Archives
CLOSING PLENARY
20 November, 2015, at 11 a.m.:
LESLIE CARR: Good morning, everyone. Nice to see everyone whose hangover isn't too bad. We just have a few announcements before we hear Geoff Huston's awesome talk, the first is that peeringDB is currently having elections for its board until November 30th so if you sign up for the PDB/gov list and you are a member of the peering PDB community you are eligible to vote, sign up so and vote by November 30th.
The second is we have Shane is going to be coming up a sealed envelope with the Programme Committee election results.
(Applause)
SHANE KERR: So I am very excited, we are all very excited up here. The first name is Jette Jansen. You are welcome to the Programme Committee.
(Applause)
AUDIENCE SPEAKER: Thank you. I will do my best to make it even better than last time, it was awesome.
LESLIE CARR: And the second name elected to the Programme Committee, re‑elected is Mike Hughes.
(Applause)
And now, Geoff Huston, if you are here. We are going to hear your talk on today's mobile Internet.
GEOFF HUSTON: Morning, all, those who could make it. Surprisingly many of you. And wow, don't you feel that is really odd room? Somewhere out there. This is a talk quite unlike I think any of the other talks I have certainly heard in plenary this and week and I am going to try and make it as light on tell calm detail as I possibly can. It's not really a technical talk but a talk about the industry we live in, and work in, and the nature of change, and exactly what that means for all of us, and perhaps some views about where it's going and why.
So, why is this an important question today? When I look around, I kind of think that I am in some kind of weird soon to be archeology museum, because all you old farts have laptops, and I reckon if I come to the same meeting in five years' time, just you three over there, you know, will have laptops, and the rest of you will have got over this crap, because it just doesn't matter any more. Everyone is on these, everyone. Everyone else is actually fully embracing a world that is phenomenally mobile. Stats: Tracking from their perspective, the number of kind of desk‑toppie lappy old thingies with key boards, which is the blue line, right, the blue line, and this is the snuff your pocket and that is the sort of the paddish stuff, never really took off. But look at that, look that. Over the last couple of years, mobiles are now 40% of the Internet. 40%. And it's pretty clear that that is going that way and this is going that way. It's obvious. How much do these things cost to make? 50 bucks. So there is something quite fundamentally changing out there. And you kind of go, oh, well that is just numbers. But it's money, it's money. Because when you actually look at average revenue per user from the access industry, and multiply the returns per sector, you find that the mobility sector including sort of all kinds of cellular and so on, is now 75% of the money. 40% of the subscriptions, 75% of the money. We need to make a change to the technology because some crap laptop needs it, boring. I need some food to make this good better, absolutely, you can have it by tomorrow. If you look at the focus that that brings now, in 2014, 1.5 billion of these units were shipped, 1.5 billion. We think the Internet has around 10 million end devices. Last year in 2014, they pumped out 1.5 billion of these. This year's numbers are higher. Are higher.
The unit cost of the fab of these things is below 50 bucks a unit. Volume is everything. And these days, the higher the production cost, the off tape costs start to plummet, we are managing to put the entire technology here on a single chap, no wonder the cost goes all the way down, the front expensive crap is the most expensive part, plus the battery behind it. What about the software? Android has killed software cost, open software, free, dump Android in it, the entire cost of getting a product out is rewritten by Google. Content, bullshit, there is a web out there. So there is no content development cost, just leverage off the entire panoply of what the web is doing. All of a sudden, everyone is looking at these devices and no one gives a stuff about your laptop any more. Production is focusing on this and not that. So now as we look to 10 nanometres circuitry and seven and five, we don't care about the clock speed. What we care a huge amount about is the power and battery life so it's not to make it go faster, it's to make it go smaller and make the charge last longer.
Who is driving Samsung? Inside that quote there is basically saying, we will do whatever Apple wants. As a chip manufacturer says Samsung, whatever we want. Intel is now getting really worried because their ten nanometre chip is behind on schedule, the yields are still way too low and it's a serious problem. So what is in your laptop is now five years old and probably not a new dye coming for years. What is in this is going to change by next year. Because what is in this will be a 10 nanometres and probably last for, with luck, two whole days of battery, wouldn't that be nice. It will do more power longer and that is where the industry is absolutely focusing on, so these things are now driving the supply chain like crazy; nothing else matters to those folk.
So, who is playing? We are back to a two horse race. There is only two folk in them, and Nokia and Windows aren't one of those two, neither is blackberry, it's gone. Android: 87% of all smartphone shims in 2014 were Android. Produced by Google, right? Google made, I don't know, a few ‑‑ 97 billion dollars in profit or something. 98% of all the profit that Google made was from advertising, as far as I understand zero percent of all the profit that Google made was from Android. So think about this for one second. 87% of all the smart phones out there last year were supplied in their software by a company that doesn't care about whether it makes money or not from that product. Their motivation is interesting. Charitably, it's destructive. The real job was to disrupt. And the victim was obviously Microsoft. Because Microsoft's entrance into the mobile world with windows phone unmitigated disaster is the nicest way one could possibly say it. You know, Nokia, the former gum boot manufacturer from Sweden will find that footwear is the new tomorrow for them as well because this industry is offering them nothing. Google have shut them out completely, so quickly, they are dead, and finished and gone.
So, the only one left other than Android, which is pushing that into the tablets and the large screens but quite frankly, again, it's just disruptive, this is where the action is. The only competitor is Apple. Apple, the most valuable company on the planet, multiply share prices by number of shares, Apple rule the world. But Apple are weird. Apple are a luxury good. So they charge 1,000 bucks for whatever everyone else charges 50. Because this is affordable luxury and they market it up appropriately so they are the most valuable company on the planet with only 12% share of sales and they couldn't care. They don't want 20, they want to sell people who can afford their product. And that is almost sort of where they deliberately aim themselves. Revenues for Apple: 182 billion, these guys make money, they are there as part of their business. Google are there because they choose to be. Not because they have, not because there is money in it because for them there isn't, they are not making money. Google are there because we can, strange attitude.
