NRO/RIR Reports
28 October 2016
10 a.m..
NICK HYRKA: Good Friday morning to you all. Welcome to the first session on Friday, the last day of RIPE 73 in Madrid. So far it's been a great week, hopefully we can wrap this thing up with smashing success. Before we start, I want to give a quick shout out to Marita back home, thank you for your steady hand and help and also to the staff at the base in Amsterdam for keeping things humming.
We are going to start our session with the reports, but prefacing that we're going to get an update from ICANN from Ron da Silva. So, Ron, come on up
RON DA SILVA: Thank you, Nick. I have the lovely privilege of greeting the few of you who managed to wake up after last night's dinner and party, so a good morning to you. I am Ron da Silva and I am bringing a report this morning on a continuation of something similar that was done in Copenhagen, and this is part of an effort to increase the engagement of the ICANN board with the RIR communities and I hope you will see more of us not only here at RIPE, but if you participate in any other RIR meetings you'll see us there as well. And similarly, we have been encouraging participation from the RIRs in the ICANN meeting, so this is an ongoing effort and this is a follow‑up, like I said, to Copenhagen.
But first, there is something has happened since Copenhagen, I loved the simple message from the IETF, transition happened. Well, it did. Plenty on that from others so I'm not going to add to it.
So, why here? The intersection between ICANN and the RIRs comes through the NRO, the NRO will have a ‑‑ will have a number of slides topology and presentations on other RIRs and the NRO itself, but it is really there for two things. One, is facilities the global policies between the RIRs, but then secondly it appoints a number of the ‑‑ two of the ICANN board members, and as, you know, there is an election ongoing for one of the seats to the NRO, and these are the members of the NRO from the RIPE region. If you haven't done so already, I think there should be an e‑mail somewhere in your inbox to register for the NRO election process, do that by today and please participate. These are the folks, these 15 members that select the two ICANN board seats.
But let me take a moment, I think this slide was shared in Copenhagen to talk about the structure of the ICANN board. If you look at this diverse picture at the top of the different board members, there are 20 of us, and the four on the far right, the red board members are not voting liaison roles from various bodies and the orange people along the top row come from the nominated committee. There are eight of those and seven that come from the different SOs and ACs, two here from the NRO or from the RIR regions and then the other five come from the DNSO, the country codes and the at‑large communities, and then lastly our CEO is part of of it. So here is where I come into the picture. I am here not just at RIPE but in all the regional registry meetings and communities as a representative of you on the ICANN board and I'm happy to do that and delighted to be able to advocate on behalf of the community in ICANN in that capacity.
Joining me there is Kuo‑Wei Wu. Kuo‑Wei Wu has been on ICANN board for 16 years he is completing his second term which expires in a couple of weeks and Ochinori has been elected to replace him at that time. So this is your RIR representation in the ICANN board, but there are others that I thought I'd point out. As part of this effort to continue to increase the impact and the involvement and engagement between the board and the numbering community, I am delighted to see a couple of newcomers into the ICANN board who are already part of the community. One you know, Kaveh, who comes from RIPE, will be joining us; and then secondly Leado joined last year he comes from the LACNIC region. And then one shout‑out for Lousewies, she is here again, I have been encouraging members of the board to participate in regional meetings where they reside and I believe we had a number of board members in Copenhagen that are here from Europe, and Lousewies is here from Europe. Similarly, when we have meetings in APNIC or AfriNIC or the ARIN regions I have been reaching out to the rest of the board members and encouraging them to be present and to participate and to get to know what are the things that matter to the RIR community.
So, one slide and on a couple of interesting topics. Then I'm done. I always hear this, ICANN is awash in a pile of money and I thought I'd put it in perspective a bit. This arguably would be a pile of money. We had operating revenues of 124 million and then an additional 70 million over the budget that was part of the new DTLD programme. So last year's 2016, which our financial year end on June 30. We had total revenue close to $200,000,000 and staff of 340. If you think about the five regional registries and you add up the revs of each of those it's in the 80 million dollar range and you think of the number of staff of each of the registries and add that up, it's a more here at ICANN but if you think of the two things that ICANN does that are relevant in this context, it's really one, they run the databases for numbering resources for Internet protocols and for the DNS. And then secondly, they facilitate just like we're doing here in Madrid for numbering resources they facilitate the policy process around domain names and domain named resources. So, a lot of what ICANN do you see is focused on that. About a third of our, a quarter to a third of our resources and staff in effort is focused on conducting meetings, like this one, and travel support and translation facilities and those things to enable the policy process for domain names.
That's part of the 124 million. And then the additional 70 million, that gave us a total of close to 200 million in revs last year. But the cash that the organisation is sitting on is 340 million, and that is comprised of these four categories. And you can see this bar chart down the right‑hand side to depict that breakdown, an operating cash of 30 million dollars, auction proceeds of about 100 million dollars, the new gTLD is about 140 million dollars. That extra stuff that came in went into at that fund. We have about 70 million in reserves. I'll talk about the auction.
As part of the new, the current gTLD programme, if a particular new string is not resolved with different applicants privately. Then it goes into this public auction process. And the proceeds from these public auction goes into this fund that today is rather undefined how and what we will do with that money and that was actually by design. When the GNSO put together its proposals for how we would go and conduct this auction process for this round of gTLD, it was set aside as if we get a bunch of money then we'll later go figure out what we're going to do with. We are trying to figure out what this do with it. I'd encourage you, if you are interested, to get engaged and participate. It aligns nicely with the certain outreach that was shared I think on Wednesday, here in the RIPE community on how can you impact your community in ways with resources that are available here. I know APNIC is doing system similar. So this is definitely a pool of funds that could be used for similar goodwill to the Internet community at large.
So I say who needs 240 million will dollars? I mentioned last year we had in the auction proceeds about 100 million, or 110, something like that. We have added in one of the last major strings that was resolved through auction, dot web, another 130 million. So there's 240 million dollars in cash waiting to be sorted out on what do we do with it. That is interesting.
Another interesting topic, PTI, if you missed Elise's update on Wednesday on the structure for the new NTT graded for part of the transition to house the IANA functions, this is done. There is governance in place temporarily and now the various constituencies, the SOs, ACs need to put in over the next year a process for how we are going to continually update the board of directors etc. So that's in the works.
Elise provide the a lot for detail. Go back and look at the presentation from Wednesday if you are interested.
One other topic I thought would be fun, from here I go to hydro body and we were originally supposed to be in port reek owe, we got scared by a bunch of mosquitoes so we didn't go. And that's all I have. Thank you.
