RIPE 89. 2pm. Main hall.
ROB EVANS: Good afternoon everyone. Hope you have all enjoyed your lunch. My name is Rob Evans and along with Janos, I am one of the co‑chairs of this, your favourite working group, RIPE NCC services.
So a little bit of housekeeping first. After our working group, we'll go straight into the general meeting, if you haven't picked up your badge yet from the counter next to registration, please do so because we'll have to clear the room and you won't be allowed back in until you have got your little GM badge.
The agenda for today looks a little bit like this, the admin is what we are doing now. Mention the co‑chair selection process. Then the presentations are very much focused on planning so planning for registry, planning for information services and external engagement in community and planning for organisational stability, we'll have a bit of time hopefully at the end for AOB.
A few thanks first of all, thank you to the scribe, doing the scribing, our wonderful steno Tina who will be trying to keep up with everyone's acronyms and language and Hans is going to be monitoring the chat and if you have any questions.
So and if there's any comments on the agenda, we will take that as final. We sent around a link to the minutes from RIPE 88, there were I think there might have been a couple of typos that were noted and corrected and unless there are any objections now, we'll take those as final.
No. Thank you very much.
And on to the co‑chair selection process. So four weeks ago we had an announcement asking for volunteers to be co‑chair of the working group, one person stepped forward, Stefan Wahl, nobody else stepped forward, there's been no objections on the list unless you wish to make some now, I'd like to thank Stefan if you want to step up for stepping up literally and helping us chair the working group.
(APPLAUSE.)
Thank you very much Stefan, of course as one person joins, that means one person unfortunately leaves, I want to make a quick note to say thank you very much to Bijal, so Bijal has...
(APPLAUSE.)
Bijal stepped up to co‑chair this with Curtis. RIPE NCC services was formed from the old LIR working group back at RIPE 46, Bijal was as you can see from the notes, the minutes there from RIPE 47, appointed as co‑chair one meeting later.
Curtis stepped down two meetings ago, this actually means that Bijal has been co‑chair of NCC meetings for more years than Curtis was. So I just want to say thank you very much to Bijal for being ‑‑ for co‑chairing and encouraging me to step up and help out when needed an extra co‑chair, and let's see what we can do in the future, thank you Bijal.
(APPLAUSE.)
So, I shall stop talking now and hand over to Hans Petter who is going to start the presentations.
HANS PETTER HOLEN: Thank you, Rob. So I got this microphone today so I could move around and that slide just reminded me that before this working group, services working group, there was a local IR working group. And yeah, I chaired that working group until it was split into Address Policy and Services Working Group and then I chaired Address Policy Working Group for some years. So this makes me feel really old.
So I am here today to talk about the registry, I am Hans Petter Holen, and you know as Managing Director and CEO of RIPE NCC, I am acting as Chief Registry Officer, we have a job out for chief registry operations officer to fill the space there but for now, I am filling that position as well.
The registry in RIPE NCC consists of three departments, three areas, we have the registration services, who keeps track of all the numbers, the resources. And then we have member services that keeps track on all the members. And these things are connected because we assign resources to members, right.
And then we have a registry monitoring team that kind of makes sure that everything is accurate and follows up on through ARCs, assisted registry checks, or investigations so I will go a bit more into details there.
So just to give you a view of what's inside the registry, I am techie by part, I have to give you an overview of the technical part here, we moved the technology, the software engineering from the registry department to a joint technology department and the next presentation here is by Felipe, he will talk more about the plans there but just to give you a view of what's behind LIR portal you use to modify your resources, the information about you, the resource holders, about your number resources, there is a ticketing system, there is our internal control room and it's the registry as such.
We have over the last number of years introduced online ID verification, we use a technology provider for that, we have a direct sync with companies registries through a third party and we are doing continuous sanction screening of all our members and we, of course, have your favourite system, the billing system that we send you invoices once a year so you can pay us to do our job.
And the output from this system, you can read either in the RIPE database publicly available or in the standard delegations file. So that's kind of the very high‑level overview of the inside of the technology in the registry.
