These are unedited transcripts and may contain errors.


Plenary session, 24th of September, 2012, at 4p.m.:

CHAIR: Welcome back everybody. We are starting our next plenary slot and our next speaker is Thomas from UncensoredDNS.org, on the technical and political aspects of uncensored DNS.

THOMAS STEEN RASMUSSEN: Hello everyone. My name is Thomas and I have been invited to speak at RIPE about the uncensored DNS service that I run and have been running for close to four years.

I will briefly talk about DNS blocking in Denmark, as that is basically the reason why I started this service; it was a local situation, but the servers are increasingly being used by people all over the world, so it's getting more of an international feel to it.

I will speak about the service uncensored DNS, and then the main part of the presentation will be why DNS blocking is bad and why we should get rid of it.

Right. I have 25 minutes, so I have had to cut a bit of stuff out of this presentation, but by all means, ask me if something isn't clear.

Right. I am working for a small Internet provider in Denmark and part of my job there is to manage the DNS service and the censorship blocking system that comes with DNS servers in Denmark. When I assumed responsibility for the servers, it pretty quickly occurred to me that blocking in DNS is stupid, it's pointless, and we should find other solutions to the problems we are trying to solve with DNS blocking.

I joined an association in Denmark called the IT-Political Association and, through that, my interest in IT political issues and online digital rights has been growing since. This is my first time at RIPE, which is also evident by my huge sticker here, so be gentle with me.

OK. The DNS blocking system in Denmark has been in a slow decline from 2005, when the blocking system was first introduced, with the intention of blocking pages, domains, that depict child abuse. It's an automated system: an organisation called Save the Children in Denmark has a hotline where you can report a domain, the suspicious or illegal content is verified by the police and the domain is put on a list and automatically loaded into the ISP DNS servers. This has been running since 2005, so, yeah, seven or eight years or something.

When they introduced it, we warned that this filter would likely be used not only for child abuse but for copyright legislation and stuff like that, and not only a year later, the first copyright-based blocking started appearing; it was AllOfMP3 and especially the Pirate Bay, as a popular site, so that is also around when I launched my uncensored DNS servers. There is, as such, no legislation; these are more or less voluntary blocks by the Internet providers, so I am free, since I am not an Internet provider, to run uncensored DNS in Denmark and globally. So I did, and I still do.

That was 2009. Over the last few years, we have seen, in Denmark, additional blocking of gambling sites that don't pay taxes and pharmaceutical vendors that sell Viagra and stuff like that and are not approved by the Danish Government. And the last thing was Grooveshark, which was blocked in March of 2012. So this is an ongoing thing in Denmark at least. We block more and more stuff and it's increasingly being seen by politicians as an accepted tool of control on the Internet. We like to criticise countries like Iran and China for doing that but we are pretty good at it in Denmark, too.

The child abuse blocking system in Denmark, briefly, is automated through SSH; the police has an SSH server. We each connect once per hour, download the new list, format it and load it into the DNS server. This is fully automated, nobody has to do anything except when they make a mistake like this spring and accidentally block Google and Facebook; I think it was like 8,000 domains that were accidentally blocked, so Internet users got the message that they were trying to access child porn but in reality they were accessing YouTube or Google or Facebook. That is what happens when you introduce a single point of failure into a redundant system.

So, all the domains in the list from the police are wildcard A records, so every single thing you try to resolve under the blocked domains gets that record; no AAAA, so no IPv6 support in censorship in Denmark. And the IP address runs a stop warning page that says you are about to do something illegal so we stopped you. That is basically it.

Statistics for the web server displaying the stop page are anonymised and sent to the police and they keep an eye on the number of hits and use it like some sort of indicator of how effective it is and how many paedophiles we are stopping each day, week and month, which is obviously bullshit, since it includes, well, you have all seen a web server access log, it's not all hits.

So this is the system we have in Denmark. It is flawed in so many ways, I will get into that later, but this is the basic reason I started my DNS service.

Uncensored DNS, called censurfridns in Danish, is basically just two name servers; they run FreeBSD, on my provider's address space at the moment. I have been fortunate enough to get an AS number and a PI range, v4 and v6, from RIPE recently, and an Anycast version of my service is underway, being planned. There are a lot of complications with monitoring and stuff when you are doing Anycast, so I need to get this right, but the service is running at the moment and in the future will be upgraded, so to speak, to Anycast. On that note, if anybody feels like joining the struggle for freedom on the Internet, I need some friendly sponsors or hosters of Anycast nodes for uncensored DNS, so by all means hit me up if you are able to announce my AS number and have some spare room on a virtual server or something.

All right. I started this because, well, because I believe that DNS is entirely the wrong place to put policy decisions. DNS is, in my opinion, a beautiful technical system and to put stuff like politics into that is just always wrong. Furthermore, my friends kept asking how to access the Pirate Bay after it got blocked, so I needed to have something to tell them, and OpenDNS was never really my cup of tea; they do this NXDOMAIN redirection thing where if you make a typo they redirect you to a site with ads on it, and I know they have to turn a profit, but, well, I don't like messing with DNS, no matter how you do it. So they were out of the question. Google DNS didn't exist at that point and I don't really feel like giving Google all of my DNS queries anyway. And neither had DNSSEC support at the time, or IPv6 support. And finally, after the whole incident, it's pretty obvious that choosing a DNS provider, now that you can't just use your ISP's DNS servers any more, is clearly a matter of trust, like any other provider you choose. And some people might have an easier time trusting someone like me than someone like OpenDNS or whoever they might choose.

Yes, so an uncensored DNS service was needed, and so I started in late 2009, so I have a fourth anniversary coming up.

Right. Issues with DNS blocking:

Aside from the fact that DNS is a technical system and you are basically lying when your recursive server for a given domain, which is clearly not authoritative, says, oh, that record, it's over here, at this IP address. The system we have in Denmark is furthermore constructed based on the idea that HTTP is all the Internet is; I mean, if you try with an FTP client or any other protocol you get timeouts, and if you try to send a mail to one of the blocked domains, you wouldn't even get a timeout, it would sit in a queue somewhere and four days later you would get a bounce back telling you it couldn't be delivered. It's ill thought out, it breaks every standard in the book.

