“If we were to redesign the Internet, it would need greater privacy and security”

31/05/2017


He spent a few months living in Montevideo and collaborating with the LACNIC team. Daniel Karrenberg, one of Europe’s Internet pioneers and founders of RIPE, takes a seat and prepares to share his experience in the region while drinking mate, a tea-like infusion typical of this part of the Southern Cone.

Our lengthy chat covers IPv4 exhaustion, the promotion of IPv6 deployment, the community’s commitment to maintaining a quality IP address registry, and even the new role of Regional Registries.

Our interview with this German national born in Düsseldorf 58 years ago and currently residing in Holland invites optimism regarding the future of the Internet.

Q: What can you say about how the LACNIC region is transitioning from IPv4 to IPv6?

A: We actually looked at that from the research point of view, and collected some data. It’s quite interesting to see that many ISPs in the region actually announced IPv6 prefixes, so from the rest of the Internet they can be reached by IPv6.

When you look at the figures and compare the five regions, actually the LACNIC region has the highest percentage of autonomous systems that can be reached by IPv6 in the whole world. But that of course is only one half of the story, the part of the story towards the rest of the Internet. If you look at the other half of the story using data like Google collects or Geoff Huston from APNIC collects, we see there is very little IPv6 traffic actually originated in the region. So the ISPs are accepting IPv6 connectivity from the rest of the Internet but towards their customers they are not doing very much. That’s the way it looks like. And that is also not very surprising, because even in our region there are some countries where it is exactly the same. So it is mostly a business decision whether an ISP wants to make the investment to actually roll it out towards their customers, and the decision can have a number of reasons. For the content providers the main reason is to make their content universally available, like Google does. Google pushes IPv6 because they don’t want to have NATs in the way between their users and their content, because that provides ISPs with the possibility to do things to that traffic. So their interest is to have IPv6 in order to avoid those difficulties.

There are other ISPs where the end users are, we often call them ‘eyeball’ ISPs. These deploy IPv6 because of technical reasons. One clear example is Comcast in the United States. They just said “ok we will deploy a new customer premises equipment and it’s technically easier for us to deploy this as an IPv6, and we will provide an IPv4 address on top of IPv6”. That’s a huge deployment, just for technical reasons.

There are other business reasons. For instance, I have two ISPs at my home in the Netherlands, one is the cable company, which still doesn’t have IPv6, and the other is an ISP called “XS4ALL”, that in order to preserve their image as being leading in the technical sense, they said “OK, we have to have IPv6”, and they were actually the first IPv6 ISP in the Netherlands who had a widespread deployment. So there are various reasons for ISPs to do this, and there is very little, in my experience, that the regional registries like LACNIC can do. What we can do is capacity building, we can tell them how it works, we can do roadshows and say “this is how you do it”. We can make it very easy for ISPs to obtain IPv6 address space, but beyond that it becomes a business decision of the company and you can make it easy for them but you can’t make the decisions for them.

Q: What needs to happen for a company’s CEO to decide to move to IPv6?

A: It is very individual, as I said. Comcast did it because it was easier technically for them, it was cheaper for them to do it that way, and they had a long term vision and basically said “if we make the investment now it will be on the cost side better for us”. In the case of XS4ALL, they want to have the image towards their customers that “we are the leading ISP, so if you are a nerd, a technically ambitious customer, you should choose us and not the other guy”. Also I see two pressures that are going on. One is scarcity of IPv4. It’s all about the scarcity of IPv4 addresses, because I still don’t see much benefit for the end user whether they use IPv4 or IPv6, they normally don’t see the difference. So it’s all driven by the scarcity of IPv4 addresses. And there are two ways to look at that. One is, in the Comcast example, that at some point the decision makers in the company will see there’s no growth path, you cannot grow anymore with IPv4. We can maybe trade or buy some IPv4 addresses from the broker, but it doesn’t scale up to the scale that we want and then they will make a decision and say “ok now we have to bite the bullet”.

So that’s more a strategic vision, and the other is a purely tactical vision, where the manager will just see it is just too expensive to obtain more IPv4 addresses, so we’ll just go for the cheaper solution. Of course, I would always argue for the strategic view, but you know how companies work, sometimes their horizon is three months, so… it’s just life.

Q: What do you think happens when a regional registry reaches a stage where it only has IPv6 resources to allocate and manage?

