Archives

Cooperation Working Group session
27 October 2016
10 a.m.

CHAIR: Good morning everybody. We are painfully aware that this is the first session after the whiskey above last night. I am glad so many of you at least managed to crawl here.

I am Julf Helsingius, we are the new co‑chairs of this working group and as you might have gathered we are still in a bit of learning mode, but we're getting there.

So, just a few quick words about myself. My official title is Chairman of the board of BaseN, which is an IRT organisation. I work with a lot of RIPE people, so I've about around for a while.

I am also, for all my sins, on the GNSO Council of ICANN and I want to spend one minute on the fact that we thought that we were so done when we had done all the accountability stuff and finally got an independent ICANN. No, the bad news is it's now it actually starts. We had to actually keep ICANN accountable arable and suddenly we are the ones that are monitoring that. But also there was so many details that were left to be worked out after the transition. And for that, there's now a bunch of Working Groups under work stream two looking at all the details that weren't quite clear when we sort of put everything quickly in a package to get it through before the elections.

So this is a list of all the work stream 2 Working Groups in ICANN, enhancing ICANN accountability W stream 2, diversity, guidelines for good faith conduct, human rights, jurisdiction, Ombudsman. You can read them. The ones with the tick I am an active participant, the rest I am just an observer, and boy, is there a lot of work. I just wanted to say that if you thought it was done, no, it isn't.

So if you can go back to the agenda...

There's a couple of small administrative issues. We have to approve the agenda and the agenda we have here is actually not up to date any more. Unfortunately, Constance couldn't actually come, she is ill. So instead we have some replacements and that's going to be a panel, but I'll let Marco and Chris take care of that. So I assume we can approve a sort a tentative agenda with small changes to this. I don't see any protests and we have to formally approve the minutes from the previous meeting and they have been up there for a quite a while and I haven't seen anything against it, and if anyone has anything to remark about the previous minutes, please raise your hand.

Done with the formalities. Thank you.

So, let's get on with the actual programme. So, we wanted to have something slightly controversial on the programme, and we all know about Chinese webcams by now, and it is pretty clear that there will be some sort of regulatory reaction. So the better we can understand what's going on there, the better we can prepare for it. So, we are very glad to have Joanna to talk a bit about what that will mean.

JOHANNA KULESZA: Good morning ladies and gentlemen. Thank you for being here and having me here. It's my first RIPE. I have a sticker to prove that. It's been wonderful to listen to all the technical discussions. My background is in law, I am an international lawyer. I have dealt in my work with Internet governance, my most recent focus is on cyber security and human rights. This is why I am here. I will be referring to cyber security international standards for cyber security. I will show you some legal text but my main agenda here is to enhance the dialogue that RIPE has been so fruitfully engaged in. When it comes to cyber security and technical standards. I will try to explain more. I do.

ASAF SOMEKH: Legal text to show you. I don't have any graphs, I apologise. But I do have some pictures.

I'm hoping to get you engaged in a discussion I have some questions to follow up on. Let's just see how that works and I only have 15 minutes so I'll be brief.

I have a room full of professionals so I will not start explaining to you what the a cyber attack. That would be insulting. I want to show you a few cases that have proved significant when it comes to quantifying what cyber security means and what cyber attacks are. The most famous case to my eyes was brought the question of cyber security onto the international agenda was the Estonia attacks. When they happened in 2007, everyone, including the media, but also the politicians was this is like cyber war. And now years have passed people said no there was a minor disruption. So when you look at the scale and the significance of cyber attacks that also tends to defer as we move through time.

The second one, and this one is the most significant one to be most significant one. Alleged, that's the StacksNet attack. That caused to overheat the Iranian nuclear enrichment facility. We don't know how big the damage was because the Iranians won't admit it but it seems to be pretty significant. When we speak about protecting infrastructure, that is responsible for cyber security, I chose those two examples but I have one more that I find significant. I'm not sure ‑‑ I'm sure you witness that had but I'm not sure URL it, there's just a slide to show it, this was briefly after stack net was reported. This was lovely 75 year old Georgian woman who was able to cut off Internet access in the whole of Armenia. She was digging for copper and she was very successful, she found this lovely copper rod which thee dug out of the earth. The problem was that that was the only connection that Armenia had to the Internet. So this was a huge disruption. It was a direct ‑‑ I always argued it's the most successful cyber security in history. It's so cheap... Armenia authorities said it's not a big deal, this happens to us every few months. That was the reports that were there in 2011, I hope the situation improved since then. But when we are speaking about protecting critical infrastructure, I always like to contrast those two cases.

And this was the Ukranian case, that's just last year, where you would have people in would have people in southern Ukraine cut off power supplies for quite a few hours. Those were my motivations behind this presentation and embarking on this cyber security and due diligence.

When I engaged in that research, I tried to address three issues, three questions.

First what would be the potential targets of cyber threats? I have shown you that they can vary and I am certain we have people in hereof whom everyone is aware how raw that category can be.

International law knows the term of significant damage, that is a flexible term, I will refer to it as we move along. However there is little doubt that not every damage done to infrastructure should be subjected to international interest. It is just the one that is significant. With that we often refer to the infrastructure, the malfunction of which would result in significant disruptions, as you can see for example in Ukraine.

And with that, it's not novel, it's not new that we refer to the notion of critical infrastructure. Again nothing new in this room. That's a legal term that has been present in EU law that has been present in national law. It's usually safeguard with a certain level of secrecy, states are reluctant to show what the list of their critical infrastructure is for obvious reasons.

Then European Union has been engaged in protecting critical infrastructure. To give you an example, it's the 2008 derive on European critical infrastructures. I don't want to go into detail. I wanted to show those of you who have not looked into that legal act before what it does. On the one hand it has certain obligations on critical infrastructure operators. On the other hand, it obliges them to provide risk analysis, who does that? It's not the European Union, they obliges states to introduce appropriate laws. But this is old news, we have had that, we have had that in national laws as well. What I wanted to do is I wanted to link this old regulation that dealt for example with energy supply or banking services to the most recent changes that are coming when it comes to critical Internet infrastructure.

Topology the 2008 directive there is a platform that I am certain you are aware of. There is a platform that deals with protecting European critical infrastructure. The European reference network. What I find interesting about this it is seems to reflect the multi‑stakeholder environment that RIPE or generally speaking Internet governance is also a part of. So, here we have the cooperation of governments, critical infrastructure operators, that's business, research centres, universities and manufactures. So it is a very multi‑stakeholder environment for all the obvious reasons, governments cannot possibly regulate this area alone. They need the input of the technical community and of the civil society.

The platform that supports this form of cooperation is working based on them attic groups of Working Groups, they focus on various challenges that be faced. What might be of most interest to us here would be the industrial automated control system and smart grids. Again it's all the actors together that try to work and benchmark best practices and share experiences. I think this might be a sample to be used also for cyber security as you will see on the topology slide.