Like I said, in March 2012, the police made a mistake with the automated DNS blocking system in Denmark, and accidentally blocked a bit over 8,000 domains that did not contain illegal content at the moment, which means that the help desk support lines of the ISPs, well, where I work and other places, were, of course, flooded with calls from customers who didn't understand why they were met with this stop page when they were trying to access Google. DNS is one of the only systems we have in wide use on the Internet where redundancy has been part of it from the very beginning; you have always had two servers authoritative for a domain and always had them on different subnets, and you practically always entered two DNS servers in your router or DNS config on your workstation, so what we have done is basically attack a beautiful redundant system and put a very nice single point of failure in it, and the official story from the police was that some guy dragged and dropped a text file to the wrong folder and that somehow triggered that all the domains got loaded and automatically shipped to our servers. So, that is obviously a very bad idea.

It's also easy to circumvent, of course; that is what I do, I enable people to circumvent it, but other people, yeah, the blocking proponents, might see this and suggest something like DPI, deep packet inspection, or IP blocking or stuff like that. Any kind of blocking and censorship is bad, of course, but if I had to choose, I would choose DNS blocking because that is the simplest one to circumvent, but it is still an issue. It also conceals the problem without actually doing anything and, at least from the Danish perspective, that is really one of my main complaints, because we all agree that child abuse is horrible and needs to be handled, but I strongly disagree with the way we are doing it in Denmark, because we have five million people and if we find a domain that is hosting actual content that displays child abuse then blocking it is the most egoistic solution that we could think of. It might give some peace of mind in Denmark and, I don't know, save someone from viewing it, but the rest of the world can still view the content; what we should do is obviously get the content offline in the first place. There is a whole big talk about jurisdictions and contacting abuse departments in other parts of the world, and basically we analysed the block list a few years back and 95% of the content is in Europe and the United States, so the old story about not being able to pull the content down because it's in places outside of, like, police cooperation and jurisdiction, is bullshit; don't believe that, it is very, very possible to get this content taken offline, so when we block it we merely close our eyes and more or less ignore the problem rather than actually doing something about it.

Right. DNSSEC, which is fortunately growing in use, is obviously incompatible with this. The more our clients, browsers and so on, start doing their own DNSSEC validation, the less effective this type of blocking will become, because a spoofed record looks the same whether it's some sort of censorship or blocking system or DNS poisoning; to a DNSSEC validating client it looks exactly the same.

And of course, there is a lot of collateral damage when you choose to block something in DNS; you have a lot of other protocols, you block all content on a domain even though maybe only one picture was illegal. In England at some point they were very close to blocking Wikipedia because of some record cover that features a naked girl; I don't remember the name but it was a big case. There is obviously collateral damage when you block in DNS; very, very rarely is all content on a domain illegal.

So, when the local ISP DNS service is no longer reliable, Internet users may go somewhere else so they can access the Pirate Bay or wherever, or might use a proxy server which, if compromised, could compromise the security of the users. CDNs are very popular these days, and a lot of them are based on DNS, geolocation or DNS server location, and if people use VPNs or proxy servers they might see degraded performance.

Also, alternative name spaces seem to be growing, still. Obviously, they are probably a result of legislation put into DNS, and if we keep fragmenting the Internet, well, obviously it will stop being the Internet at some point if we get too many scattered name spaces.


The way we block in Denmark is particularly bad because it can serve as an early warning system for some of the criminals it's trying to fight; like, if someone is running a site at illegalstuff.com and that domain gets added to our list, it is trivial for most anybody to detect that it has been added to the blocking system, and the criminal can run and hide and start up under a new name, so what we are doing is basically running a very expensive early warning system for some of the worst criminals in the world. That is pretty stupid.

So, there is a lot of stuff wrong with blocking in DNS and I could talk about this for hours but I have like five minutes left, so those are the main points and, by all means, come and discuss them with me if you want to go deeper into some of this. But a lot of this brings me to a basic conflict that all of us might have encountered at some point or another working with the Internet. There is a basic conflict, not only online but in life, between security and liberty or freedom. If we want total security we more or less forbid everything and track everything everybody does. If we go the other way, we wouldn't have any security but we would have total freedom, and of course we need to find some golden middle way, but people say to me, and they are right of course, that my name servers can be used, for example, to resolve a domain that contains child abuse material, and they certainly can, and they might be used in an amplification attack or something, even though I try to do everything I can to prevent that. The same could be said for Tor and Bitcoin and other sorts of projects on the Internet. They can be abused for doing nasty things but they also greatly enhance freedom online and, in my opinion, that is often more important than the risks they inherently have, but at least it's important to be aware that there is a basic conflict and you can't have both; you can never, ever, ever have both, at least if one of you has the recipe, then speak up, please.

OK. I am nearing the end of my speech. At the moment, in Denmark at least, it's not looking too good with DNS blocking and blocking in general. The general mood of politicians and the content owner industry and so on is that blocking Internet sites is a perfectly acceptable thing to do, and, well, we are obviously working in different organisations and stuff to try to affect that, but it's hard, once people get the idea that you can do that, to get them to unlearn it somehow. We might come to a future where it's like political suicide to ever suggest something like blocking stuff on the Internet. They are pretty close in Germany. They had this child abuse blocking thing up and discussed it a couple of years ago and somehow they managed to turn the debate, so now no politician really dares to speak about Internet censorship and blocking down there. I wish we could get that in Denmark, too. But anyway, as long as Denmark or anywhere else needs uncensored DNS servers, I will keep running this service. I have got a message from China that universities there are using my servers over IPv6 to get uncensored DNS, so it's not only a Danish phenomenon at this point and I am very happy to be able to help those people too. An Anycast DNS service would make it easier to serve people in Asia and Europe and further away from Denmark because latency will be better, lower.

Right. This is the end of my presentation. I will be here all week, and I am always ready to discuss stuff like this, criticisms and so on. And I am very interested in people who might want to host an Anycast uncensored DNS node. I have a blog and a Twitter feed and I am sure you can find those, and, yeah, I think that is it.

(Applause)

CHAIR: Thank you, Thomas. We have a few questions.

SPEAKER: James Rice. I have two questions and one comment. One is, why do you not register a foundation with the stated aim of providing clean, open DNS resolution service for all, rather than asking people to rely on a personal guarantee? Why not incorporate a foundation, say a not-for-profit, with the stated aim of providing clean DNS resolution service for all, rather than asking people just to rely on a personal assurance that this is how it's going to stay?

THOMAS STEEN RASMUSSEN: Well, I don't know, I just started out like this. If we had something like that in Denmark, it doesn't sound like a bad idea at all, or in another country. Definitely.

JAMES RICE: The other question is, how do you prevent the open recursive resolving service being abused by DNS amplification, DNS DoS attacks?