A: First of all, it will take a long time before that happens. All the regional registries make policies to still give little IPv4 to new members, so it will last for a long time. The second thing is that there’s going to be a paradigm shift, a shift of how regional registries see themselves. I see it already happening in RIPE, I see it happening in APNIC, I certainly see it happening in ARIN. In the past we were mainly concerned about fair distribution of IPv4, because we knew IPv4 was limited, so we needed to make policies for fair distribution and no waste. And whether we admitted it or not, that was the main focus, it’s what we did. The shift goes towards having a good quality registry. So rather than distribution the emphasis will be on high quality registry. We’ve already seen that in the RIPE NCC for a number of years, and the community also has made policies to reinforce that, to enhance the responsibilities of the members to have the correct information in the registry. And I think it’s in the area of ten years now, that we do what we call audits. When we suspect that the information is not correct, we go back to the member and say “can you confirm that this is correct? Can you update it?”. And in the last four years or something, we’ve changed the name to a more politically correct name, I think it’s now called “assisted registry check”. “Audit” was a little bit like “we audit you” kind of thing, when that’s not the intention. The intention is to help members to have the registry information correct. It is a structured process that gets more and more initiative from the registry the less and less responsive the member is. So if they react very quickly and do stuff it’s very easy, if we cannot reach them in the first place it becomes very difficult.

Q: This requires a commitment on the part of the members of the registry, who must provide reliable information.

A: It’s all in the policies, the policies say they have to put correct information in, and if they don’t, we go after them. And in the extreme case, it means we will close them and take the resources back. But that’s the extreme case, it usually doesn’t come to that. I don’t know any statistics about that from memory, it is mostly public. If you go to the RIPE NCC website, and you go to “assisted registry check”, there are actually reports on how many we do and all that. You asked about what’s the future of regional registries, and I think it is in that area: it is to make sure that we know who uses what address space, and that we have a good registry that can be used by the membership itself for coordination purposes, but also by external parties such as law enforcement and so on. It’s really my personal opinion that a regional registry has no reason for being if it doesn’t have a good registry.

Q: In order to have a better registry in the future, in addition to conducting these assisted registry checks, what other things do you think can be done?

A: That depends on what the community wants. The RIPE NCC didn’t start as a regional registry, we started as a secretariat for RIPE. RIPE needed to do some things that you can’t do with volunteers anymore, like filling questions at the time when the internet was new, and running a database for operational coordination. And RIPE then said “if we can’t do it with volunteers we will have to have a secretariat”. And the mission of that secretariat was to do anything that the ISPs (at the time we said “Internet organizations”) have to organize between themselves in a neutral and competent place. I think that mission is still valid, at least for the RIPE NCC, we do anything that the membership – mostly Internet service providers and other big users of the Internet in our service region – want to organize together.

And of course the biggest activity is now the registry, but we also do other things that you already mentioned: capacity building in IPv6, looking after the interests of the membership in the Internet governance processes, defending the self-regulation model that we are doing towards governments. In the case of the NCC it’s also important research and science, not so much “pure” science, but we collect a lot of data about the Internet. We have RIPE Atlas, which does active measurement, and that I would like to see much more deployed in Latin America and the Caribbean. It is the biggest such network that exists, and it’s quite useful in finding the data to make policies. And we have RIPE Stat, which is basically a big collection of anything you ever wanted to know about any IP address or an autonomous system number. And that’s something our community recognizes as a common activity, and they are quite happy that we do it and to fund it.

Then of course we organize the RIPE meetings which is something the community appreciates as a way to get together and to discuss basically anything.

Q: What new technologies might eventually take the place of the Internet? To put it somehow, if something new were to come up, will there be an Internet One and an Internet Two?

A: If I had to set priorities for the next version of the Internet, definitely security and privacy would be the main drivers. The architecture of Internet was created by researchers who wanted to collaborate in an environment that was collaborative, not adversary, in a time when information security wasn’t really much of an issue. So if we would redesign the basic networking part it would need to have more privacy and security: privacy in the first instance, and security in the second instance. And I think those two would be the drivers, because the internet permeates society, the economy and everything. It’s still the best thing we have for a resilient infrastructure, because it is distributed and there is very little centralization, and centralization is actually diminishing. It’s robust in that sense because there’s no central thing that can be attacked, that brings down the whole network. But still, it’s quite fragile. We see a lot of malevolent and bad actors that can do bad things, so we need a new architecture that makes that less and less likely.

I am not sure how and when that will happen. There’s a lot of academic concepts, but I don’t see one at this point that is going to make it to full deployment. I am willing to be surprised. So that’s going to be the main thing for the next Internet. In terms of what will happen to the current Internet, the current fashionable thing is Internet of things. I happen to be an electronics nerd; my home is fairly well automated. But all the ‘things’ in the house are not connected directly to the Internet in any sense. The security of all this stuff is very bad, anybody who has my knowledge could park his car outside my house and with a little radio could turn on and off lights and change other things, if they really wanted to. That is why our door locks are not automated. Once all that becomes more and more networked I see interesting new problems popping up. But I don’t really believe in the vision where every light bulb is going to be equivalent to an internet host.

Q: What can you tell us about your experience visiting LACNIC?

A: I really enjoyed my visit here, the whole house has a very good feeling about it. It’s almost like the feeling that RIPE NCC had ten years ago. Now we are more than 100 people, and that changes the nature. But here everybody knows each other, is relaxed. Personal relations are important and the general vibe is good. I really enjoyed myself.
