Cooperation Working Group

11 May 2017

At 9 a.m.:

CHAIR: Good morning. And welcome to the Cooperation Working Group session. I am Joseph ‑‑ I have been around for a bit. I am really happy to see so many of you here even after the whiskey BoF last night, we always wonder what we done wrong to actually get the session after the whiskey BoF, oh, well. Lets get things started. We have a pretty packed agenda and we will try to get through it. First look at the administrative matters, I said welcome already. We have scribes and everything sorted out. You see the agenda on the screen, does anyone have anything that they want to sort of change on the agenda, feel very strongly about something that shouldn't be there or they want to add something, there is of course the usual any other business point if you want to bring up something. No. We can move on.

And the minutes of the previous one has been published on the web, probably also e‑mail but I know they have definitely been on the web, any remarks on that? No. Great. I am going to hand over to my co‑chair, who is going to say a couple of words and then introduce the first proper speaker.

CHAIR: Good morning from me also. So let's go directly to the first point of substance in the agenda about the carrier graded network address translation, and first of all to thank Chris Buckridge who signalled to the Working Group the work that Europol has been doing on that, and also to Gordon Lennox that picked up and we had already some interesting information in the work group list about it, so may we have Gregory Mounier from Europol that is a known figure from the previous meeting, to start with his presentation. Thank you.

GREGORY MOUNIER: Good morning everyone. Thank you, thank you, Mr. Chair. Thanks to the RIPE community, to Chris and everyone for inviting me again to present today to the RIPE community. I am not going to talk about the RIPE database accuracy, at least not today, that is for another Working Group, I am going to talk about carrier grade NAT from law enforcement and judicial perspective, this is a non‑problem, you know this is all technologiy essential in the transition from v4 to 6 but from the public safety authorities it is ‑‑ it has always been a problem, so we knew about it in 2011, we anticipated a problem, but now, six years down the line we have done a bit of an assessment of how bad it is for us and it is very, very bad so I think the just useful to engage with you and to remind you, even if it is very central as a technology, it's a big problem for society in general.

What I am going to ‑‑ I will just give a brief overview of the problem of attributions we have from the law enforcement perspective, give you an idea about the scale of the problem as we see it and a few case examples of investigations that have been delayed or sometimes dropped because of the carrier grade NAT problem. Then I will suggest a few possible short‑term and long‑term solutions that we might have, that we ‑‑ we thought about and also I will be interested, and that is the point of me coming here to you is to get your feedback on those suggestions. I will present to you as well the European network of law enforcement specialists on CGN, a group of investigators specialised in cyber crimes and can record and document cases that are hindered by the CGN aspect and to try and find alternative solutions to have a constructive attitude in the discussion.

And then maybe just open the floor to see what you have to say and if you can contribute.

As a starter I would like to say a few words about our work and how we work when we investigate crime on line. What are the traces on the Internet that a cop which is not a network experts and not BGP route experts but still needs to do investigations related to evidence in the Cloud or on Internet, first of all if an illegal or harmful activity is reported to the police the first traces they will have to start an investigations will be often e‑mails, they will use information they can find in the headers, connection to the websites, post on social media platforms, really gathering all the evidence we can find, chat nicknames, channels, eventually if you find password as well sometimes it's useful, log files on the attack computer system so you do a bit of forensic to trace all that information that is directly available to the investigator. The next step is to request more information, so first of all we turn to the Internet content providers, so the web mail server, the social media platform and the rest, you will often ask for the log files or connection log. IPv4 most of the time and the time stamp of the connections and you turn to the Internet content providers, those who provide connectivity and you ask for the identification possibly of the subscriber which is using that IP address at the time. So that is really fairly simple. Once you get all that information you work together with the prosecutor together with investigative judge and present all the evidence and the steps ary validate the steps and then you start traditional investigation methods, can be interrogation of a suspect, you seize devices and extract information and the rest.

IPv4 and IPv6 transitions, I don't need to tell you about the problematic, in the old Davis the end‑to‑end principle of the Internet attribution and identification of individuals based on IP address was easy and that was ‑‑ that was good. Of course now IPv4 is depleting, we have the transition to v6, you need to find and use technologies that allows to you do this. We have the explosive of devices connected to the Internet, huge demand for v4 and the fact it's depleted and this is very well recorded and you all know about it and so there is a need to move to v6 faster and in Europe for instance, the v6 adoption rate is not very high, in most countries it's below 1%, there is one country that stands out at 49% that is Belgium and I will come back to this.

The interim work around, you know, CGN it's in all technologies, network address translations, first was used in private network and then moved to the ISPs level and the simple concept is you have one IPv4 multi pool users at the same time, and the only difference users and subscribers from the AS P perspective in order to identify user is to have the source port number, don't need for their operation.

So in the absence of source ports, the IP address cannot be traced back to a subscriber. So this is an interim solutions, again this is our perspective, maybe it's simplistic you will say there are more issues to and it and it's more complicated, we see millions of dollars are invested in CGN technologies and could be invested better, this is the case but ‑‑ we think there is a past dependency, probably irrational behaviour because there is no strategy, I can't really see Jan Zorz here, he has made a number of presentations and I am a fan of his push for v6 and I am taking a lot of his arguments and comments, the it's well‑documented.

That is a slide I have taken from a presentation from Jan and I find it depicts the situation very well, at least from our perspective where the CGN technologies is just providing life‑support to v4.