So this kind of looks at those devices, this is the device over time, probably easier on your laptop, I am not sure it says anything more than what we knew already, in terms of the raw device makers, Apple with this kind of integrated product is the highest selling out of all of that, but Samsung is now one of the new providers who have sort of jumped into the Android style at the vice world and is making a lot of money out of that. HTC and a few of the others have lost pace so right now it's basically Samsung and the Koreans who are trying desperately hard and Sony Ericsson still exist somewhere, somehow, this year; probably gone by next year.
So, mobiles came in with a completely different package, and it was actually in Europe that they revolutionised this business. Because prior to the entry of GSM, every country was doing it differently and badly, there was PCS in the US, there was some strange CDMA stuff in Japan, there was all kinds of sort of little bits and pieces of mobile services in telephony and largely concentrated in international markets and had large style offerings. The GSM association was truly revolutionary, kind of the Internet revolution into mobiles because all of a sudden as an operator you could kind get the box labelled GSM, it was a business plan and marketing plan and roaming plan and a device plan, it was the entire box and dice, you didn't need to have a brain or a GSM operator, which for the industry, was actually really convenient because it kind of matched suppliers to supply. You could just open the box and it was all done for you, thank God.
GSM was revolutionary and it also included that magic thing called roaming because everyone was doing the same standard. So your handset could cross the border and kept on working. But that was then, and this is now. That was few kilobits and these days, it's not real unless it does a few MEGS, until it's 4G, until it really pulls down serious coms. Do we have GSM in 4G? Yeah, right. We just can't do it, can we? We just can't all stay together in the same room and live the same dream, we just can't.
The only thing common with all these 4G offerings is the name 4G. Everything else about it is different. Every single country has decided to address the spectrum issues differently, different bands are opening up in different countries, your handset may or may not roam in different countries these days. The operators have different service objectives, and even the incumbent versus challenger, with very few exceptions there are four mobile operators in most countries. Not five, and not three. Only four. All the rest are virtual and use someone else's offerings. So somehow, those four seem to drive an incumbent cartel and they have all the policies and practices of incipient monopolists. The prices are astronomical, roaming has required massive political intervention to get the prices down to something you and I can afford. And these days, everything is falling apart. There was a time, many, many years ago, where the telephone company designed the specs and suppliers put their own employees into the telephone companies to understand what to build. So if you have Phillips or Siemens, you have people working for the Dutch and German phone company and to make sure your product aligned to their specs. In the early days of mobiles the operator told the device manufacturers what they needed. This has all changed. The balance of power has changed. The folk who make these, Google, Apple, and Samsung, have very, very different objectives than, say, Deutsche Telekom, or any of the other wireless network operators. So we have all gone down different directions, there is no single 4G other than the name. It's all different.
So, what does this mean for the Internet? Well, the first thing is, the PC and laptop industry has no more say any more, Levono's day in the sun has gone, even the whole issue of Windows is long since yesterday. It's just finished, it has no pull any more; that is not where the action is. The action is in mobiles; it's the highest revenue sector and highest growth sector, it's where the money is and everybody knows it. And it was born and raised on NATs. From day one GSM was behind NAT walls. For these guys, it's not a post fix hack, it's where they were born, it's their DNA, and they loved it. They loved it for the control it gave, clear end‑to‑end was never in their genes. Intervention, proxies, assistance and tight control over what happens to their precious device. There was a bug years and years ago in SNMP. Ericsson handsets use that had code, their machines were incredibly vulnerable but they did nothing about it? Why? Because at the time you could never get an IP packet from the outside near this device. All the firewalls, proxies and every other crap made sure whatever stuff was on that phone you couldn't exploit it because it just wasn't visible. So their DNA is different to yours and mine. They weren't brought up on an Internet that even had the word end‑to‑end in it. These guys always were the middle boxers. They were the folk who populated the middle and made the middle the centre of their universe. The network was everything, the devices were just attached.
So, when you think of that genetic heritage and you think about v6, that is kind of getting an interesting line of thought. If the mobile industry doesn't do v6, it's not going to happen. That is simple. Because the mobile industry is the Internet. So, whether they do it or not, is v6 do it or not. Nothing anyone else can do will make any difference.
So, what is the story about v6 and mobiles? Like I said, there is no 4G as a single unifying technology, there is no v6 in mobiles as a single unifying technology.