(Applause)
NICK HYRKA: Thank you, Ron. And I did a bad thing, I didn't introduce myself at the beginning, I am Nick Hyrka, Communications Manager at the RIPE NCC.
Now, onto the RIRs. First up we have got AfriNIC. And with that we have got Arthur from head of member services.
ARTHUR CARINDAL: My name is Arthur. I am the head of member service. I am here to give you a quick update.
First of all, for those who are, who have a less knowledge about AfriNIC. AfriNIC is credited as the safe LIR in 2005 and so far, we have 46 full‑time employees working for AfriNIC. So, as to member statistics, we have more than 1,400 members, as of the end of September, and we have recruited for this here, 134 additional members.
As to resources numbers, we already distribute by end of September more than 10 million of IP addresses, equivalent to 0.61 /8, and more than 80 IP v6 address regardless of the size, and 128 ASN numbers. So far, 37% of our members has already been issued at least one prefix.
When we compare those numbers to 2015, we can say that last year was the highest annual allocation since the beginning of AfriNIC activities.
Quickly. We'd like to give you some statistics here. All the resources numbers we have has been issued more than 5.82 /8 and we have already received more than 9,000 /32 IPv6. We have already received more than 1.5, 25 ASN numbers. We also have in our database, 351 legacy holders, who are AfriNIC members. In total we have 0.5 /8 IPv4 addresses.
As you may know, AfriNIC is the only one of the five RIRs that can still allocate for addresses according to traditional policy. So far we have 1.5 /8 IPv4 addresses remaining in our address pool, and we expect, by mid of next year, the last /8 so we can start implementing the policies.
We have, so far, seven policy proposals under discussion in the community. A few days ago, you were told more information about that, but quickly we have the number resources transferred to ‑‑ transferred to facilitate the results transfers between members of AfriNIC but within our region.
We have also two policy proposals to update the soft landings policies. The first one is the IPv4 soft landing BIS that intend to describe how AfriNIC is going to manage the last /8 allocated by IANA. The second one is intending to completely replace the current one by introducing some term like new entrant, which will be assigned a /13 and to have them to get IPv4 addresses.
We have, legacy, the IPv4 resources transfers within AfriNIC region. That policy defines a condition under which transfers can occur in our region and help our numbers to get resources when AfriNIC with exhaust completely its IPv4 addresses pool.
The 6th one is the Internet number resources review. The community is debating about implementing an audit that we can, as AfriNIC staff, use to audit results being used by our members.
The next one is inbound transfers. That proposal intends to allow inbound transfers from the other regions into AfriNIC but not allowing transfer out of AfriNIC region.
And the last one is concerning training. We have already conducted more than 20 workshops in AfriNIC region, where more than 500 people attended.
So, we are promoting or IPv6 certification platform, and we are collaborating with local partners, that they can promote our platform where people with go and get their certification about IPv6.
And the last one is we are organising our last meeting for this year, which will take place in Maritius, so you are all invited. The meeting will be heard from 25 to 30 November in Mauritius, this is the summer season so this is a good time for you to visit Maritius; there is sea, sun and cigar, so you are all invited. Thank you very much for your attention.
(Applause)
NICK HYRKA: I don't see any questions. All right. With that, we'll go down under and we'll welcome Zen from APNIC, who is the Internet resource analyst down in APNIC. One of them. Welcome.
ZEN CHUAN NG: Hi. Good morning everyone, I'm from APNIC member services team. Before I start, I'd like to say thanks to RIPE for having me here because this is my first RIPE meeting and it's the first time for me to travel to the Europe region, so thanks to RIPE.
So today I would like to give you a quick update on what's been happening in the APNIC region.
So, at APNIC, we split our activities into three main areas, which is to serve our members, support the regional Internet development, and cooperating for broadly with the global Internet community.
As you can see, APNIC membership is growing steadily. Right now, we have about 12,000 members, which consists of APNIC direct members and members of NIR, and for those who are familiar with NIR, it stands for national Internet registries, they carry out the same role as APNIC except they are serving a particular economy. So, this number is projected to be at 13,000 by the end of this year.
So, for IPv6 delegation, there was a big increase in 2010 due to the implementation of IPv6 one‑click programme that we started. And moving to its 2016, there is another increase that shows that more and more networks in the region have started to deploy IPv6 address.
Moving on to v4 delegation, there was a marked increase in 2013 and 14 due to the availability of the recovered address space from IANA.
And for IPv4 transfers, on the blue is the transfers between APNIC region and on the yellow is the transfers between RIR region, and as of 1st October last year, RIPE has actually implemented v4 transfer policy with APNIC. So, as of now, there has been a few transfers from APNIC region to the RIPE region.
And as networks has continued to emerge, we continue to delegate AS numbers to these increasing networks. So, as of now, APNIC is delegating four AS numbers by default to all applications.
We have an ongoing Ready to ROA programme which we encourage members to register their ROA objects to MyAPNIC portal and, as of now, we have around 1% of v4 addresses that is covered by ROAs.
And one of the projects that we are currently working on is the WHOIS data quality project and this project is similar to the assisted registry check that RIPE is currently doing, and through this project some of the activities is we remove reference objects, we provide WHOIS check support for members and we have actually improved the invalid contact report form to make it more intuitive for members or users to report the invalid context back to APNIC. And we are also going to introduce a new organisation object into the APNIC WHOIS database in 2017.
We also work on a project called WHOWAS. So on this screen you can see this was a prototype that allows you to browse the WHOIS records that is related to a resource or the full history of the database, and we are currently working on the prototype now and it's due to release in 2017.
We also implemented a new resource stats directory, where it allows users to collect all kinds of stats in the region, sub‑region and down to economy level, so please feel free to browse to this link to test out the tool. So I think this is a very useful tool, especially for those who wish to collect the stats from the APNIC region.
We also have a security specialist, Atley, he is currently working with different teams within APNIC, to building a relationship with potential partners in the region, together with APNIC training team, Atley is also doing security training and area training to organisations and societies in the region. And APNIC will also be recruiting more security specialists in 2017.
For many years APNIC has been providing training and technical assistance using member funds, which is limited. So, we actually are trying to get more funds, collecting more funds from other sources. So, for instance, we have received funds from a few countries like Canada, Sweden, Japan, Singapore and also ITU and world bank for a few different training and technical assistance projects.
And something new for you. I'd like to proudly announce that we have helped to set up the TLIX, recently on 26th October, which is two days ago. And through this launch we have connected three major ISPs in Timor‑Leste. It's something big for us.
And APNIC has also funded a new entity in Hong Kong, which is called APNIC Foundation, and the main objective of this foundation is to continue to raise funds to support our development activities in the region.
