______________________________________________________________________
DRAFT TRANSCRIPT
Session: APNIC Member Meeting
Date: Friday 3 March 2006
Time: 2.00pm
Open Mic
- Bogons in routing
- Chinese domain names
______________________________________________________________________

PAUL WILSON: I'd like to open the microphone for any questions or comments on anything that we've heard today. We have 15 or 20 minutes before the coffee break, so we might as well fill it with some interesting discussion. Or not. The coffee won't be ready anyway, so there's no point leaving just yet. Randy, you've got your own, do you?

TRENT O'CALLAGHAN: Hi, I work for an ISP based here in Perth. I was sent along for one reason today. Now that you've got the mic open, I'll grab it. It was great to see the Apster we got in the bag today. Our address space came off the bogon list in, I think, about December 2004. Yet there are still bogon lists out there filtering us; particularly NCI have a really nasty one on their DNSs. Them being such a large part of the Internet, it's a very big issue. So I would like to see everyone here tell as many people as possible, because the word has to get out that the Internet is broken and it needs fixing until this is done.

PAUL WILSON: That's a good promotion too for Apster. Thanks very much for the remark. I think Randy will address the issue, maybe.

RANDY BUSH: Address indeed is what should happen. Randy Bush, IIJ. Within ARIN we're doing something that will be of general use, I believe. The first experiment was done some months ago when ARIN was given a new block, and that was that ARIN took that block and allocated it to somebody who put it in a host, through a router, and announced it. And that host was pingable. The address that could be pinged was announced on the ops list, so anybody could test if they could reach the new block. The people who had enough clue to do this kind of testing were probably the very people who wouldn't have bogon lists.
For the next iteration of this experiment, we're planning on doing something a little more extensive and community driven, which is we're going to make it so that end-users can test usability and reachability of all sorts of address space that we worry about reachability on. It's going to take a month or so before we have that stuff in shape to distribute, and documentation, etc. But that should be of use to APNIC and other registries in a cooperative experiment.

PAUL WILSON: Where did you say that was happening?

RANDY BUSH: At ARIN. You can beat me up for it because I'm trying to work on the design part of ARIN. You are not the only one feeling this kind of pain. So I think all the registries are working on doing something about fixing it. There's no guaranteed fix. Make it a little better.

RUEDIGER VOLK: Well, OK. It seems to me that this problem is related to most people doing hand-made access lists. That seems to be related in some way to the fact that tools and databases for generating things are not in a state that's desirable. I wonder very much why, after many years in which languages and databases have been defined in ways that are standardised and well known, the RIRs are not using the databases and the standards that are available to actually publish what address space is considered to be in use, so that the bogon lists are not required as something that comes in from second sources and is maintained by everybody by hand.

PAUL WILSON: Could you explain which tools?

RUEDIGER VOLK: There is RPSL. There are supposed to be several IRRs using databases that unfortunately are not up to the same security level that we are expecting to see out of the certificate system; nevertheless, I can tell you how each of the database owners can very securely publish data in the databases.
If you tell everybody that AS number, whatever APNIC's AS number is, colon RS-active-address - the RS-active-address set - is going to be the... everybody can actually use that in a secure fashion.

PAUL WILSON: Thanks.

GEOFF HUSTON: The RIRs do publish, on a daily cycle, the addresses that are out there right now. And you can find that out from published data immediately. What you're saying, I think, is that they should be put inside a route registry. The usage of route registries is not uniform, and they are often used as policy filters rather than the rather crude hammer of a bogon filter. What we're finding with bogon filters is that people use a set-and-forget architecture. The bogon filter gets constructed and then you leave it, because its granularity is too fine. Bogon filters are more like security pantomime than security theatre than any other real form of doing any kind of filtering out of addresses that shouldn't appear inside packets. So one possible sort of solution here to your problem is: why are people doing this madness? And the next kind of question is: how can you actually mark real addresses in a way that, if you wanted to do secure routing and understand where the nonsense is in routing and packets, goes all the way? That's a very old discussion now. It's around five years old. Our impact on the security pantomime players and actors has unfortunately been very slight. And I'm kind of hoping that they're waiting for a better tool. But the alternative is they're lazy and nothing's going to stop them doing what they're doing. And I really don't know how to stop that.

