in and had lighting that was just right and multiple screens because you are a professional. You had wired bandwidth, you had privacy, this was your computer den, it was mine too. We all had one of these. Does anyone still have them? Some of you do. Guilty pleasures, right. I have one, too. Everyone else left the room. They are on the train. Everyone else is doing whatever they are doing with their lives and for them, the Internet is incidental, where am I? What is my shopping list? Who is calling me? It's not an activity, it's not a destination, something else is the destination, this is incidental on the way. Because now it's just anywhere and everywhere. And this is when you start to think of whether it's a thing or a computer. What is its role now? Where is it going? Because as far as I can see, the traditional computer is dead and these guys using laptops use them well and quickly but you won't be buying another because in some ways I think this idea of a dedicated machine has the general purpose engine is dying. We are not doing it that way. Dedicated things replace it that do just one job. And where we are going is somewhere that I think we didn't recognise even in 1990. There was an Australian Simon Hackett who decided he was going to wire up his remote control to the Internet and control his CD player from somewhere else and it worked, dam it, and John Ronkeele also of Epilogue did a similar thing he wired up a host toaster on to the Internet demonstrating the power of SNMP, it's not a very got a protocol, get over it, as far as I tell from the reports all it does do is burn your toast. Very effectively but it does indeed just burn your toast.
So IoT new? Is it a new concept? It's not. This is an Intel 4004, I think almost every lift on the planet uses one of these to control where it's going, but, you know, this stuff is old hat. The cheap chips is old as chips themselves, and these days the modern chip might have 3.9.8 billion gates on it but it's still just a chip and in some way it's the same old IoT except the silicone industry understands volume the way we don't. Any car today, 150, 200 separate micro processes. From the lighting to the windscreen wipers, to the radio, entertainment system, gearing valve time, you name it there is another processor. Booting a car is a major exercise and you should indeed pray to the gods of computing that every time you turn it on everything comes up because at times it won't and that will be interesting.
Almost every single consumer appliance these days has micro processor control. They have all divorced ‑‑ it's not analogue controls any more, there is electronic interface and I think over this generation and coming years you are going to find most of the devices in your home are controlled by your phone, they dispense with the controller on the device itself and run the thing over some kind of Internet control system. So you can see all this happening right in front of your eyes, the entire industrial process, you name it, it's all going that way. Border control these days, you don't talk to a person, you shove your passport in a slot and the gate opens. In some ways this is all old stuff, there is nothing new about this Internet of things. And although the hype is brilliant and every time the CES show goes to Nevada someone is trying desperately hard to give you the latest and greatest. Your dog needs control obviously, you name, it from your car to the smart home all of a sudden it's getting smarter and martyr and smarter or so claims the show because in some ways IoT is everything, it's a generic term that almost encompasses awful digital life. There is nothing in common there other than the one thing, the one thing you have really got to worry about, it's unmanaged. Now maybe your laptop sun managed too and you think you control it but in some ways these things overtly are unmanaged. So, you know, when we talk about this stuff, it is a highly generic conversation about things. But why now? Why today? Why is this all of a sudden a thing? I suspect the first issue is, we make way too many silicone chips, and the chip manufacturers aren't stopping. So all of you own one, two, three, four five, you you are all surrounded by this and the factories aren't stopping. And because you wanted a battery power all of a sudden we are producing billions of low power high capacity silicone chips every single year, just pumping them out into a market, but you don't want PCs, you don't even want more are laptops, you only have one pair of high balls and hands. Where do I put all these excess chips, into the microphones, into whatever I can find because I am producing them and once I have designed the chip it's just process sand. The cost of manufacture is slight. So in some ways that production facility won't stop, we don't know how to stop it. The second thing is, we have got so good at electromagnetic radiation, some where between wi‑fi Bluetooth, I don't need wires any more, I don't need wires. I can put stuff out there and it just communicates. So all of a sudden we have the ability with really good analogue digital converters to create high capacity completely wireless things. And so all of a sudden you get chips in your passports and on clothing tags, Apple ear buds, home controllers, you name it it just works. Because we are really, really good at radio these days.