So, here I would like to spend sometime to talk to you about APNIC's survey results that we have conducted this year. I am aware that RIPE has recently completed their survey and announced the survey results two days ago, so I'd like to share some of the results of APNIC with you.
So, in a nutshell, this survey is conducted every two years and the purpose of this survey is to allow APNIC EC members and secretary to understand the needs of the community. So, as you can see from the graph, we have received equal correspondence from the sub‑region evenly, and APNIC members have rated this service quality very highly, with over 90% of the respondents rating this positively.
According to the survey, we have learned that the top three challenges that are faced by APNIC members all related to security. So, for instance, the top one is 41% of responses were network security intrusion and other breaches, so we can conclude that security is still the biggest challenge for APNIC members and it will be increasing challenges for APNIC members in the near future.
So, besides the survey, it also asked if APNIC has a role to play in addressing each of these challenges, with the majority of responses agree that APNIC can assist them in getting more IPv4 addresses, and followed by, you know, 67% agrees that APNIC has a role to play in routing security. So, if you wish to get a full report of this survey, you can browse to this link below, which is apnic.net/survey.
Okay. Before I end this presentation here, I'd like to invite all of you to our next conference, which is APNIC 43, which will be held in Ho Chi Minh City in Vietnam and this conference is held in conjunction with APRICOT 2017, so if you are unable to attend this conference you can follow the conference remotely from the link provided over here, and we are expecting one of the biggest participation in this coming conference. So I really wish to see all of you there, if possible.
And if you are not able to attend the conference, you can still keep in touch with us through the social media outlets and you can also participate in our award winning blogs at blog.apnic.net.
So, with that, that's the end of my presentation. Thank you.
Any questions?
(Applause)
NICK HYRKA: Thank you. We'll head on over to North America, and get an ARIN update from that. We have got Aaron Hughes from the ARIN Board of Trustees.
AARON HUGHES: Good morning. I am from the ARIN Board of Trustees to give an update on the ARIN RIR.
For those of you who don't know, the ARIN region is Canada, the United States and 22 of the 27 Caribbean islands, as well as a few of the other outlying US territories. As with everybody else, our number of organisations and members are growing; over 37,000 organisations served, 20,000 of those are paying and 5,300 and growing are a member of the organisations.
So, our current focus in the region is obviously to continue on v6 transition awareness. We have had a few different programmes over the course of the years, starting with the big 6 programme which was focusing on getting websites to enable v6 on their outside facing services. Targeting ISPs, content providers and various industry sectors, we have been to continue the advocacy of multi‑stakeholder policy development model and Internet governance and of course we're encouraging responsible Internet resource oversight in the IANA transition discussions which now obviously converted to post‑transition. There's been a lot of work done on the ARIN online platform and we're going to do more. We have done a lot with the interface, it's not a new portal and new features. We're moving on to even further that and enhance that interface.
And that software development specifically is focused on customer‑facing community‑suggested high impact features. This is all based on survey results and, if you look at the interface now, you'll see it's changed quite dramatically in the last couple of quarters.
V4 observations in the region, obviously the ARIN region is out of resources so we're seeing an increase in transfers and market activity and finally a decrease in the free pool v4 request. People have finally come to understood that getting on a waiting list is really not going to do them much good. There is a large waiting list that will never be served so that is all moving to market as expected.
There is a great deal of activity in hijacking and fraudulent activity in the region, so, v4 blocks specifically usually legacy resources where people are still going after contact information, and ARIN staff spends a great deal of time on those requests and trying to prevent hijacking and fraudulent activity.
V6 requests remain steady as expected. This is a graph showing that. The v4 requests are trickling down and needs based transfer requests are steadily growing up and to the right.
There are a great deal of ongoing training and educational efforts. There is now a bunch of material up at arin.net/knowledge and this is for v6 and technical information and statistics. There are a large set of video libraries now available up at youtube.com/teamarin. Then there are in‑person training and education programme, ARIN on the road, ARIN in NANOG in October ‑‑ ARIN on the road, ARIN and NANOG together on the road and, upon request, so effectively if you have 30 people you can get together, ARIN will fly a team out there and help you with education and getting part of the process.
And certainly there is also virtualised telephone consultations available as well. ARIN operates daily, Monday through Friday, from 7 to 1900 eastern.
There is a lot of outreach of community engagement. So we have been engaging members on the policy development process, the policy public meetings and consultations, and work closely with lots of organisations including NANOG, ISOC, other industry groups, really looking to ensure education, empowerment, engagement in the multi‑stakeholder process. We do a lot of collaboration with the Caribbean, so that includes things like CRIB and Internet Governance Forum, CARIBNOG and several more.
A good deal of international community engagement as well. This is focused on Internet governance participation. Obviously this is to foster relationships on a global scale which includes RIRs and other governance forums such as IGF. And participated in the Canadian, Caribbean and US Internet governance forums.
Recent service enhancements. As I mentioned earlier ARIN online has done a great deal of improvement. Things like resource transfer integration is now if there and online. It's got a very nice dashboard [audio skipping] so you can customise your view. We have something now available within the portal so you can do that online rather than using templates for the API. There is a new WHOIS guide available up at the URL below, and we have added a dedicated information page for law enforcement agencies. There's been inquiries about how to work with RIRs, there is a nice page on how they can interact with us to make their process more stream line. There are resource guides up for requests for v4 and v6 as there are a lot of new people that are coming in that are outside of the typical resource requester.
And dedicated registration services staff for fraudulent activity management. This is something we have had to do just simply for the large amount of incoming fraud.
This is a nice new slide for us, we have finally seen a tip in the scale where we're now more than 50% of all v4 resource holders have v6, so this is over the course of the years going from roughly 2080 to now a little over 50.
There are many policy proposals that are under discussion. Three recently implemented, this slide is a bit out of date because last week we finished up with a joint NANOG ARIN meeting, so many of these recommended to go forward have been discussed and managed by the Advisory Council and some will be dropped, some will be forwarded onto the board for ratification and a few are still in progress. Much of that can be seen on arin.net/policy/proposals.
As I mentioned, I just finished one up so our next meeting is going to be in New Orleans on April 2 through 5, this is a stand‑alone ARIN meeting, and then the topology one somebody will San Jose California in October as a joint NANOG ARIN meeting in the week October 3rd. Also, there is a fellowship programme available for ARIN, so if someone feels like they would be a good contribution to the process or like to join, they can apply at fellowship [at] arin [dot] net and ARIN will pay their flight and bring them in to participate with the programme.
And with that I open it to questions.