THOMAS STEEN RASMUSSEN: Automatic blocking if someone continues to go over that, but of course, if you fly, like, below the radar or do it sufficiently distributed, obviously I won't catch it. I have to adjust them as time goes because, yeah, like universities and stuff like that, I have a lot of queries from one IP, so it's not an easy problem to solve, which is of course why everybody closed their DNS servers over the last five or ten years or something.

JAMES RICE: You mentioned using Tor for enhancing privacy and so on; if you look at all of the Tor exit node operators, i.e. foreign governments or miscreants themselves, and they are inspecting and stealing your cookies, then you probably wouldn't use Tor, especially when you consider that X.509 PKI HTTPS is probably not as secure, given things like DigiNotar, as people thought before?

THOMAS STEEN RASMUSSEN: Of course, use HTTPS, but even that isn't bulletproof; it goes without saying, we know that.

SPEAKER: Shane Kerr. I have a few questions, hopefully I can get them out. So the first one is about this list of blocked pages that the Danish Government produces. That is not public, then?

THOMAS STEEN RASMUSSEN: No, but somebody leaked it to WikiLeaks a couple of years ago, and they sent the exact list to all the ISPs, so that might happen again. But no, it's not public.

SHANE KERR: It seems like the kind of thing that would be...

THOMAS STEEN RASMUSSEN: It really, really should be, but it's not. They are afraid to, I don't know...

SHANE KERR: It's quite easy for any individual website...

THOMAS STEEN RASMUSSEN: You just query.

SHANE KERR: The next question is about protecting client information from people snooping on the networks, so enabling TSIG for client queries or anything; have you looked at that?

THOMAS STEEN RASMUSSEN: I have and I am very interested. I know I have been bad-mouthing OpenDNS but they developed the DNSCrypt thing between the client and the recursive server and I am very open to looking into that, but at the moment I am focused on getting the Anycast service up, because first of all, I have a single point of failure with the provider I am on and, the more people use it, if the Danish server is down you are offline, so I need to get this sorted and then I will start looking into stuff like that.

SHANE KERR: OK. And my final question is, why don't you think the authorities would just tell you that you have to use this block list?

THOMAS STEEN RASMUSSEN: Well, that is a legal sort of semi-complicated thing, but the Internet providers in Denmark are all volunteering to use the block list but they are, like, coerced into volunteering, so if they, you know, threaten to pull themselves out of it, they get threatened with headlines saying, you are the paedophile-friendly ISP and stuff like that; it's really nasty, so pseudo-voluntary but not really.

SHANE KERR: I see.

THOMAS STEEN RASMUSSEN: But I am not really a provider, so I mean...

SHANE KERR: Yes, you have nothing to lose?

THOMAS STEEN RASMUSSEN: Yes.

SPEAKER: Pat Tarpey. What is the extent of the problem? The last person's question hinted that these lists aren't disclosed, but do you have any flavour of the size of what they are trying to block? Are we talking hundreds, thousands, tens of thousands?

THOMAS STEEN RASMUSSEN: Yes, I manage the... I have sort of a double role; I manage the censored servers at my place of work but in my spare time I manage the uncensored ones, so I know how many; at the moment it's around 3,000 domains on the list. It has been fluctuating, it's been down at around 200 and it's been up at around 5,000, but they are really, really bad at cleaning up the list. When it was leaked to WikiLeaks in 2010, I think, or '11 or something, a guy from AK Zensur in Germany, which is an anti-censorship organisation in Germany, analysed the list and found 90-something percent of the domains were parked pages or non-responsive at all, and in the last few percent he found three or four sites that contained illegal content, and he contacted the hosting providers and got all of them taken offline in 12 hours, sites that had been on the Danish block list for years. So with very little action we could... yeah, yeah, it makes very, very little sense when you say it out loud.

SPEAKER: I appreciate your motive for doing what you do, and you obviously believe very strongly in it, but do you believe there is a risk, a danger, that ISPs would then be further compelled to do things like blocking off-network DNS queries and services such as yourself? Do you think there may be something that actually contributes to, if you like, an arms race where the authorities are imposing more rigorous blocking requirements on ISPs and, you know, there is kind of like tit-for-tat?

THOMAS STEEN RASMUSSEN: Definitely, I am very aware of the arms race, and I am aware, when you're talking to politicians, and at a conference in the spring with Danish Internet provider technicians, which are exactly the people we need to talk to about this, I try very... you need to control the debate, you need to control the debate; you shouldn't say DNS blocking is bad, say all blocking is bad, otherwise of course they will just say fine, we will do DPI instead, so definitely you need to have that in mind when you...

AUDIENCE SPEAKER: Carsten Schiefner with DENIC. My question is a follow-up to what Shane has just asked, as in, if I understand him correctly, using the blocking list is not mandatory but voluntary, right?

THOMAS STEEN RASMUSSEN: Yes, for small values of voluntary.

SPEAKER: So, in essence, I understand we are not talking about a strictly technical phenomenon but rather a social phenomenon, as if all the Internet service providers in Denmark would agree not to use the list, nobody could be blamed for being paedophile-friendly, et cetera, et cetera, et cetera.

THOMAS STEEN RASMUSSEN: Exactly.

SPEAKER: That is interesting. My question is, how did it start in the first place, as in, who would be using it in the first place, and no naming and shaming here, but how did it get...

THOMAS STEEN RASMUSSEN: It's easy to think how did this all start, but you need to imagine the mood and the environment these things are being discussed in. When somebody says think of the children, nobody can say, well, I think that is a bad idea; you are in a position, if you criticise something that supposedly fights or helps children or fights child abuse, then... I have been called some very, very nasty things online by people who don't understand what I am doing, and the whole debate is, like, poisoned; if we can't have a proper debate about these things then obviously we will never arrive at a sensible conclusion, so it all started basically because people, politicians especially, but everyone, are afraid to look soft on child abuse, and basically, what they are doing is almost, well, it's not fighting child abuse, at least online, it's almost helping it, so yeah.

SPEAKER: Still interesting, though, from a social point of view, because as you rightly put it, we have had exactly the same debate in Germany as well, and even back then the minister in charge was campaigning for re-election, so nonetheless, obviously for some reason or other, I don't know, that is why I find it socially interesting, Germany or the Germans have been able to fight this problem off when the Danes sort of did not, and I just wonder how to get the paste back into the tube, to some extent, in your country, in Denmark.

THOMAS STEEN RASMUSSEN: I know what you mean, I would love it if... don't get me wrong; I think Germans have a natural, inherent distrust of authority, maybe more than we do, due to historical reasons and so on, and, don't get me wrong, but if we only had that in Denmark.