There are a number of reasons for this, and one of them is this weird world we live in where capital is all of a sudden a different thing. Most airlines evidently, as it turns out, don't own their engines, they lease them from Rolls Royce or Pratt & Whitney, but they don't lease the engine, no, no, that is far too easy, they lease the service of propulsion in foot pounds, so the wider the throttle gets opened the more they pay. No wonder the bloody things go so slowly so cost because it'll cost them more if they use more thrust. When you are a 3G operator you don't buy it, that is so yesterday. You don't even lease the box, that is so yesterday. You lease channel minutes. The more connections you have open, the more you pay, when the connections aren't open you don't pay anything. What is dual stack? Two PPP sessions, hang on a second, I am paying per PPP session per minute, isn't that right? Yes, that's right. If I open up two I am paying you double, yes, that's right. Why should I open up two? So you find an awful lot of folk going, I can run v4 or I can run v6, what about both? No, you can't do that. Well, I can, but I have to pay double. Will customers pay they double? Of course not, don't be stupid. Some folk are still persisting in doing IPv4 and tunnels IPv6, tunnels are bad and don't work, particularly in mobiles. You can go the other way and T mobile in the US went the other way, and a few others, instead of doing v4, you do v6 everywhere, that is the future. The app folk aren't holding your hand, the app folk have still got v4 everywhere, the DNS has got v4 everywhere, it's a very, very v4 world. So what do you do if you are doing v6 only in the access, you have got to take it. And if you are Android and have very little control over the apps, you have got to make sure the apps still have a friendly v4, but you are mobiles, right, your mobiles, you have got that this thought that this isn't sign, what bullshit, this is a network device owned and operated by the network provider so this little module does the v6 to v4 translation as part of the network function because after all this is the network, it's not really fine, I have just got the use of it for a while, it's inhabiting my pocket, that is where you get the 464 XLAT model, I will hack more and more stuff into the network to fake it out. Or you do the Apple job, Apple kind of say, that sure, you can put applications on to our box if we let you. And quite frankly, we are rich enough that we don't care whether you get there or not, it's our rules. So when they say for iOS 9 unless your AP works on a v6 environment, it won't be in the AP store any more, they mean it. But I am the most valuable AP on the planet, right, look at kindle. You can't have kindle book buying on the AP in Apple because they want 20%. And Amazon said bit bit bit and Apple said I am richer than you, piss off. When Apple say have you known v6 they mean it, by having the AP run v6 and we don't care how much pain it costs because we are Apple and you are not, piss off. So that is the model advocated by Apple, they don't do 464 XLAT, maybe it's a good thought but that is sort of arrogance of Apple ‑‑
AUDIENCE SPEAKER: Geoff, I have never told you to piss off.
GEOFF HUSTON: Thank you.
(Applause)
I feel loved by Apple. And I am not sure whether that is a good thing or not. The other way, and I have heard Dutch telecom is doing this but someone can correct me, is either swallow the cost, you run dual stack all the way on the PPP sessions and do run two things all the way through. Horizon do had a in 4G and aren't using PPP contexts so the particular phone that only works on Verizon networks does dual stack but only works on their networks. Roaming, PA. So this is the kind of thing there is no v6 plot in mobiles. So where do we go from there? Because you would think there is a future that sort of one technology, this is going nowhere. It's just a bunch of ad hocs and ad hocry without any particular thematic consistency. What does that mean? We are all growing differently in different directions and different devices, there is different phones for different networks and different regularly regimes. This means that the business gets more complex and more costly, there is more cuss misation going on for each different operator. All this means dollars and all that means, nobody wins because you have to pay for it.
So, it's kind of fine to have all this wonderful diversity as long as you are willing to shell out the big bucks, but if not, this is a mess. There is no one wins from this fragmented kind of scenario.
Let's have a look at the only two that matter, iOS and Android because the rest are irrelevant. In IOS,
A. will this thing prefer v6? Well until iOS 9 the answer was no. It just said, look, whatever is out there, if it's dual stack I will throw up the coin and do one or the other. Browsers could do differently, the apps could do a choice, the phone itself was make making absolutely no selection. There was a bit of back pressure on the team inside Apple and you kind of see, though, what was going on very little v6 in there, we were measuring this back in August, we saw 1.2 million of these iOS devices pre 9, and of those 1.2 million we only saw 64,000 doing any v6 at all, 5%. And of those I must admit an astonishing 46,000 responded in using v6 in preference but, you know, it's hardly an overwhelming result. IOS 9 has changed things. You have got 25 milliseconds so it will start the timer and do the queries if v6 manages to get itself up within 25 milliseconds of v4, you are there. Chrome does 300 milliseconds, and you kind of wonder with Apple if they are not shaving it really tight but there you go. The big thing about these is you can never use them in T Mobile, it has no built in 464, Apple believe it's evil, they simply say go and use NAT 64 over in the DNS and the apps need to cope with v6 only, we are Apple, you can piss off, just do it this way..
Android, again oddly enough, no preference. Out there in device land where money matters, no preference. And that is interesting. Where money matters, there is no preference for 6. So, there is no public commitment to change this. Neither, you know, Eric and Lorenzo that you have seen or anyone else have made any commitment to change that basic rules. Browsers and apps can do their own things, but the underlying operator system, no particular commitment. And that is kind of right, the numbers are much the same, more Android than Apple out there, 3.3 million devices this August, 175,000 responded in 6, about 5%, still pretty low, 151,000 preferred v6 anyway, so good enough.
It has 464 XLAT, so i'ts heavily used but of course the big thing is and everyone bitches it does no DHCP in v6. Why not? Because it prefers the whole RA and PD. Why? Google's dreams are different. They are seriously are very, very different. This is not a handset. It's a personal hub for all the rest of the devices, it's the thing that attaches to my wrist and clothing and this and that. It has its own cloud of connectivity, it wants to be its own router and forwarder, the hub of another network and Google are going straight there by saying don't give me a single address, give me networks, make this the hub of another personal network. Google's dreams are much, much bigger. And they might well be right but right now it doesn't do DHCP v6. Maybe they are right.
But it's not just v6, these things are back to a different kind of device, because all of a sudden these things are multiple interfaces with multiple networks, cellular radio, and Wi‑Fi and Bluetooth and USB, everyone has all of these four interfaces. Most of the time we have been pretty lazy so far, it only ever has one active at any one time but you can do more. And it's actually becoming a bit of a battle ground because the thought is now, can we take advantage of this to use the best thing going, if Wi‑Fi is faster and cheaper use that, if Bluetooth is faster and cheaper, why can't I use both at once. That would be fascinating.