And the reason I am showing you this is that the complexity here has increased a lot over the last five years.
So, how do we measure success in the registry, we care about you, we care about our customers, we use industry standards like the net promoter score, ask you when you have closed a ticket can you, how likely is it you will speak highly about us to others, on the scale from one to ten and then we use the NPS method to get the number, the percentage of nines and tens versus the percentage of the detractors, one to six, and we then get the score of 83 for the last quarter. And this is consistently high in the above 80s which is extremely good.
So that is, you know, how we not only measure this but we also use this feedback. But because we do more than just asking this question, you can fill in why and you can give us feedback and we use that in the learning. Both the negative ones and also the positive ones so we can see you know on the highest scores why did we score high and we can learn from that.
The other question we ask is that how easy was it for you to get your problem solved, and here we score six and a half on the scale to up to seven. Which is truly amazing. One of the things when you are a customer that you care about is actually getting an answer and you want it now, so we have an internal target that we want to give you same‑day response, and hitting a target of 99.1% is really also in the high one, we have set a target that high, but you would normally think that you should maybe use an 80‑20 principle on this. But I think it's really important that we have an internal drive in order to make sure that we do respond the same day.
So Registration Services, the first department, what we are going to focus on there next year is automation. And of course this is something that we need to work closely with the Registration Services on and the big focus area going forward is not the members but the so‑called end users. The holders of provider independent space which we also need to monitor and understand whether they are on sanctions lists and we need to automate this process as well. And Marco says this will actually ‑‑ this automation means we will lower costs, now that we want to do by shifting these people into more interesting tasks and in‑depth investigations where we need humans rather than things that can be automated. We also have work on improving the way we record registration data and the updates and centralising records in the system.
And I think if you were here this morning in Address Policy, I think some of the things that Remco brought up is really something that we should think about also for the sake of making it easier to maintain this set together. We are responsible for maintaining the core registry, you are responsible for maintaining all your delegations in the database, and if there are too many choices, this gets complicated and maybe not accurate.
What we have also done every second year, first four years ago we did an audit with an external firm, EY, on how we do sanction screening, both on the ‑‑ how we follow the processes but also if they were fit for purpose. And we did one now at the beginning of the year for transfers. We plan another one at the end of the year to have external reviews of what we are doing and that's also feeding into a culture of continuous improvement of processes.
And as you can see here, we are around 20 people ‑‑ I just went back ‑‑ 20 people in this department and this is mainly staff expenses, it looks here that we are increasing it, but that's comparing to last year's budget and the budget was one‑off so it's really steady state on this department.
The main driver in this area, if you look at the right half of this pie diagram, is transfers. Regular transfers at the top, inter RIR mergers and acquisitions and then you dive into legacy which takes ‑‑ it's a small piece here, 1.5% but investigating and figuring out whether it's the legitimate holder of registry takes proportionally much longer time, showing proof that you are representing the same entity that got these resources assigned in the 80s, that's a tall order.
Now PI sponsorship is also a big chunk here and this is also not a one off. I see proposals of why don't we just do a one‑off fee for PI. Well, we need to maintain our customer continuously, it's an ongoing job with us, we don't have a direct contract with them, that's our members' responsibility to maintain those contracts and that may not always be well understood and there is a lot of discussions around this.
ASNs, we have talked about ASNs and charging for ASN numbers, AS numbers to the members is not a big deal to keep track on, ASN numbers when you go to private persons and private persons in different countries, that's a much harder job to keep track on and they also receive resources from the RIPE NCC and we need to know those customers and keep track on them to make sure they are not sanctioned.
Then we still do some allocations and there is a big chunk of other questions and you can see a tiny bit of questions regarding RPKI here which is kind of good that it's so easy to use maybe it's a bit sad more people don't ask questions about it and deploy more.
Moving to member services, the big focus there now is improve the billing process and that's an ongoing thing.