SPEAKER: Hear hear.

CHAIR: We are really running over so I will have to stop there, but the speakers are going to be available after the slot is over and from our Constitution. Our next presenter is Mark Townsley from Cisco, talking about mapping IPv4 addresses and ports to IPv6.

MARK TOWNSLEY: So, hi, I am Mark Townsley, I work at a random router vendor. I am going to talk a bit today about IPv4, because we are all out of addresses and everything, but IPv4 running through or over IPv6, however you want to talk about it. My first slide is a picture of Dual-Stack Lite and the main idea around that; how many of you have heard about Dual-Stack Lite? It's a great catchy name, isn't it? Dual-Stack Lite, the basic idea is that... that is interesting. It's not supposed to do that. We will see how this presentation goes because it definitely didn't look like that on my laptop. That is prettier, thanks.

Basically, the idea: you live in this wonderful future, IPv6 deployed everywhere within your residential lines, and you create these wonderful tunnels over it up to this big, big box called an AFTR, where you track all the flows of everything; you do basically everything that Geoff Huston was telling you earlier not to do with your brand new shiny IPv6 network, and I am actually pretty... some days I am very sorry that I was area director when Softwires chartered this work, because there is a better way.

Mapping of Address and Port. It's the exact same problem space, but instead of creating some big stateful thing in the middle of the network it's stateless, so it scales dramatically better, but you have to think about it a little bit.

Now there is this other thing. The IETF, particularly in the Softwires Working Group, but throughout, has been very good at going and finding every little shade of a solution space and presenting it; there is a new thing called Lightweight 4over6, and note that the technologies that say light in them are the most heavyweight. Lightweight 4over6 is, depending on your perspective, either Dual-Stack Lite without the CGN but still with the tunnel concentrator, or it's MAP but with a very special rule defined in order to allow sort of a one-to-one mapping for a given user. So you can reach the same piece of protocol technology coming from either direction of this problem space and it sort of sits in the middle.

Imagine a world with no IP address summarisation. You could take your IP address with you wherever you went, great for mobility. But, yeah, it has scalability issues, right? Routers with 4 billion entries in their routing table, things like that. It makes things a little bit hard, so instead of trying to create that system, or continue it from before with circuit switching, we think about where the IP addresses are going up front. We try to assign them in blocks and use hierarchy in order to scale dramatically more than if we did not do something like that. So, for a subscriber network, I am not talking mobility here, you might have millions of subscribers and tens of thousands of host routes, maybe 100,000, on the equipment right there at the first hop facing the subscribers, then within the network you might have hundreds of prefixes, and finally you have maybe tens, maybe 100, I don't know, exterior prefixes out into the BGP table that represent the reachability to those users; great scaling, right? That is why all this stuff works with routers instead of big huge switches.

So DS-Lite just comes in and says, look at that beautiful IPv6 network with all this aggregation that you built; screw it. We are going to tunnel all the way over to the end and build this box that has to set up an association one-to-one with every single user that is on the network. It does not take advantage of it. There has been this talk about Dual-Stack Lite being the killer application for IPv6, and in fact it was created in a time before, I think, the engineers working on it actually believed v6 deployment was going to happen; it was before the World IPv6 launches and 6rd had allowed Free to deliver IPv6 in the first sort of large-scale residential network deployment, so there was a lot of scepticism. And, you know, wow, this is something that has to have IPv6 in order to be used, but the thing is, it's not using the IPv6; it's just another tunnel, it could be a VLAN, anything, an MPLS tunnel. It's not really using the network beneath it.

So, MAP, on the other hand, exploits the IPv6 network, the aggregation that is there. And I will try to explain how it does that and make it a little bit less mystical if you have been thinking it was too complicated.

Three-step tutorial. First thing, IPv6 to IPv4-plus-port mapping; the magic is right here, OK? We are going to step through it bit by bit. You start out with an IPv6 prefix that is configured. Everything blue is configured; it's the same for everybody in what we call a domain, all the subscribers, maybe millions, all operate within this particular prefix. You can have more than one if you'd like, that corresponds to a separate domain; it means you have two rules instead of one. So, you start out with your /42 in this example. Now you assign, out of that /42, a given home user a prefix of /56, leaving those green bits in the middle; we call them the EA bits. The rest is for the user to utilise. That is his space, his big bunch of /64s. Now, for a given block of IPv4 that you want to allocate to this IPv4-over-IPv6 service, and have the ability to share that IPv4 address between more than one user, you start out with a block, say a /24 in this example; the green now comes from the v6 address above. You have numbered the CPE with this v6 prefix because he is part of the domain, and that v4 prefix because he is part of that domain, right, and then individually you gave him those green bits and they got split automatically down, and they became part of the /32 for the home, the IPv4 host route, as well as the piece of the set of ports that the user is going to utilise, OK? Be it 1,000 ports or 256 ports, etc. I am seeing some faces. It's going to get easier in just a minute. The grey is what the user can play around with.

For this example, what do I have? One IPv4 /24 serves, rather than 256 subscribers, 16,000. And it does it in a stateless manner, no centralised CGN anywhere in this.

So, years ago I worked hard to go through that example and paint a picture with blue and green and this kind of stuff, and that helped. But then I had this student, I teach at a university, and he came and worked for Cisco for a few months and I said, you know, look at this slide from this presentation and make it come to life, please. So he took it upon himself to do exactly that. You can bring the mapping to life. And you can really visualise what we are talking about here. For example, in this particular case, I will give the user a /56 at home, and a /32 configured, that is one IPv4 address for this rule, associated with one user; they get 64K ports. That is a Lightweight 4over6 mapping rule, it's one tunnel per user. That is just a simple special case of MAP. I could, if I had a million users, set up a million of these rules, right? But then I wouldn't be taking advantage of the aggregation that naturally exists in the network below me. Why don't I take advantage of the aggregation, just like this? I move that four bits over. Now I have split up the IPv4 address into different port ranges.

SPEAKER: Clarification question: When you say user, do you mean a host or a home gateway?