So all of a sudden the debate is going on thousand do multiple interfaces to optimise the experience for the customer. And the key word there and, it's all about live hand‑off. That means can I keep talking and change networks again and again and again and again? Go from cellular to Wi‑Fi, back into Bluetooth and keep on talking, keep the sessions running end‑to‑end. Which is a hell of a challenge. So, can you do that? Why is it important, though, is a question? Well, the issue is, that folk look at the carriers money and want a slice of it. If I can actually steel the carrier's money, if I am Comcast and I have got this massive network of Wi‑Fi base stations then maybe I can participate in the same economy as you. All of a sudden, the spectrum has competition, and the cellular provider is kneeling competition. So this question is a bill dollar question, into the slight question. Who controls when the device switches? Becomes a really interesting question. So here is the basic model of a machine, application OS, bunch of services below it. And we are all familiar with the way VPNs work, kind of tunnel through. What about Facebook, they are paranoid, don't trust the phone, don't trust anyone else, they don't trust, their application doesn't open TCP as you know it, it comes with its own application library, talks raw IP to its own data centres. It hides itself from the phone, it hides itself from Apple, because they probably think Apple are evil and they don't want to divulge their applications, and this is not unusual these days. What about Apple? They have just done multipath TCP on Siri, taking both Wi‑Fi and cellular at the same time, opening up multiple channels and using it. Who is in control of the switch? Not the carrier. Apple is. Apple is in control of where the money goes. The cellular operators would like to use Wi‑Fi but only as a PPP medium. Their wet dream is to move on to Wi‑Fi but keep on you paying cellular charges. So basically they make even more money, they are trying to inhabit the device, and ATT is well down this road, to its own PPP hand‑off into Wi‑Fi. Google have different ideas. Google‑fi is truly revolutionary. For 20 bucks a month unlimited roaming worldwide, they connect you with a VPN to the closest data centre and keep it running no matter what. This is one of the biggest impacts we are being to see in the mobile world because all of this says is that the gold mine that used to be mobility is now utility, there is no margin left, it's being eroded. And all of a sudden now no battle ground going on where the carriers are getting squeezed and paranoid, mutual trust issues are emerging, iOS 9 is now doing ad blocking; Google are evil is what it really means. So apps are turning on paranoia, Facebook's I trust nobody. What we want is simple: We love ads ‑‑ sorry we hate ads we love free services. You should love ads because that is what is paying for it. We want the free service but not the ad. We want streaming in multiple gigs and much more downloads and higher caps and pay less. It is putting pressure on the providers to go and deliver this. What they can't do is deliver it in exclusive use radio spectrum so they are starting to invade the unregulated space so they are trying to charge premium prices for using Wi‑Fi. And that is a conundrum because what is does the Regulator do? Open up more exclusive use spectrum or unregulated spectrum they don't get money from. Huge public policy issue. Right now what consumers want and exclusive spectrum want are at odds with each other. What do you do? Well, the cellular providers are going into Wi‑Fi big time and will continue to do so. Deutsche Telekom, Telstra, AT&T they are doing this, this is not unusual. At the same time the traditional wired folk are putting up pay stations to compete with spectrum, this is not unusual. The handset itself is trying to exert control of the handover. Google and Apple are trying to be in control and the applications like Facebook are trying to exercise control. This becomes a little bit of a mess, just a little bit. There is one loser: The cellular carrier is dying quickly. They are losing control and unless they get into utility volume economics they are not going to be alive any longer. It's get big or get out. They are getting big as the only way of avoiding or get pushed out. The OS platforms, the conflict is on. Google and Apple think they are winning, probably are, some of the most valuable companies on the planet and much more efficient as monetising me as a consumer than Deutsche Telekom will ever be. And these guys are coming along basically saying if I am going to stay in the mobile world I have to be in the Wi‑Fi world too. Interesting conundrum. If I was a regulator, what am I meant to do? Open up the 700 megahertz spectrum, sell it to spectrum for exclusive use. I am going to get money straight in the pocket but if I open up for Wi‑Fi will I get a richer economy, will I actually get more activity and more networking, drop prices, if I drop prices in coms, will folk use my network and be productive? Will this be a good thing for the economy if I open up more unregulated space? That is the current debate and it's a difficult kind of debate because mobility is certainly here to stay and we are starting to talk gigabits, whether it's 60 gigahertz in Wi‑Fi or doing the whole 5G ends up in in cellular radio, this isn't a killer bit game any more. This is trying to deliver massive services to this because those laptops are a piece of old historic shit. So, mobiles are just too good, we love them. Chips will get smaller, we will be down to 7 nanometres within two years, the power drain will get smaller, it might even last for two days without a recharge. Interestingly, the general purpose computer model is probably, this is the last incarnation, we are going to specialise our chips. How it will change is difficult but the clues are out there, these days the silicone industry is not making general purpose processing but quite particular packaging and selling you 30, 40, devices, Toyota 32 ‑‑ 172 boot operations, I wonder if it goes forward let alone stop using the brakes, 152 processors, Christ, I can never make that work either. This is dramatic change to our world and going to happen now over the next couple of years. Who emerges as winners? IBM was big 20 years ago. Right now, Google and Apple are big, they are very, very big. What happens in five years? Hard to say. Very, very hard to say. But I hope we are here to see it.
So that is all. Thank you very much.
(Applause)
SHANE KERR: Thank you, Geoff. That was very interesting. I am sure you will get a lot of comments in the hallway. I guess we do have time for maybe one question or comment.
DAVE WILSON: You are singing my song, Geoff. There was some chat in the RSCP when you were saying laptops are rubbish and mobile was a way forward and someone was saying that RFC doesn't work well in mobile and of course the problem there is persistent state in this world, connections are just crazy. And I look at IPv6 and I am going well what was IPv6 designed to do? It was to restore the end‑to‑end principle. Have we solved the wrong problem?