All right. Thank you very much for your time.
(Applause)
NICK HYRKA: Thank you, Aaron. I understand that we're having some camera issues, they are misbehaving so those of you who are following remotely, please be patient. Let's go to Latin America, and, with that, we welcome Laura Kaplán from LACNIC, the development cooperation manager, so Laura.
LAURA KAPLAN: Good morning everyone. My name is Laura Kaplán, I am the development and cooperation manager for LACNIC and I am going to share with you the update for the LACNIC region.
So, I'm going to update you about four aspects of LACNIC work. First of all, related to the excellence Internet number resource management, this chart shows the membership evolution throughout the last 15 years. As you can see, the average growth in the last three years has been around 1,000 members per year and we will close this year, 2016, with 6,100 members. All this growth is because, or you can explain this growth of the smaller medium end users agree as we are now at phase 2 of the exhaustion of IPv4 in which we can only assign bar 22 for ISPs or a bar 22 for end users.
In this chart, you can see how it looks, the projections on the second exhaustion phase. Today we have around 650,000 IPv4 addresses left, and according to the trend, we expect to hit the end between February or March 2017. And then we're going to start Phase 3, and there we will be able to assign IPv4 only to new members.
This is some information about the board of directors elections. Two vacancies were renewed last week. Elections closed and now the electoral commission is doing the process and the results are going to be public in November.
Well, LACNIC also dedicate a lot of work and resources to the training of security, stable and open continuously growing Internet. Among this I would like to emphasise the implementation of RPKI in Mexico. Also, the IXP promotion activities throughout the region. And the installation of a K‑root which is managed by RIPE. And the first AI in the region managed by NetNod. They are both in Montevideo. And also an L‑root installed in Bolivia, which is managed by ICANN.
Here we have the IPv6 network that shows that around 20% growth in the region. There are around 1070 announcing IPv6. Which ‑‑ sorry, which is the larger ‑‑ it is the larger than any other regions.
Building community. Working in Internet and stability in the region requires to develop technical capacities as well and LACNIC is very serious in that regard, allocating a good amount of energy into training initiatives. This year, 2128 members of the LACNIC community received personal training throughout 11 countries. This includes IPv6, RPKI security and special initiative,s with a capacity building programme especially made for professionals in IT.
Online training is also growing significantly. 2,008 different students from 24 countries chose LACNIC campus to take IPv6 courses. This is how it looks, the distribution from students for countries.
Also, I wanted to share our, some results about our FRIDA programme, this is originally found for digital innovation, and this year we had a record year in terms of volume. We received 551 proposals. The election process was highly competitive. And in the end, two projects were selected and a total of 235,000 dollars were distributed among them.
You can see more detailed information on each of these projects available in the FRIDA website.
Regarding the policy development process. Three proposals were discussed at the policy forum during LACNIC 26 in Costa Rica. Only one of them gets consensus, the one about critical infrastructure. And LAC 2016‑3 and 2016‑5 went back to the list for further discussion.
Well, there were a few presentations during this event about IANA transition, so I just wanted to mention that the LACNIC region has already selected three members that are going to show in the Review Committee. And these members are there on the slide. They are representing the community.
LACNIC is very engaged into quality and continuous improvement, so this year, this year, three core processes were certified in the new ISO 9001, with absence of no compliance, that is really a good indicator, and we have two processes, we always certify the registry management of number resource process and, this year, the policy development process and the events process were certified as well.
And in the end, I would like to share the results of the strategic planning 2017‑2020. LACNIC does this planning every three years. There were only a slight change in the vision and the mission. We emphasise some concepts strengthening and development and promoting the collaborative Internet model. And then in the mission, we include some specific mentions of the PDP, and also the transparency concept in our mission.
This is how the strategic plan looks like now. As you can see, our main objectives are at the top. And they are related to the members and community service. And then we have a process and infrastructure internal capital and financial stability that are a process that support the first one.
So. That's pretty much it. Thank you. If you have questions, I'd be happy to answer them.
(Applause)
NICK HYRKA: Thank you, Laura. And now we'll move onto the reports from the Number Resource Organisations, and, with that, I invite Paul Wilson, my favourite director general, from APNIC.
PAUL WILSON: Good morning. Thanks very much for being here at what they refer to as the red‑eye session of the RIPE meeting, first session after the dinner. I know why Nick and co schedule us here. It's obviously because we're the only people who can pull a crowd here, right, Nick!
So you couldn't stay away but thanks anyway.
So, I'm Paul Wilson, I am the secretary of the NRO ‑‑ sorry, the Treasurer of the NRO. I am here third in line to present this after Oscar, the Chair, and John, the Secretary. And they are not here, so here I am.
The NRO, the mission is to be the flagship and global leader for collaborative Internet number resource management as a central element of an open, stable and secure Internet.
That's the mission statement.
What we actually do is we serve as the coordinating body for the five RIRs. We were established as a lightweight unincorporated structure back in 2003, simply through an MoU amongst the five RIRs. The mission in more detail is to promote a coordinated Internet number registry system, to promote the multi‑stakeholder model of our policy development process, to coordinate and support joint RIR activities, to act as a focal point for those who want to input into the system, and to serve the role of the ICANN Address Supporting Organisation.
In 2016, we have this rotational system for office‑holders, so this year, Oscar, Chair, John, Secretary, and myself here before you as Treasurer. Alan and Axel, as the two remaining EC members, are relieved of format duties this year. That will rotate around next year. So the secretariat this year is ARIN. Next year it will be APNIC. The secretariat is supported by German Valdez as the executive secretary and we have a number of coordination groups that bring RIR staff together to talk about and to work on joint communications, engineering, registration services activities.
So, as Treasurer, I suppose I can talk to you about finances. The NRO is a lightweight body but we do have a few expenses so we pay our executive secretary, of course, that's a full‑time position. We also cover travel for him and for the share of the ASO AC. We have communications, coordination, outreach activities. We make a regular contribution of around 100,000 dollars to the Internet Governance Forum, and we also make what we call a voluntary contribution of currently 823,000 US dollars to ICANN.
That budget is funded by the RIRs. We have got a proportional formula which apportions responsibility for the budget according to the relative registration services, a revenue from each of the NRO members.
We also recently established a stability fund which really consists of pledges from the RIRs to a total of 2.1 million US dollars, and that's to ensure the reliable operation of the RIR system in case of any unforeseen circumstances that might affect any one of us.