MARK TOWNSLEY: Home gateway; it does NAT behind it as you would expect today. Really it's like taking the /32 and pushing CIDR into your port space. That is exactly what we are doing here. You used to get a /24 and then a /28 and then a /32; now it goes negative, /32 minus four, which is stealing bits out of the port space, but because we are doing it with this mapping in the v6, then we can route it within the v6 network and it's none the wiser, it has no idea this is happening. And we are using the topology beneath. So in this example, now, with one IPv4 address and this rule, I can serve 16 users. But I don't have to use a rule on a /32, right? I can, let's say, carve out a /20. A /20 of IPv4 space, a /40 within your v6 space, and now 240 ports? That is not very nice, 240 ports isn't very friendly. 1,000 ports each? OK. 1,000 ports each, so out of 4,000 addresses I am serving a quarter of a million users, 260,000 users. With, again, no stateful CGN going on, right? This is all stateless. You can all go out and use this; that is a server sitting in Paris where the guy worked on this, Arthur, he is off at Stanford now getting his masters, he did a great job. If you don't like using the web, can we go back to the slides? He even made an Android version; go to the Play Store and search and you will find the Android version, and the UI is a lot easier than what I was trying to do. We had to get an Apple version; the Google version was out earlier because you don't have to go through the Apple rigmarole. This one has been out for a few days, so download it, put comments on there, say Arthur is great for doing this. But the Apple version, sorry, the smartphone version I should say, once you figure it out it's cool, you can move everything around and see, you know, how many users you are getting out of your address space.

So hopefully that kind of lightens up the sort of sometimes complicated mapping, how this is all happening. So, I said I wanted to talk about three things: That was the mapping rule, that is how we get the aggregation. Think of it as slightly more complicated than CIDR; we are getting aggregation, we are thinking in advance about how we want to lay out those addresses in order to get stateless behaviour, we thought about how to put those IP addresses out there so the routers could do a much more lightweight job. That is what MAP is versus dual stack lite. So the stateless border relays themselves, they handle traffic just outside of a given rule domain, right? If your domain has one user in it, well, it's handling all of this traffic. If your domain has 250,000 users in it, it's only handling the traffic when those users go to the Internet, not amongst themselves, because you are using the routing; v4 traffic follows v6, so you are not all going up to a central gateway, another advantage.

Again, each MAP rule is similar in amount of space to, say, a tunnel entry on a box, like an lw4o6 or dual stack lite tunnel entry, but I have this flexibility now and I can say, oh, 250,000 users, whatever. It's in our implementation at Cisco, we have it running now, it will be out before the end of the year, running inside the line cards, so one blade on an ASR9K is running at full line rate, 240-gig kind of traffic, but within the line card, so it scales dramatically better than anything that requires a big stateful blade.

And it scales according to the amount of traffic and the number of rules. You decide in advance how many rules you want to have. If you want to have 100,000 or a million users with exceptions for one-to-one type service versus the port-restricted service, you can decide that in advance. And you are scaling not according to new users coming along but based on the traffic and the number of rules, so you have more to think about in advance, but it gives you a whole lot of power in terms of how you want to utilise this aggregation.

Third thing: Packet flow and forwarding, I alluded to it a moment ago. Traffic from home to home, within the homes, any kind of BitTorrent or Skype traffic or whatever is peer to peer, all happens without going through the gateways. Only when you exit do you go to the gateway. And you simply, just like in 6RD, you simply Anycast to the cloud of border relays out there and you don't care which one it hits, really; you send the v4 traffic over this v6, as Anycast, and it finds the best one.

Forwarding is handled two ways: It's partially because the IETF just couldn't decide, and it had to do with the evolution of the particular technologies. This one is encapsulation. Basically, what happens is you start out with private v4 in the home; there is always a NAT involved in this, so the NAT happens, you get your regular full range of ports at home because you have that NAT there, so nothing really changes other than the NAT has to now restrict the number of ports that it uses. You map, you encap, you decap, check the mapping, and forward IPv4, and you are off to the Internet. This is the translation version. Look at the big difference there. Huge difference, massive difference. I am being very sarcastic. Very, very similar, except instead of encapsulating v4 in v6 we translate the header from v4 to v6 and recreate it. So how does that end up looking? These are your bits, what you care about getting from this side to that side, and you start out with this and you either put IPv6 in and then take it out, or you kind of encode IPv4 inside the IPv6 and then recreate it. Pick one. It boils down to 20 bytes of difference. So now we have this MAP-E and MAP-T, and the IETF got wrapped around itself for a year or two over this last little question. The hard part, the interesting part, the mapping algorithm, that is the magic, that got decided; it's been decided for quite a long time. There were different versions, so that was really the hard part, and we sat around and complained and moaned over this T vs E thing for way too long, and there are even other versions, 4rd, 4rd-U, etc.; we explored every aspect of the solution space. Prior to the last IETF, that was the state of the world; we finally got a consensus call at the last IETF, and I will kind of explain the unique way that happened in a moment.
This is a little bit about the evolution of MAP. It started way back at NAT-PT and there is a bunch of other stuff, but you can see that MAP-T comes from this line, from dIVI, IVI; it uses NAT64, these things. MAP-E has its roots in 4rd and SAM; SAM was a grand unification theory of 6RD and 4rd and things like that, so it had different people involved, and I think that was one of the reasons why it was hard to actually come to an agreement in the end. By the time the IETF was allowed, literally allowed by the leadership, to make this call, people were already entrenched, and actually what had happened is the MAP-T and E people were going around saying no, it's just MAP, and we will do it this way or that, we will automatically negotiate it; we are going to go arm in arm saying we are MAP, that is what has to move forward in the IETF. But of course the opponents to MAP were saying, no, no, you are really two separate solutions here, you are MAP-T and you are MAP-E, you can't be the same thing, right? So, at the last IETF, video time. Is the audio working? Listen carefully.

So we actually had a coin flip, and there is an RFC that describes using this. And it's the first time I know of it being implemented, but it set up the question as MAP-T vs MAP-E versus the other stuff, rather than MAP-T and E together versus the other stuff, right? And after that, the consensus of the room, and echoed on the list, was MAP-E; encapsulation just is easier in people's minds, you are going to encap and decap rather than translate and reverse translate. Now, there are still reasons to do the translate; some people like to have ACLs inside that work, or feel like it looks more like real IPv6 traffic or whatever, and I believe that one will continue to live and will be in Cisco products. We are going to have both versions, but MAP-E is identified as the standard.

So, that is everything that I just said. We are not sure how MAP-T and forwarding and others are going to end up, probably some version of experimental, but there will be a document to look at in order to interoperate. And there have been various interop tests, and I mentioned earlier Cisco has got it, the 1K and the 9K; I believe the first is on the 9K. By the end of the year we can show demo code, and it is blazingly fast; it's wonderful.