And lastly, all the other players are seeing their market /SHEUFRL, telcos are different people because you don't have a telephone and don't pay your phone bill any more because you don't have a phone, these folk still have employees and bills and still want new markets. We are being told 5G is the future, I am not sure if it's mine but it's there, they get there or they die. Cars need it, cars need Apple play or Android car. All of a sudden all of these traditional suppliers are trying to enter new markets relying somehow that these kind of chips will save their bacon. Because you only can have so many laptops and so many phones, PC sales are plummeting, even smartphone sales. Apple is the richest company in the world but it's unlikely to get any richer. Because in some ways unless they invent a totally new market, once everyone on the planet has one of these phones where do they go from there? So, in some ways the computer industry is trying to execute a U‑turn and instead of doing thousand dollar things they are trying to do one dollar things, trying to meet very very high volume, very, very low price. So the way you get there is use the word smart so if it's mart power, smart labels traffic, you know, you name it it's smart so therefore it's got to be the Internet of things. But if you pull apart all that marketing bullshit then it doesn't easily put into a single category. Does the thing talk over millimetres or kilometres or both? Sometimes my passport is readable but some of the things I use have, full 3G chips on it and they will talk over kilometres. The bandwidth of these things from tiny massive. The data volumes these things generate if it's a webcam it's up in the megabytes as you can probably understand, I can even push it into gigs, it sits there and generates data, it can push data or accumulate and pull data. All these varieties are possible but I think there are two things this common: One, we are lazy as hell, and no one invents new operating systems if they can get away with it and UNIX is convenient, it's well understood, cheap, OpenSource, doesn't have much IPR, huge set of application libraries, why do anything else? And the other thing is IP, why? Exactly the same set of reasons. It's just there. Why invent something else?
Now of course there is this entire issue of v4 V v6 and it's kind of interesting v4 is still, I would argue, the application of choice for the market. Ubiquitous support, everyone does it, well understood, widely available ‑‑ pull or push but v4 is kind of there. Lots of hype about v6 but the numbers say otherwise. So even though the IoT is meant to be the killer AP somewhere we have between 10 and 25 billion devices connected to today's Internet using v4. We don't know because they are NATS but it's an awfully big number. Somehow we have squeezed all of that into less than two billion active addresses so somehow v4 still is holding out, still managing to be the vehicle of choice for this.
So do things pull or push? If things pull, the device is always on line and people pull data, it's like a webcam, you can log into it. Pull is amazingly brave in this day and age in v4, the device is discoverable and going to get attacked, the device is going to be co‑opted so it better be a dam good device if you are operating a model that has these connected to the open Internet. Unfortunately, that is not really the case most of the time. The other way is push. Push says, I send the data to a data centre, you the consumer can go and figure out what is going on, the device hasn't really got a problem. This is largely becoming the model of choice in many ways. It's slightly more involved but it's certainly NAT friendly, you tonight need to have the device as well defended as did you for openly connected device and only needs limited defence, and so, you know, in some ways push is the way we are going with this. But this brings us to the really big issue with the Internet of things, all those billions of devices. I kind of like this slide because it says almost everything you need to know. And those up the back, the S in IoT stands for security. Now, I don't know if this is your home, but it's probably as close to mine, it was a presented of mine told me, he reckoned he had 43 devices on his LAN, he can log into less than a third of them, the rest are just embedded systems and he has no idea about they operate or no idea if these embedded systems are snooping on the LAN to otherembedded systems. He doesn't understand where they are talking to and how and which they send their data. But what he doesn't do and what you probably don't do and what I don't do is assume that my local LAN is a hostile environment where people are constantly eavesdropping on me and it's not people, it's things because they are and they do. So, all of a sudden your home is now the battle front. Why? Because we are seeing incredible stupidity, devices with the telnet port open. Didn't we stop that 20 years ago? Open DNS resolvers on the WAN side. Yeah right. All of these things exist here, now and today and get exploited again and again. So how did the one terabit attack work on Dyn? By Telnet. By Telnet. Not even sophisticated. I city there busy box and use less than 62 passwords and it cracks open. What I like about that particular box, it went and secured the busy box against everyone else, hands off everyone, I own this device, let me do it the way it should have been done in the first place. How to you get to the point where the largest attack ever was done by insanely stupid software on web cams. This is where we are today. Why? We don't know how to upgrade them. No one field upgrades. The economics don't work for the manufacturer and literally, no one is responsible, nobody. So all of a sudden it's an Internet of neglect. It's an Internet where two‑thirds of the devices connected are forgotten. They are insanely