Now, publications: We publish a regular Internet number status report which I think you have seen here this week. It's updated quarterly and it's available on the NRO website. We also publish a comparative policy overview, which is a global reference point for all of the RIR policies for anyone particularly who wants to look at how the policies compare, how a particular policy or like policy would compare across the regions, that's updated quarterly and it's recently been updated with new information on the membership policies access to delegation registration services at each of the RIRs. So both of those are a living document, and as they are updated quarterly I hope they are also improving on at least a quarterly basis as well.
Another more recent publication is in the area of RIR accountability where we have got a similar sort of matrix form which provides the global reference for all the different aspects of the governance for the RIRs, things like our by‑laws, policy development processes, dispute resolution processes, how we manage member information, budgets, activity planning and so on. That's also a comparative matrix where you can see in one place how each of the five RIRs address each of those different topics and that again is evolving. It's a new thing that is there to show and improve transparency in RIR governance and improved accessibility of that information. And it really came out of the fact that over the last couple of years there's been a lot of focus on ICANN's accountability and we felt that, in the same way, we can show an ongoing improvement in the accessibility of our accountability and governance information.
So there is a Q&A, an FAQ‑type document there on accountability and independent review currently underway across the RIRs to go on improving that information.
Now, a few words here about the IANA transition. So, there's a bit of a timeline that goes back to something called the Montevideo Statement in October 2013 and that came out of an ISTAR retreat where we got together with different Internet organisations, ICANN, IETF, ISOC, IAB, ccTLDs and the five RIRs and we decided at that time to issue a statement about the need actually for what we refer to as strengthening the community involvement in a bottom up multi‑stakeholder policy development process and in particular we called on the US Government to accelerate the process of bringing IANA and ICANN to independence, as had been planned for 15 years or so. I'm glad to say actually that it was the RIRs ourselves who instigated that statement. We did bring that idea to the meeting and the meeting produced the statement which has been said to have at least played some role in the NTIA announcement finally said they were ready to transition the IANA out of US Government oversight into a new multi‑stakeholder process.
So, you know, long story short. The IANA coordination group, the ICG, worked for a year‑and‑a‑half on producing a plan, the transition plan had a contribution from a group called the CRISP team, which was the combined RIR IANA stewardship planning team, and all that work went together into a transition plan which went to firstly to ICANN and then to the US Government in March 2016, and there was a whole process which you may have followed. It was sort of a nail‑biting event towards the end of September, when we had the culmination of US Senate hearings, we had US budget discussions, which could have put a stop to the IANA transition, we had a last‑minute court injunction against the transition, just two days before the deadline, and finally and surprisingly actually by that stage, the transition, the injunction was rejected, the transition actually did go ahead as planned on the 1st October. So, it kind of means we're on our own when it comes to looking after IANA with ICANN and that's what the whole thing was all about. So now we can look forward to a new post‑transition world.
Just in summary, that involves ICANN providing the IANA services for the foreseeable future under a service level agreement or a contractual arrangement for the provision of those services by ICANN to the RIRs. That's an agreement which can be renewed and can also be terminated in line with the interests of the community.
There is sort of a smaller issue of IANA intellectual property rights which have now been transferred to the IETF trust and licensed back to ICANN. And part of that transition process was improving ICANN accountability, as I mentioned before, and that's something that actually continues in what's called a second work stream of accountability for improvements to ICANN's accountability from this point onwards.
A bit more about the service level agreement. As I said, it's the contract of the provision of IANA services. It was ‑‑ the requirements of that agreement were provided by the community through the CRISP team and the CRISP process. We finally signed the contract, the SLA, in fact before the transition happened but in anticipation of the transition, we did that at ICANN 56 in Helsinki. Also as we have heard from a couple of RIR colleagues, the Review Committee under that, under that SLA, has been set up, and that's for the oversight of IANA's performance under the agreement, 15 members, three of them per RIR, a large intersection between that group and the Address Council actually but not exactly. And there's more about the Review Committee on the NRO website there.
The intellectual property rights another part of that transition process. That's, as I said, transferred over to the IETF trust under a set of agreements. There's one agreement, called the community agreement, which has the RIRs as signatories. We have a role in overseeing the proper use of the IANA intellectual properties. There's something called the CCG, the community coordination group. So again, we have members on that group as a result of this, well under this new structure. So, at this time, the NRO EC office holders, chair, secretary and treasurer, are serving on that community coordination group.
ICANN accountability. Nick is telling me to wrap it up and I'm about to. The ICANN accountability, as I said, it's been underway as a discussion up until the transition in something called Work stream 1. Work stream 2 is continuing and it's looking a bigger set of issues, such as diversity, human rights, jurisdiction, SO /AC accountability, staff accountability and others. There is an ongoing discussion and I think the whole point of ICANN is to be a living organism and to be evolving and so that evolution improvement of that accountability will go on.
Just before I finish, I want to thank very sincerely for their efforts towards the IANA transition the CRISP team members. There were 15 members, but in this region, Nurani was the co‑chair of the CRISP team. From RIPE Andrei and Paul Rendek, were your members of the CRISP team. We had ‑‑ the CCWG had five members from the RIR, so Athina served there. And the RIR legal team did a lot of work on the agreements, and by law revisions and all sorts of stuff and Athina was there as well. So those people served you, the RIPE community, very, very well and I think they all deserve a round of applause. I'm not sure who is in the room, but really, together with the RIR communities, I think, as you know by now, I think we have achieved something pretty important.
That's all. Thank you.
(Applause)
NICK HYRKA: Thank you, Paul. Next up for the NRO statistics, we have got Ingrid.
INGRID WIJTE: Good morning. I'll be presenting the NRO reports. It's a quarterly report that's produced by all the RIRs together. And this one is hot off the press, it's from the end of September.
To start off with the overview of the IPv4 address space. The RIRs together have received 130 /8s, which they are distributed to their members. Central registry, 91. That's the so‑called legacy space that was distributed before the Internet registry system. And 35 were preserved by the technical community for special purposes.
At this moment, AfriNIC still has 1.4 /8s in their inventory. When we look at the report exactly one year ago, AfriNIC had 2.4, so they are at about one /8 a year, so it's going quite fast. The RIPE NCC has almost one /8 left, despite we have reached our exhaustion moment. And this is partly due to address space that was received back from our members following closer or from the pool that IANA recovered and distributed on a regular term to the different RIRs.
When we look at the distribution over time, we can see the moments in time that every RIR has reached their moment of exhaustion. In 2011 we can see that IANA and APNIC reached their last address space in 2012 it was the turn of the RIPE NCC. And last year it was LACNIC and ARIN, and at this moment, it's AfriNIC that is still distributing most IPv4.
So these are the numbers. I see that the pie cuts are a bit jumbled up. The green part for RIPE NCC cannot be as small but the numbers are correct. So we'll work on this pie.