We had planned to send out the invoices for next year as early as possible in January and I would like, urge everybody to pay their invoices as soon as possible so we can be done with billing and do something more interesting. We also carry out verification checks on members and update their contact information. And we are now working on further enhancing our online chat service, which has been very popular and I think takes like 5% of the ticket load or something right now.
And we have also started a broader procedures to look to ways to optimise them by making the procedures and processes smarter but also see if we can automate some of those.
Looking at the pie chart here, you can clearly see more than a third is actually billing tickets and I will talk a bit more about that. And a third of those again goes to finance for updating in the finance system.
RIPE database, general NCC questions and we have some automated registry follow ups and so on which are manual tasks from some of the automations that we need to follow up on manually. Some of the automation we do is not perfect, it's not a hundred percent automatic, it causes tickets to come into the system that need to be followed up. And you can see here also 8%, so kind of one person out of the team ‑‑ one person works constantly following up on the information. And if you heard me yesterday, we are going down from more than 6,000 tickets a year to the steady state now. So it's been quite a lot of work to get this pretty simple community ‑‑ well, the decision wasn't that simple from the community ‑‑ to verify Abuse‑C contacts but it's, you know, it's costing us millions to implement such things over the years.
Billing. So I compared the numbers from finance and the numbers from the ticketing system here. And as you can see in February, that's the due date for the invoice, that's 30 days after we have sent the invoice, then you are supposed to pay. If this had been Netflix, your screen would have gone dark on that date, right.
No, the RIPE NCC is very nice, we think that, oh, maybe you haven't received the invoice, so we send a reminder and we send you a final reminder. And then after sixty days, we put a banner in front of you in the portal and we also send emails to everybody in your portal in case your billing contact has been on vacation for a couple of months, after 90 days we block access. And there's quite a lot of tickets going on after the due date. If everybody paid on the due date, we could you know save a couple of months of ticket working and do other interesting stuff.
So next year, the board decided that we will move the portal blocked from 90 days to 60 days to really push you into, please pay before we do any work for you now. I saw somebody suggesting they should get a discount but you know, it really works the other way around, we have served you for a couple of months without your payment, so please pay.
New chat, you can see that's been a success, we had an older chat before when we started in 2021 up to now, it's really three and a half thousand tickets we expect this year, and with the recent update now you can select the subject and get directly to the group of people that are experts in this so that you can get better and quicker response to your ticket so we are really looking forward to see that.
Registry monitoring. So main thing the accuracy of the registry, what does that even mean. That means that somebody needs to check that from time to time, right. And we need to check that it complies with the RIPE policies and RIPE procedures. So you the community make policies and we then need to make procedures and how to implement that and we need to check from time to time that we do that, we do that through a system, the registers checks, and here in this budget, we are planning to add one person to the team so we will increase it from that but we are also automating this, so we have just released internally automation of the system that we used to do ARCs and the next step is when this is in a steady state to look at pushing it into the LIR portal so you can do a self‑service request. Part of the concept behind us is we actually talk to our members, email, phone, to stay in touch with you and maybe other things are popping up as well that is worth looking at so we don't want to completely automate this but if we can do registry checks more often, currently the target is everybody, once every fifth year, I think that would be an advantage to everybody.
I mentioned sanction screening, the continuous review of how we are doing that and streamline this is important and in this part of the budget there is also some of the software subscriptions for the back office and staff expenses here are only 84% but as you can see this whole area is heavily driven by personnel cost.
Looking at the pie chart, it's much simpler, it's ARCs, two thirds and then it's registry review, which is what you can find in our contact form, violations of RIPE policies and procedures, people actually go there, click and report that and then we investigate. Or reporting incorrect information in the RIPE database, well, the typical report is that this Abuse‑C contact doesn't work, right. That's kind of the workload split in that team.
So, I did mention a couple of times no closing of members, that's not specifically in this team but across all the three teams. And more than 80% of the closures we have are initiated by the members. And why would the members leave us, it's not really the members that leave us, it's the closure of an LIR, the title is wrong, it should be closing LIRs, I see that now. But that's because of the weird policy we have that, no, you can only get one block, so you have to open another LIR, so why have we created this complicated thing that causes a lot of work for us in both opening and closing, I think that's a good question for Address Policy to see if we can revisit that. But going back to why does the RIPE NCC initiate closure, the vast majority is nonpayment of invoice, if you don't pay, we will eventually close you, it took 120 days according to the other slide.