In terms of attribution, in the past we would come back ‑‑ we would come back with an IPv4 address to Internet access providers and they would give us the subscriber or at least home network and then as a police you use traditional police investigation techniques and it's easy to identify the end users. With CGN at the Internet access level then you get a least of sometimes 50 individuals, some thousand individuals and then what do you do with this? So, impact on law enforcement and judiciary investigations, no attribution, we have lost the ability to trace back to individual subscribinger and we need ‑‑ which were public IP and which is a suspect. Firstly it means there is an non‑compliance with existing legislations because in most European country you have domestic legislations saying must end identify end user subscriber information, technically this is not possible any more, there is a law in France and UK and Germany and so on. Even Budapest convention in article 18.3 talks about protection order and in theory competent authorities when they order information by service provider should be able to establish a subscriber's identity and because of technology standards you can't do that. So the scale of the problem, last summer I have done a bit of a survey with all the cyber division of all the policing in Europe and results were striking. All the Member States law enforcement and judiciary were affected to some degrees. In some 50% investigations they work on mobile IPs involved and as you know mow pile IP providers using at the rate of CGN use for mobile access is 90%. One in two investigations is related to mobile IP, and in those half of investigations we can't find anybody. So a lot of people are talking about Tor, talking about encryptions and the rest. For us and grass root investigator what it means if you want to stay anonymous on line don't bother using Tor just use your mobile phone to connect to the Internet, we won't be able to trace you is what it means.

So, in the majority of cases investigations are delayed and you need to spend use amount of resources to find one person. Academic researching the paper was presented in Madrid, last time, 95% of GSM providers are using CGN worldwide and it's getting crows to 50% for fixed line access so really the problem is from law enforcement perspective is really becoming very, very problematic.

Short‑term solutions, it has been documented already in the ‑‑ by the IETF in 2011, we are recommended and Internet facing service to log the ‑‑ if we want an SIM or Internet access provider we should give them the IPv4 time stamp and source port number, we don't get it, we ask for it, we have been doing an effort of trying to educate investigators whenever they make a request and they speak with prosecutor or investigative judges they have to ask for the source port but they don't get it.

So now just give you a few examples to put things into perspective. This is just a mild case, it happens was given to me by the French police about six months ago. It is a French website ads for secondhand hunting gears so you can find hunting rifle if you are a hunter, you can buy secondhand rifle. The police has reported there is an ad which has just been accomplished on the website, somebody selling A K 47 rifle, alarm bells are ringing for us, this is completely illegal, the first thing police does, go to the website, ask for the IP logs, it happened the somebody using a mobile IP with Swiss provider, so the French police will use our information law enforcement information action system in Europe and we send a CN R request to the Swiss authorities and they, with the IP, go and see the provider and the provider can't provide any information as subscriber because it's natted IP, the case is closed because the illegal to sell something but at the end there is no ‑‑ you can't prove this is super big but in the current environments if somebody is selling an A K 47 it's either because they are going to use it for violent interaction between criminal gangs In Marseilles or it's because it's going to be used for mass shooting in Paris and from a law enforcement perspective, you can't help thinking that this person is probably linked to other ongoing investigations and I don't want to scare people but it could be terrorist or other investigations, and so for us it is frustrating because we are missing investigative leads on this one.

Second examples, far more serious, distribution of child abuse material, again a case from 2016 from ‑‑ so child abuse material is stored on Cloud storage services and ‑‑ request a lot of log connection but no source port, and then we get from the Internet access providers a list of 15 individuals who were using exactly the same IP, what do do you in that case? You investigate everyone, every single person is being investigated for child abuse material. Think about the implication of privacy. You see the police coming into your place, seize all the devices and extract information to see whether or not you were connected to the website, it's really bad. And in terms of resources, of course that is minimum.

Counter‑terrorism investigations, Germany 2015 public prosecutor working on group of individuals that were probably providing active and inactive support up to eye SIS and they were communicating on platform to try to identify those people, we get a number of IP addresses but because CGN we can't identify those people so we drop the lead. In the case of terrorism investigations they will probably use different investigation techniques to try find out who was having a chat, we can't push this one which is pretty sad.

Tax fraud, in the UK last year as well just the customs, there was a big scam on their website and somebody entered the system and claim overpaid taxes and the customs were able to identify the IP addresses involved in the attack but because it was NATTed they couldn't find who was it. I could go on for ages and that is also the purpose of us having this network of law enforcement people so we can record more cases and put it into context. It's not only technical issues, v4 to v6, there is a social impact on that technology.

Alternative solution: In 2012 the Belgium authorities have decided to enter in a voluntary code of conduct with the Belgium paced ISPs. What they are saying is that you commit to restrict the number of users behind each IPv4 address in your network and they have negotiated that it should be maximum 16. They also voluntarily limit use of CGN and start adopting IPv6 as soon as possible. In 2012 nobody knew about it and it remained can have tension, it wasn't secret, but but now I spoke to most of the Belgian authorities involved, even the big ISP, the regulator, the police and they are happy if we use that case as a success story. The goal was really to guarantee the identifications and reduce the risk of non‑identifications, when we don't have source ports and so at the end of the day what happened is that in 2017, I have checked again on average when the Belgian police make a request for identifications on IPv4 address, to a Belgian ISP ‑‑ they get, on average, four person. It's not perfect, but in other countries, they would get a list of 50 to 100. If you have four suspects it's much easier for the police to cross match and to a bit more investigations instead of having to investigate 50 persons. The other interesting aspect is in 2017 Belgium has the highest IPv6 adoption rate in the world, 49%. I can't document it scientifically but I can't help making a connection between the two. So we are working on, at this spoke to some people in RIPE NCC trying to dig into it, the Belgian authorities think and I spoke to a number of providers and they say yes, for us it was a strategy decision, we knew we would have problems because we were commit doing these voluntary code so decided to invest more in v6 and provide native v6 connectivity to our clients. So I think that is the way forward. Long‑term solution: Increase IPv6 adoptions of European based ISPs, short‑term solution, eventually try to have these voluntarily code of code at European level to try to create ‑‑ there is RAGNAR ANFINSEN: Incentive to move to v6 as soon as possible.