stupid, they are not maintained, and, you know, it's not even avoidable. The price sensitive market says, here is a 20 dollar webcam and two dollar one, the difference is that one uses this thing called busy box and the other one doesn't, it uses a decent piece of software inside it. They are both web cams and they both work cheap or by cheap every day and so will every other consumer out there because the quality difference is not a discriminator for the consumer, so all of a sudden a high clock speed industry, commodity components, low margin equal complete market failure. And it gets bad. I don't know if you noticed this, this was two years ago, this was Samsung with the ultra smart television and the BBC put out a warning, don't have private conversations in front of it because it's listening. And it's not just your television, there are the dolls that speak to you, all kinds of things are listening. No matter where you look these devices are just constantly listening and sending your data, your conversations elsewhere. So all of a sudden this isn't the Internet we thought we had. Now, we don't know where this is going. We don't know if it's going to consolidate or whether it's still going to be diverse in the coming years. Will it be like content with a small number of players or ton see new enrants? Will we ever get to v6 in the IoT? I have no idea. Will we ever get quality in this market? Tough question. Will we ever make them secure? Yeah, right. We make a few billion of these a year, and not just a few, more than 10 billion a year. And I would argue with this point with such massive volumes and huge diversity, because there is no market for quality security is now unachievable. Literally unachievable. Privacy like the Samsung TV is a ghost concept, you have none. Your conversation is being listened to and sent to third party players to analyse and you don't know. You are just hoping I suppose the conversations just don't matter. Because somehow, this is now pervasive world of digital pollution. The Internet is not what you think it is, it is largely chaotic and decidedly hostile and that is just today. It's not a good news story.
We don't understand how to make high quality software and the prognosis from the economist was, you have to look for markets, because the technologists will never write perfect software, we are never going to get that right so hopefully markets will discriminate between what is good and bad. Bruce Schneier says the oposite, markets aren't going to help you either because the buyer nor seller care about this kind of quality. If they don't care then we have got a problem, we don't have the tools about how to improve the quality, we don't understand who is regulating this. Do we keep on ever building D‑Dos castles? The Chinese only make reliable routers for ten dollars? Yeah right. So, why will this get any better? Why will this environment improve in the coming years? The alternative is, it's not going to. What we have today is more secure than where we are tomorrow, and that will keep on applying it sufficient recursively for as long as we go down this insane path. Thank you very much.
(Applause)
CHAIR: Thank you.
AUDIENCE SPEAKER: Tim ‑‑ great to talk, fashionably doomist. I love the Marxist twinge of a crisis of over‑production of chips that somehow autonomously keep going produced like out of a horror movie. It's great. But is it true?
GEOFF HUSTON: In some ways runs you recoup the R&D cost on a chip the cost of manufacture is insanely low. The materials involved are really commodity materials called sand and as long as you can make a fracture of a cent per chip why stop? They still make Z 80s, God bless them, they make all kinds of crap chips because the silicone industry is geared up to do this at whatever price you are willing to nominate so it's not going to stop.
AUDIENCE SPEAKER: Surely then there is other explanations why things get produced because they can still make profit out of it, if it ceases to make profit they will cease to make it. You are just saying there is a kind of supply push that will inevitably cause the penetration of everything by these chips, is that correct?
GEOFF HUSTON: It's like spam, if the cost production is low, what is profit is an insanely amount of money and you keep on making it until you sync below that.
AUDIENCE SPEAKER: Collect an problem with no knowledge of it and very little will to solve it?
GEOFF HUSTON: Correct.
RANDY BUSH: First I was wrong, that is a 36040.
GEOFF HUSTON: Oh, right. He is older than me.
RANDY BUSH: Don't get nasty. Secondly, is my home network has a fair number of VLANs with all the devices on their own VLAN.
GEOFF HUSTON: Right so you are now doing rocket science in your house?
RANDY BUSH: I understand, but there is a lot of people here who could and should be doing that, so that is a nice warning. Thirdly, this isn't a computer, it doesn't run EMACs.
(Applause)
AUDIENCE SPEAKER: Matthijs Mekking, Oracle formerly known as Dyn. Great presentation, I think you nailed it, it was a very pessimistic but also realistic thing that ‑‑ the market, yeah, I really ‑‑ we have been talking about economic incentive a lot in these communities when we are talking about security, and the incentive is at the wrong balance. But how can we fix that and that is a hard problem. I was thinking that is playing right now in the climate, also nobody cares about the climate, until they do maybe, but there are now markets that see opportunities in investing green energy and so there is actually money to be made there. I am wondering if we can convince markets people, customers, that there is something in security that is worth having and so it's worth investing money in and so we can actually have the secure devices long, long, long from now when we are all dead. Sorry to be pessimistic. Just have one further, do you see something like that on the Horizon?