This is the total overview of assignments made by the RIRs, so about 16‑bit AS 32‑bit. RIPE NCC is still the RIR distributing most AS numbers of the five. But when we ‑‑ these are the numbers. When we look at the 4 byte ASN, it's quite interesting that the RIPE NCC is almost 50, 60% of the ASNs that were distributing, more 60, 70, is 4‑byte. White other RIRs are at 90% and some even a bit higher. We believe this is due to the fact that they have but one year ago, they have all started to issue 4 bytes by default, and we're looking into why those numbers in the RIPE region are slightly lower because we have been doing that for quite sometime already as well. So we're monitoring and we'll let you know what we find.
These are the over views again. Moving on to IPv6. Each RIR got one /12 to distribute to their members. You can see that the number of allocations issued per region is growing quite significantly. So that's a good sign. Again, the global overview.
And the IPv6 PI assignments. The view is similar. The RIPE NCC is quite, compared to the other regions, distributing less assignments than allocations. Probably due to the fact that the PI policy in this region is quite restrictive and at this moment they are ‑‑ a policy proposal started to make it less restrictive for organisations to receive PI. So we should be seeing a difference here when and if that policy proposal gets, reaches consensus.
And then finally, the percentage of members that have both IPv6 and IPv4. LACNIC region is doing quite well in this area, almost 90% of their members have both. Followed by RIPE NCC with 75%, and then we have ARIN with, who is now crossed the border of 50%, so the numbers are getting quite good.
All this data is published online on the NRO.net page, so if you are interested, to look at those, this is where they are.
And than I'll take questions if you have any.
NICK HYRKA: There is a question. Gert
GERT DÖRING: Hi. I'm curious. If you go back three slides to the percentage of members that have v6 already. This is an impressive number, and I noticed when I did statistics about how many percent of whatever has v6, that at some point, I need to be very careful about comparing, because the underlying assumption that everybody also has v4 starts to break. So I'm curious if you have members already that have only v6, and in that case, that slide is mathematically dangerous.
INGRID WIJTE: That's a good point. We do indeed have members that only have v6. And we are actually working on reviewing the full slide deck. So we will also be looking at this one maybe introducing a slightly adjusted or additional slide.
GERT DÖRING: Cool, I'm curious to see what the numbers will be.
INGRID WIJTE: We have an address space that mainly open their LIR account in order to get more IPv6 space, but that ‑‑ in relatively speaking the number is quite low.
NICK HYRKA: Before we move onto the next item I want to thank all of our RIR colleagues who travelled here this week, you have been great and thank you for sharing your knowledge with us all week.
Moving on, we have the NRO NC election results. With that, I have got Hans Petter for you.
HANS PETTER HOLEN: Thank you, Nick. We had an election for the NRO NC and we had three candidates and the electronic poll were closed at 10:30 this morning. The way we did this was to send out an invitation by e‑mail to all registered participants. 123 participants registered to vote. The results were Engor Piscini, two votes; Paolo Bellorini, five votes; and Filiz Yilmaz 68 votes. So that 75 votes cast out of the 123 registered. So Filiz, congratulations, three more years on the NRO NC.
(Applause)
Any questions?
SPEAKER: A few very nice lightning talks for you, to wake you up even more after all these night talks. And the topic of this small lightning talk session is abuse. First of that is Carlos.
CARLOS FRIACAS: So this is the title of my presentation. So let's start by explaining what is CSAM, CSAM stands for child sexual abuse material. It used to be a long the years, the terminology most used was child pornography, which was found to be negative to victims. So, here the work being done around this problem, the victims are what are the priority.
So, what is in hope? This is a collective of networks, is a collective a network of hot lines all around the world. This was an initiative that started in Europe, but it quickly spread out to all other regions. So this is about hot lines working together, and it's important to know how each hot line operates.
So, basically every hot line receives reports which the general public thinks it shouldn't be on the Internet, which are illegal content on the Internet, either be CSAM or another type of illegal material which is by definition something that varies a lot from each country's laws, so it's always subject to discussion. But, the hot lines are basically report sends, they perform an analysis according to their local laws, and then if the report is found to be accurate and valid, its content is forwarded to a platform of this association.
So, how is this ecosystem is operating? So each country receives each hot line in each country and there are also some countries which have more than one hot line, but each country evaluates and feeds all the reports which are considered that need some addressing into this global platform managed by in hope. And locally, what the hotline does is notifying the law enforcement agencies if the content is found to be local, and also it notifies the ISPs so that take down and as fast as possible.
So, this is the diagram for our INHOPE and the hotlines work.
About the outcome. It's also important to note that the hotlines don't really receive any feedback from authorities. They are just filtering the reports and after the evolution, they perform, they are handing out the filtered reports to authorities. Of course, there are a lot of success stories, but the details are rarely made public, and the hotlines themselves don't have any special insight about it.
But it's important to keep in mind that the first priority is to protect the victims.
A bit about our local contacts. We manage the hotline, we own the hotline for Portugal in the Iberian Peninsula, so we are just neighbours of Spain where we are. We have been doing this since 2007, so, almost ten years operating. The brand for our hotline is this, which stands for the hotline, and these are some numbers from last year, so we did receive more than 1700 reports from which we have evaluated from our specialists about 100 cases as potentially illegal. So these cases were ‑‑ those were forwarded to the law enforcement agencies, and generated also notices to ISPs.
So, this was a short awareness raising talk, so if you want to learn more about INHOPE, these are where to start. I am happy to take questions if this is the case.
CHAIR: Any questions for Carlos?
AUDIENCE SPEAKER: Robert Kisteleki, concerned citizen. Considering the illegality of what's happening out there, I would assume that the bad people are really wanting to hide and move to like hidden services. What can you do about such things?
CARLOS FRIACAS: Well, it's really not our mandate, so the hotline just receives reports and deals with it. Why did I think it was important to raise awareness here in this community? Well, it's because when the evaluation is performed accurate WHOIS data is very important, and all the information that can be gathered and sent together to authorities, and of course it's also important to contact the correct ISP. So it would be very strange for an ISP to get a take‑down request notice for some IP which doesn't belong to him. So...
ROBERT KISTELEKI: I fully agree that the correctness of registration data is important here, but when we look at services like Onion where you don't even know where the service is, that's difficult.
CARLOS FRIACAS: That's really one of the ‑‑ during the last year, that is really one of the biggest hurdles the hotlines are facing.
ROBERT KISTELEKI: Tell us how we can help.