I think I have to stop here, I have got more stuff but we can talk

CHAIR: Very quickly, thank you Gregory for the presentation. If I can ask in a way before handing the floor over to giving away a bit about the context of this presentation, if you can put the two slides. So, as was said in January we had discussion people that Europol sent to the council of the European uniJohn to the delegations of the Member States, and also at the it end of January there was a meeting organised by Europol of European law enforcement cybercrime specialists and then if I can have the second slide, please. Then the other thing that I wanted to do ‑‑ bring to the knowledge of the group, it is the apartmentry question for written answer by member of the European parliament, John Stuart ago knew, who is a member of EF D D Europe for freedom and direct democracy and he is a member of UK IP in the UK so the question of the honourable member of Europol, recently, held a meeting to discuss CGN technologies, have long been used by ISPs to delay the cap ex required to ex ten the current pool of IP addresses. Does the Commission agree that restricting the continued use of CGN, simply on the ground that Europol finds tin convenient to Monday store a receipt row grade step and an unacceptable interference with current commercial practice and freedom of technological choice?

The commissioner is going to send an answer, I would like to share it with you, I checked the parliament site and I don't see it published there so I will keep you informed once the answer is public. So, that is all I wanted to give ‑‑ giving the broader context in a way, the communication from ‑‑ the note was Europol was going to Member States directly, but now we see the other institutions at European level are involved so I think that we can go on by opening the floor for questions, comments and so on.

AUDIENCE SPEAKER: Alain Durand. I am the author of RFC 6302. I would like to make a couple of quick comments, in the good old days we had a problem, back in the late 80s or mid‑90s we had servers in universities that saw people access the Internet and I remember I was part of an investigation to do attribution back then and 2000 users, which is exactly the same problem you are facing now. So this is not exactly a new problem, this is just a new version of an old problem. Second point is, I am afraid that your life is going to become much, much more difficult in the future, because CGNs are going to stay and v6 doesn't solve your problem because most of the time people with deploy IPv6 only, we go for carrier grade NAT and you have exactly the same problem. Actually worse. With some other new technologies and mobile using things like quick from Google or multiple address TCP from Apple or some of the other multi‑homing techniques you may hop from IP address to IP address so simply and you have a session ID so looking at things from an IP address perspective is going to be less and less relevant in the future. So, I would like to encourage to you maybe look further and try to find some other ways to identify people than just IP address, and even if you have IP address for now, one of the things that did I not see listed in your recommendation which I will a little surprise, as a push for people to log the ‑‑ number instead fighting, try to convince people it's really, really important to log the port number. That was my comment.

AUDIENCE SPEAKER: Google. Speaking for myself and with the hat of having run a facilities based network in the US, just an observation that one of the problems that you may run across with the like the Belgian example of trying to enforce a ratio, is that the v4 space is an active market space therefore it's not just pure cost avoid arranges it's a cost shift and providers will still be experiencing costs so law enforcement interactions in the US carriers were traditionally reimbursed for expenses that were taken purely for assisting law enforcement so you should be aware that that may be a precedent that you want to look at for non‑physical assets like v4 required to it maintain a strict ratio.

AUDIENCE SPEAKER: Jan Zorz, Internet Society. Don't worry, well your life may become more difficult but everybody else's life will become less difficult. Lots of people was wondering what happened in Belgium, why over 50% of IPv6 adoption, and yeah, you just provided the new killer application for IPv6. And thank you for that.

AUDIENCE SPEAKER: RIPE NCC Dubai office. First of all, I wanted to thank you for the presentation, and also for the document that came out in January, I can tell you for a fact that at least three governments in the Middle East now are pushing for less CGN because of that document that came out, so while I understand your perspective as Europol but again the Internet is a network of networks right, so that is a cool thing that came out of that document, but I would echo something I heard earlier when the governments sat down with the operators they talked how the CGN boxes are become better at keeping logs so that may not be an issue. Part that have digger dialogue of coming up with better excuses of why this is actually needed. But other than that, thanks.

AUDIENCE SPEAKER: If I am in the position of the European Commission and I recommended this to several governments I will really put a deadline for using carrier grade NAT, I think it is not just bad for you, it's also bad for users, it breaks things. So as soon as governments realise that that is going to break, we could say ‑‑ neutrality in some sense, and also the freedom of the users because they are not really getting Internet, they are getting a restricted Internet as better for everybody. Applause

ALAIN DURAND: Good morning. Currently work for ICANN in the office of the CTO in the research group and I would like to share with you some observation that we have made when we looked at technology known as DOA for digital object architecture.

So you may have heard about DOA and I would like to make a quick poll in the room. Who has heard about it? Wow, I am very impressed. Who knows exactly what it is and how it works? Okay. So that is kind of a challenge ‑‑


ALAIN DURAND: I will claim that I know a little bit. So that is really the challenge that you are facing here. So I started to look at this in two years ago in 2015 and I tried to find some documentation about it and I tried to find some documentation about it, I went to the source, I went to Robert Kahn who invented this technology and I had a number of discussions with him to understand what it was and I would like to thank him and people from CN R I to get to the bottom of this or to manned what it is.

However, a bunch of caveats: So as I was hinting to, complete and up to date documentation of the DOA data format does not appear to be publically available. I choose every single word carefully here. There is a documentation of an earlier version 2.16789 it was documented back in 2003 in RFC 3650, 51 and 52. It was proposed back then at the IETF as part of discussions and the IETF denieded not standardise it but still publish the documents, just to document it.