The cyber security issue has been brought onto the European agenda quite a few years back but it resulted this year and the so‑called NIS directive, that is one of the I was happy to accept the invitation to speak to you today. The NIS directive includes criteria will Internet infrastructure into that sector of critical infrastructure you have just seen. There are many elements of the NIS directive. I am reluctant to speak of all of those in detail. I'd be happy to answer questions when the time comes. Generally speaking it's supposed to introduce a network of operators that will work together with the governments and based on truth share good practices or information about threats that they'ven encountered.

The NIS directive has the annex 2 list, directly includes digital infrastructures into what has thus far been known as European critical infrastructures. So digital infrastructures, and this is not the only category that you see there ‑‑ annex 3 has more ‑‑ has been included next to energy, electricity, oil, gas supply, transportation, banking, financial market infrastructure, health sector or drinking what you are supplies as critical infrastructures. That means what we have known thus far in protecting critical infrastructure, will have to be applied to cyber security and Internet critical infrastructures as well.

If has also in annex 3, that is even broader, it includes an open catalogue of other types of activities, online activities, that will also be connected to special obligations for operators and will, amongst others,en do you them with the obligation to provide risk analysis for example. Those include the very broad category of online market place services, online search engines and Cloud computing services.

What are the key challenges? Well the debate on the NIS directive has been very vigorous. The category of services that should be included have been heatedly debated. We will see how thatten rolls when the directive becomes binding and states introduce national laws but the question of identifying critical infrastructure when it comes to cyber security remains relatively open. It will come down to the practice who will have those new obligations.

Those individual obligations of critical infrastructure operators, to my eyes, are crucial to this debate that we are having here today because it is the technical community that will be able to identify what kind of obligations will have to be introduced to make sure that the critical infrastructure, Internet infrastructure is safe.

States have been reluctant to offer any financial support. The statement that comes from the States is, well, those are the costs that businesses will have to carry themselves. Whether an additional support will be offered remains still an open question. It is clear that industry will have to exchange information with the governments on threats and best practices. This has been done tremendously well by the RIPE community but has not been the usual practice throughout and across the world. So, the NIS directive makes it a legal obligation to exchange information effectively. Again we will see how that unfolds.

As I already said my background is in international law. What I wanted to do today is I wanted to kind of shed some optimism, and show you that this is not something new. This is not something that the cyber security sector will have to deal for the first time with.

International law knows the so‑called principle of due diligence, this is what I would like to speak about. The principle of due diligence is an element of State responsibility. It implies that not only is a State to refrain from certain activities that may cause significant trans boundary harm, but it is also supposed to take active measures to prevent such significant trans boundary harm. So, if an action originated within State jurisdiction may cause significant harm, a State is supposed to take all necessary measures to make sure that that does not occur.

This is a very flexible obligation. However, it has been quite well detailed in the work of, for example, the work commission. You have various quotations. The slides will be available to you and I will not read out of a slide.

But, you have all the quotations should they be of any use.

This applies to the obligations of conduct. So it's not an obligation where you have to prevent a certain harm from happening. It's just something that you have to do in order to prevent it. If you fail but you have done everything you could, then you're safe, you're fine you will not be carrying a responsibility.

All necessary measures is the key words. Every time you see all necessary measures as in article 14 of the NIS directive, that's when the due diligence obligation comes about.

As I already said, international law operates based on the term of significant trans boundary harm. What does that mean? As you can see here in very nice words, the international law commission emphasised that it's a flexible term. As already implied in 2007, we all saw that what happened in Estonia was war, was cyber war. In 2016 we reluctant to think that that was the case. This notion of significant transboundary harm is flexible enough to encompass for changing circumstances.

This duty of due diligence implies a duty of prevention. States are supposed to prevent as I already said significant harm from happening. They are ‑‑ this is the best efforts obligations. There are individual treaty regimes that put into much detail what that means for various sectors. You would have that various technically detailed in environmental law for example, when it is the technical community that tells the governments what due diligence is. Due diligence appears also for example in the protection of aliens, and space law, etc., etc. So you would have this obligation in various international law regimes. It's use refers to best available technologies. Again it's the technical communities that tell the governments this. It relies on numerous technological developments, but there are varius criteria, including economical stance of the country that allow to identify what the due diligence is. For example, when you look at oil transportation on nuclear power supply. There is State authorisation for those activities because they maintain and element of risk, of risk of significant transboundary harm. We don't have that for ISPs. We don't have that for the broad category of online services. I'm not sure this is the way we want to go, but when you look at international law this is what happens if you operate an activity it has an innate risk in it, then there is usually authorisation.

The principal of due diligence, I have done a lot of work on that but I have nine points just to give you briefly what that is.

It means you act in good faith. You actually do what you say you want to do. So you do want to prevent significant trans boundary harm for example.

It's an element of good neighbourliness. You are disposed to be good to your neighbours, prevent them interest harm, etc., etc..

It is usually applied within the limits of State jurisdiction. However, the jurisdiction does not add‑on state borders. It also is reflected on the territories where States actually have power.

As already said it refers to all necessary measures. I am just wrapping up. It refers to all necessary measures and those all necessary measures are based on hypothetical standard of a good Government, what would a good Government do in a given situation.
States are supposed to operate on technical expertise that advises them on current technical advancements. They are supposed to exchange information. This is what the NIS directive does as well. They are not supposed to criminal Nate against companies or individuals that are not there nature ones and this is a continuous obligation. Once you one a risk analysis, it's not enough, you are supposed to maintain a certain level of cautiousness and act against it.

I have more.

This due diligence is not unique to cyber security. This was the Council of Europe arguably that in 2011 introduced this obligation of due diligence when it comes to the free flow of information. It's paragraph 1.1.2 of the non‑binding recommendation that you can see there, that implies a no harm obligation and due diligence principle.

The group of governmental experts that, the GGE of the UN working on cyber security also refers to due diligence as a standard for preventing technical harm. There is the UN network of protecting human rights. So, businesses also is supposed to protect human rights with a due diligence. And then there is the GDP R, the privacy regulation of the European Union, there is also a risk analysis obligation there and also due diligence

What we need ‑‑ the questions to be answered ‑‑ what wee need to think about whether there is a standard for cyber security, a standard of due diligence for cyber security. Where are the limits of ISP liability. Every regime that I briefly described here has a liability fund at some situation it's obligatory. Some States offer now a possibility to acquire insurance against a liability.

And what are the consequences of the multistakeholder model. It's no longer States that will tell us or you what to do it's a multi‑stakeholder environment.

If you want more details on due diligence and international law I will be happy to refer to you a book.

And I will be happy to answer questions. I apologise for being out of time for a few minutes. Thank you.

I'm looking forward to questions. Thank you.

(Applause)

CHAIR: We can take a couple of quick questions now.