GEOFF HUSTON: I am old enough to be pessimistic without even the chance of saving it. I really am bleak on this one. We have unleashed a set of forces I think are unstoppably bad, but I am also old enough if you will not have have hope any more and I think you are young you have no still think there is a way out and more power to you and I will watch your career with interest and I hope you grapple with this. I am out of ideas. I have no understanding from law enforcement, regulators, supply side to consumer, how we stop Samsung TVs listening to your conversation, how we stop this insane desire to see everything about you and your spending habits to the extent that I know you so well better than yourself and I am willing to tell everyone else, to the extent that I I don't give a stuff about security as long as I get what I want, dam everything else. And I am pessimistic enough to think those forces are terrible and unstoppable. I would like to think you can change it. So good on you and go forth.
AUDIENCE SPEAKER: I am actually also pessimistic because just with climate I think something really bad needs to happen before we are going to change it and I think something really bad in security, privacy‑wise probably needs to happen before things get better again. Thanks.
CHAIR: That took way longer than I hoped. I am going to cut the lines as they are standing already. Everybody at the mic you will still get a chance, Robert, since he is the Jabber scribe. I would like the rest if you are third in a line or second then please sit down again. You can talk to Geoff later at the break.
AUDIENCE SPEAKER: I have been in security for well over 20, 25 years, and I am actually an optimist and the reason I am is because I have seen slow movement, and actually people caring and it starts with people caring first and foremost. I also have seen a lot of efforts right now globally where people are working towards certifications and looking at what are the minimal security requirements that these kind of devices should be working towards. It is my hope that the people who care will participate so that we don't have 20 different minimum security requirements that are similar but different. And so I just encourage people to get involved and for technologists that really think policy is boring, I am sorry, be bored but participate in it because everybody has a role to play.
GEOFF HUSTON: In response, for as long as I can buy for five euros an power board from somewhere deep in China, that is controlled by software and processes I have no knowledge, whose quality is obviously dubious, for as long as I can do that, imyour worst nightmare. And me and everyone else buying these five dollar power boards, I admit there is a certain folk out there who think quality is necessary, we need to actually create high quality devices that protect themselves, but the downside of this industry is an uncontrolled supply side that uses whatever shit is available on the floor, puts it together with silicone and goes, five euros, I am marketing on Alibaba or where else and we can't seem to stop them if, we could there would be a vague glimmer of hope, but the dark side out numbers folk trying to do the right thing. That is why I am get depressed at night.
AUDIENCE SPEAKER: Marco, RIPE NCC, I am going to cut your ‑‑. What can we do, what can this community do, what can the people do who provide connectivity to these devices? We hope to explore a bit of that tonight at the BoF session at 6:00, so if ‑‑ I know you don't have any answers, Geoff, but maybe somebody in the room does so by all means come and join us and we can continue the discussion there.
GEOFF HUSTON: The first step to solving is understanding you have a problem. To deny it is horrible. We have got to understand we are in a really bad spot so, yes, well done.
ANNA WILSON: Funny thing happened with personal computers, there were tons of manufacturers and operating systems and now there is tons of manufacturers and operating systems. A funny thing happened with phones, same thing. The security situation in those isn't great but would be a lot worse if we had many people writing the operating systems for them. Is it too much to hope Internet system will go the same way?
GEOFF HUSTON: If you look at food, only two kinds of wheat and one banana. If they get a generic virus that goes straight to the DNA of that, the world has a feeding problem. Once you get down to mono cultures, if you have a vulnerability you are so at risk, and so in some ways diversity was meant to be the fall back, that if you knocked off A there was still B, C, D and E. If all we have got is Android or iOS, then I think we should be more concerned than not, somehow the mono‑cultures aren't any better than the old diversity but it makes our lives a lot riskier so the argument might well be the other way.
ANNA WILSON: Oh man!
AUDIENCE SPEAKER: Robert. The Internet wants to know more ‑‑ Philip Duke NetAssist LLC. How do you see the current divergence of SOC system on chip platforms, how important the Linux support concerned for you is free software fixed to this problem, maybe a little bit?