Then 2% bankruptcy, 12% stops responding. So if you stop responding and over a long period of time we are not able to reach you, we will eventually close you and reregister your resources because otherwise those resources would be up for hijacking.
And then unfortunately we have 5% we closed because they support ‑‑ submit untruthful falsified documentation.
And then half a percent due to incorrect information being registered.
And this untruthful information after the board resolutions in 2013 and 2017, we are reporting those to the authorities, currently we report that to the Dutch police and you can see that in 2024, we have now already hit the same level as we did in 2018. And it's an interesting question: Why the huge increase? Is that because there are more, there's more fraud going on or because we are better at detecting it, that's a good question, I think it has been increasing, it's also interesting to look at where the fraud comes from. I didn't put in the name and shame here but top one on the list, we don't know whether the fraud comes from that country but the members that are targeted or the LIRs targeted, they are in the UK.
So why do we only report it to the Dutch police? Maybe we should report it to the UK police and have them do something. I just spoke to a colleague from ARIN and for him it's much simpler, he calls the FBI and they actually take action. So I think that's something that we consider because we as a registry, we can't just sit there and accept attempted fraud being taken for resources that could be worth potentially millions.
So this is getting from funnily engineering into serious business unfortunately.
Sanctions investigations, you have heard about this for a long, long time. We are then monitoring and getting sanctions, it's partly on members and partly on end users, that's the PI space or individual ASN holders and there is a tiny bit of investigations that we do on inter RIR transfers, we do sanction screening on all our vendors and consultants and so on. So this is something we systemically take very seriously. Violating EU sanctions is a criminal offence, it could ultimately put me in jail and I don't want that. Out of the 1600 automated sanctions alerts we get, we end up with 12 sanctioned entities. And you can see the breakdowns here. We still have a backlog of 270 something that we haven't started, but there's 1333 that we have verified that are not sanctioned because this is ‑‑ somebody with a name in Cyrillic being translated into Latin and then in a database it may be a match and we need to check that it was or it wasn't and it may not be the company or the person but it may be the company that owns the person or a board member of that company or their owner or their owner, it's not a trivial process and, yes, the matching is automated but not the conclusions.
Accuracy of the registry is something that pops up. We did ‑‑ we started to look into this now and this is going to be a focus area for next year.
As a side effect of the sanctions project, we are mapping, matching all of our members automatically to business registers, we do it through a third party that has electronic connections and matching with business registers in different countries across the globe. 96% of those, of our members, are matched there.
So what about the 4%? Well, if you look at our mix of members, you will see that 2,000 of our members, they are natural persons, they will internationally not be in a business register, if I take them out 99% of the businesses are matches, that's a strong indication that the information we have about them is correct, it's not a guarantee and the missing ones, there is that may be an indication we need to look into them and we are investigating those, it doesn't mean that it's wrong but this gives an indication that the accuracy of this part of the registry is pretty high.
Something that's not so good is on email addresses where we know that almost 4% of the email addresses in the registry that we use, they bounce, so we need to dive into that.
We have verifications of Abuse‑C, but unfortunately we didn't implement that across all email addresses. And that is something that we look into to see how we can use the same method and technology to make sure that both billing addresses and organisation addresses and all the registry contacts are also verified, so if emails start bouncing we need to contact the registry to make ‑‑ the member to make sure it's updated.
And that's the last slide of my presentation. We want to make sure that we shorten the reverification process next year, we want to automate procedures and maintain high‑levels of ticket resolution, provide more multi‑lingual support. And just to give you a peek into these five, five and a half million that the budget here is, roughly half a million of that is actually business licences, plus staff training, travel and so on and the rest is cost of staff. So then back to you:
(APPLAUSE.)
ROB EVANS: Thank you Hans Petter. Do we have any questions in the room? Or remote, on the chat?