CARLOS FRIACAS: Well, the hotlines in several countries are run by the telecom authorities, the regulator in some countries they are run by ISP associations. I'm aware that notably in Germany, Echo are the ISP association also runs a hotline, so in Ireland, that's also the same case. In other regions, there are organisations mostly related to child protection, there are organisations like Save the Children, so what I think is that awareness needs to be raised, so in future people from RIPE if people also started attending those INHOPE meetings, which almost occur with almost the same frequency as the RIPE meetings, and in fact it was curious because at this year the INHOPE meeting was in Copenhagen two weeks before the RIPE meeting. But I guess that it could ‑‑ that cooperation with this community should be enhanced.
CHAIR: Okay. Thank you very much. We are running a little bit late. But that shouldn't stop us from enjoying the next two lightning talks. First up is Leslie.
LESLIE CARR: Good morning. I am still amazed to see anyone else here in this room. So everyone's favourite speaker, Geoff Huston, is giving a lightning talk right after me about how we can try to mitigate future DNS DOS attacks so I figured I'd give everyone a little summary about what it if I remember a. But a little disclaimer: I am not an expert, I am not a security expert, I am not a security expert, I am someone who is super curious about what the heck is killing the Internet right now.
So, did anyone notice a little outage last week? An it's not DNS. There is no way it's DNS. It was DNS. I highly recommend everyone to go to Dyn's blog, and read a little more. For those of you who have about too focused on the meeting this week, there was a huge DDoS with about 100,000 infected Internet of things devices. And this DDoS was from some software called Mirai. Now, Internet of things devices are not necessarily the most secure items. Interestingly to note a lot of these passwords here, not only are these default passwords, they are not changeable. They are set in firmware for either support purposes or because the devices weren't well‑programmed. Plus, also, I mean let's be honest here, how many people when they get a random webcam even bother to really look and see and change. I see some hands out there, but do you think that all of your friends do? Of course not. No one does, I'm sure some people there. Very few people do. But people will plug it into their router.
So, this ‑‑ basically, does a huge I punish scan on Telnets and different locations on the Internet. Using Telnet on port 23 and 2323 and it also is a little more intelligent than just starting from 0000 to 255, 255, 255. It skips the blocks of internal IP addresses and the Department of Defence addresses I am guessing to try to take a little longer to be discovered.
And it uses multiple types of attacks. You might be thinking I'm going, I don't run DNS, I have got multiple providers. No. Look at all these. Straight up UDP floods, valves so you can kick off your opponents when you are playing a game. DNS. Number 8 was most interesting to me. Minecraft Server. Who wants to attack Minecraft Servers? I don't know. These are very mean people.
Another interesting thing about this virus is that it uses DNS load balancing, it's sort of a very load tech. So, when the controller is ‑‑ your box has been owned, the controller is started up, it uses actual host name and DNS lookup instead of a hard coded IP, and what the controllers are doing, they are using DNS A records with low TTLs and then changing the IP. So that means, they are using old‑fashioned form of DNS load balancing. That also means they are commanding control servers are more distributed which means that even if you kill one, you're not knocking out the whole botnet and they can go back to the same devices, reinfect them with the new host name.
And if you're not scared right now. This is freely available. I'm not talking on, you know, Tor Onion DarkNet; I'm talking Internet. Look at this. This person, Anna Senpai, it's hard to tell if they are the person who actually wrote this software or not, but they did make this post and released all of the source code. You may see they were saying that they were pulling about 380,000 bots, and now according to this person, they are only pulling 300,000 bots. This means that any one of us here, I'd say 95% of us here, could start a botnet attack right now and the other 5% needs to go to our rooms to grab our laptops.
So, there's some possibly the situation is better, this botnet tracker is only seeing over 166,000 bots. This was from last night. Of course, this botnet tracker just may be really bad at seeing them since Arbor claims that they saw, as of yesterday, about 400,000 infected devices. There is other little tiny possible bit of good news: Jonmy Technologies are one of the manufacturers of one of the many webcams who have this problem are issuing a recall, but then again, how many people will pay attention to all the recalls, and how many think that of all your of of your friends and family are going to look on the back of their cheap webcam to see if it's been recalled. So basically, you're next!
And please keep any mitigation questions 'til Geoff comes up to speak. He is trying to teach us all how to not sever from this next time, or suffer as badly.
CHAIR: There is one question.
AUDIENCE SPEAKER: Hello, my name is George. I have seen that news on the Internet. But everything that's said of the Chinese company, there are no trademarks showing what the products are that are defective or recalled, they are probably disguised under many trademarks or something like that. How widespread are they in Europe? Do you have any data on that?
LESLIE CARR: You can see there, there is a lot of these in Europe. It's possible if you look at the bottom, you know, in that little tiny, the little super tiny print, see the manufactured by, but it's pretty tough.
AUDIENCE SPEAKER: Good morning, Leslie, and it seems like it's time... I use a lot of ‑‑ Filippe from NETASSIST. I use a lot of hit regions in my work in jobs I do I usually make some... for some people, but what should I do? Usually I don't even forward ports on the open Internet. I use VPNs. I never infer never allowed access, open access to my devices. I use because I know that it's really ease to pull and anybody can do it with the proper skills finding passwords. The issue we have encountered here is that we can't make software mostly, manufacturers do, more reliable, we can force them to, don't use for definite passwords to gain vendors and devices and so on. It's nearly impossible. Maybe make some recommendations, that's what I want to ask. But it's a question for the next panel. Okay. Sorry.
LESLIE CARR: Yes, my big take away is just, be very afraid!
(Applause)
CHAIR: Yes, be very afraid, but don't worry, Geoff will tell us what to do.
GEOFF HUSTON: Good morning all. You know, the last time I spoke here, the spot lights were higher, the lights were dimmer, I couldn't see you, it was all really hard. I have asked them to leave the lights up. Hopefully, we can see everything.
When I first submitted this talk earlier this week, I was doing a fair deal of speculation about what this attack was about, and how you could mitigate it. But, actually, there's been more information coming out from Dyn and now it's less speculative because we kind of know what was going on and why, but now I suppose the issue is around how one would respond to this attack and what we can do about it are slightly clearer.
Thanks, Leslie. We're now understanding what's going on. It is this Marai source‑code. It uses a collection of compromised devices. It encompasses a lot of the history of attack. So, there is TCP SYN flooding, there is TCP ACK, where basically you two‑thirds of the three‑way handshake and you withhold the final ACK, leaving the other side with a hanging TCP connection status, which is subtly different to a SYN attack, same result. All the usual techniques. One of them tried to hit DNS against a victim. So only one. And also remember, it's not a reflection attack, it's not an amplification attack. It's the direct compromise device towards victim. But one of them was the DNS.