AUDIENCE SPEAKER: Jim Reid. One of your slides was talking about the ways of identifying critical national infrastructure and I think you have actually missed one or two key points. Particularly in the Internet context. Critical national infrastructure or critical infrastructure is often difficult to identify because it's not like, for example, the phone system where you can talk to two or three big phone companies and you pretty much got it covered. There are many, many different actors involved and the way in which they interact with each other also has to be part of understanding what is this critical national infrastructure all about; what would happen if some component failed. And I have actually done some studies and work in this particular area already before, and the sort of things that become very, very hard to identify, explain to policy makers are things like key pieces of software which are Open Source, and I'm talking about things like, for example, the open SSL libraries which underpin everything like certificate handling and secure DNS and all sorts of other stuff. That actually has a critical national infrastructure component to it. But it's not nothing to to do because they don't run any infrastructure themselves. But if that software was to collapse or fail for whatever reason, that would have serious implications and I'm trying to explain that is very, very difficult to somebody that's coming from a background that says, well, I understand CNI and the context like a gas pipeline or the electricity grid, it's easy to understand that, but trying to explain to people what this whole Internet thing is about and how these things are much more complicated and very, very subtle, and a good example of that is what happened at the weekend. We had this an attack on Dyn the DNS provider. Does that have any impact on national infrastructure? Well, maybe, maybe not. But who would know? How that would be explained?

JOHANNA KULESZA: Well, there are a few points in your presentation with a couple of them I agree completely. A couple of them I would like to comment on.

First of all, I agree with you completely that the list of critical infrastructure is open, B) uncertain what it actually includes. I completely see your comment about it including various elements that were not mentioned here. I'm not certain though that that opinion would be too popular when the NIS directive was being discussed because I believe that it was in the best interests of businesses to have their business outside of those new obligations. So, kind of to keep safe from those new obligations. So I'm not sure that including for every new elements into the critical infrastructure scheme that we have in the NIS directive would be in the best interest of business. However I fully see your points and I think this is where we go back to the technical expertise that I was referring to here at the beginning. So it is down to the technical experts to tell the governments what A) critical infrastructure is and B) I purposely did not put all the recent attacks on the slide because I don't think we have enough expertise yet to qualify or quantify T any mission comments on that because I think there was a question on these recent attacks there, my initial comment on that is that first as already said, due diligence is not about successfully preventing the attack but about doing everything you can to prevent it. If and again I apologise for referring the question back to you, the technical community says, nobody expected it, right, it's something new, we could not act against it. Then you're fine. It's kind of like with a doctor who is supposed to operate and save your life if he does everything he can then he is safe from liability because he did everything he could, he acted with due diligence. But if he knew that there was something he could have done and he didn't do it, well then, we enrol into certain legal questions.

So, yes, I agree with you that critical infrastructure when it comes to the Internet is a very broad term. B) I would argue it might not be the best solution to include every element into this very particular obligations; that directly result in financial obligations. There is money to be paid to make sure that your infrastructure is secure, who is going to pay continued and where are you going to take it from? I think those the arguments that were behind the reasoning of the European Commission when it made this catalogue quite broad, whether it was good or bad I think we had a discussion in the European realm. Three, due diligence does not mean you have to prevent the attack and it is the technical community that needs to tell the governments or the judges, I'm excited to see that debate, the judges whether it was possible to prevent a certain attack. My initial understanding that what happened on Friday was new, nobody knew it; nobody expected it. So I don't think you could expect the technical community or the governments to have prevented it. But then again, I'm not an expert here. So this is why we go back to the technical expertise.

CHAIR: We have one remote question and I would like to actually cut the discussion there and postpone a full discussion for later and I think we have a panel where we can also touch on some of these issues, if you guys are okay with waiting until then. We'll take the remote question.

AUDIENCE SPEAKER: Natalie, remote chat monitor. I have a comment from Alex Smirnoff from the open set. He said we information security specialists know well things that do not work this way. If you are responsible to provide efforts, not results, the results will never be good. And then he adds: If we want the results, we need something we can measure or evaluate.

JOHANNA KULESZA: I think this is something courts would love, if there is a certain effect that you can require from an IT specialists, oh this is brilliant. I'm not sure this is the remote participant is playing for this team that's here in the room. I think the judges would love that response. I'm just saying what we have in different sectors of international relations. I'm not here to preach. I'm here to show you what I think might be of use. So how it works in different sectors is that you know you can't prevent everything. You know you can't be 100% secure. The question is how secure you want to be and what you want others to do to achieve that level of security. So, I think that's a brilliant comment. I think every judge would love that. But fortunately I think for the technical community in other sectors, it has been shown that there is a certain level of uncertainty or of uneffectiveness that has to be calculated into the risk.

CHAIR: Thank you.

Well, thank you, Joanna.

(Applause)

Now, this is my co‑chair Achilleas.

ACHILLEAS KEMOS: Thank you. Good morning. I am Achilleas Kemos, I am a programme officer at the directorate general of connecting European Commission and I would like to talk to you about the action plan which is a part of two big EU packages we had in 2016.

First, we had the digital tiding European industry package, reaping the full benefits of a digital single market. In this package, there was a staff working document on the Internet of things. In this document, there was a clear reference to the role RIPE has in IOT numbering and addressing. I am very pleased that RIPE picked up this reference and sent Marco and Athina to participate to the work of the alliance for IOT innovation and we have all a very useful document on IOT numbering and addressing introduced by the alliance.

So, this is I think a very good example of the cooperation and collaboration between technical expertise from RIPE and us.

Then we have now the 14 September package, which includes the 5G action plan. In fact it is quite a big and ambitious package which has four main elements already.

First, the new 2025 gigabit objectives for broadband. There is a commission communication. These are a reference point and a common vision. It is the 35 G action plan another communication with aim to support the European industrial leadership.

Then we have a targeted voucher scheme for Wi‑Fi for Europe, which is a regulation amending the connecting Europe facility. The objective is to bring direct benefits to the citizens, and it concerns more than 8,000 communities.

Also, but very important, the review of the telecoms regulatory framework. It will now be called, the European Electronic Communications Code.

All these are mutually supportive elements, harvesting commitment and providing longer term reference point and objectives to and from policy makers, market actors, regulators and investors.

Also, on that date, 14 September, we had the state of the union address by European Commission president Jean Claude Juncker, who in this address stated that connectivity should benefit everyone. That is why, today, the commission is proposing to fully deploy 5G, the fifth generation of mobile communication systems across the European Union by 2025. This has the potential to create a further 2 million jobs in the EU.

So the videos that President Juncker stated about the potential of a 5G came from a study on 5G impact, the exact title is identification and quantification of key social economic data to support strategic planning for the introduction of 5G in Europe. Which I managed. And the main features, the main estimates that it had is using an input /output analysis estimated that we could have a 2.4 millions jobs created from 5G and by sutdying the introduction of a 5G in some strategic sectors, this could raise benefits of above 113 billion euros.

Let's see a little bit about the methodology of the study. This identified the 10 key 5G capabilities, like almost zero latency, or to have in a way, specific rates available like 50 megabit per second available for everybody. And then use this benefits in specific sectors like ought motive, health care, transport and utilities, which would prefer in a way direct first order benefits, like a strategic operational and user benefits but also these would provide enhanced products and services, which will provide benefits in environments such as the smart cities, non urban areas, smart homes and smart work places which would provide and produce second order impacts as well.