It was version 2.1, the very first investigation was back from 1995. The version is to the 10 did I TCP dump on the wire to figure it out. There is a big difference between 2.1 and 2.10, which is ‑‑ there is one implementationitation that is readily available from CN R I, I have not found any other implementations. So we had a case where it's hard to separate what is in the protocol V what is in the implementation. So what is next is my best understanding of what is there.

So what it is. First thing is DOA is a distributed name resolution system. You can look at this as a federation of local name resolution systems, so you have some local things that do name resolution so name resolution means you have a name and you associate it with something. And with DOA you fed rate all those things together. This is not a directory, there is no search function. So this is not like a database where you can say search for all the record that start with a D. This is not like X 500, or L D AP. This is very much like DNS, there is no such function in DNS but you can associate name with some attributes like IP address or something else.

In DOA you store data and about digital objects. This is not about enabling or contouring communication with digital object so one day somebody came and asked how can we use DOA to actually resolve the DDOS attack coming from the IoT devices? I said you can't because DOA is not part of a routing. This is simply like a name that associate to something else, to some attribute, this is not part ‑‑ we route packets on IP addresses, there have been proposal to route packets on other things but today on the Internet that is not the case, we route packet on IP addresses and that is it.

So, about the technology. As I said invented by Robert Kahn, first it was described in 1995, and it has multiple names that you can encounter, DO I, DOA, DOA is the name of the architecture, DO I one of the use name case in the publishing industry and DONA is the foundation behind it. Establishing the governance around it.

So, it's used actually, it's very deployed, there are three very well known use case for this. One is in the publication industry, just like an IS B N number and except that something being printed on the back of a book it's something that looks like, I will show some example, and you can associate this with number of things like in a book you can associate with the offer, you can associate it with the different format that book exist, hard cover, soft cover, is it available on‑line and different places. So publication industry is using this a lot, actually the IETF is using this to catalogue RFCs. It's used by TV and movie industry, in the US the MP MA with movie and TV association use to catalogue assets and when they exchange data between studios and third parties use it as a tag for their assets. Max plank institute using it to catalogue experimentation results. Common in all of this, this is to catalogue things.

One of the aspect of DOA that is promoted a lot is about persistence. And it is use case that usually comes along, let's say that you are a researcher at university A and you publish a bunch of paper and you want to reference your paper. So if you are to reference your paper, by putting some URLs point doing university A servers, the day change university, change job and you move to university B, those links will fail. But not good if you have published with some printed paper. If you put DOA identifier that will resolve first university A when you change you have got to change it, now it points university B. So that is the use case. You can control the identifier remains the same, where it points to changes under your control.

One could claim actually that you can achieve exact same thing with your ‑‑ the same research could have his own domain name and ‑‑ about many other ways to deal with that.

In fact if we look at how it's done, there is nothing about the technology itself that provide persistence, for persist sense a result of a naming convention. That naming convention says use numbers, not names, because names are associated to organisations, organisations may change. So if you use numbers then you are less likely to change. When use flat name space, especially at local level because if you use structure name space that structure is very likely to reflect the organisation structure, if the organisation change then that will change, if you don't want this to change over time use a flat structure.

And at the end the name of the object instead of putting something very descriptive but also may reflect some structure, use something like hexadecimal hacks ‑‑ 5240/and looks like ‑‑ it's not a hash, it's a random number being generated that associated to a particle asset. So this is a tag that is going to not change over time because the number on the left‑hand side will never change and right‑hand side just random, there is no reason to change it. So this is, this naming convention that is really at the heart of the persistence of object.

So, let me give you some examples of the syntax of a DOA. So, you have a prefix, slash, local name, it's a federation of local name system, so it is whatever is known locally and the prefix is what can look at this as network part that points to your local name. So the prefix is numbers, actually there is nothing in the protocol that is restricted to numbers, it can be any uni code encoded in U T F 8, but as of today they only use numbers, most of the time, they use numbers. And there can be zero one, or multiple dots and if there are no dots, they call this zero delimiter prefix. There is one dot, there is one delimiter prefix. Two dots: It is two delimiter prefix. So, we have obtained a prefix which is 11738. There is some other prefix, like 1038. So that is an example to not to use this. They point you... The first one first one point to my website, the second to a nature journal and some article published there.

How do you get a prefix? You you get your prefix from registration MP A, multi primary authority. Nine of them has a point and that is something new that started in 2006, before that it was only CN R I. I don't really know where besides CN R I I can go to today to get one of those prefixes, they might be private organisations only dealing with members, but CN R I is the only one that is publically documented as allocating prefixes to anybody. If you want prefix cost 50 dollar registration, one time registration fee plus another 50 per year.

All this is governed by the DONA foundation, so that has been created by Rob ICANN and all the intellectual property when they created this technology has been transferred to this foundation. Now the DONA foundation, it assumes the role of evolving the protocol, you may decide doing to version 2.11 or version 3 or put whatever encrypt owe so that is a similar role you will find in IETF with DNS protocol. Also have a role of policy development, like deciding who gets ‑‑ for registration prefixes, maybe they will decide one day to not use numbers but go back to letters, this is policy development is akin to the role that ICANN does into designing the top level domains and the policies around them. They also supervise the operation of what they call the GHR for the global handle registry which is record database which is very similar to what the route server, DNS route servers do in DNS world. So those three roles that in the Internet world are somehow separated are combined into the DONA organisation. There is an MoU between do. O NA foundation, it was put in place in 2015 it was not known to the public for a long time, it has been a lot of questions about that, eventually some of it came public and MoU, the ITU provide two things to the foundation: The first one is: It provides some secretariat function to help them to organise meetings. The second one is, the ITU will provide reconstruction in the case of a failure of a DONA foundation. Let's say they go belly up because of lack of money then the ITU will be in lace to decide where all the ass etc. Will go, which maybe an interesting conflict with some of the directors of the foundation, board directors, but so it's also maybe in conflict with the ITU not having technical operational role but this is actually what the MoU says.