HANS PETTER HOLEN: No questions! Really?
ROB EVANS: Hans will be back on stage later, you have got time to think.
With that I would like to hand over now to Felipe who is going to talk about planning for Information Services next year. Thank you Felipe.
FELIPE VICTOLLA SILVEIRA: Good afternoon everyone today I'd like to share our planning for Information Services for next year.
I'd like to start my presentation with the main objectives that we have for information services next year. The most important one is to ensure the security and compliance of our services. Coming second is support in the registry to improve accuracy and efficiency. And then it's support the organisation to make decisions based on data. And finally it's to keep our costs within budget.
And you are going to notice that these objectives set a tone for the rest of my presentation.
So what I'm going to do now is go through activity by activity and share the main objectives for each activity starting with the LIR portal, first a short explanation what this is about. I am sure most of you have interacted with the portal in the past, it's an in‑house built tool where you can manage your resources and also update your registration information. It's closely integrated with the RIPE database and our ticketing system and the registry software, and these activities also include the operation of the registry back end and many of the internal services that support the operations.
Like, for example, single sign‑on, RIPE meeting software, GM software and so on.
We have three main objectives for this area for next year. The most important one is enhance the security of the services, and we are going to do that by standardising the SSO protocol to use OpenID Connect, enable security‑related features like, for example, better protection against leaked credentials, and finally improving the security for internal and external APIs. And that's linked with phasing out MD5 hashes which is an objective for the RIPE database I am going to talk about in a minute.
The second goal is to improve the registry accuracy and efficiency. We want to do that by automating processes and also by improving the UI and UX of the LIR portal. With the main goal to make the updates to the registry easier.
And finally supporting the organisation to make decisions based on data. So that's about implementing a data warehousing tooling to be used by the rest of the organisation, we have started this process this year and are planning to carry out in 2025.
Internet infrastructure. So here we have three activities, RPKI which is a certification system that allows network operators to prove they're legitimate holders of IP addresses and that's a tool that's used for router security. RIPE database which contains public information about IP addresses in our service region, it's the public facing part of the registry, if you will.
And finally DNS in our case includes provision of reverse DNS services for the address that we manage. Plus secondary DNS support to the reliability of the reverse look ups. As part of DNS, we also operate K‑root, which is one of the 13 root‑name servers of the internet.
Let's start with RPKI first. Our top objective is ISAE 3000 type 2 compliance, it covers controls for data security, availability, processing integrity and confidentiality. The type 1 audit, which is the one that we just got basically assesses whether the controls are operational. Which means that we have implemented all the relevant controls. And type 2, which you are going to get one year from now assesses whether we have been implementing these controls over a certain period of time. So in between the two audits basically. NRO RPKI programme: the goal here is provide a consistent and uniformly secure RPKI service across the five RIRs and it's a joint programme we are doing with the other RIRs.
Finally improving the usability and functionality of the service, that's about enhancing the ROA history and enhance ROA history insights, supporting new RPKI object types like ASPA, and finally improvements in ROA and ASPA operator support like having realtime BGP information, we do have BGP information in the RPKI dashboard, you can see the announcements for your prefixes there, however the information might be up to eight hours old, we want to get something closer to near realtime.
RIPE database enhance the security, that's a top goal. We want to phase out MD5 hashes, they have known security vulnerabilities, and we want to replace that with API keys. So many of you who have provided feedback about our approach ‑‑ and it's a delicate balance between ease of use and security and we are going to have to make a choice, we lean towards security. So if you have questions, feel free to approach me, go to the microphone, and my colleague is also around, feel free to approach him.
Improve service resilience, about improved resistance to DDoS attacks and modernising the deployment and management of our applications, that's done through containerisation and the use of Kubernetes, and finally implementing the latest IETF standard, improvements for RDAP and NRTM version 4.
And the idea here is we keep the RIPE database searches consistent with the other RIRs.
DNS and K‑root, the main goal here is keep it solid and stable, we carried out a number of out‑reach activities to increase the number of K‑root nodes and we are going to continue doing that next year.