Quantifying a bit these results. We come to these two tables. First are the vertical benefits, a total of 62.5 billion. With automotive being the most important having more than 42 billion benefits and then going to environments another 50 billion euros with the work place being the more important with over 30 billion euros benefit.

A word also about the cost. The study had examined and found empirically a link between the cost per subscriber for every mobile system so from 2G, 3G, 4G, then made in a way a projection for 5G. And assuming this linear realisation, this would represent a total cost of about 58 billion euros for new member states in 2025. This does not flu the fixed broadband infrastructure investments, but it is only in a way with the extra effort that is needed for the mobile network.

So, the study clearly demonstrates some motivations like the new EU market potential usages and actors. Other motivations that we can mention is the support to the digital single market. The fact that the technology is becoming now more mature. That in the international context, that there is an acceleration of the 5G agenda, with the US, the FCC announcing that they will allocate a spectrum for 5G and also in Asia, in Japan and Korea, announcements about 5G introduction before the 2018 Olympics and also for us, learning our lessons from 3G and 4G introduction.

So, what is this action plan?
It is an industry deployment of advanced 5G networks as from 2020 in a coordinated manner throughout the DSM P as a strategic driver for EU competitiveness.

How to do that?
By proposing to member states the timely implementation of a comprehensive set of operational steps to accelerate investments in the areas of very dense cellular coverage, super fast back hauling, vertical industry driven connectivity services, a new digital innovation Ecosystems.

So, also, just to briefly see the measures and the proposals of the action plan.

So, it is a common road map for coordinated deployment of 5G in 2020. Keeping the EU ahead of the race important by implementing a common EU calendar and coordinated national plans for commercial loans. Prepare for a 5G ready Europe. The strategic prerequisites are the availability of spectrum, so there should be a Fastrack for EU spectrum decisions with respect to 5G. The availability of fibre connectivity, so, the fibre capacity for 5G back hauling. And also to reduce the cost for 5G deployment for emission limits or a local taxes etc.

So in support of the growth for 5G, the commission can act as facilitator of cross‑sectoral business synergies and also about the Ecosystems and collaboration. Also finally for preserving 5G global trials like the driving corridor.

Last but not least the importance of global common standards, to ensure a 5G global interoperability for customers.

Let's see a little bit more graphically the timescale.

So, we have a coordinated quite a similar launch throughout the single market by having first an early 5G launch in selected areas by 2018, and commercial launch of 5G services in at least one major city in every member State by 2020. So by then, we would have in a way start an aggressive roll out with the geographical and secretary role foe Gus with the objective being 5G in all urban areas and along main transport paths by 2025.

Here is a little bit more detail about the 5G action plan timeline. So, we are here in a way and we have three very intensive years before us to achieve the goal of 2020, of 5G launch in all member States.

So, the big blocks are national 5G road maps, spectrum allocation and assignment. 5G standardisation and cross border pre‑commercial trials. We see also the venture capital support to innovative start‑up in 5G key user sectors. Also the best practice for fibre planning to boost the small cell deployment. As we say in a way commission target is the 5G launch in all member states by 2020 and then 5G everywhere by 2025. Then, we'll also mean that we will continue with the best practice of fibre planning to boost the small cell deployment and continue the investments in fibre infrastructure and small cells.

Another nice graphic presentation of the 5G and the perception with the vertical as a pervasive fixed and mobile connectivity. So, we see in a way the 5 sectors that vertical sectors that we use, the automotive factors of the future, energies, health, media and entertainment.

So, as I supporting actions for that, we have already established the 5G public/private partnership which was launched in 2013, which is ab objective driven. There are technical, economic and social objectives and there are contractual KPIs. In this context the commission is engaged to put 700 million euros of public funding for research between 2014 and 2020. And there is matching the private investment of 3.5 billion euros.

We have in a way launched already last year started in July the first round of 5G research projects, there are 19 research projects, and I provide also the reference there of the white papers and the 5G collaborative achievements.

So, important word about the verticals. In the mobile world congress in Barcelona, the 5G PPP produced in the presence of Commissioner he had ininjury, the document on 5G empowering the vertical industries. So, this is important in a way to show our attachment to the use, and the relationship with the verticals and the fact that the commission is working also on that.

From this white paper, I just show you very quickly here the requirements for the five verticals, the vertical requirements for the five sectors that we have identified.

So now in a way we are in the Phase 2 of 5G PPP. There is in a way a call open which will ‑‑ till the beginning of November and then we will start working on the evaluation of the proposals. So, we have a research innovation actions of 106 million euros. On critical technologies and systems on radio network and architectures, optical core, SDN, architecture and network management and also there is a research and innovation action on accents network with Taiwan of 5 million euros, also 1 million euros the other actions, makes a total of 106 million. There are also innovation action and innovation and support actions. As we say, the keys for this Phase 2 will be the verticals, experiments and demos.

Finally, in terms of the agenda, there is the second 5G global event in Rome, Italy, in November 9th and 10th, where 5G is co‑organising with the other 5G associations in the world, you would be very welcome. Thank you.

(Applause)

JULF HELSINGIUS: We can take a couple of quick questions...

AUDIENCE SPEAKER: Tasha, consulting for German Government, speaking for my own, for this question. I follow the programmes of the European Commission concerning broadband connectivity for years now, and I'm quite surprised by this focus on 5G, because the more you go forward in the broadband wireless technology, the nearer are the cells, the cells are getting smaller and smaller. And this 5G is only, from my perspective, not of such important snippet of connectivity because if you want toen roll 5G to get the EU connected, you need to have a real huge optical network to connect all the cells. And this is the main problem. If you have the fibre connectivity for such a huge amount of little cells, then it doesn't really matter which technology you use on the last mile. And so I'm really surprised about this huge focus on 5G from my perspective to get the European connected, you need to have this backbone of connectivity in fibre. So, perhaps you can explain this.

ACHILLEAS KEMOS: No, I fully agree, that you need in a way the backbone, an optical backbone and I don't think that it is something that is not mentioned in the presentation or is not in our plans. This comes in a way as a compliment and I think in the package, there were the two foreseen. So, I agree with you, but I think that these are in a way complimentary. One to the other, and also, from what I demonstrated in the presentation what was clear, it is in a way, that we are in extreme pressure also in an international context to go for 5G, and in Europe, we have chosen to have a collaborative model and to link with also the other industries and really identify needs and markets and where is the prospect for this technology.

AUDIENCE SPEAKER: Hi, Luas which is from ILAN, I am a member of the ICANN Board this is just out of my personal interest. I am assuming that the European Commission consulted quite broadly before launching this programme and that it's still being discussed in the Council and the apartments I'm wondering were those discussions are at and what kind of political fireworks are you expecting? What are the contentious issues which countries or political parties do you think are going to throw up obstacles or blockages? Or is it going to be let's go for it and you know make this all happen by 2025 without problems?