So, I have a bunch of slides I am going to skip on how this works technically. Two step resolution process, you have a client and want to learn about an object you ask the global end registry where is my prefix and the global handle registry is going to send you to a local server. So this is very much like DNS, along the exact same model as DNS resolution. It's on UDP or PCP protocol, fall back to PCP on port 2641. There is also an interface on port number 8,000 of http and http S. When they started to include MP A instead of being two‑step process it's three, global handle process points back to MP A and points back to you. They have solutions to actually scale this, so you can have data that are replicated in different sites, no different than ‑‑ something a little unique is that each site can be sliced, and they use a hash function to decide on which slice the data is going to reside on the serve side. On client side they use the exact same function to figure out which slice they need to connect to. Of course, the two are going to must be in sync. If, one day, the servers were to change and protocol were to change, the clients will have to change, too.

In order to validate the data, they have security protocol in place that is very much like DNSSEC where have a chain of trust that start from the global handle registry itself and they sign every single delegation. Except that floss protocol to go and update the keys anywhere. So if the root key were to be compromised or lost or damaged, at some point, then they will have to be a manual rekeying of just about every single thing. But might cause some operational problems.

There is also an inbound management protocol. So if you want to go and connect to an object, you can actually, if you have right credential, inbound go and change with object so you can have public/private read or public execute or private execute different hash function that can be associate negotiated you can negotiate it back down to MD 5.

An ‑‑ there is very, very few DOA clients that exist. It's not implemented in any web browser and it's not implemented in any commercial operating system. As a result it's a little bit difficult to use it. There used to be a plug in that you can download for Firefox and could you type something like HT L, short for handle ‑‑ it was actually not really a native client; it was a proxy sending that to ‑‑ even that plug in stopped working last month, because Firefox changed their APIs and it's not supported any more, so as a result the recommendation that the DONA foundation itself is doing is not try to do native resolution for this protocol, but to use a proxy, so first you have to use DNS and then http doing a proxy and from that do heytive resolution. So, for example, the American psychology association changed recommendation from something like DO I colon something to http colon/and the URL. The users proxy creates some privacy contents because in the log of a proxy you have all the user resolution history.

Now, I have a couple of tables to compare ‑ DOA and DNS, so you will see that there are a lot of similarities, bits on the wires, I will leave that for you on reading further. But a lot of things have an equivalent from one system to the other, if you are confused about what is GHR what is LHR you can associate it with route server or authoritative servers.

So my analysis on security and privacy, well ‑‑ a few relatively mild security concerns, the one I am reading personally concerned about is there is no automatic key roll‑over mechanism, we have heard about in ICANN world and rely on RFC 5011 that automatically update the keys on all servers, no such thing there, it's all manual. The second concern I have is about privacy that I mentioned a moment ago with use of proxy servers. And in terms of governance, as I mentioned earlier, the different roles that are distributed on the Internet through registries versus registrar separation that was done many years, ICANN doing the policy, the however being somehow independent and the top level server being independent all this is more concentrated into the DONA foundation and if but it to the websites you will not find much information.

So, that is about it. I think I have exhausted my time. There are two websites where you can find some information about it. Questions?

CHAIR: Thank you. My first comment on this is somehow I have a bit of a déjà vue here. Back to the '80s when let's ‑‑ we had a decent working Internet protocol and ITU tried to replace it with something better and really nice thing that at the time it Daniel Karrenberg of all people produce this had wonderful transition document for, I was involved with EU Internet at the time for how we are going to migrate everything to X 400. We had to have that document, we knew we were never going to touch it. So yes. A bit of a déjà view here.

AUDIENCE SPEAKER: Can I just say thank you that was really informative.

PETER KOCH: I would like to echo those things. On the X 400 note, late victory if you look at D kick, D mark and everything looks like it. I have a question or a request for clarification because you have referenced this DONA foundation and it is probably not clear how big this is and who are they? Can I join, can I go there and work on the standards and how does that work?

ALAIN DURAND: I do not know. I tried to find out. I do not know.

PETER KOCH: So what you are saying is what you are not saying, there is no documented membership, right, so this is not a membership organisation and it doesn't have any ‑‑
A. I would put it this way: From an external observer that is trying to look into it, it looks fairly opaque.

PETER KOCH: All ‑‑ is reflected in the website, you can go and look into the by‑laws and statutes and so on. But you haven't gotten any further than I did?

So, I will make two comments. The first one is, yes you can go and read the statutes and the by‑laws in the meetings minute but doesn't really tell you much how you can participate. I understand you can participate if you are either cooperated by another director to replace current director or if you are an MP A. How do you become MP A is not necessarily the clearest way. Now, all this said, my second point; DONA foundation is a new organisation. They just started, essentially, a year‑and‑a‑half ago. It might be that in the current state of technology that is an adequate thing. It doesn't mean if ever this technology were to take off that this the structure will have to remain the same so there is a push to open up that model, governance model, things may change, I don't know. As of today, that is the only thing we can say, it's fairly opaque.

PETER KOCH: Great response, thank you.

CHAIR: Any more questions? If not, thank you.

MARCO HOGEWONING: I work for RIPE NCC, you have probably seen me before, I work in the external relations department. The ITU and IoT, it's a thing, and IoTs everywhere so also in the ITU. Well, I mean, let's be honest ITU is relatively close but RIPE NCC has a membership so we can access those meetings. It's not easy, it's not expensive. I mention IoT is really big and I just looked at it just to give you a bit of scale. As of October last year, this particular group in the ITU that is looking at IoT produced 119 contribution documents and 248 extempore documents. How do you deal with such a workload, you organise a meeting. That meeting is two weeks, it was in Dubai and somebody decided you go and investigate what this is all about. So I went. This is my report, I will try to be brief.