GEOFF HUSTON: That is a really good question, exactly what problem IPv6 solves and why. And there is certainly no doubt that in 1990, there was still 20 meg disc drives that were the size of a washing machine. It was a different world, and the requirements around end‑to‑end the semantics of addressing were different to today's mobile world. Addresses these days are a femoral rendezvous tokens, they are not end point identifiers, IMEI and not IP addresses, the battle between the soft SIM and hard, are SIMs virtual or real? IP addresses, no. Will the mobile industry embrace v6? I have no clear idea. They don't need to, and that is a really telling observation. They might choose to, but it's not a need, and that, I think, is part of this debate about where this industry depose. Because what mobiles do is where we all have to follow, thank you Apple, thank you Google. And thank you, Dave.
SHANE KERR: I think we are going to have to leave it there because we do have a couple of lightning talks that we would like to get to. Unless something really quick Daniel?
DANIEL KARRENBERG: No.
SHANE KERR: No. Thank you.
(Applause)
So yes, we have a couple of lightning talks, I would like to ask Ondrej Caletka to come up and going to be hearing a talk about a measurement of SMTP over TLS. Thank you.
ONDREJ CALETKA: From CESNET, the only one Ondrej that is not from CZ.NIC, just to show myself, how I look. And I will keep it really short, this is just a follow‑up to a presentation that was in closing plenary on last RIPE meeting about DANE 4 TLS. I actually deployed as well and did some measurement and so I will just like to present the results of this measurement, so just quick to get in the picture. This is the picture from Wikipedia, I understand how the e‑mails are sent now and what we are trying to solve here is actually this transmission between SMTP servers of organisation A to SMTP server of organisation B. The problem is that in the scenario anybody on the wire is actually able to read the e‑mails which are delivered in plain text which is probably not the best thing we should have, BCP 188 saying pervasive monitoring is an attack. What is currently running quite well is the opportunistic encryption where you just, the server announces start TLS, clients open, identity is checked, if there is broken ciphers are allowed and if there is anything goes wrong fall back to plain text. This is quite good, anything more sophisticated like man in the middle is really trivial to mitigate this kind of encryption. So what you can do, you can actually optin for security by storing a certificate, fingerprint and DNS record, you have top DNSSEC and not only this TLS record stores the fingerprint of your serve certificate, it also presents the state that you care for security and you don't want the other parties to deliver mail to you unencrypted. So this is the most interesting part of it.
It's actually already standardised in RFC, already ‑‑ working software for more than one year in currently, post fix, and there is also utility that comes with post fix called post TLS finger that you can use to check any domain name whether it has the DANE records so you can see untrusted in case of normal, opportunistic TSLA and verified in case of forced TLS using the DANE RR. So what have I made? I have just measured ‑‑ I was just curious whether if it's safe to enable validation of it. LSA records in our mail server, whether it's safe ‑‑ whether nothing breaks or only small things breaks so. I collected more than 4,000 domain names from our server so it's valid domain that are used by our employees, and I did some checks, so first thing is not that opportunistic, actually ‑‑ I mean, optimistic, sorry, only 21% of them are DNSSEC secured and this have to be strengthened that without DNSSEC there is no secure e‑mail delivery because without DNSSEC the MX records can be sent to other servers without anybody noticing anything. Yes, so the other picture shows actually support for the TLS on the mail servers and this is quite good only one‑third ‑‑ one‑fourth of serves still are the legacy ones that doesn't support TLS, all others somehow support it and 1%, about 50 serves or 50 domain names actually already have this TLSA record deployed so they are in this secure opt‑in mode.
I just out of curiosity, I have made a deeper look into what kind of certificates are deployed on these servers that supports start TLS so this is the graph showing that various certificates also quite advising for me was that actually most of the certificates deployed on SMTP servers are trusted certificate, the problem is that they are usually not made for the domain name of the domain that you are delivering mail to, so I have ‑‑ even though most of them are trusted it's still have no real feature of the trusting ‑‑ of the deploying trusted certificate, actually the same value as any self‑signed certificate.
So, for the end of this lightning talk, this is the Hall of Fame of this 50 domain names that already deploy TLSA records, I understand that this is quite biased, to check and economic environment so it's not (economic) certainly something like comparable to other ‑‑ to some global measures. OK, and this comes to my conclusions, I would like to ask everybody if you didn't ‑‑ haven't done that yet, to enable start TLS support on any servers, you can deploy self sign certificate, it's the ‑‑ it's OK completely, there is no problem with that. The thing is that you really should deploy DNSSEC for your mail domains because without DNSSEC the mail cannot be secure and once you have DNSSEC which is probably painful, the deploying of it. LSA records costs nothing more. After that you can check it on the site, DANE SIS 4 dot D E and I can say it's safe, you have seen in the graph that I have measured no domain that would be broken and that would not validate by using this TLSA validation, but still, it's good idea to check mail server for errors stating that somebody did something wrong because sometimes people just have this operational problems that they change certificates and don't change TSLA records but it can be solved quite quickly bay phone call or something like that. This is everything from me, if anybody has a question?
(Applause)
LESLIE CARR: Any questions? All right. Our next and final lightning talk presenter is Christian Scheele about forced firmware lock down.
CHRISTIAN SCHEELE: Hi, I am from Germany and I am mostly work as a context of DDWRT but also lots of open development. This is about wireless routers. So, what happened in the past, something like some days ago, even some years ago, is that the FCC/ETSI put it out some regulations that normally this kind of institutions should and this is what they tell, look for hardware, what hardware does, and the latest documents from FCC tell that there is no ‑‑ something bound together between hardware and software. With FCC they cleaned it up a little bit some days ago, but the ETSI stuff, which was ‑‑ is now already out and was done in 2014 by the European parliament, and is it becomes effective in 2016. So, the FCC right now only affects 5GHz unit but these are ‑‑ doesn't work without 5GHz. As far as we can tell now and I really brought up this lightning talk like from scratch in the last three days, is that the ETSI stuff is covering all frequencies. So, there are ways from Windows to lock down the frequencies and the power of devices that let's say software can just use it and use it as some kind of Ethernet device so everybody would be happy. The talks we had with Windows, even with most of the OpenSource departments of Windows, and the talks they had internally with the guys who talk to the ODMs, seem to be that practically, whatever is done here could lead to a complete firmware lock down on wireless devices, so that means it could, the future could be that you get whatever your vendor or your telco is giving you and you have no chance, for sure hopefully people will find chances to put OpenWrt on it or, if you like, DDWRT but I am not talking for that here, I am talking privately.