ACHILLEAS KEMOS: This is a communication, so basically in a way, it is a communication from the commission to the other institutions. It's not in a way that in the case of a regulation, that they have in a way to vote on that and so on. So, it is a less of a conflict. But, clearly in a way, we have been consulting with a way the 5G public private partnership. There was also, because of time pressure, a consultation before launching the 5G action plan this summer, as as you see in a way, we are trying also to convey this, the message in all for possible. My experience of working with RIPE and how good results we had in the case of Internet of things, tells me that here also in the case of network management and the elements that 5G can have on SDN and F v could be of interest also to the RIPE community to follow this more attentively.

(Applause)



CHAIR: Now, the I'm going to let the RIPE NCC people with their show, so it's Chris and Marco, I am sure you all know them, but he can talk further what they have been arranging for the rest of our session.

MARCO HOGEWONING: I'm going to stay up here so I can at least see you for a bit. On the stage we'll have three people, I don't have a clicker... so, a quick update on IPv6 and governments. As said we were working with Constance Berger who fell ill, happy to see Taher, replacing her. So, the three people on stage, Jordi, speaking here regarding his work with the Spanish Government, although I noticed he will also mention Equador and Columbia.

Tahar working for Cassini and here on behalf of the German Government explaining what they are doing, and finally, we'll have Andrea Cima here who works for the RIPE NCC registration services, who will explain a bit how we see it and how we work with governments. This is, this is about introducing IPv6 in the national administrations. So, building national number plans and getting the governments and especially the Government internal systems IPv6 ready. So, with that I'll leave the floor to Jordi to quickly explain how it goes in Spain.

JORDI PALET: Basically, I'm going to do a very, very quick introduction of what has been done in the Spanish Government and also mention other similar cases. On April 2011, the Government, the Spanish Government approved a plan for the deployment of IPv6 in the public administration. That was the plan main points actually connectivities. Basically racing awareness, creating a specific information website, mandating IPv6 support in public positions, doing also trainings for the public administration, those trainings were actually open to the private sector as well encouraging also public private partnership, and well a few other activities like topology international IPv6 activities, and also deploying IPv6 in the dot ES. Okay. So that was the main aspects.

And this of course included the generation of what we call the support of IPv6 in the public sector network which is called Sarah including an addressing plan.

One of the difficulties we had ‑‑ well one thing here is just to show a map of the main cities where we did this training. The training was attended basically an average of 250, 300 people in every city, 20 cities in total. It's not a complete training but it's a starting point for the people to get awareness about IPv6 from the technical perspective, and also starting to get the first knowledge and probably trying to help as much as possible to change their mind from IPv4 to IPv6, which is one of the main difficulties that we found. Not just in Spain, in every place where we are working.

Okay, so one of the main activities was designing the addressing plan and working with NCC to acquire the prefix that was needed. I am not going to explain the details of the addressing plan, but just, we had different levels in the public administration, and we had the idea to make sure that they come one which bun to NCC for a /32, we can still doing that in having 40 /32 working in a totally aggregated single prefix, so that was main idea. And one of the difficulties was the policy at that time didn't support that. Fortunately this changed in the last year and we are working now in on the final prefix. Just to give a very simple idea.

We have been working with other governments, worldwide, mainly in Latin America, I guess speaking Spanish helps a lot so we have a similar plan in Equador and Columbia, and in some cases like the case of Equador, this helped a lot because the operator is incumbent and is the measure one in the residential sector to actually succeed in increasing the IPv6 traffic and actually Equador is one of the main countries in the world in this situation. It's not the same in other countries because the lack of, let's say, pressure to the private sector.

So, again, this is the Columbia plan.

And just the final slide, a lot of people, even in governments and Private Secretaryers still say, IPv6 is not relevant. And I want to show you the actual traffic in the cellular networks in the US. This was at the end of September. It's already 60% now. I think it's clear that we need to move over there.

MARCO HOGEWONING: Thank you Jordi. We are going to keep the questions for the end. I think that's more fair to just run on at that hardware. The German Government, tell us, you have mentioned you have got two specific problems you want to talk about. So.

TAHAR SCHAA: In Germany we already have an address space, we have an addressing plan, but we are facing two other problems, we go on with the introduction of IPv6 and we have to do something with the addresses.

So, the first thing we have to make our mind about was the routing, because in Germany we have a law since two years that the communication of the Government has to be kept in separate networks of the Government. So, the Government organisations, the authorities also communicate with the Internet, and so there has to be made a routine contact which is able to do the decision which traffic will go over the Internet and which traffic has to be kept within the governmental networks.

This was a huge discussion, and was not so easy. The first thing we had to do was we needed to make clear what other goals are, we want to reach with routing, and this is of course, we need to enable communication. It sounds simple. It isn't like this, because our security authorities sometimes appear to say okay, we need to announce only little, little snippets of address space because then we have a more ‑‑ a less chance to get attacked. But these fights that aim to be reachable. And so we had these principles declared, and after that we derived from this a routing concept for the public administration in Germany. It's, I think, an interesting thing. Also from a technical perspective, because it scales and it could be a blueprint for other countries with also internal governmental networks and external Internet connection, and it even would scale to European networks like test a NG. So we had made up our mind about two scenarios, one is the routing internally, we made a clear technical concept which leads to a simple routing policy in normal routers, which keeps the traffic between the authorities within the governmental networks.

And we have another scenario. The routing towards the Internet, and there the aim to ensure the reachability, because as a Government, we have address space, but we don't have the infrastructure to use it. And this leads to little snippets which many providers announce into the Internet, and this is not ‑‑ the other providers are not really happy with it because it blows up the routing tables, and so we have to announce aggregated spaces also to ensure the reachability of the governmental addresses within the Internet.

And we made this concept, had a huge discussion with all the Federal levels in Germany, it's really complicated, but now we have an official decided routing concept for Germany in IPv6 and I'm really happy about it because now we have a way to go for everyone and we can say okay, if you do routing policies in your router and your infrastructure, follow these rules, it's decided and it's official.

It's quite new, the decision was two weeks ago or something like this.

Another thing is, we were some of the early adapters of IPv6 in the governmental area and so we made an address plan in 2009 with a complete different IPv6 policy and after some years, we found out when we allocated a /48 to all our sites, we will have a problem with the space we got. So, we need a subsequent allocation, and the subsequent allocation needs to be based also on classifying of networks, regional expansion, longevity in all the stuff. We have this criteria included in the IPv6 Address Policy in the initial allocation criteria list, but still not in the subsequent will allocation criteria list, so it is a disadvantage for us because we are not able to use these criteria and as discussed yesterday in the Address Policy Working Group, everyone somehow thinks it's a mess that the initial allocation criteria are not instant with the allocation criteria, so we decided initially to develop a policy proposals which fixes this. So we engage as a normal member of the community, to bring the things forward and perhaps some other governments will have the advantage of it.

So, the status and somehow the activities we are focused on in Germany currently.