Now, DDoS attacks have been around for a very long time. There is nothing new about this. And, in fact, our response has been hideously crude, because all we do is build the wall bigger, every single time the wall gets bigger, now this has two outcomes. The bits that aren't defended by walls are now toxic wasteland, because nobody who isn't behind fortnightly [audio] /RES can withstand any kind of attack. So the toxic wasteland now glows in the dark. Secondly, building walls is now a professional activity done by a small number of folk, and if you are not buying their services, you are a victim. So, oddly enough, content is corralling behind bunkers, because that's what happens when the attackers start to attack. The walls get higher, not all of us can afford to build our own walls. A small number of folk do, they corral the content folk value. Oddly enough, the Internet changes shape as a result of these attacks and what's out there when you are not behind a bunker isn't worth living, you are so vulnerable.
But let's not worry too much about that, if you can. And let's just focus a little on the DNS. Because I found that part of the attack to be interesting insofar as the possibilities it opens up because you don't necessarily simply have to try building a bigger wall. So, by the look of it, this was an attack against an authoritative name server. Someone who is, if you will, the origin authority for that particular DNS name. So, the attack queries look perfectly normal, like every good attack, it's just normal traffic at a higher volume. So, saying let's corral our normal traffic, kind of shoots your own foot off. Let's blackhole the authoritative name server, other foot shot off. So all the usual kind of responses about let's try and remove this from the picture won't work because they are normal queries. And what's highly likely and if you look at the source code there are bits of clues around there, what you actually do is load it up with a random string followed by your target name. When you run Chrome, that's what it does. What's the difference? Only in volume. So, trying to filter out random name target, even if you could, won't exactly work if you could. It's what other folk do anyway. One of the things is this is normal traffic.
The victim. We are trying to take out the authoritative name server, right. But what goes on is if you are trying to take out the name as distinct from the name server, you have to hold the attack long enough for the recursive resolvers that normally [audio] to exhaust their cache. It's okay if an authoritative name server dies for a small amount of time, as long as the recursives are still holding it, most of the folk will see most of the names most of the time, but once recursives can't get back in touch with the authorities, the lights slowly go out and the name dims away, so it's a funny kind of attack and result. The reason you are taking out the authoritative won't shut the name down. It's when the recursives lose that name that the name becomes, if you will, unavailable again.
The first reaction is like banging the rocks together guys because you are really good at it is just go a bigger begun, in order add more foo, add more bandwidth, ad more CPU, make it more expensive to host a domain name. If you are like me, [audio] are you really willing to pay the large amount of money to put your name behind those fortress and firewalls? This is a tough kind of game and it shuts out the little man out of all of this. So more foo has its own consequences and we have been playing that game for what, 15, 20 years, how successful has it been? We know how to build bloody great walls but the attackers know how to build bloody great guns. You have no idea how big you need to get. This is an endless loop. You lose.
We could try making the recursives remember longer, which means the attack not has to overwhelm but overwhelm for extended amount of time. The recursives will remember long so the name will take a lot longer to fade out. The recursives are not all synced, [their] positions differ, so as soon as you tag the authority, one or two might lose it, but the rest will linger on in a slow decline, longer TTL, slower decline, but none of you like long TTLs because none of you like cementing the DNS in place so the other thing is recursive resolvers don't even like you saying that anyway. So it's a nice idea. Ain't going to work.
Tail chasing. Develop a filter for this attack. Great, next attack is different. Develop a filter for that attack. Next filter. There is no end to it. You don't win. Random patterns are infinitely variable. That ain't going to work either.
So there is no two questions that I have and there is two kinds of results and both of them interest interesting. One of them is, you say to the device, here is the IP address of the authoritative name server, go and ask it a question. So if I say that to a hundred thousand devices, a hundred thousand different things go and ask that authoritative address server a question. Why don't we filter those IP addresses? You go, well, that's crazy. No, it's not. Because, if you actually look at what you and I do, and I have, then all of your queries as users get passed through a remarkably small number of resolvers that ask authoritative name servers. 8,000 different IP addresses account for 90% of the world's user base. That's a really small number serving most of us. So, why don't we put those in a list of addresses we like. Now, we can do filtering. Because we filter the folk we like and put the rest in a lower priority queue. When there is no attack. You won't notice the difference. It's like QoS, when you spend all that money, you don't notice the difference but you feel good about it. This kind of stuff, when you have an attack, things will go different. Because if the attack is these devices directly asking you, they go on a low priority queue. You don't [audio] /KHRAG your authoritative name server, the recursives stay primed, the name is still available. That could kind of work and you go well, who else is doing this? Think about SMTP, sending mail and think about the friends and strangers lists and go, wow, they have been there before. We can do this. So, if the devices are asking the authoritatives directly, we have an answer, and maybe we should think about deploying it. They might not do that, they might just send the stuff through the recursive so it looks like every single other query. But hang on, there is one other answer. A few of you sign your zones with DNSSEC, there should be more. A few of you run recursive resolvers that actually do DNSSEC validation, there should be more. And a very small number of you, including Google, do a thing called DNSSEC NSEC agressivication. It's a mouthful, when you say that name doesn't exist, it tells you a range of names that do. Every single time you get random pattern inside that name, you don't need to ask the authoritative, you answer directly. All the recursives become your front‑end buffer against the attack and that means you have got a huge number of friends and allies. Now, I know I am dreaming and I none of you have will do this but think about it, if you want the DNS so survive maybe DNS and NSECation is your friend.
Piecemeal solutions like we do, building bigger walls, it's a joke, you are never going to win. We can think about these attacks in the protocols and infrastructure they use and actually apply those same techniques back to the defence. And quite frankly, we do have better ways of doing it in the DNS. We just need to talk to each other a bit more and find out to orchestrate signed zones, recursive resolvers and use tools like DNSSEC to arm our DNS to make it more resilient. Like the lion chasing its prey, you don't need to out run the lion any faster than the person beside you. All the DNS has to do is just be a little bit faster than the others, and at least in that path the DNS will work.
Thank you.
(Applause)
CHAIR: Thank you very much, Geoff. Unfortunately, we are running quite late and we need to finish here, we can't take any questions at this point. So, thanks a lot for the very interesting presentation. We can have a discussion in the hallway or maybe later on lunch on the mailing lists. And now I have to give over to the RIPE NCC General Meeting I guess. Thank you very much.
(Applause)
LIVE CAPTIONING BY
MARY McKEON, RMR, CRR, CBC
DUBLIN, IRELAND.