So, this is for just what the FCC is here, I put it in here. Don't start to read, download it and go to the links and see what they have done. And this stuff which the ETSI did. So the ETSI ‑‑ FCC is already set. ETSI is also set but has to go through the governments of all the European countries so we might see many, many different flavours of what the European parliament did here.
So, which devices are affected? Wi‑Fi access points, and smartphone, tablets, because even some or many smartphone tablets are able to put up an AP mode so if you want to place ‑ on your Android you might get into trouble in the future.
So here is just an incomplete list. What I personally see as a problem, and mostly this is why things like OpenWrt, DDWRT exist. Normally Windows are really lazy in providing security updates after a certain time, so if we can't replace the firmware on units any more then this will lead to a huge, huge bad units which can be affected by security attacks. The only option then you have is to thrash this unit.
So, here is just some examples of innovations that came through OpenSource firmware. The whole bufferbloat project was built and tested on OpenWrt and spread it out. Many IPv6 deployment rely in the back of OpenWrt and even the guys like the last talk, you had Stephen Bart talking all the problems with Linux and IPv6 and so all this should be put down to the thrash can. Open mesh networks, so if you ask a vendor for access point, be able to do client mode, then you might be happy if he does it but ask him for ad hoc networks, there is no way. And many, many more and I think we should discuss some things on this, so hopefully this doesn't happen. Thanks.
(Applause)
SHANE KERR: Thank you. So, I really appreciate this talk, I think within the Programme Committee we were pretty excited to ‑‑ we were excited to see it, and but we were a little concerned that there might be some controversy or some emotions, so as we are discussing this this morning in the little time we have, keep it excellent.
JAAP AKKERHUIS: NLnet Labs. You might have missed it but the FCC actually released a statement last week where they emphasised the they only met the IF part of the devices. All the other things are just ‑‑ they don't want to block that, they just want to block the IF devices, that is to prevent leakage when self build software transmitters into different bands where it's not ‑‑ where there are no licence for things like that. So that was the original motivation of this ruling, at least proposed ruling, so don't get your ‑‑ and we really look at the improved version of this statement. It was sent out last week
CHRISTIAN SCHEELE: That is exactly what I put on here.
JAAP AKKERHUIS: That is what people have to ‑‑ that actually makes kind of sense what just to leave at IFCs.
CHRISTIAN SCHEELE: I am using the last, so something like five days ago version of FCC document, and for sure it was changed, there was things removed, and block cleared it up but what they have written down in the FCC document could be still lead to this big problem, I am pointing on. And the European parliament already decided something in 2014 as you can read here and this is really, really ‑‑ from my perspective it's more bad.
SHANE KERR: Jan was next. I am going to close microphone because this is a lightning talk.
JAN ZORZ: So, if I understand this correctly, if you want to ‑‑ if this comes into place, if you want to be able for people to install DDWRT or OpenWrt or anything else.
CHRISTIAN SCHEELE: Whatever they want.
JAN ZORZ: You will have to go through some sort of certification for the wireless, through some agencies.
CHRISTIAN SCHEELE: If the hardware Windows for wireless don't react in they make sure that the wireless settings can't be changed then as I said, this could be to lead to the situation that hardware and software, even any update, need to go through a certification process, yes.
JAN ZORZ: Does that mean if you push out the version and a week later it's discovered there is a major security flaw and you are not able to push in the patches in like few hours but you need to go again through the certification for the wireless, for the next version that would patch a security flaw, is that the case?
CHRISTIAN SCHEELE: Mostly, I think they left some space for that if you can prove as a vendor that you don't touch the wireless interface at all, then you could bring out security things really, really fast. For sure, if it affects the wireless driver and you may need to make a change to the wireless driver, then it could take time until this security update comes out, yes.
JAN ZORZ: So this is broken by default?
CHRISTIAN SCHEELE: Yes, that is why I am standing here.
SHANE KERR: So, Martin, please be brief.
MARTIN WINTER: Just a comment about oh, it may be just RF path is locked down, we were involved on doing some home networks and we actually, for the IETF part of the standard, and we had very hard time to find like actually drivers which were open enough because some requires to change cost of a links in protocols based on wireless metrics, how well the connections is, and stuff like that to put into the wireless driver path was only possible based on the OpenSource. So, a change like that would really like changes double up on new standards.
CHRISTIAN SCHEELE: It would kill innovation on the wireless driver path, exactly.
SHANE KERR: All right, thank you.
(Applause)
So, I think this ends the part of the session controlled by the PC. So we will be handing it over to the RIPE NCC.
RAZVAN OPREA: Don't worry this will be the only Romanian I will speak. Good morning, everyone. This especially for those who are new to this meeting, this is RIPE 71 technical report, you know the presentation in which we discuss about the services, the technical services that we provided, about the problems we encountered, lessons learned, in which we acknowledge the team that made all this possible and most importantly in which we ask for your feedback for future meetings.
First about the network, our local host Interlan provided us with two different fibres, one active and one backup. You can see in the picture Menno and Colin doing some high level troubleshooting over there. We did not have any major issues or any issues that we could report on. It was stable, it worked nicely and we didn't even have to use the backup links, so well done Interlan.
Wi‑Fi.