MARCO HOGEWONING: Thank you Tahar, Andrea, I don't think you have any slides, but what would you say from your ‑‑ you have been, from registration services basically sitting on the other side of Tahar's request and Jordi's requests. What's there to add from our side.

ANDREA CIMA: Yes, as registration services team, our role is to evaluate the requests for IPv6 that are being made, and we have to make sure that the requirements of, in this case, the public administrations, match the policies that are set in place by the RIPE community.

Those type of requests are quite different from the ones that we receive, for example, from the ISP that provides Internet service to say my home. There are additional layers of hierarchy, additional layers of security, and for us, it has also been of the years working together with the public administrations a big learning experience.

Which has sometimes resulted in changes of policies, policies that were not fitting the needs as they both mentioned before. And in this case the public administration, together with the private sector, has been working together to change the existing policy, so that their needs can be taken into consideration in an easier way.

Apart from this, we, as registration services operational department, we think we can still do more to support the governments. As I mentioned before, we are learning from this as well, and we are planning to try to be in touch with them at an earlier stage than what we do now. At the moment, we receive the requests and it's a formalised request and our aim is to get chatting at an earlier stage so that we can actually help the governments or the public administration to calculate how much address space they need, to calculate how much address space they can justify according to current policy and what kind of documentation is needed, so that once the request is submitted, this can be dealt with in a much smoother way.

MARCO HOGEWONING: Thank you. How are we doing on time? Good. Okay. So, if I can get the house lights I'm going to open up to the floor for questions for all our panelists but I have got one question for Jordi to kick it off because you like okay you have got a bit of sort of a slow mover advantage that you came in with your request after the policy proposals were done, so...
That routing issues that are mentioned, do they also play a role in the Spanish Government?

JORDI PALET: Yeah. Actually, with with all the governments we are working we have similar situations, and the situation is very country dependent because in some countries, there is a strict routing policy, as in the case of Germany, and you need to aggregate all the traffic in just one connection or have multihoming in different locations and so on. So, definitely there are different cases but most of the time especially as much bigger is the country, more aggregation is required and more strict are the Government regulations regarding how to route this traffic. But in some cases, and this is something that is happening most typical in smaller countries, sometimes there is not a real network for the Government, for the public administration. Maybe there is a network for the research and education like universities and so on. And that imposes a small difficulty, which is we may need to get a single prefix from the NCC, but maybe we need to be more relaxed in the deaggregation of the routing, which is not recommended in IPv6 but fortunately will be big channel so it should not be a big problem.

MARCO HOGEWONING: Anybody in this room, if you have any questions, we're going to stick to the regular etiquette, to please raise your hand and wait for the pushing of the buttons. I have got two here.

AUDIENCE SPEAKER: Maria. Actually Jordi was cutting a bit on what I was going to ask. Maria, I am the CEO for the Swedish University Network, so I was asking both of you whether your collaboration is touching upon also the university academia sector, what you are doing in your countries both in Germany and Spain, so you mentioned a bit about it, what about it in Germany? You have for instance your national research and education network and I guess, and I know they have some struggle in that space as well with IPv6 deployment. So, do you have any collaboration with them because it's ‑‑ the universities, they also part of the Government. So...

TAHAR SCHAA: The academia part is somehow separateed in Germany from the organisation. From the perspective of the authorities, it's a simple, simply an ISP for us. It's a DFN network, and it's not seen as an internal governmental network, because all of these students are doing some weird stuff there, and so, from our perspective, we see DFN as much further in the development and enrollment of IPv6, but on on the other hand, they don't have so strict rules they have to follow. So it's easier for that to do all this, and we are a little bit slower, but we have to follow more strict regulations and more requirements.

JORDI PALET: In fact, in Spain, the National Research Education network, has been supporting IPv6 for ages, and one of the things that actually I'm encouraging to governments is why you need to have two networks, because at the end, Sarah, which is the public administration, are two different networks that are interconnected. So, in terms of public money, I am encouraging governments to look into sync he will infrastructure. That doesn't mean that all the traffic should be the same in bot networks, both networks, there are different security measures. That can be done technically. This is my point. But up to now governments have not reacted into that. I know it's sometimes depending on different institutions of the Government. But at the end, everything is public money, right?

AUDIENCE SPEAKER: Alexander: Well, I would like to thank you for this presentation and especially I would like to mention that this is an excellent example of our accountability of which we are talking from the beginning of this meeting. I'm still sure that this is the only possible way of accountability from governments to RIPE community and it exists as a way for governments and accountability. I would say thank you very much. I hope much more governments will report to the RIPE community in future. Thank you.

MARCO HOGEWONING: Thank you. And I have got one question in the back there.

AUDIENCE SPEAKER: I am Carlos from the Portuguese ENREN, currently with security. My comment is about if all the Government stuff should be under the same prefix or if it will be beneficial if the several ministries became LIRs and managed their own stuff or not?

JORDI PALET: In my perspective, if we want to make the network as cheaper as possible, that means a single infrastructure instead of different infrastructures and each one being a different LIR and having a single prefix and a single LIR don't take out, let's say, autonomy of each institution, because this is the main concern for governments, they believe that being under the single prefix they loose part of their autonomy, but it's not true, it's a routing question tend, right. And they can still have their own ISPs if necessary and deaggregate the big prefix in small chunks as I just mentioned for the smaller countries. I don't think that's a requirement.

TAHAR SCHAA: In Germany, we discussed this issue a lot, and but now at the end, we have now a little bit more experience, so all the aspects and it is, if you have an address space, as a country, or an authority, you have to take care about security in a complete other way than a company. In Germany, we are facing abuse of addresses of authorities which are not announced, we had the case, one Russian provider used an unannounced space and took it for himself for some not good stuff, and if you have separate prefixes, separate LIRs for separate authorities, they are not able to do it in a high quality way to secure this address space and under these aspects of cyber war and all these fancy buzz words, you have to prevent all these things by people who are knowing what they are doing and even in Germany, it is not able for each authority to employ so many qualified people to take care about it. So, it's, I think for us, it's a wise decision to use one aggregated prefix, and another aspect is that this routing concept would be much more complicated if you have completely separated prefixes. For us it's a real advantage to have one prefix to be able to identify what is public administration in Germany and what is not. And then we have a simple routing policy and it's really important because in Germany, even in Germany we have so different authorities, we have small Mondays pallets there, they are not able to buy a huge Cisco router who is able to keep a huge routing table, they have small, somehow, products and you have take this into account, and make concepts which enrollable also for these small take holders.

MARCO HOGEWONING: Andrea finally, then, I guess, big or small, what would you say? It's all about the preparation? Is there a difference between sort of like the one big LIR or running small ones?

ANDREA CIMA: From our experience what we see is that in concern countries there is, there are different ministries, different parts of the public administration that request their own block of IP addresses. They have their own LIR, but the tend sea, especially in IPv6, that we see is that for public administration, there is at least a search, a research from the public administrations themselves, to look into the possibility of one large aggregated block, exactly as Tahar was mentioning before, that is the trend we see at the moment in IPv6.