In summary: We have been talking about IPv4, but you must deploy IPv6 to use any of this, and the cool thing is, you are actually getting something out of that hard work, right? Those bits are there; use them, and effectively you are using them to extend the CIDR into that port space of v4 so that you can give a shared address to your users in the face of this exhausted world that we live in, without any CGN or any centralised tunnel concentrator, as is the case with dual stack lite and lightweight 4over6. You can deploy this alongside the stateful technology as well, so basically your base set of users get 1,000 ports of v4 along with their v6, but you have somebody out there that has got to have 65,000 and you are not capable of delivering native dual stack; you can tunnel them back to some box and give them their 64,000 ports. So you can kind of have the best of both worlds here.

And that is it. Any questions?

MARCO: In my role as one of the IPv6 CPE survey people: this is IETF work; do you know if anything out there in the wild on CPE is implementing this, or what is your expectation regarding that, wearing your vendor hat?

MARK TOWNSLEY: I know we have, not just with my Cisco hat, interop tests, the last at the IETF and one in Japan, and a couple of reports on it. IP Infusion has it, they run on various CPE; there is public domain code from Surnet; this is being adopted in various places, and it's on Linksys's roadmap, not out yet on Linksys. But in terms of commercial availability I think 2013 is the year it's going to really start coming.

SPEAKER: Hi, my name is Bengt Gördén from Resilans in Sweden. I am not sure I fully understand all the implications of this, but for a start, what about denial of service, stuff like that? How does this work out?

MARK TOWNSLEY: What is interesting is, I am not a tinfoil hat guy, I need a security person to really answer that, but as the technology is stateless, there are fewer things to deny service against, right? It's stateless, there is no state anywhere, so once you set up all those rules it's a lot like regular IP, and every time you do the mapping, that is when I showed the forwarding, right? Even when you encap and decap, there is a check, a reverse path check on the mapping to make sure that nobody is encapsulating or translating a spoofed source or destination, so after that is in place, it's very similar in that regard to 6RD; there is always a reverse check, and since it's stateless, there is no control plane, so there are a lot fewer things to attack in terms of DoS versus CGN or lightweight 4over6.

ANDY DAVIDSON: In this post-apocalyptic, no more v4 world, we have run out of good options and can only buy bad options from now on, and this sounds like one of the least bad options, but if you are going to spend time as a vendor of CPE putting support for this technology into the CPE, there is absolutely no point putting it in there unless you have dual stack in as well, because it's still another solution that means we have to buy more and more NAT boxes, and I know you are really happy to sell them to me; I would be happier if I could buy some other things from you instead. It doesn't let anybody in the room off the fact that yes, we might buy ourselves some more time by giving our users some spongy service for a little while, but unless they have got dual stack in the home as well, this isn't a transitional technology, it's the new technology, and that would be bad. So that is my view.

MARK TOWNSLEY: I agree with you; dual stack and 4rd are in all of the new Linksys gear since World IPv6 Launch, and I think a lot more gear has dual stack and 6RD. For me, the question from product marketing is: do we do dual stack lite or lightweight 4over6 or MAP? And what has happened is there are certain ISPs that have committed to dual stack lite, and I think it was too early, because the better technology has come later. It was very similar in the IETF with 6RD: you had all these different stateful technologies and they weren't good enough, and when 6RD came we saw AT&T take the lead overnight. What I am trying to do here is to turn the tide towards MAP, because with dual stack lite I am not so sure customers are going to be happy; I don't think operators are going to be happy. Vendors might be happy because they sell much bigger boxes, but I don't think it's going to help the Internet or the services. So the fight isn't against dual stack; it's dual stack lite vs lightweight 4over6 versus MAP.

FERGAL CUNNINGHAM: I have two questions on chat. The first one is from James Blessing at Limelight Networks: How do you handle the inevitable law enforcement questions?

MARK TOWNSLEY: So the law enforcement questions are a general issue with IP address sharing. I think that in this case it's actually handy, because you have a static mapping set up between v6 and v4. So let's say you are going out and you have got some website and the government calls up and says, you know, what was this user doing at this time, right? Oh, IPv6 address or IPv4 address? Well, I don't know, I saw traffic from both, they are flipping back and forth. Well, at least for the mapped users, after you call up the service provider and get their mapping rules by court order, you know the v6s are lined up with the v4s, so the police should be happier with this than with CGN, where they have to go and correlate with time of day and port, etc., etc.

FERGAL CUNNINGHAM: The second question is from Tore Anderson: I understand that MAP would allow individual premium users to acquire a whole IPv4 address, or even a prefix shorter than /22 or /32, from their ISP. Have I understood correctly that in order to provision that to the end user, he would have to get his delegated prefix renumbered also, because he would have to move into a different IPv6 mapping domain prefix?

MARK TOWNSLEY: Depending on how the ?? maybe. That's easier. Especially with Toré on the other side of it.

DANIEL KARRENBERG: Speaking for himself. I have one question and a statement. The question is: How do you envisage the routing on the IPv4 side of all this? You say Anycast to your, whatever you call them...

MARK TOWNSLEY: Border relays...

DANIEL KARRENBERG: Would you Anycast on the other side as well?

MARK TOWNSLEY: There is no more IPv4 routing; it's IPv6 routing. At the edges in the home there is some IPv4 routing, I guess, well, 192.168.1.1, and on the Internet some BGP for prefixes, you know, but within the home it's IPv6 routing and...

DANIEL KARRENBERG: I get that. The IPv4 side of your routers or whatever you call them, your gateways?

MARK TOWNSLEY: You don't need Anycast on that side. You are attracting the Anycast traffic, the Anycast is only an IPv6 Anycast address.

DANIEL KARRENBERG: Then you have single points of failure again, because this one prefix that you have there only goes to one place on the IPv4 side.

MARK TOWNSLEY: But it's the same as any IPv4 routing; you just do normal redundancy, however you do it with your IPv4 routing, and all those routers that are collecting that IPv4 traffic for the domain all do the MAP.

DANIEL KARRENBERG: No special thing, OK.

MARK TOWNSLEY: Though Lorenzo may be correcting me, I don't know.

Lorenzo: It's stateless and therefore you can deploy as many as you want, whereas with DS-Lite it goes up.

DANIEL KARRENBERG: The statement: I like this as a former Chair of the anti-spoofing task force that we had, because if you actually do this then BCP 38 is built in, right?

MARK TOWNSLEY: Exactly.

DANIEL KARRENBERG: So my plea here is, if you implement this and you actually do it for IPv4 by design, please make sure that you don't allow address spoofing in IPv6 operators, please.