Very brief update on what is the ITU actually because we often think that is that big organisation N fact when I talk about the ITU there are three, there is ITU‑R, people who deal with spectrum, D, the people who do development, help capacity build and progress the world, and then there is the ITU‑T, the standardisation sector. These are kind of three individual bodies and outside of the ITU Plenipotentiary that governs it all each of these group have their own four year cycle and throw a massive meeting that kind of looks at everything that is being done, in ITU we call that world communication standard assembly, it was in October last year, in Tunis, it overlapped so we couldn't join.

Now underneath this big thing, the work is difficultied up in what the ITU calls study groups. Every study group has a specific purpose. These things officially can come and go, usually they stick around for quite long and they are quite broadly chartered. For instance, you have got S G2 and the ITU calls it lead study group because sometimes work overlaps, on names, numbers, addresses and identification, you have got S G 17, that is the lead study group on security, and study group 20 is the lead study group on IoT. Now, underneath that study group and I think you can kind of see it as sort of the IETF area is what they call working parties. That is just an admintive structure just to channel the workload a bit and make sure you can do things in parallel. All the way on the bottom is what in ITU terms is called a question. This kind of similar to what we would call a Working Group, questions are relatively narrow chartered and come and go and you go and look at this specific thing, usually they have a list of work items and deliverables that they will produce, those are time‑lines that usually go into two years, that is sort of the aim to produce a recommendation. So this just is a reference, as a go further and you will see things pop up like S G Qs etc. And you know how this is structured.

So study group 20, over the last study period, 2013‑2016. Well, it was established in 2015, normally there is a parallel process, the IoT was coming, people were in a hurry so somewhere in 2015 via a site channel established a study group to study the Internet of things, smart cities and communities. Let me clarify, in this presentation when I am talking about communities, when the ITU talks approximate communities, they are basically making a reference to geographical term, anything that is not a city is a community. They are not talking but as a RIPE community, this just is just a bunch of villages. As a structure goes, we had one question reporting directly to the plenary, that is pretty unique but research and emerging technologies, definitions etc. And we had two working parties and they kind of divvied it up between that piece is going to look at Internet of things, the other one is going to smart cities. This works started in 2015, they had three meetings, they produced about 1,000 documents, I think, in those two years.

October. First time which I could touch this Working Group or study group. They had fun. Basically study groups exist by having a resolution that instructs the director and instructs everybody. They completely shuffled everything around, cut and paste it, everything together, by the time we had got to Dubai, March, the first meeting, we were left with this. Two working parties, no longer have a specific name or a specific reference, it's just called one and two. If there is anything doing by I think working party one is sort of the more looking at the more concrete things, the things that to do now and then working party two is slightly more at the meta level, looking further ahead so you see emerging technologies moved to two. Normally questions, the rough questions are defined at ‑‑ level, they ran out of time, three weeks wasn't enough I believe so basically we were sent in with there is going fob a Q 6 on security privacy trust and identification and a Q 7, and you can build those terms of reference, you can charter those questions yourself. And we also started or they started some regional groups: Africa, A R B, Latin America, there is no European subgroup here. I guess we didn't need one.

So this was our starting point for Dubai, March. You walk into a room, there you go, here it is, wave study group, great. New question, Q 6. Love it. Security, privacy, trust, and identification. For the IoT. What is there not to like about that. It's very broad. It can be anything. It's always something: It took a bit of time to clarify it, the terms of reference of reference, the charter calls that T U R, it's quite broad and quite a bit of potential lap with other questions and other study groups because there is a lead study group on all sorts of identification and there is on security. You can see the things get rather complicated there but we got somewhere, you can look up all these descriptions on the ITU website, the actual Working Group descriptions are open, you don't need a login so you can just go and find out. A couple of highlights then, what is there to charter, identify the risk, threats and mitigation techniques the overarching team you see coming back, counterfeit goods, figure out what is happening, can we do something about it, etc.. authentication technologies in relation to identification, I particularly highlight that had because a lot of people saw that as quite a controversial step linking the two, that is a biggy, and I literally cut and paste the text identification of IoT objects in particular non‑IP based and non‑web based. This was the original text, I believe it came from Russia. It's not entirely exclusive, in particular it doesn't exclude anything, but people felt it was necessary to include IP here, hold on, hold on, why are you now in my turf, in my territory? So we can do non‑IP and IP based and at some point some people realised wait a minute, that is all, that is everything. It might be a bit too big, so, we reverted our trace back to the original text so in particular non‑IP based. Think for now we are safe. It's not exclusive so it still be could be related to IP.

Where are we? IPv6 then. Because whatever got us into S G20 was somewhere in 2015 they started some work on IPv6 and people, the ITU is stepping into IPv6 territory and were like maybe we should be there. There are currently two recommendations as they call them and one supplement being drafted, I have got different classification of documents. There is a reference to an addressing plan and that is kind of the big one, why do you need one spell if you don't have a network plan, these things are obviously related. Reference model for the protocol IPv6 inter‑operability, not exactly sure what they are going with that or what the purpose; apparently it works but not good enough. And then there is IPv6 potential for the Internet of things. That is a lot of potential, sure.

This all originally started on under question 1, emerging technologies. IPv6 not really an emerging technology, it's been around for 25 years, right. In the new structure people looked at it and Q3, assessed management, protocols, that sort of things, administration, kind of fits into that area. So it was decided let's move this under Q3 /20. This is where we hit the next bump, because IPv6 and identification and this is not particular to the ITU, this is a common mistake that happens in many venues, even in this meeting occasionally, there is a very silt but very important difference between an identity and an address. You being you, living at a particular place, these things often get linked, just to make sure that they know, usually they combine part of your address with your identity etc., the important bit is when you move house, move even to another country you are still being you. Your identifiy doesn't change. You might pick up a few local habits, or a different passport, but essentially it's you. Your address changes, sure.