We deployed roughly 45 access points in the venue, if you don't see very clearly where those are located, please don't worry, you can download this presentation and can look at more closely but it resembles the set‑up we have done for the past few meetings. We had four SSIDs available. The RIPE MTG which is 5GHz, the 2.4 and for the first time we took out of the experimental the NAT 64 and NAT 642.4GHz. It was about time.
We heard very clearly what the IPv6 Working Group has said. We have all been in there. And we will look at the ways to make this fully support in the future, this NAT 64. We are going to look at several other steps in which to bring it in line with what a regular SID is, like the RIPE MTG and we will work together with the community on that.
In terms of Wi‑Fi issues, well, the first one is probably a funny one now when we look back but was very, very confusing in the set‑up weekend. Basically on the Aerohive when you set the country code to Romania, the 5GHz network disappears completely, the radio just switches off. And after lot of trial and error ‑‑ I can laugh now ‑‑ but back then at the weekend it was puzzling ‑‑ well, in the end we just switched them back to the Netherlands and things just continued working as they used to be.
(Applause)
You have seen that we have an IT support help desk where you can come and ask us questions about Wi‑Fi, about the technical set‑up, you can come and chat to us, and we did have some of you that came with various Wi‑Fi connectivity issues, and some of them were returning customers and we tried to help as many of you as possible. We did our best. It's just I would like very much to ask all of you now, with a show of hands, how many of you actually had a good Wi‑Fi experience that enabled to you do your work, to do everything that you wanted to do, without being, I don't know, be left out and off‑line. Show of hands. Thank you very much. I appreciate it. Thank you.
Everything else in terms of technical services but the Wi‑Fi and the network but they are still very important items, we had the registration desk manned by the staff together with Interlan staff, it was a nice cooperation. We had the terminal room, still called like that, in which we had a network printer and a couple of laptops. Basically, that is the last resort in case something happened to your mobile device, to your laptop, you go there. You can also check your presentation there. If you don't know how your presentation is going to look like on these systems, please go to the terminal room, try it out over there, see how it goes and then you know exactly it's working. And you have some patches in case the Wi‑Fi really, really plays issues for you.
Network services DHCP, DHCPv6, caching only resolver, the IRC server, IT help desk which I told you about, and I am going to say just one more time: We appreciate very much when you come to the IT help desk, we are there, we are there for you, please come for questions, comments, feedback, we take every single one of them seriously, so just use them when you see them standing there.
And yeah, 100s of metres of tape, patches and so on.
The presentations system, we tried to do seamless presentations as much as possible. We support keynote, that is sometimes a pain because Apple updates keynote and there are compatibility issues between previous versions and new versions of keynote and we don't know what kind of keynote you are going to have so we try our best. PowerPoint, open document format and PDF, we try to support remote presentations using Skype, but you have seen, those of you who were here this morning in which we tried the Skype session, it didn't go out very well, it ‑‑ it didn't go very well. It's like a relationship, you know, it needs both sides to work properly. And the moment this is not in a way, guaranteed, then it can actually affect the other presentations that are being scheduled on the time slot. So we are looking for feedback from you on what should we do next, should we continue with Skype on a best effort? Should we switch to something else? Should we require that those who are not present physically here should submit their presentations in advance in a video‑recorded format that we know is going to work? So if you have ideas, if you have feedback, we will listen.
Of course, for those who want to have interactive presentations, we support to use your own laptop. Yes, please.
AUDIENCE SPEAKER: Erik Bais. To give an answer on the remote participation using Skype, typically there is one or two per RIPE meeting. As a suggestion, there are small video‑conferencing units that you can use like feeder stream, live stream, that kind of units that basically could be shipped to the other side, and you can do actual feeder conferencing into the conference room here. There are specific tools that you can use for that. I will be more than happy some experience that we have and basically, you know, it's a small investment and basically you just ship the things around, it's easier than having crate of whiskey to ship around. So just saying...
RAZVAN OPREA: I understand completely. Thank you very much for the suggestion. Wouldn't it depend on the connectivity quality, connection quality on the other side as well?
AUDIENCE SPEAKER: Obviously, there is connectivity required, yes. But without connectivity on the other side there is no uploading of data or video or whatever, anyway.
RAZVAN OPREA: Got it.
AUDIENCE SPEAKER: Blake: Just speaking for my own self. May I also maybe postulate that the Skype thing didn't work so well because they embex the IPv4 address into their protocol stack and it doesn't support IPv6 at all.
RAZVAN OPREA: Indeed. Please talk to us off‑line, if you have other suggestions or any other ideas, write to us.
Webcast, we are HTML 5 and still use flash but only as a fall‑back as opposed to previous meetings when Flash was the one to be used. It did go all right, except for a few hiccups on Monday which were outside of our control.
And yes, we have some statistics on the total network traffic. This is the ‑‑ you won't be able to read this positively, but again you can download the slides. We had over 120 megabit download and then we had something like 20 upload. This is on the RIPE MTG SID and this is the NAT 64. These are being reversed so basically, what you have is a download, is the bottom graph.
Concurrent Wi‑Fi clients: You can see the weekend in which we set up things and as the Wi‑Fi was going stronger and as some of you were already arriving and making use of it. We had also some tutorials and the hackathon, so that you can see it as well. You see the lunch breaks, you see a dip on Wednesday night as well ‑‑ well, not a dip but a little increase, that could be ‑‑ could mean something. And if you are looking at concurrent clients over time, we had close to 600 and we saw something like over 1,000 unique devices associating with our network.
The technical team, these are the stenographery, Mary Aoife and R J.
(Applause)
STENOGRAPHER: KEEP CLAPPING!!!!!!!
