Deploy360 Domain Name System (DNS) Domain Name System Security Extensions (DNSSEC) Internet Exchange Points (IXPs) Internet of Things (IoT) IPv6 Mutually Agreed Norms for Routing Security (MANRS) Securing Border Gateway Protocol (BGP) Transport Layer Security (TLS)

SEE 7: Connectivity, Routing Security & IoT

The 7th RIPE South-East Europe (SEE 7) meeting is being held on 18-19 June 2018 in Timisoara, Romania, and is focusing on several of the subjects of interest to the Internet Society. It’s also being chaired by our colleague Jan Žorž, whilst I’ll be talking about IoT Security and the OTA IoT Trust Framework.

In Monday, there are talks on BGP monitoring from Paolo Lucente (pmacct), and from Krzysztof Grzegorz Szarkowicz (Juniper Networks) on improvements to routing protocols to suit the centralised data centre-based architectures that are becoming more prevalent on the Internet, and which are the subject of an Internet Draft. Zoran Perovic (SOX) will also talk about paradigm shifts in the implementation of Internet Exchange Points.

On Tuesday, there will be a discussion led by Goran Slavic (SOX) on implementing MANRS in an IXP, which is very relevant to the current MANRS initiative which is increasingly being adopted by IXPs. Our colleague Jan will then be presenting about RIPE-690 which provides recommendations for IPv6 address prefix assignments for end-users. Preceding this, will be an update on IPv6 adoption in the SEE region from Massimiliano Stucchi (RIPE NCC).

Some other highlights are the talk on Quad9DNS by Nishal Goburdhan (PCH) that’s supporting secure DNS queries over TLS between client and resolver, and the road to 400 Gb/s connectivity from Thomas Weible, Flexoptix GmbH. On Monday morning there’s a tutorial on IPv6 Security being led by Massimiliano Stucchi (RIPE NCC), whilst for those with a policy bent, the Tuesday evening session will focus on GDPR.

My own presentation on IoT Security will be on Tuesday afternoon.

More information can be found on the SEE 7 website. The meeting is free to attend, although it is necessary to register. Alternatively you can participate remotely.

Deploy360 Mutually Agreed Norms for Routing Security (MANRS) Securing Border Gateway Protocol (BGP)

MANRS BCOP published as RIPE document

The MANRS initiative’s set of Best Current Operational Practices has received recognition from the RIPE community by being published as RIPE-706.

Mutually Agreed Norms for Routing Security (MANRS) – which is supported by the Internet Society – aims to help network operators around the world to improve the security and resilience of the global routing system through four actions that include filtering, anti-spoofing, coordination and support for global validation. It currently involves over 85 organisations encompassing nearly 200 Autonomous Systems around the world, including some of the largest ISPs.

The MANRS BCOP offers guidance on how to practically implement each of the MANRS actions, based on the operational experiences of numerous network operators around the world. It’s a must read for those working with the global routing system, as routing security is a shared responsibility and needs commitment to good practices from all its participants.

The RIPE documents are developed and approved by the RIPE community, having been published since 1989. They include technical and operational recommendations, as well as policy, procedural and organisational documents. The publication of RIPE-706 represents community recognition of the MANRS principles and the importance of a commitment to routing security.

The MANRS initiative would like to thank David Freedman, Brian Foust, Barry Greene, Ben Maddison, Andrei Robachevsky, Job Snijders and Sander Steffann who were the primary authors of the document, but also all those who provided comment and feedback, and those who translated it into other languages.

If you’re interested in signing-up to MANRS, more information is available on the MANRS website.

Deploy360 IPv6

IPv6 prefix assignment BCOP published as RIPE-690

We’re pleased to announce that after a year of intensive work by IPv6 experts around the world, supported by the Deploy360 team, the RIPE community has reached consensus on the Best Current Operational Practices (BCOP) for IPv6 prefix assignment for end-users – persistent vs non persistent and what size to choose. These were officially published as RIPE-690 this week.

RIPE-690 outlines best current operational practices for the assignment of IPv6 prefixes (i.e. a block of IPv6 addresses) for end-users, as making wrong choices when designing an IPv6 network will eventually have negative implications for deployment and require further effort such as renumbering when the network is already in operation. In particular, assigning IPv6 prefixes longer than /56 to residential customers is strongly discouraged, with /48 recommended for business customers. This will allow plenty of space for future expansion and sub-netting without the need for renumbering, whilst persistent prefixes (i.e. static) should be highly preferred for simplicity, stability and cost reasons.