MARCO: Quick clarification on your answer to James Blessing in terms of law enforcement: on the IPv4 side you still need the source port in order to find the right user, right?

MARK TOWNSLEY: Yes, from the website or whatever, you need the source port because one IP address has many users, but at least it's a static mapping, generally static; I guess you could change it, but it would be kind of silly. But even if you don't have it, it's pretty easy, relatively easy, to be able to go to the law enforcement guy: that maps to one of these 16 or these 32 or these 128 users, and then hopefully you have more information before you go and start arresting people.

CHAIR: Do you guys have brief questions?

FERGAL CUNNINGHAM: Just a follow-up from Tore Anderson; he says: I also assume that the end users can only use TCP and UDP through this. Is this restriction lifted if the user gets a whole /32 or more?

MARK TOWNSLEY: Yes, I think it is, it is lifted; very good point to put in the RFC. We can use the identifier to figure out where the packets go. So you get TCP, UDP or ping or anything else you can port-split. That is a good point.

CHAIR: Thank you, Mark.
(Applause)

Next up are lightning talks.

BRIAN NISBET: So we have three lightning talks, four speakers and this goes for all of the session, you have ten minutes. This is for your talk and any questions you want. After ten minutes, a large bald angry Irishman pulls you off the stage. First up, we have Philip Homburg.

PHILIP HOMBURG: I work for the RIPE Atlas project and I am going to just show a few exciting results we got, and this is a lightning talk so I can skip all the details that we have and try to get you to come to our BoF on Tuesday, so this is actually just an advertisement.

Well, for the people who don't know what RIPE Atlas is: we distribute huge numbers of those tiny black boxes, we have more than 2,000 worldwide, and at any given time there are slightly fewer up. And they can do measurements. And so we are trying to do more interesting measurements; we started out with just a few things and now we can actually programme the whole thing, and this is one of the things that came up. It was basically that there was a reserved prefix, 128/16, because it's the first class B and that is really exciting, and Juniper took that seriously and said you should not route this prefix, we build it into our routers, and then the IETF or whatever said at some point, well, maybe there are better uses, and keep it reserved, and then there was the problem that not all operators are all that quick at updating firmware, so they were still blocking this, and RIPE NCC got this prefix to assign to members, and then the question I asked: What can we actually do, is this damaged? So we put in some measurements in RIPE Atlas, started creating some graphs, and then we saw, well, yeah, there is an issue. The top line, the purple line, is the reference line, that is a completely different prefix but announced the same way to verify our announcements are actually getting anywhere, and it looks like it works. It started out with something like 70% of the RIPE Atlas probes being able to reach the two tests that we did in 128, and, over time, also as we were calling ISPs, that got better, and then unfortunately we sort of ran out of IPv4 addresses so we had to give it to customers before we actually reached a very high rate. But that is life.

So then the next thing is that people are playing with IPv6, and we had some sort of IPv6 launch day, and it was: well, does this IPv6 stuff actually work? How far do your prefixes propagate? If you are a member, you just type any IPv6 address into a very small web form, we schedule it on Atlas and we give you a huge amount of JSON back, and that is with traceroute data, and then you can analyse your situation, and some people actually went for that and did that. But then we also thought, well, we should maybe make it a little bit easier for the users to look at it, and we created this visualisation, so you have your target in the middle, in this case something, well, I think it was RIPE, and then surrounding that, all the closest hops to you, and further and further, and so you can see how your traffic is flowing, and because we have a gazillion probes, you get a fairly detailed map of how traffic actually reaches your network.

Then this is for the successful cases, but we can also do the complement, the unsuccessful cases, so you can look at this visualisation and say maybe I have to talk to these ASNs to get my routing fixed somewhere; unfortunately in this case there is not a lot to fix.

Then, moving on to a completely different topic, and that is that there is actually also DNS traffic that goes over TCP, and that has been neglected for a very long time, and now, well, some people said, actually, could you tell us something about how well that is working? So we started measuring TCP performance of the root DNS servers and created a visualisation of that for you, and that looks like this, and this is very interesting because the theoretical optimum would be a factor of two, because you need two round trip times for a normal TCP session compared to one for UDP, and this is K-root, and of course we always look at K-root, and it turns out K-root is somewhere between two and a half and five. And well, then the next question: Is it a measurement error? But it turns out some other root servers are doing a little bit better. I don't have time, so I now skip why this is.

And we can move on to the next, and that is again taking the same data but looking at it in a different way. In the previous one we said this is how it's geographically distributed, and this is more a statistical analysis where we present all the root DNS servers in one convenient format, and if you, for example, take K-root and you compare it to the one just below, then you see that K-root tends to be sort of around three and in, say, J and I-root it's more like two, so also here you can see that there is really something going on, that apparently different root servers have different behaviour when it comes to TCP.

Then, we got another completely different question, which was also very interesting, and that is: is there any kind of spoofing going on? So we started measuring one particular domain and sort of looked at, well, what answers do we get? And then it turns out that apparently, sometimes you get weird results, but this is still coming soon, so this is also to get you to go to RIPE Labs, and hopefully the article will show up there.

Now, I have this page, and I have probably plenty of time for questions.

BRIAN NISBET: Thank you very much.

(Applause)

Lorenzo: I like your modification in DNS; if you don't already, can you implement takes-away of AAAA records, because there are networks that do that and they don't know how many they take out; nobody knows, but you can know, and nobody else can measure this.

JIM REID: Just some random guy off the street. When you are going to be looking at the DNS traffic that is being modified in transit, is that going to be checking that it's the packets that are being transformed, or could those changes be made by the resolving server that the Atlas probes are using? Are they querying the root servers or the name servers directly, or are they going through an intermediary to do the resolution?

SPEAKER: Well, we can schedule both types. If you want to know, you ask the resolvers, and if you want to know what sort of hidden boxes are silently translating, you ask the authority servers directly, and if you get an answer back that is not what you expect, then you know there is a hidden box.

JIM REID: I realise that, but it's a case of where is this transit or this, the changes to the packets being made? Is it being made in that local resolving server or elsewhere on the network?

PHILIP HOMBURG: We cannot tell where the box is. We can only say from this probe to that server there is something doing something nasty.

BRIAN NISBET: Thank you very much, Philip.

(Applause)

So next up we have Alain Bidron, with an invitation to the ICANN GNSO ISPCP, and he is going to explain what all of that means.