That's ‑‑ Anna is missing from this picture unfortunately, will make up the next time, there is a reason I stay stenographery and a picture and nothing else, it's one big major thing going on. If you remember Ronan who used to work with us, promised to have lightning talk actually explaining little bit of how this works but unfortunately, Ronan does not work with Doyle Court Reporters and, this will fall on RJ's back, I believe.
The web services everything that has to do with upload the presentations, everything that has to do with the plug‑ins, where you have the web streaming, the RIPE 71 website, it's the web service's team represented by Meikle in a and Marita, the Ops team, Brian, Colin, David, Menno, myself and our e‑mail address Ops team where you can send suggestions, ideas and criticism, of course. And now if you have any other questions, please come to the mic.
JIM REID: Not a question, just to say Razvan, you and your guys did a fantastic job at this meeting, thanks
(Applause)
HANS PETTER HOLEN: So, thank you very much and I would also like to add to the thanks to the technical team. I mean, this meeting is definitely the best one that I am going to, so keep up the good work. If I am lucky there should be some slides for me here from ‑‑ this is the interesting part, I haven't seen the slides in the final version, right. Thank you.
So this is the closing plenary. We have had 526 attendees this time. So that is really great.
(Applause)
Unfortunately, it's not a new record, so we have to work on that for next time. It's really good to see that almost a third of you are actually newcomers, so we have a healthy recruitment to the community. We have attendees from 52 countries and I am not sure if you can actually read the figures in the middle there but I think actually at least one of the European countries are bigger than the US this time, so US is not the biggest country in our region any more.
(Applause)
But it actually means that we are popular with the people outside the region, and I think that's really great.
By organisation, we are not entirely commercial, as you can see here; there are also, associations, education, government and of course, a bunch from the other RIRs. We had a selection here this morning from the Number Council. Anybody interested in the result? We had some 60 votes, I think, and declared winner is Nurani.
(Applause)
And I guess you all know her from the CRISP team, she got 36 votes over Sander who got 16 and Dimitri who got nine so it was a clear decision from the community. So the Number Council now consists of Nurani, who is going to be there for three years, Filiz, who is going to be there for the one more year and Wilfried is still there for two years. So if you wonder who this Number Council people are and what they do you can talk to them at the lunch.
There was an e‑mail to the RIPE list some weeks before the meeting, regarding the new review committee that comes up in the IANA transition, so the review committee is there to give the NRO EC advice on the IANA performance. Now, the work IANA does for the RIRs is maybe an allocation a month, and with the no more v4 addresses left, there will be even less than that. So the workload on the Review Committee is not going to be very high. And I mean, they are going just to review these things once a year or something like that. So the proposal that was posted to the list that got great support was actually to use the members from the ‑‑ from the Numbers Council that you ‑‑ the two ones that are selected by you, together with one staff. So if you go back here, you see that Nurani and Filiz has been selected by the community, while Wilfried has been appointed by the board so on the Review Committee there will abmember of staff appointed instead of Wilfried so that will be the Review Committee.
So, I trust we are all fine with that? Good.
So, talking about the IANA transition and the CRISP team, I would like to extend my great thanks to Nurani, Andre and Paul for their work on the CRISP team. They are almost done, as we heard earlier this week, there is still some intellectual property thing to be dealt with so that is the IP thing that they talk about at ICANN meetings, when I go there and say I am dealing with IP, they say oh, intellectual property, but usually we think about something else when we talk about that. This is the IANA intellectual property and domain names, that is sort of open there. They had great support from Chris and Athina, and Athina has also done a great job on this CCWG on accountability, and I would also like to thank Daniel for the work you have done on the ICG. So a big applause to all of them.
(Applause)
So, what did you think of this meeting? Instead of all of you running to the microphone, you can go to this URL and give feedback. We really value your feedback. It's taken into account when the staff plans for the next meeting and when I discuss with the staff and with the Working Group chair and the PC, this feedback is very important for us.
This meeting would not have happened without the host, Interlan, so thank you very much Interlan.
(Applause)
And the sponsors, of course, for the socials, the coffee and so on.
(Applause)
This is just to check that you take the cue, right?
Then I would like to thank the Programme Committee. These are the guys and girls that has put together this programme this time, so if you could all come up. I just want to say that the Programme Committee is doing tremendous job by doing outreach to get the presentations that you see. They luckily have a large selection of presentations so they can actually choose from and get the best one and they are not just passively sitting there selecting, they are also giving feedback to the presenters in order to improve this, to create this great programme. So thank you very much.
(Applause)
Next time the Programme Committee will be slightly different, as, you know, so the election results was already presented here earlier on, so Jelte and Mike Hughes will be returning.
There has been a change in Working Group Chairs. Peter, are you around still? Peter has left. He is here. Come up. Oh, yes. I mean, Peter has tried to hide away, he has been here for ten years as Working Group Chairs ‑‑ 12 years ‑‑ and been here for 17 years.
(Applause)
A small token of our appreciation.
PETER KOCH: It's not small. Thank you very much.
(Applause)
HANS PETTER HOLEN: And of course, thank you to all the other Working Group Chairs who have done a great job in putting together all the Working Groups and not only at the meeting but also chairing the Working Group between the meetings. And again, thank you to the stenographers.
(Applause)
And last but not least, this meeting would not have happened at all without the excellent great, superb, RIPE NCC staff.
(Applause)
And then there is also a big change in arranging these meetings, so I have been told to say thank you to Gergana because she is moving on so who is ‑‑
NICK HYRKA: Right here.
(Applause)
HANS PETTER HOLEN: Thank you very much, and I have been told you are not moving that far away. We will see you back in the external relations team so she will still be with us.
We have come to the end of this ‑‑ oh ‑‑ this happens again and again.
(Secret Working Group)
HANS PETTER HOLEN: Thank you very much, whoever you are. And next meeting is, as they said, in Copenhagen, so it's almost Norway, and safe travels home. Thank you.
(Applause)