The target audience of RIPE-690 is technical staff working in ISPs and other network operators who currently provide or intend to provide IPv6 services to residential or business end-users. Up until now, there have been no clear recommendations on how to assign IPv6 prefixes to customers, and a variety of different and sometimes problematic solutions have been implemented.

By bringing together subject matter experts with practical deployment experience, it’s been possible to identify common practices and problems, and provide recommended solutions to some of the more commonly encountered issues.

The authors of the document were Jan Žorž, Sander Steffann, Primož Dražumerič, Mark Townsley, Andrew Alston, Gert Doering, Jordi Palet, Jen Linkova, Luis Balbinot, Kevin Meynell and Lee Howard. Other contributors were Nathalie Kunneke-Trenaman, Mikael Abrahamsson, Jason Fesler, Martin Levy, Ian Dickinson, Philip Homburg, Ivan Pepelnjak, Matthias Kluth, Ondřej Caletka, Nick Hilliard, Paul Hoffman, Tim Chown, Nurul Islam, Yannis Nikolopoulos and Marco Hogewoning.

The document was submitted to the RIPE BCOP Task Force and then to the RIPE IPv6 Working Group, as part of the Internet community feedback and consensus building process. Thanks should go the Chairs of those groups who ensured the recommendations do conform with actual best operational practice, along with the RIPE NCC staff who facilitated the publishing process.

So now there are some agreed stable recommendations for IPv6 prefix assignment for end-users, we’d ask all network operators to read and consider the document when deploying IPv6 to your customers.

And as always, please visit Deploy360’s Start Here page to find resources on how to get started with IPv6.

Deploy360 Domain Name System Security Extensions (DNSSEC) Events Improving Technical Security IPv6

RIPE 74 starts in Budapest next week

The RIPE 74 meeting is happening next week in Budapest, Hungary. Proceedings commence bright and early with two tutorials on peering and network automation, before the opening plenary starts at 14.00 CEST/UTC+2.

Both Jan Žorž and Kevin Meynell from Deploy360 will both be attending, and will be reporting on relevant developments as always.

In the opening plenary, there will be presentations on the DNSSEC Key Rollover in 2017 from Ed Lewis (ICANN), and the effect of the DNS on Tor’s anonymity from Laura Roberts (Princeton University). This will be followed by several lightning presentations as yet to be announced.

Jan will once again be chairing the BCOP Task Force on Monday evening starting at 18.00 UTC+2. This will discuss progress on documenting best current operational practices, with a new BCOP on IPv6 prefix assignment for end-users to be presented, as well as how to move forward with the global BCOP repository. The Task Force is still looking for volunteers to help support the task of writing other identified BCOPs in the pipeline.

Tuesday is mostly a plenary session, but looks to have some interesting talks lined-up. There are two presentations on RPKI adoption that examine how this has contributed to route security, another on the security implications of IPv6, and a report on expected IPv4 transfers. There’s also a couple of interesting IPv6 case studies being presented on IPv6 addressing in CDNs, and why Rabobank implemented IPv6.

However, be sure to catch the ‘Internet of Stupid Things’ presentation from Geoff Huston (APNIC Labs) who’s always good value for money, and whilst it’s not specifically a Deploy360 topic, it would be worth checking out the ‘Quantum Internet’ presentation from Stephanie Wehner (Delft University of Technology).

On Tuesday evening, there’s also a BoF on IoT security that will discuss stability and security issues of this ever-expanding network of devices, including how botnets pose a substantial threat to the very infrastructure those devices depend upon.

Wednesday and Thursday are set aside for Working Groups, and we’ll be following the IPv6DNS and Routing Working Groups and reporting on developments there.

The IPv6 Working Group will include a short update from Jan on active proposals for IPv6 BCOPs, and on his experiments with NAT64. There will also be an update on using 464XLAT in Residential Networks from Jordi Palet Martinez (Consulintel), and on the Sunsetting of the SixXS tunnel broker service (that we previously reported on) from Jeroen Massar.

The Routing Working Group will have a presentation on MANRS from Ben Maddison, whilst over in the DNS Working Group it would be worth catching the presentation on DNS Privacy Enhanced Services from Benno Overeinder (NLnet Labs).

Finally on Friday, along with the regular agenda items, there will be presentation on BGP Flow Specification Interoperability from Christoph Loibl (next layer).

There are again over 600 registered attendees, so it’s sure to be a busy and productive week. For those of you who cannot attend in person – there is remote participation available with audio and video streaming and also a jabber chat room, so everyone is welcome to participate!