Sunset ns.ripe.net service, we have started a process in the last RIPE meeting, my colleague presented in the DNS working group about this and we are planning to complete the sunsetting in January next year.
And if you have more questions about it, my colleague Anand presented in the DNS working group this morning so you might want to watch the recording or see the slides.
Internet measurements. RIPE Atlas is the leading internet measurements network that provides information about connectivity of networks worldwide. RIPE stat, which is a web‑based application, that provides current and historical information about internet number resources and finally RIS is routing information service which provides source of data about the state of routing worldwide, both current and also historical data.
So we are starting with atlas, the main goal is increase the value of atlas to our members, we are going to be looking into information we already have, also information that we can potentially collect in order to provide insights on the networks of our members and then display that, for example, in the LIR portal.
The other goal is implement known use cases, to look into things like connectivity debugging and network monitoring and how we can best support that either in the UI or through APIs.
RIPE stat. The main goal here is improve the UI and UX of the service, based on some user research that we did early this year, we have decided to decommission what you call the new UI which was built in 2020 and consolidate everything that we built earlier on in 2013, modernising the stack and looking at the user experience and so on. The ultimate goal is make a nice UI for all of you.
And restore historical data. So it's a lot of content here to cover in a small bullet but in essence due to the exit of the data centre, we have to move dataset around and unfortunately some of the historical data will be unavailable during a certain period of time and we are in the process of restoring that. So there's an availability that will only take place once you complete the migration which should be done in about a month's time. We are going to publish a labs article giving more detail why this is the case and what you can expect going forward.
Finally RIS, the main goal here is to modernise the RIS data storage, the main goal is ensure we have a cost effective solution to store historical data. So to do something similar that we did for atlas but this time for RIS, this will be a huge project for RIS for next year.
In parallel to that we are going to focus on data quality, continue what we are doing with our peering strategy in looking for peers in geographical areas not covered or other relevant networks.
IT support. So in the activity plan, IT support is a single activity, internally, we have two different teams, IT engineers which provides the back‑end infrastructure in the network connectivity for the internal and external services of the RIPE NCC. Like RIPE database, RPKI, etc.
And IT support which manages the support of the RIPE NCC internal services like applications we use, hardware, laptops, the meeting room infrastructure and also the excellent technical service that's provided during the RIPE meetings.
We have three objectives here: Enhance the security and compliance, so that's about implementing the ISO 27001 certification and ISAE audit and there's a lot of compliance work going on. Modernising our infrastructure, containerising our applications and doing the lifecycle management of the hardware in the data centres. So basically replacing old hardware with newer faster and better ones.
Cost reduction. That has been a big focus for this year. And it will continue being a focus for next year. We are reducing the data centre footprint from 46 racks, what we had at the beginning of this year down to 22, which we are going to have by the end of this year and further down to ten by the end of next year.
So in terms of cost savings, this is 850k, but we budgeted for 2024 and it goes down to 360k in 2025. And the budget for 2024 already included some of these cost reductions. So it doesn't refer to the 46. There will be higher costs associated with this migration, however at the lower base, so we expect to have net savings in the end.
So it will be around 200,000 euro less by doing this change.
Since we are already talking about money, let's continue.
The budget for Information Services next year is 12.2 million euro, that's a 1.6 increase, when comparing to the 12 million that we had in 2024. Most of the services are basically stable in terms of cost, for example RIPE database, DNS, RIPE stat and RIS, give or take it's pretty much the same.
Now where we have differences is on the LIR portal, we are increasing by two FTEs and we are adding one extra FTE in IT as well and that's basically a replacement for long‑term consultants that we have and these would be a cost neutral operation and these are the last long‑term consultants we have working in Information Services, so we won't repeat this going forward.
There is also a reduction of 400,000 euro in RPKI, that's mostly due to consultancy costs that we had this year and the years before to implement ISO 3000 compliance framework and these costs are no longer necessary and also the service has been pretty stable last few years so there is no need for further investment.