MARCO HOGEWONING: With that, thank you guys for helping out and explaining what you did.

JULF HELSINGIUS: I'm going to hand over to Chris.

CHRIS BUCKRIDGE: Good morning, my name is Chris Buckridge, I am external relations manager with the RIPE NCC.

My apologies upfront, these are some pretty blank slides. They are just some words. I can blame the whiskey BoF for that but when you try to illustrate it, it's quite difficult, particularly since Geoff Huston used all those train crash images all those years ago.

But, the international telecommunications, these guys have something of a bogey man for the RIR community for a few years, we have certainly had discussions really going back to sort of the 2008, 2009, where there have been the ITU and the governments in that ITU structure looking at what role they have in Internet governance, administration, trying to perhaps increase that role. And so this has been, there have been sort of high points and low points, busy times and not so busy. I think Maria mentioned the wicked conference in 2012 and that was obviously a very significant one.

Actually as we speak there is another quite significant event going on, and it's the World Telecommunications Standardisation Assembly and this is something that happened every four years and so the last one happened immediately prior to that wicked event in Dubai.

So what this is is the sort of supreme decision‑making body for this ITUT, the standardisation sector and the RIPE NCC is actually a member of that ITUT standardisation sector. Every four years they have these meetings where they consider resolutions, many of which roll on from year to year ‑‑ four year to four year, and edited or changed and taken away by the member States. Of particular interest to us are resolution that is include references and discussion of IPv6, Internet of things, cyber security, and actually domain names.

The key areas of interest for us in these discussions, the main one here is the ITU's role in management of the Internet and Internet governance. The Internet of things has been quite a priority for the ITU in recent years.

Obviously also is of interest is the management of IPv6. There's a resolution that talks specifically about this. And has in the past included a discussion of whether the ITU itself should become an IPv6 registry, an additional regional Internet registry you could say. That doesn't seem to be going anywhere. We don't think there is any movement currently on that sort of discussion.

Digital object architecture, DOA, is another topic that's been sort of going around a lot in ITU circles recently. And that realities to the IOT discussion, it sort of very quickly gets into the weeds and a lot of argument has been about ITU process.

And the ITU's role in domain name management. This is not perhaps directly of relevance to us, but it's again at this particular WTSA been one of the more contentious issues because come of the governments have said the I much more of a role.

This meeting is going on as we speak, so lot of what I'm talking about here is the resolutions that have been gone into this meeting, but the discussions that are ongoing will find out the results of those at the end of two‑week period, which is the end of next week.

But so I wanted to jump back there to the point that I made initially about the IOT and that being a particular significant area for the ITU at the moment. One of the things that we established a little while back, I think in 2016, is the new study group and so this is how the ITU actually does its work in various study groups. Study group 20 was established to look at the IOT and its applications including smart cities and communities. So, basically this was, this is a specific group looking at Internet related issues, which is something that many member states, I think the US, the UK, many western European states have been very wary of and tried to push back on saying the ITU is not the venue for these kind of discussions. Other member states, UAE is chairing this, so many Arab states, Russia some of the countries in that area, China, Korea, Asian countries, have said networks actually this is something we do want the ITU looking at and so ITU) this is a Working Group or study group that the other RIRs have been paying attention to and going along to the meetings of and the discussion has led into areas which are of direct relevance to us, including IPv6.

There was a recent draft recommendation on a reference model of IPv6 sub‑net addressing plan for Internet of things deployment, which from the title alone sounds very much like something you would see in say a RIPE community discussion or a NANOG discussion, not so much in an ITU discussion. The ITU study group did send out a liaison statement and the RIPE NCC along with several of the other RIRs wrote responses to that, essentially saying, this is not the venue for this discussion. These kinds of discussions about IPv6 sub‑net addressing plans need to take place with the operators in question, and with the RIRs in question because they are obviously implications and intersections with RIR policy.

But, there are sort of bigger issues surrounding this SG20 and the IOT in an ITU context generally.

Because I think there is a bit of a space here where there's an open question hanging in the air about is IOT different or distinct from the Internet? Does it pose such unique or new challenges that it requires completely different administrative processes? If it does and if there are different administrative processes, should it be the same actors, the same bodies doing or should someone new, say the ITU, step in and take more of an active role there.

There is also a question about whether that digital optical architecture fits into this IOT scheme.

Then, can, should, will the ITU services standardisation hub for IOT?

I mentioned that we did a response to the earlier liaison statement about IPv6 and we said this is a discussion that should take place in these venues, in RIPE and other venues like that. That sort of the easy stuff for us. We can certainly push that argument and say this is something that the RIPE community should be looking at. What we need I think is bit more input and discussion from the community on are these questions about IOT because I don't think the RIPE community and many of the other technical communities like RIPE have really engaged so much on this question of IOT and where we fit into it, where we see the Internet technical community fitting in and whether we seal tee IOT as a distinct, different new thing or whether we just see it as a continuation of business as usual.

And if we do see it as a continuation of the Internet at large, then we need to work out our arguments to come back to those people who are saying no, this is unique, this is new, this is something different.

So, this is where I get to the advertising parts of this. We actually do have a BoF session at the end of the day about the Internet of things and talking about the RIPE community and where it fits into IOT. So please, 7 o'clock today, I know it's getting late at that point, but it would be great to have as many of you in that BoF to discuss that and sort of hash out some of these ideas as possible.

Last slide. Just because there is also some other ITU stuff we're involved in. This Council Working Group on Internet related public policy issues, it's actually a closed Working Group to member states, but with some efforts, since the last Plenapententiary, to be a little bit more open and these open consultations is part of that. The most recent one was building and enabling an environment and we made a submission to that which essentiallily highlighted the importance of IPv6 for enabling Internet access. But also pointed back to the work being done by the IGF pest practice forum on IPv6. So trying to sort of close that circle where we say okay, it's welcome that the ITU is trying to be a bit more multi‑stakeholder, but this is this actually whole other actual multi‑stakeholder forum which is producing this work. So, it's sort of our message there is, let's do this work in the appropriate venues and maybe for a lot of this Internet stuff, ITU is not necessarily the appropriate venue.

I'm now going to read out each of these URLs. No, you can go back, I just wanted to provide a bit of additional reading material Tor anyone that's interested. That I road to I can't say minute ham ma met is a document that ISOC has produced which goes into a lot more detail on some of the issues that I mentioned going into that WTSA discussion.

Actually, I think two days ago, the Internet Society also produced this overview of digital object architecture and why that's an issue of such interest and discussion to many people. So I'd certainly recommend people looking at that.

And, that's it really from our current ITU perspective, but I'm happy to answer any questions.

(Applause)

CHAIR: Just a quick comment, those eye cock documents are really worth reading, but don't read them if you actually need to sleep the next night because you will have a sleepless night after reading them. Questions, comments?