GEOFF HUSTON: I have no idea, I do know that this device from Apple that uses a variety of third party libraries is jail broken within weeks of every single release, yet the business case for Apple relies on this device having integrity, so even when there is a billion dollars worth of business case to seal it up, somehow the device is not impervious to attack, no matter what you are doing out there in the industry, we seem to be able to break these things apart with ease. And that is disturbing. Even the folk whose business case relies on it not getting broken, the device gets broken. The quality in the software industry is dubious and questionable at best. High quality software is a myth we all believe but never actually write. And the more complex the system, how many millions of lines of code in here? The more likely it is it gets broken again and again and again. I really can't offer you glimmers of hope here, you have got to go and find them for yourself. Thank you.
(Applause)
CHAIR: And please do stop knocking ‑‑ that is the best chip ever. Next up are the lightning talks, first one is by Thomas.
THOMAS KING: So exactly, welcome, I am from DE‑CIX and we as a community have worked on RFC7999 and thank you for contribute to go that. I will quickly motivate we now as RFC7999 is alive, we should implement it. And for that, I have to switch to the next slide. I don't know how to do that.
So, this is about blackholing and we have a well‑known blackhole BGP community to signal if somebody wants to have a blackhole, and in the past we didn't have that so different signalling mechanisms were available like BGP communities and next hot IP addresses and that was actually a mess and very annoying for all of us who were using blackholing so we as a community decide we should, we worked on RFC 7999 which defines a well‑known blackhole BGP community and which allows to signal a blackhole at all the different locations where you can do that, it's just one signalling mechanism.
And so, if you offer blackholing service and you probably know if you do that, then please go ahead and implement RFC 7999, it's easy to do that and it is doable in addition to the existing signalling mechanisms you already have implemented.
So, please go ahead, have a look at RFC 7999 and implement it and if you want to be on the list of the /KPEUPS and ISPs who have already implemented it please let me know because I have a GitHub side where I summarise all the networks that support that so just to give a quick overview, we have ‑‑ networks Berlin, Fusix networks and on the ISP side we have the colleagues from Moscow, we have net, Nick cz, TP, France IX, I can nicks, all support RFC 7999, 6 HR and DE‑CIX, so if you want to be on the list, let me know because you could be next and the list is avail on my GitHub account, just modify the WIKI page by yourself or drop me a mail. And please implement RFC 7999, that is pretty much it, thank you.
(Applause)
SHANE KERR: Don't run away yet. Are there any questions or comments about this? I think it's a really great thing I think having a standard way to do this will make everyone's life easier and it seems so obvious it's amazing it didn't happen years ago.
RANDY BUSH: IIJ. I think it's a really great thing too because I can send a fake IP announcement with the blackhole community halfway across the planet and watch you sync his prefix.
SHANE KERR: What is his prefix again, just so I know. Just kidding. Just to be clear, you are concerned about security of propagating this ‑‑ the security issue of this standard?
RANDY BUSH: Yeah, it's a big hole, it's a blackhole, it's a well‑known community which right now are, until this came along, many people did blackholing but they all used different communities, and I had to know a lot and, now, here is a big sign, screw me.
SPEAKER: We have discussed it already many times but again, the thing is, in the past I just to had to look up all the different mechanisms and put all different communities on announcement, UI P prefix and blackhole it the same way. Now we have blackhole community that makes it a bit easier but makes also signalling blackholing easier and we should fix the security issue on the announcement with BGP second RPKI then wave secured routing system.
SHANE KERR: I think we are at the back.
MARTIN LEVY: Large user of blackholing. At the beginning of your talk aye just want to clarify this, you essentially assumed that you could go from a draft to an RFC to implementation. And you said it with such conviction as if every RFC should be implemented and I just wanted to clarify, as you said this in a public place, that that is what you really meant for every RFC or for your specific RFC, because writing an RFC and implementing it are two very different things.
SPEAKER: That is true. That is for my ‑‑ it's not mine but that is for RFC 7999, this ‑‑
MARTIN LEVY: Okay. Thank you.