ALAIN BIDRON: Just a very short invitation to the ISPCP within ICANN. Most of you are familiar with what ICANN is, so I won't present ICANN in very much detail. ICANN coordinates the global Internet's unique identifiers and their stable operation, including IP numbers and protocol numbers; it is also involved in domain names and specifically generic domain names. ICANN has three meetings per year, touring all around the world, five regions.

This is the ICANN organisation, a complex one; you are aware of this one. We are talking about this one, the GNSO, where the ISPCP is located, here. So what is the GNSO? It's the Generic Names Supporting Organisation; it is responsible for developing policies relating to gTLDs, and this is, like RIPE NCC, a multi-stakeholder approach with two main stakeholder groups: the bodies, companies who are contracted with ICANN, mainly registries and registrars, and all the stakeholder groups who are not contracted with ICANN: IP holders, business users and ISPs.

So, not in too much detail here. As I said, we are part of the GNSO, two houses, the contracted-party house and the non-contracted, where we are in the non-contracted, and we are here. We are the business constituency, intellectual property and Internet service providers in this part.

So, the membership criteria for the constituency is to be ISPs, carriers and associations of those. It's you. This is why I am here, to present this very specific part of ICANN and to invite you to participate in this policy work.

So, if you think you are impacted by what happens in this new environment: you know that many more would be introduced into the root DNS zone in a couple of years, for some next year. Are you familiar with the details? Is it impacting you? I guess so. So, if you want to be involved in the policy development of this environment, you can join the ISPCP and you will be involved in that policy-making process and our unit.

To contact us, you can ask me, you can send me an e-mail, you can send an e-mail to secretariat at ISPCP dot info. The next ICANN meeting, the next physical meeting, will be in Toronto, Canada, in October 2012, and the following one in Belgium, so you are invited to attend those physical meetings, and we always have remote participation possible within those meetings.

Any questions?

BRIAN NISBET: Are there any questions? No. Thank you very much.

(Applause)

Five minutes under time. I highly recommend this for lightning talks. Our last talk this afternoon is from Xavier Misseri, on enabling inter-domain path diversity.

XAVIER MISSERI: First I would like to apologise for my accent, so thank you for writing all that I will say. I will talk about the inter-domain path diversity of the Internet, part of my PhD work; I am a student. I work with vie van in Austria and John lieuy in France. This work has been published in ICC and in Networking.

So, I am here to get your feedback, here, right now, or after.

So, the goal: when you are an autonomous system, a network service provider, you get several BGP routes, announcements, and you select only one route because of the BGP decision process, and this prevents you from using several routes for your own criteria. In the end you can modify a little bit how it selects the routes, but it's a little bit complex; you cannot do whatever you want. So, the goal is to make a proposition, and we want to allow network service providers to use this diversity and make them store the diversity, the diversity already received, because you are already receiving it, into a database; it could be centralised or not. And if you receive a packet to go to a certain destination, you could ask; conventionally you would use the BGP best path, but our proposal is to ask the database to forward the traffic on a path that is not the BGP best path, so you encapsulate the packet. So you encapsulate the packet here. And the IP destination of the encapsulation is the address of the router of the path you want to use. So, in the end it encapsulates and forwards to the destination.

We want to first forward on the correct path, the path you want, selected with your own criteria, because as the path diversity is centralised, you can select with your own criteria based on perhaps stability or price or, I don't know, perhaps congestion in your network. And second, we would like to forward on the path, and we want to use LISP, which is almost standardised, a Working Group in the IETF, and in this almost everything is already there: I mean the database, this is a mapping system; the protocol by which we ask the database; the way the cache is performed in the router; and the encapsulation, which is an IP encapsulation but kind of modified. And what is interesting, as in the previous presentation, is that there is no state. You will have no state in this router, and you can have some in this router because you have to store some additional kinds of routes.

So what we would like to do is this: a service provider stores all its diversity, external routes, into a database, and this database would be shared with its clients; its clients could have a mapping database, and if the clients would like to use a route and not the BGP best route, they encapsulate the packet, and the packet will be decapsulated at the exit point of the network service provider. So as it is IP-in-IP encapsulation, there is no issue; you don't need to change a lot of stuff. Nothing will be changed inside the network. You can have some change in the ASBR router. So this network service provider can offer added-value services like choosing the routes, but it doesn't have to negotiate with the neighbouring domain. So it can do it on its own. So we have centralised diversity storage here. With BGP you can perform advanced route decisions with your own criteria, stability, loss; you may want to have the path where there is no loss. And you can propagate your own diversity to your sub-clients, but you can filter. Here, you are not obliged to propagate everything; you filter according to what you want to sell to your clients, and you can do it according to the identity of the client. I mean, if you have a network here, you will sell him, for example, some routes that you will not sell to another client on a different network or a home network. This is incremental deployment because it relies on LISP, and that is almost already implemented, it's in some existing routers, and this is IP-in-IP encapsulation.

So, then we want to implement such an architecture. I have to say that we are in a school or in a research centre, so we want to do it for the research. We want to try to generalise such an approach to path diversity propagation to all the domains, but to transit domains too, like you are a transit domain and you want to propagate your own diversity to the transit domain, your neighbouring transit domain. This is ongoing work. And in the end, I am here to get your feedback, here or out there, and I want to know if you are interested, if you have in your head some use cases, some deployment scenarios; we want to make a test-bed, so if you are interested in participating with research centres and universities, and perhaps you have already tested some technologies that we use like LISP, or if you see some deployment issues. Thank you, sorry. I thank you for your attention.

(Applause)

BRIAN NISBET: Are there any questions for Xavier? No. In which case, thank you very much. Just a couple of things to announce before the end of the session. First off, please rate the talks. Rating the talks lets us improve the quality, although obviously we have had a fantastic start to the week, but improve the quality of the talks, and it is much appreciated. Plus you can win prizes. Ratings make prizes. Submit more lightning talks. We have some submitted this afternoon, thank you very much, but we have a lightning talk session tomorrow and then one on Friday, so there are still spaces there. And finally, there are some BoFs this evening, which, when I find this particular website again, and I picked the right one, so there are two BoFs this evening, starting at 18:00: there is the open source round table, Quagga and BIRD, which is in the round ballroom next door, and then there is the RIPEstat demo, which is in here, starting at 18:00 as well, so we encourage lots of people to go to those. And importantly, the social event at 19:00, which is in the conference floor area outside, so it should all be very obvious at that point in time. And if there are any speakers who are speaking tomorrow morning and they are in the room, if you'd like to pop up for just 30 seconds here to make yourselves known to the Programme Committee, that would be very useful. Thank you very much. Enjoy your evening.

(Applause).