The IT support costs also got reduced due to the data centres downsizing and Atlas increase. But it's mostly a shift of infrastructure costs that used to be in IT support and now they basically moved through Atlas. We are expecting something similar next year, we are going to see a further reduction in IT support and an increase in RIS so then you can see in each activity how much exactly is being spent.
So that was pretty much my presentation. The key takeaways, we are particularly looking into security of our services like focusing on LIR portal, SSO and RIPE database, and a lot of this involves complying with international standards. We are also improving our work processes like for example by introducing automation in the LIR portal in the registry procedures and in the main goal here is increase efficiency and finally focus on improving the user experience from several services like LIR portal and RIPE stat and also continuing to modernising our data storage and infrastructure behind several of the services and we expect that this project is not just one, there are several different projects which will significant cost savings and efficiency gains and some of these cost savings are materialising on the budget for next year.
That's basically it. Thank you very much.
(APPLAUSE.)
ROB EVANS: Thank you Felipe. Good.
AUDIENCE SPEAKER: On the improving security thing, I do agree that improving security is a worthwhile target but it's not a target in itself. Achieving maximum security is when you have turned off all your machines and nobody can get any work done any more. So there's a fine balance between making more and more security and achieving the point where it's annoying the people that have to actually work with these mechanisms. And we have had this discussion before, but I want it on record. I think the NCC is going towards too much security in some aspects right now; making it hard to actually use the result. You ask for feedback, you got feedback. You ignored the feedback. So what should I do with that result now? I am not completely happy with the outcome, let's face it just that way.
FELIPE VICTOLLA SILVEIRA: Well, thanks, and I completely agree with you that if the usability of the service is really too hard, it actually decreases the security, leads to things like people writing passwords and putting on the desk and so on, I completely agree with you there. And we heard all the feedback and we took into account. However, we also have to make a decision on which direction to go. And yeah, we are concerned about, for example, one of the issues we discussed was about the shared credentials that you have an employee that has access to a certain API key and this person leaves the organisation and then still has access to the API key, that was a reason why we decided to invalidate this API key when somebody leaves the organisation.
In other words, not allow shared credentials. We understand this is an annoyance and in many cases it might not work. I had a chat with Sander the other day about this. This is a trade‑off and ultimately we have to make a decision. I am happy to have a chat with you later on as well to see if there is, yeah, a better solution for it. But we heard you, it's not like we just ignored.
AUDIENCE SPEAKER: Do we have a question from the chat? There's one question and the question is how much does RIPE NCC pay per rack?
FELIPE VICTOLLA SILVEIRA: I would say it's one million for the 46. 20,000, something like this, per year? Yeah. I don't have a calculator in my brain now, but something, something about 16,000, 20,000 per year per rack.
AUDIENCE SPEAKER: Thank you.
ROB EVANS: If there are no more, then thank you very much.
FELIPE VICTOLLA SILVEIRA: Thank you very much.
(APPLAUSE.)
Next up we have Hisham to talk about external engagement and community building planning, thank you very much Hisham.
HISHAM IBRAHIM: Hello everyone. For those of you that don't know me, other than doing karaoke at night, I also am one of the executive team members of the RIPE NCC, I am responsible for community engagement and continuing with the presentations that we did, this is the third budget line in the budget area in the RIPE NCC activity plan which I am going to walk you through now.
So, if you read through the budget you would see three budget lines within community, external engagement and community, the first one speaks to community building and member engagements, this is basically all the work that we do to engage members throughout our service region, this meeting being one of them, regional meetings that we do outside of Europe, all the work that the COMS team does and all the work that the community development team have done and others as well.
The idea here is that we keep the community engaged and informed about all the activities that we are doing but also the latest in the internet and how to keep up with that, I am sure there are opinions vary across various platforms.
The second one speaks to learning and development, we are basically we offer in person courses throughout our service region to our members but we also offer online webinars and e‑learning for the entire community. That way we have been working on this for a few years, it is cost efficient but also open to the entire community without it being too expensive on members and giving the members a little bit more dedication with the in person training.