RUEDIGER VOLK: Deutsche Telekom. You missed to communicate that this RFC is not standard ‑‑ not standard, it is just information, so that is kind of one of the things where implement it, kind of really should come with some additional thing. Kind of I am always worried about applying sufficient authorisation on this kind of stuff, and kind of I never see, I never see discussion of that satisfies me. I am not expecting you to tell me and in particular I am not expecting you at the moment to provide a document or an explanation of what you expect everybody you are asking for implementation, what to do on the authorisation side, but actually, actually, that should be the first consideration. A word for Randy, it looks to me that unfortunately your complaint about the old world was nicer is an argument that is pointing into the direction of security by obscurity and I think we agree that has not been a good thing, either.
SPEAKER: Just one final remark about the routing security issue: First of all, I think if you accept blackhole announcements make sure that you have a decent filtering system in place that tries to figure out if this announcement comes from a legitimate origin, and second, consider implementing RPKI as well as BGP Sec as soon as possible.
RUEDIGER VOLK: As you are pointing at RPKI, I wonder do you think that RPKI actually provides you at the moment a mechanism that can be used for authorisation on this?
THOMAS KING: In some limited cases, yes.
RUEDIGER VOLK: I don't, I actually do not think so. And kind of, kind of, what I think there is, that we would need a a blackholing authorisation, and actually for getting it all right we will have to wait until BGP Sec is implemented and deployed.
THOMAS KING: I agree BGP Sec is also crucial here.
SHANE KERR: Okay. Well, thank you, it sounds like there is some controversy here but that is always good. So next up we have newer Nurani talking to us about the number services Review Committee.
NURANI NIMPUNO: Apparently Nurani, and I am just here to give you a very short update on something that is called the IANA numbering services Review Committee. And it's really just a quick sort of update to let you know that this work will be going on, so some of you might have been aware of the fact that over the last few years we worked on this project called the IANA stewardship transition and which culminated last year in basically the IANA services being transferred from a contract from having had a contract with the US Government to the community, and for this community means that the IANA numbering services so the allocation of IP addresses and AS numbers and now being managed through contact with the RIRs. And as part of this group, the CRISP group that came up with the proposal for the IANA numbering services one part of that proposal mentioned this Review Committee. And the idea was basically that because this was a new arrangement, the IANA numbering services would be managed through contract with the RIRs, the ‑‑ we came up with the idea of creating this Review Committee which was, say ‑‑ which was a community‑driven committee that would help the RIRs in reviewing the IANA numbering services. So that is where this came up from.
And it was formed last year and the members from the RIPE community are me and Filiz Yilmaz and one of the RIR staff members, Andrew, and we were all simply volume untold to be on this committee so we said thank you very much we will be on this committee. And I am ‑‑ I was also told to chart this and the idea is simply that it's a very lightweight Review Committee. If you are at all aware of the process where the RIRs get allocations from the IANA, you know the a very simple process. Over the last 20 years or so where at least that I have been aware of, there have been no incidents, there have really been nothing that needed community involvement or anything that needed escalation of any sort. But the idea is simply that once a year the RIRs will produce a report and say, well, these are the requests that we have sent in and this is... we were happy with them or not and there were these incidents and our idea was simply that the Review Committee will just publish that and allow the community, the public, to provide input on that, comments or any suggestions, and the Review Committee will gather that and summarise it and then produce a report, and so this all goes into the public record, so it also provides transparency to the whole process. So the idea is not add block see to the process but to ensure transparency. And we are currently defining our work and the first report will probably come out at the start of next year, and I don't have anything more exciting than that to report on.
CHAIR: Going once, going twice. It was too clear, I guess. Thank you.
(Applause)
CHAIR: And our final lightning talk today is about the sponsoring a community by Theo.
THEO VOSS: I am trying to keep it as short as possible. I would like to present the community IX to you, and I have worked for ISPs in the past and also now, which are engaged in sponsoring, for projects like Freifunk at the presentation in the beginning and during the last, the RIPE meeting in Copenhagen, together with other ISPs who were doing sponsoring we talked about those projects and as you might guess, Freifunk Rheinland is not the only one. There are more than 10 projects needing sponsoring worldwide and especially in Germany, and we talked about the energy and time, we are spending on those projects because every project needs a cross‑connect and a BGP session, and this binds a lot of resources. So we started a discussion about how to simplify sponsoring, makes it usier for us to get IP transit and we started with in a discussion together with some ISPs from Berlin and we had a look on House how sponsoring works in the past and we found out that all those projects having a hard way of finding sponsors for their projects and as you might know, the communication congress is heavily relying on sponsors and it's a service and also for Freifunk we are all using. So we three, Christian, Lyon and me, talked to RIPE NCC about the possibility of building up an Internet Exchange platform and getting IXP resources and the idea behind this building up the connectivity platform where sponsors can directly connect to communities by simply having one cross‑connect. We also talked to all major IXPs in Germany, for example, DE‑CIX, E kicks and BC IX about the project because for us it was crucial to have a decent policy about who can connect to the platform and who not. We also needed legal entity for the project which is in Berlin, a local project in Berlin and we got AS 57555 and a /24 and /48 allocation from RIPE and started the project in 2016. We also defined the policy, which is you have to have an ASN, IP addresses and router and cross‑connect. You must be a nonprofit project or community. And you must support the interests of the global Internet community and you must have no political or religious engagement.