The full programme can be found at:

Deploy360 Events IPv6

RIPE 73 starts in Madrid next week

ripe-73The RIPE 73 meeting is happening next week in Madrid, Spain, kicking off with a couple of tutorials on the Monday morning, before the opening plenary starts at 15.00 CEST/UTC+2. And there’s a lot on the programme of interest if you’re following the Deploy360 technologies, as both Jan Žorž and Kevin Meynell will be.

In the opening plenary, the results of the IPv6 Deployment Survey on residential and household services undertaken by Consulintel will be presented, followed by an analysis of Carrier-Grade NAT (CGN) from Philipp Richter (TU Berlin). Then check out the state of IPv4 transfer markets with Ioana Livadariu (Simula Research Laboratory).

Jan will then be chairing the BCOP Task Force on Monday evening starting at 19.00 UTC+2. This will discuss progress on documenting best current operational practices, with three BCOP documents up for discussion including a new MANRS BCOP. As ever, the Task Force is also looking for volunteers to help support the task of writing the documents and achieve consensus within the group.

On the Tuesday morning, there’s a focus on anycast, with four presentations covering different aspects of this. The afternoon is devoted more to network security, data protection and privacy issues, although there will also be a panel chaired by Leslie Carr on the unique financial challenges of smaller IXPs

Wednesday and Thursday are traditionally devoted to Working Groups, and as usual we’ll be following the IPv6, DNS and Routing Working Groups and reporting on developments there. It’s also worth noting there’s also an open mic  session on the Internet-of-Things between 19.00 and 20.00 UTC+2, which aims to discuss what role RIPE can play in this space and whether the RIPE community’s expertise can be put to good use in safeguarding the security and stability of the Internet.

Finally on Friday, there will be an update on IPv6 performance from Geoff Huston (APNIC) which always makes for interesting listening.

There are already over 600 registered attendees, so it’s sure to be a busy and productive week. For those of you who cannot attend in person – there is remote participation available with audio and video streaming and also a jabber chat room, so everyone is welcome to participate!

The full programme can be found at

Growing the Internet Internet Governance

Connecting Communities at RIPE72 in Copenhagen!

RIPE — the Réseaux IP Européens Network Coordination Centre – is one of the five regional Internet registries that allocates Internet numbering resources that help the Internet run.

We’ll be moderating a panel that brings together people from RIPE’s Middle East, Eurasia, and South Eastern European regions.

On its own this sounds like a lot of other panels at a lot of other events.

But this one, at least for me, is something special.

It will bring together people from very different RIPE regional communities. They come together at this important convening event of the full RIPE community to build bridges with each other and across RIPE. 

ISOC partners with RIPE colleagues throughout the year to help plan and coordinate meetings, to speak on key regional Internet issues or to lend technical assistance, or to find ways to measure Internet traffic together so that people can see the growth of the Internet in an understandable and simple way. Together we build bridges that connect people, communities, countries, and regions.

Connecting the next billion comes down to a lot of things. It comes down to development, policy, technology, and often times navigating some difficult landscapes – both literally and figuratively.  But, it really relies on building and bridging communities to work together. And, ultimately it comes down to people. People who are dedicated to building the Internet, visualizing the Internet, and training people to train each other for sustainable Internet infrastructure development.  

We overcome barriers together – barriers that include things like landscapes, policies, lack of trained people, and lack of infrastructure.

And – while it would be easy to get lost in the details or overwhelmed by some of the challenges – we work through and solve problems together to amplify the work our teams are doing.  

The key thing about this panel is that it brings together people who live in very different countries, and highlights their community within a community that helps to develop the Internet through local solutions that are bridged by shared technical solutions.

They will share ideas about what has worked in their regions, and – more importantly – what did not. 

By sharing local solutions they build bridges with the entire RIPE community and the broader Internet community.  

Technology is a common demoninator across regions, but there’s more to building the Internet than technology. Like most things that work well, it takes people working together. 

You can do this too. We’ll be LiveStreaming the panel and you’ll be able to join online, chat, and build connections. 

Join Bridging the RIPE Community on 27 May 9 – 10:30 CET 

Get more information on the panel and other events on the RIPE website

Deploy360 IPv6 To archive

LACNIC IPv6 Troubleshooting for Helpdesks Webinar today

lacnic-logoLACNIC is organizing a “IPv6 Troubleshooting for Helpdesks” webinar that will take place today, 23rd March 2016 at 15.00 UYT (UTC -3) through Webex. The main theme of the webinar is how ISP helpdesks can use the RIPE-631 Best Current Operational Practice document and associated online tools to troubleshoot and fix IPv6 issues.