IP addresses are addresses, they should not be used or cannot be used as a permanent identifier but the common misconception is, they are and you said this, Greg, as well. I can see where it's coming from. If the only lead you have is an IP address, that is the one you are going to use to identify who it is, Greg explained this earlier today. So many people seem to not really grasp the actual relationship with routing and network structures. And because of that, and because of all these kind of misconceptions, the decision to move IPv6 to question 3 was immediately challenged because raised their hand, oh, no, we do the identification and IP addresses are identifiers. Okay. Took us a few days, we explained it and finally luckily there were enough people in the room that eventually understood what we were after and we kept it in Q3 but then they said like we want to reserve the right, if somebody links IP addresses to identifiers, it should be us. Why am I telling you this? Well actually, Q3, doing IP work, I don't think that is that big a monetary ‑‑ that sort of carries on. The one to watch out for is this one. It's probably going to be spent more time looking at what Q 6 is developing rather than Q3 because this one could still throw a curve ball and say okay IP addresses are identifiers and we are back to square one.

The future of the IPv6 drafts then, that is the first time, that is why we moved in there. Well, the original plan time‑line was to have the address references, the address model to be posted for what they call consent so to finalise it at the March meeting. The whole restructure that stopped it dead in its tracks, they are still ‑‑ we never actually opened the text because it was sort of late, last minute addition, there were no contributions to the text so the chair of Q3 decided lets postpone this to the next meeting and give it time to sink in and look at it. From what I sense in the rooms, in the hallways, there is still quite a lot of people who question whether the text is mature enough to move to consent. We will see how that goes. They updated the time‑line saying it's going to be September this year. Realistically, that is not going to happen. It will be 2018 at the minimum. Meanwhile what they did do and we posted this to the list and Chris mentioned it in the last meeting, we did get a liaison response, we are working on IPv6 would you help us and we sent a response back, we don't think think the ITU venue is good venue, better done by the operational community and better duplicating stuff already there. That was read out and it was acknowledged so they sent us a nicely as I enback, thank you for your kind response and we took note of the concerns raised in the statement. That is it. We will see thousand goes and on and keep monitoring this.

Digital object architecture there, the other big one, I am not going to repeat what Alain Durand said, it was a wonderful presentation on how digital architecture works. This is my impression from sitting for two weeks in the room which is discussing digital object architecture.

DOA at layer 8. Politically, this is a really controversial topic. Alain mentioned MoU still being challenged at the upper layers of the ITU and council etc.. well above study group level. When you look at it at S G 20 level a lot of delegates, kind of the ship has sailed, let's deal with it because let other people handle the real high level politics here.

There are actually very few manufacturers presented in S G 20. The ones that do, think what is your opinion about it, my sense, my gut feeling is that they are kind of just betting on all horses, they want to be there in case DOA becomes into existence or becomes mandatory, you can be one step ahead of your competition. A number of governments give strong support, and I recently in informal session kind of made the impolite comment and I compared DOA to snake oil. It will solve all your problems. Nobody knows what is in it but it's a cure for everything. And just as in real life there is always a few gullible people who believe you who buy into it. Some people are big strong supporter because DOA is going to solve everything: Child abuse, counterfeit, DOA will solve T DOA at technical level and that is basically summary of what Alain said, the digital object identifier exists, recognised ISO standard and it's in use, we have got working prototype, it's libraries, it's document, media files as Alain explained, even RFCs have DOA assigned because they are seen as academic works it's useful to have that. They use the handle system to resolve DO Is, Alain explained how it works so thank you for that. But the dual DOA, the digital object architecture does not exist. It's extremely abstract layer and so abstract that it's always a possible solution. You can build it, it works, which efficient time and money, pigs might fly.

At which point it probably gets us where we are now: 10 years, millions will get to point where we probably have something we call the DNS. DOA discussions at S G 20 then, many proposals make reference to DOA, they are kind of easy to deal with, there are many more that basically refer to it simply as an identifier. And all of these documents are referenced architectures, they are extremely high level. You can't debate that on technical arguments, there is no protocol to scrutinise or prototype it shows it works or not. Maybe it works or maybe it doesn't, we can go running in circles forever. We have to work on this on higher level so basically most of ‑‑ the defence people play there is leave options open for competing standards and competing solutions. Basic message: Use the right tool for right tool, DOA, DO I works for a specific niche, keep it there, fine we are not going take it away. We have got the DNS, works for us, don't force one or the other. That is essentially what we are after here.

So, as I said, when the only tool sufficient a hammer everything looks like a nail. If DOA is your only tool everything is possible. IoT is the big promise, DOA will solve every problem you can throw at it, bring these two together, fun. Anything can be brought into scope like this. Stake piece of silicone in it, RAGNAR ANFINSEN: Ten in a on it, it's the IoT we can do it in DOA, probably solved. You can of course glue a ‑‑ chip on a drone and give it to DOA N3, does that really make it a topic for S G 20? I don't know, and Mann many people in the room ask the question: Are you sure flying objects is really our thing, we are a telecommunications body? They still popping up, by March, spent two weeks there, everything. So our future, RIPE NCC and S G 20, as I said the IPv6 work items, we still believe the ITU is not most appropriate venue to do this. I am not sure we can stop it completely it, won't disappear so the best we can do is try to sort of informally get people to a point where there is output at least in line with our policy and go back to the RIRs and solve it with the operational community. Really stay on top of IPv6 as identification, I am really sure this will pop up in this study period somewhere, not sure how and where. And of course there is a lot of community concerns about DOA, it's not really completely in our remit and our mandate, we tried to get to grips with the subject, monitor progress and we will do our bit in trying to make sure it stays open for competing standards, that is the best I can do at this level.