PAUL WILSON: Thanks.

APNIC STAFF MEMBER: We have a question in the Jabber chat. It says, "Does anyone know if anyone is involved in a recent announcement by China to run an alternative root for dot com and dot net? How is it accomplished and what effect will it have? Of course, the answer is limited to what is permitted to be said." And they would like ICANN, IANA and David Conrad to comment on this, please.
RANDY BUSH: I'll stick my foot in it. There was a movie called 'Lost in Translation' which applies. China is not running an alternate root.

PAUL WILSON: Anyone else care to comment? I saw a couple of notices about this recently on a couple of mailing lists, and I took the opportunity to ask the operators to add that the F and I mirrors, the anycast mirrors that are in Beijing, were installed with APNIC's coordination. Those two root server mirrors are doing quite respectable query rates, at around 1,000 queries a second or so, which would seem to indicate they're being used.

SURESH RAMASUBRAMANIAN: To the previous question about China. There's a fairly interesting discussion which has something that is a little more factual than the newspaper article that's being run.

PAUL WILSON: So that's... OK, so there's CircleID.

QIAN HUALIN: OK, a rumour, just a rumour, all over the world. Recently, it was announced, published: adding mail .CN in our system. The other is quite generally existing; not a new one. For example, the last IIJ equivalent of the China carrier, that .com, .net China. Three of them. These were created three years ago but new. The initial creation is by a company called IDMS, which is not a Chinese company. And CNNIC has to follow up, to provide this kind to protect the users in China. So that's not new, actually. But it looks like a top-level domain, but it was announced many times. Because we provided two different kinds of IDN service. It doesn't matter when it goes to the root first. It goes to the CN server, and then to the other things. And the normalisation converted the other kind to IDN. We don't have any registration under the IANA root, so it doesn't work. So people want to use it. They have to download the plug-in. Automatically, when people type in the IDN.IDN, it automatically appends the .CN to the right. It's also under .CN. So when resolving this name, first it is going to the IANA root. You are taking an IDN top-level domain, you then don't use the IANA root.
That's wrong. That's a fact. We don't have any root in China and we don't want it to form different roots. CNNIC is participating in the work in ICANN. We have people in the IDN tech group. One of the co-chairs is in there. We hope when we're doing the experiment deployed by ICANN, when it is finished, it is officially registered. That's good for everybody. Because the step taken by ICANN is too slow during the previous years, five or six years, many people wanted service, the ICANN service, but there's not any protocol, any experiment done. But the people in China don't ask. They need this kind of service. So it doesn't mean we throw the root away, or we create a new root. That's wrong. Thank you.

KENNY HUANG: I would like to follow on from Professor Qian's point. I believe and I conclude this kind of technology actually has all kinds of IETF standards, and the application has been demonstrated in the taskforce and demonstrated in the IETF, all kinds of engineering community. So I think that's a rumour, and the technology itself actually has been done for you and deployed for you already.

PAUL WILSON: I hope we've put the rumour to rest. Good, thanks. OK, we're just a few minutes away from the coffee break now. And it was suggested to me that I remind everyone of the APNIC 21 feedback form, which you should all have a copy of, or if not I'm sure we've got spares available. And that is quite important for us at the Secretariat as a channel for your information, for your views and opinions about how useful this meeting has been and how it could be improved. We've tried to receive this kind of feedback for many years with varied success. But what we've found is that bribery is a good strategy. So we do have a lucky draw, and it's an iPod of some description.

KWO-WEI WU: It's not enough.

PAUL WILSON: It's an iPod, OK. You want more? What about if we throw in, in addition, not only the iPod but some of these very handsome NRO memory sticks, don't we, Gerard?
GERARD ROSS: They might have been packed up already, but we can send them to them.

PAUL WILSON: If there are some successful survey forms taken from the box, we can do that. Please take the opportunity to fill in the form; Holly is at the back with a yellow box for the forms. And it will be drawn just as soon as we get back from the coffee break. OK. Just take a few minutes to do that now. And I think we can multicast.