AUDIENCE SPEAKER: Hello, Steve Nash. I think the Internet of things, I think the two key words in there Internet and things recollect and Internet I don't see changing that much. Things, I think are something that we could investigate handing over to ITU in that clearly what we saw last week was vehicles being put on the Internet highway that were completely unfit for the purpose. And if we want international ‑‑ minimum international standards for what gets plugged on connected to the Internet then the ITU might be a good vehicle to deliver that.

CHRIS BUCKRIDGE: I think that does sort of security issues are really, yeah, central to this discussion and central to the interests that many governments have, even beyond sort of perhaps the interest of just giving the ITU some continuing relevance. I think they are looking at events like that and they are certainly concerned, so, yeah, absolutely. It's a cushion and hopefully something that will come into this BoF this evening.

AUDIENCE SPEAKER: This is Yap. I want to make a comment about the domain discussion there in the ITU. I mean this is all about resolution 47. And if you read that resolution, you will notice that the people who wrote it don't understand what they talk about. And especially they refer to ISO 3166 and I am part of that committee as well, and they have complete misinterpretation of what effort standard means. At best this is an interesting fantasy, and I hope that ‑‑ I mean, if people are going to rely on that they are living in a complete parallel world, but if you want to know details, I mean just find me and I'll tell you.

CHRIS BUCKRIDGE: I believe also that it's very closely, close to the same wording that was used four years ago, so, yeah, there is a reason that I'm here and not in Tunisia which is I think that we haven't seen anything in really any of the resolutions there that is immediately concerning or urgent. And it's much more about the sort of, at this point, the positioning and what the sort of further discussion and evolution is, but, yeah, being on site to sort of listen to these resolutions discussed probably wasn't the most efficient use of our time.

AUDIENCE SPEAKER: Alexander, open net. It seems I ask you this question, but during coffee break in Copenhagen. Why do not we have kind of spy organisations because, well, they have strange plans, maybe terrible plans, which could affect our community and everything which was built by this community, but again, no one there, as you have seen, no one who could report to us maybe regularly. As previously Yap said, yes he is a member of kind of ‑‑ and we could contact them but that's no good. It's much better to have kind of an overview of where one is going in this under world, so, it's a suggestion to make for NCC maybe have more activities in of this kind and present it back to the community.

CHRIS BUCKRIDGE: What I would say to that is, I don't think we have any spies in there, but I think also it's less an organisation, I think we're less concerned about what's, say, the ITU is doing, than about the ecosystem around it, so it's about what many different governments are doing and I think the other point there to make is that we are, obviously having some involvement in the ITU global discussions, going to study group 20, we are also very involved in the CEPT discussions, which is the European coordination group of countries where we are going to get more involved in the RCC, which is the XEIS countries, and obviously with the Arab group where we have a number of connections there, so I think it's also at that regional level where a lot of the ‑‑ you see a lot of what's driving people's positions and you can talk to them and say, you know, maybe this is not the best avenue to achieve what you are trying to achieve here.

CHAIR: And I would also like to say that's actually why we have this Working Group, and we really should use it much more to sort of drive things like this so we'll try to do our best on that.

AUDIENCE SPEAKER: Alexander: Actually I'm using the spy language because, but I also have some contacts with representatives of this terrible organisations. It was related to standards and there was winning the IETF, because they are representatives in government's and something like a blocking their work on standards, so it's a very interesting opinion to be heard from this kind, and it was about an organisation, but maybe okay during RSS and something else, we could, as a community, as a very good forum community, try to effect. Thank you.

AUDIENCE SPEAKER: Thanks very much Chris, and I'm happy to see that we actually have a BoF on this IOT bit here. I think, you know, some people will say is it interesting? Is it not interesting for the RIPE community? Certainly in the transport layer, it's very, very interesting for this community. I think everybody is running around at the moment trying to find out who is the player, where is this all going to take place? We see different actors there, IETF, is jumping up with certain things. IEEE an organisation we probably haven't had so much to do with in the past. They are part of this game. ITU also, I think one of the things that's important for this community to realise is that currently, the ITU is actually quite loud in the IOT space. And they do want to be the kind of all compassing body where all these IOT discussions will take place, whether it's on standards or anything else kind of related to IOT, this is the feeling that we have. And what has been said to me by quite a lot of governments is that if there aren't discussions taking place for instance, like in the RIPE community or elsewhere, member states really don't have any other option but to put their focus on what's happening in the ITU. Now, this is the part that starts to get slightly dangerous for something like the IETF or even for the RIPE community. So, I'm happy that we're having this BoF. I think that in time, as things kind of unfold, I hope RIPE will find its spot in seeing where we would lead or where we want to be part of the IOT discussion and part of the debate. So I'm happy to see Alexander mentioning those bits. We are, as Chris said, we are sector members, so we are invited to all of these bits. We do follow it quite closely and all the other groups surrounding the bits that feed into the ITU. So, we have our fingers there and we certainly should step up our reporting here and I think that's very important. So thank you. Thanks Chris.

CHAIR: Thanks. I'm actually going to let Jim ask his question but then I think we need to wrap up and move the rest of the discussion to the mailing list.

JIM REID: I don't have a question. It's just an observation. Chris, I think there is an important part of the work that you are doing with the ITU is information exchange and it's actually in both directions. It's good for you to come back and report to us about what's happening at things like study group 20 and who are the players there and what they are up to and the agenda that's comingment that's very valuable. It's also very important I think that we have got people with a degree of understanding of how things work in the Internet to try and explain that and articulate that to the people inside study group 20 and in our ITU study groups because there is a great deal of uncertainty that goes on there, and you get the craziness like the sort of thing that Yap was mentioning earlier because people don't understand how the Internet works and then they build all sorts of things on top of those suppositions, and so from that point of view, some of the things that you are doing is essentiallily harm reduction. Some of these bad ideas or crazy ideas can be captured at an early stage and nipped in the bud. That stops them going into things that become much much more difficult to contain and deal with. So I think we have to realise that this is not just a job for you and other people in the NCC but also for other parts of this community and I know that ISOC is involved to, but to an extent, this is something we all have to deal with. It's not something that we can just rely on you and other people like you and the great work that you are doing.

CHRIS BUCKRIDGE: Thanks. I think the other thing and this sort of relates to your point there, I wouldn't want to give the impression that study group 20 is just member states. At the moment it does have quite a bit of industry working in it. But it's not this industry. It's the things industry basically. It's those consortiums and those companies that are actually doing it in a things stuff and we don't really see a lot of direct connection between that side of the industry who are obviously keen to sort of get this all up and running, and maybe this side of the more, traditional Internet industry. But I think there is really, there is an interest here, or there should be an interest here, because what happens is going to affect this community.

JULF HELSINGIUS: Thank you. Okay. I think we have to wrap up here, but I'm really looking forward to continuing this discussion on the mailing list. So. Thank you.

ACHILLEAS KEMOS: If I may I think this is a clear point to have an agenda point in the next cooperation working group meeting.

JULF HELSINGIUS: So thank you everybody and seeing on the mailing list.

(Applause)

Coffee break.

LIVE CAPTIONING BY
MARY McKEON, RMR, CRR, CBC
DUBLIN, IRELAND.