I am coming to a close. This was ITU but Gordon raised something on the mailing list earlier, A IoT so just one brief slide if I may, dear chairs, the alliance for IoT innovation, recently set up under the European Commission is now completely separated off, they are big enough to be an independent, it's a Belgian association, we signed and we paid our membership fees so we are there. They had a high level strategy retreat last week, last night I got first draft report, it's 30 pages long, sorry I haven't had time to read it yet. If there is anything important I will take it back to the list. We are waiting for the reports to come in and that roadmap to be updated. A few ongoing work items that might take your interest, there is an identifier task force and that specifically scoped out addressing, looking at identifiers, set out a survey, investigating industry needs that they invite to that survey was relayed to the RIPE community, we post it had to the list. The results are currently being processed. I am not aware of anybody in this room actually responding to the survey. Did anybody? Okay. Thank you. We will continue to monitor this, monitor the work in other groups. Right now there are no big items on the docket that I say that is really relevant, that is where we are going to spend a lot of time doing it. Kind of keeps on IPv6 is sometimes mentioned but not really brought into scope. So that is it for me. Happy to take any questions either here or find me later in the hallways or over lunch, more than happy to give you more details, as I said it was a two‑week meeting. It's a long time to discuss DOA. Thank you.

CHAIR: Questions? Clearly we should have some coffee in this room inside. I see some people went to the whiskey BoF.

CHRIS BUCKRIDGE: There was actually one comment or question in the chat room, less for Marco and more for Alain asking about Marco's description of DOA snake oil and whether that was something you concurred with?

ALAIN DURAND: I don't know what snake oil is. That is probably my best answer. More seriously, you cannot say DOA is a standard because it has not been standardised anywhere.

CHRIS BUCKRIDGE: I will say one more thing, Chris budge Rick RIPE NCC speaking not as chat monitor now. Possibly it would be useful to put this into a little broader context of what is going in the ITU and cycles, so stepping a bit away from just the IoT thing and more to the RIPE NCC's involvement in ITU generally, as Marco mentioned there is the cycles that happen in the ITU in their different structures, and so there is important meetings that come up each year and different cycles work differently. The one thing that is moving towards now is that next year there will be the next Plenipotentiary, which is the sort of very highest level meeting of the ITU which sets a lot of direction there so a lot of this is sort of building towards that. And one of the other perhaps notable things that is building in that discussion a return to the topic that was at the heart of the WICKD process back in 2012, the I touch. Is looking at getting international telecommunications regulations off the ground, that is the document that in the WICKD in 2012 caused a lot of controversy in trying to revise those regulations, and essentially broke the sort of ITU consensus in a significant number of the ITU Member States declined to sign those regulations, so now the IT it U is trying to remedy that through expert group which is talking about some sort of compromise that people could sign on to and that is also building there towards discussion at the Plenipotentiary. So this is all sort of playing into a much bigger political picture in the I touch. And we will be following that and updating you on that.

CHAIR: Doesn't seem to be any other direct questions here so before I actually declare totally open mic, Chris, you had some stuff any other business that you wanted to bring up, might be a good opportunity now.

CHRIS BUCKRIDGE: The other point ‑‑ so completely divorced from this that I wanted to note is that in Europe this year there are a couple of significant Internet governance events going to be happening, the first and closest is next month in Tallinn, the EuroDIG, which is the European IGF essentially, is going to take place and that will be the 10th annual event of that and so there will obviously be a lot of different discussions over the two days, I think it's 6 and 7th of June looking at issues like IoT, cyber security will be a very strong focus for this meeting, which is particularly significant given it's taking place in Estonia which has a very strong cyber security culture there. But the other event is the global Internet governance forum will take place this year in Geneva and that is at the end of the year, the week before Christmas, somewhat unfortunately, but that will be ‑‑ obviously opportunity maybe for those who don't usually want to travel to far‑flung corners of the world doing to an Internet governance forum event, to maybe come along, make a contribution, certainly the RIPE NCC believes and is pushing very hard to sort of get as many as the operational community, people with that technical clue along to take part in these discussions and contribute and I think keep things as grounded as possible. I think it's an important thing in those discussions. Fur more interested in that, there is obviously a fair bit on line, please feel free to come and talk to me, I am happy to tell you, well, anything you want to know about Internet governance forums and events. Also, linked to that and for those in the NCC Services Working Group yesterday, you would have heard see ‑‑ the plan that we have had for these is to try and hold those in the weeks proceedings euro DIG and the IGF as well hopefully and the goal essentially will be introduction to what Internet governance is, but also then a bit of a discussion of okay what are the hot topics at the coming events, euro DIG and IGF, how can you get involved, how are they directly relevant to your interests as operators, as ISPs as people in the technical community. We have had had very strong response to the first webinar, I think we had 60 people registered to take part in the first 48 after we announced it, so please, if you are interested or think that would be interesting, talk to me or have a look on the website, we have more information there.

AUDIENCE SPEAKER: Constanze Buerger from Germany: I support your suggestion because we see in the political field the ‑‑ framework discussion is coming up. You are going to code your work from your country, from your roundabout, and if I work for Cisco, there are other codes and security issues, for instance, in your products than if you code in Germany and in my opinion the technical community is to less represented in these Internet governance thing and we should push more our issues, our ideas, so I can, yeah, make some advice or pushes to follow Chris's suggestion. Thanks.

CHAIR: Thank you. Any other comments related to this? If not, I declare open mic, if there is anything you want to discuss, we still have a few minutes but of course you are keeping people from the coffee. Well, in that case, let's go for a coffee, thank you, everybody.