The first point of presence we started is located in Berlin, data centre called speedbone, two two 10G switches and started in mid‑2016 connecting the first communities. To get access to more sponsors and communities we also built a second POP in Berlin where we got a Juniper Q F X 5100 and we carried about 5, up to 5 gigabit of traffic. We also set up a Peering DB record for more easier deployments and more configuration management, to be an IXP like all of the ones in Germany. So after around six to seven months when we look at how sponsoring is working today, we have about, we have more than 5 sponsors connected, also Vodafone and some other means which means we have about 70 gigabits per second and more on the way and I am not sure if there is any place in the world we can have 100 gigabit transit capacity for non‑profits. And this is possible because we found a lot of sponsors because the idea behind community IX was to spread the efforts and sponsoring on as many shoulders as possible, also for redundancy. And as you can see, there is some I think very common and very big players who decided to sponsor the platform. And we also have a lot of peers, currently more than ten which is for example, the Tor server which is AS 250 and a lot of Freifunk networks especially in Germany.
And for today we are carrying more than 10 gigabit of traffic heavily growing since September 2016. And we have also 3 PoPs which is in Berlin, a smaller one in Berlin and DE‑CIX in Frankfurt. And this is pretty new, we also agreed on a partnership with BC IX and open partnerships with IXPs to reduce their efforts on connecting such communities, by being like a reseller and transport VLANs over our platform to one big ‑‑ more than 10G ports on the bigger IXP platforms and this will start in Berlin within the next weeks and there will be a new country, this is Austria, we found a data centre sponsor in Vienna who will provide space and power for us because there is one big Freifunk community in Austria, which will be connected within the next weeks.
Is this a concept that can be supported or carried out in other countries, I would be interested if there are any sponsors who would like to connect and I would be interested in are there any communities or community projects who would like to connect to the platform? Thanks.
(Applause)
SHANE KERR: So, I don't see anyone getting up to the microphones. Someone is running up.
AUDIENCE SPEAKER: Hi, I am Will, I am ‑‑ I am a community project and I will need sponsoring and on the other side, I am also representing a new, an IXP that will be coming in Switzerland and I think there is something to do with you for that so we can try to think about that. Thank you very much for this.
THEO VOSS: Definitely.
SHANE KERR: Great. Okay. Thank you.
(Applause)
So, before everyone runs off, I have a few announcements from the PC. The first is that there is a net girls, a table at the lunch today, or tables, if you want to join that, then just look for the signs. This is basically a group of women who get together at various conferences, at least the RIPE meeting, so please be aware that is going on.
Also, we are currently ‑‑ we have two seats that are open for election on the RIPE Programme Committee itself, if you'd like to join, there is information on the RIPE 74 website. Please consider putting yourself forward. It's a volunteer job and we need everyone we can. And also, we have the ability to rate the talks, if you go to the meeting site and you go to the schedule of the talks and everything, if you signed in with your RIPE NCC access code, or login, then you can rate all the talks. So please do that, it helps us know on the Programme Committee which talks are good and which ones you think shouldn't have been approved, to help us guide our decisions in the future. And I think that is about it.
CHAIR: If you do submit yourself for the PC, then the deadline is today at 3:30 and please be present then in the afternoon session to quickly introduce yourself to the rest of the community. Please do not go to the RIPE quiz because I want that for myself.
SHANE KERR: We discourage everyone from this contest.
(Applause)
LIVE CAPTIONING BY AOIFE DOWNES RPR
DOYLE COURT REPORTERS LTD, DUBLIN IRELAND.
WWW.DCR.IE