The webinar will be lead by LACNIC with the main speakers being Sander Steffann and Jan Žorž (Internet Society), the two co-authors of RIPE-631.

Jan Zorz and Sander Steffann, webinar presenters
Jan Zorz and Sander Steffann, webinar presenters

Who should attend? Technical staff with IP knowledge, IPv6 network administrators, first- and second- level line support, as well as people from companies implementing IPv6.

There are currently over 120 people registered, so we’re expecting a good webinar to happen today.

Registration if free, so please register at and see you later!


Remembering Rob Blokzijl

On December 1, 2015, Rob Blokzijl passed away.

Rob Blokzijl started his career as a nuclear physicist, where he catalyzed the collaborations needed for building the networks that served scientific data exchange. Armed with that experience he became a founding member of the RIPE forum in 1989. He would be its chair, its primus inter pares, for 25 years to come. He was at the cradle of numerous initiatives that shaped the Internet, such as the creation of the first regional Internet registry in the world (RIPE NCC). He was one of the key persons for the European Internet and was involved in AMS-IX, in NATO, in ICANN, and various boards and committees. This year he was awarded the Postel Service Award for his pioneering work, 25 years of RIPE leadership, and for enabling countless others to spread the Internet across Europe and beyond.

There is a lot that can be read about Rob’s professional career on the Internet. So a more personal note on how I got to know him.

Rob Blokzijl was a leader – one that listened, absorbed, and then spoke. Never a word too much, always with the strength of logic and argument, often with small sprinkle of irony, but always with common sense.

He was a leader whose common sense was supported by being well documented. I remember that in discussions he often knew more about a document’s contents than its author did. He would share his vision and knowledge, proactively when needed. One could say that Rob was both principled and pragmatic. He held firm beliefs of the Internet that have inspired me, and many others. Rob was always available for a ‘second opinion’ and would provide advice that could be trusted. I regret the times I ignored it.

When Rob was awarded the Jonathan B. Postel Service Award this year, I asked if I could play a role in the ceremony. I did that because the awardee is what I imagine Jon Postel had been: A man with a vision about the Internet who inspired others through his competence, common sense, and personality. Rob was an important mentor throughout my career in the Internet and I was proud and happy that it was possible to pay him respect publicly by handing him the Postel Service Award.

Thanks, Rob.

Our colleagues at RIPE NCC have set up a memorial website at:

Building Trust Improving Technical Security

Is IP Spoofing A Problem Worth Solving?

During RIPE 71 last week in Bucharest, Benno Overeinder from NLnetLabs and I organised a BoF to discuss the problem of source IP spoofing.

Some may ask with a certain level of frustration, “Anti-spoofing?!! Source address validation?! BCP 38?! Again?!” Indeed, visible progress in anti-spoofing has been quite disappointing. Despite existing technical solutions and more than a decade of consistent evangelizing, not much has changed by the look of the symptom – most notably reflection-amplification DDoS attacks. They have only gotten bigger!

Several aspects make this problem especially tough.

  • Existing technical measures are only effective and applicable close to the edge – computers and other end-devices connected to the net. This requires deployment of anti-spoofing measures by a vast majority of networks on a global scale – something that is not easy to achieve.
  • Accountability is a problem. Tracing spoofed traffic back to its real source is impossible in the majority of cases
  • The business case is very weak. There are network types where confidence in the validity of the source IP address is important for their proper operation, but in general, and coupled with the lack of accountability, implementing source address validation has costs and does not bring real benefits for an individual network.
  • We do not even know where we are. There is a challenge in detecting “spoofable” networks and therefore a lack of statistically representative data regarding the state of affairs. It is impossible to say how the situation has changed over last decade.

And so, we had to pose a question as to whether solving this problem is worth it at all. Should we, as a community and as individual operators, concentrate our efforts on reactive measures of mitigating the outcome of the spoofing – a volumetric DDoS attack? Should we make mitigation measures more accessible, less costly, more automated and more effective?

And, in general:
Are we solving the problem?
Are we solving the right problem?
Are we solving it in the right way?

There was an interesting discussion and people lined up at the microphone. It was hard to expect a breakthrough, but from my perspective three points were reinforced:

Measurements. Being able to identify source address validation capabilities (or lack thereof) is an essential element of any solution in this space. Otherwise, it is like tilting at windmills.

Spoofer is a good start. But the number of measurements is too low and their location is somewhat biased. We need to expand these and find and correlate these data with other sources to produce a more statistically representative set.

Incentives. Without a stronger business case we cannot expect a solution at scale. This is, unfortunately, not telling the BCP38 story better, this means creating better incentives. This might need both a carrot and a stick.

A carrot could be a self-enforcing reputation of a growing group of adopters of these measures that publicly declare their actions – this is what MANRS is doing. The more operators join, the more important anti-spoofing measures become, the stronger the cultural shift toward collaborative security will be.

A stick might be liability. As Paul Vixie wrote recently, “In the world of credit cards, ATM cards, and wire transfers, state and federal law explicitly point the finger of liability for fraudulent transactions toward specific actors. And in that world, those actors make whatever investments they have to make in order to protect themselves from that liability, even if they might feel that the real responsibility for preventing fraud ought to lay elsewhere. We have nothing like that for DDoS. The makers of devices that become part of botnets, the operators of open servers used to reflect and amplify DDoS attacks, and the owners and operators of networks who permit source address forgery, bear none of the costs of inevitable storms of DDoS traffic that result from their malfeasance.”

People still consider this a problem worth solving. The general feeling is that abandoning it will just make the mitigation part harder and harder, not cheaper and simpler. At the same time anything that contributes to the effective mitigation of a DDoS attack should be taken as an integral element of the overall solution.

Please let us know if you have thoughts on anti-spoofing or ideas on how to address it – and whether or not you think it is a problem worth solving. We’ve created a mailing list to follow up the BoF discussions at RIPE, which you can join at Or, of course, you can always comment here on the blog or on Twitter, Facebook, or Google+.


IPv6 for ISPs: State of deployment and lessons learned – Slides and Video from RIPE70

What is the state of IPv6 deployment within Internet Service Providers (ISPs)?  What lessons can be learned from recent deployments?  At the recent RIPE 70 conference, Aaron Hughes gave a great overview of the current state and lessons that can be learned.  His slides are available as PDF:

IPv6 for ISPs

The video is also available from the RIPE 70 archives.

Not to spoil it too much, but Aaron concludes that yes, indeed, ISPs are deploying IPv6 successfully! 🙂

If you want to start deploying IPv6, please visit our Start Here page to get started!


Open Internet Standards

Celebrating 25 years of community

The Internet Society joins with the participants at the RIPE 68 meeting this week in celebrating 25 years of successful collaboration and growth for RIPE meetings and the RIPE community. Even before the founding of the Internet Society, in 1992, the very first RIPE meeting was held in May 1989. Over the past 25 years, the RIPE community has exemplified the practical, bottom-up approach that has been a key to the Internet’s success. The RIPE community also fostered the Réseaux IP Européens Network Coordination Centre (RIPE NCC)— one of the five Regional Internet Registries (RIRs) that are essential components of the Internet ecosystem and a foundation for the smooth operation of the global Internet.

The history of RIPE and the community it brings together demonstrate several aspects and core principles of the Internet’s tremendous success. First, it has grown tremendously. In 1989, 14 people gathered for the first RIPE meeting and this week more than 500 people will attend RIPE 68. Second, RIPE, like the Internet, promotes collaboration, bringing together the technical community and policy makers to promote mutual efforts.

Finally, RIPE has evolved while remaining true to its core mission and principles. The RIPE community initially came together to promote IP networking and to coordinate technical activities among network operators. The agenda of this week’s meeting—with presentations on IPv6 and DNSSEC—demonstrates RIPE’s continued commitment to this mission, even as the underlying technologies and the networks that make up the Internet itself have evolved.

On behalf of the Internet Society, I would like to congratulate the RIPE community on its tremendous success over the past 25 years. We look forward to continued collaboration with them, and with people from around the world who share the vision of an Internet for everyone.


Deploy360 Events

Next Week: South Eastern Europe (SEE3) RIPE Regional Meeting

SEE3The South Eastern Europe RIPE regional meeting has become a very popular event in recent years, so we’re happy to be holding the SEE3 meeting in Sofia, Bulgaria, next week, on 14-15 April. The agenda is finalized and I would like to thank RIPE NCC staff for their support and the SEE Program Committee (that I happen to chair) for putting the program and agenda together.

The meeting will be split into tutorials on  Monday morning and six plenary sessions on Monday afternoon and Tuesday: Opening, IPv6, Infrastructure, IXP, GOV/SEC, and Measurements. Surprisingly and unexpectedly – 257 attendees have already registered for the meeting and we are expecting it to be a great success!

As usual we’ll have a lot of very good speakers in all categories so if you are in the region – you are welcome to join us in Sofia!