And the last bit here talks to the co‑ordination and collaboration that we do, the RIPE NCC is part of a much larger internet governance landscape, we play various roles here, you heard Felipe talking about the role we play for example with K-root in the root server zone, there's a lot of geopolitics happening and tensions and digital agendas that we are part of those discussions and we bring the community's perspective forward, I will be covering a little bit more on that in a second. We also produce in this area reports and updates and do research into the resources internet development that helps us with some of these discussions as well.
So since we are talking budget, this is view of budget for 2025. We have been optimizing our structure and our teams and our workflow for a few years now, I think I first presented on this in RIPE meeting in Berlin, which is 84 if I remember correctly about the structure that we have and since then our structure has been quite stable. Which is why we at this point do not necessarily feel that we require more FTEs, in fact as you are going to see in one of the slides, we might be going down in one of the areas.
We also have been doing a lot of work in figuring out how to optimise the workflows, how to get the best result with the budget allocated and be efficient on it, we have gone through that for a few years which is why at this point we don't necessarily feel we need an increase in budget because we are not launching any new activities; we are only seeking some market corrections here and there because of well the cost of everything else going up.
The main costs in this area is the meetings and events; obviously organising an event like this is quite costly, we report on that transparently in the activity plan but also in the annual report at the end of the year.
The other one is staff travel, if you look at the graph under there, community building which is where the majority of the travel is, it's stable, we are not asking for an increase there, even though prices of tickets are going up, we are optimizing about this stuff, we are not necessarily asking for the market correction there but it's more on the efficiency gains that we are getting but it is still a big significant part of the budget. Not just travel to a meeting like this, but also to engage with members that cannot come to this meeting. A couple of weeks ago, we were in Kyrgyzstan where we engaged with 280 community members at the regional event that we do there, that wouldn't necessarily engage at a RIPE meeting here, so we had to fly a number of staff to engage with them there.
Now, going down into more detail, while we report on the three lines aggregate in the activity plan, there were requests for more clarity, so we break that down a little bit more into six items. You can read more about them in the activity plan but I will go quickly into some of the details here.
So like I said the community building and membership engagement, we are focusing on ongoing projects, and developing and refining the processes, you are going to hear me say that across all the bits, we are not planning any new big roll‑outs; however, with the efficiency we are getting and being more optimised and with the return on investment we are seeing from some of the work we have done over the past years, you will see us putting out more reports and you will see us putting out more engagement elements without it costing us more now because now we are just reaping what we sowed.
We are going to continue to do national engagements. If you remember last year the GM, there was ‑‑ not last year, when was that, for the activity plan for last year, for this year ‑‑ no, I am confusing myself, for the 2024 activity plan, there was an additional 200k that was allocated towards national engagements. It was originally cut due to budget cuts; however, we heard the membership and the board heard the membership asking at the last GM not to do so, so it's been in the 2024 activity plan and it is in the 2025 and hopefully moving forward. So we do now have an allocated amount around 200k towards national engagements and we will use it for stuff like NOCs and Hackathons and for some of our engagements there like RIPE NCC days and such which we cut off this year but we are bringing back next year.
And we are quite efficient in how we use this money and we are optimizing on it to be able to do more.
Our goal is to make engagement easier throughout our service region and also localizing in some of the languages which is also feedback we have been hearing since last year and this year and we have already been producing a few reports, one of them was how to acquire IP addresses and it was a report that was very well received and we are doing more community translation efforts now to get that into other languages because of the demand, especially from the non‑native English speakers.
And this slide is, you know, I usually joke I could put up this slide and go back home, this is a reflection of the work we are doing. This is round the year calendar, because we haven't done MENOG in the Middle East round table yet, this is why you see photos from last year but everything else is engagement from this year, whether it's the round table in Europe, in Brussels, it's the round table in southeast Europe, the SEE meeting, the south east European meeting, RIPE 88, the central Asia peering and interconnection forum and the internet measurements day we have done a couple so far and Romania being one of them and we have Turkey coming up next week.
This is as close as I get to being an influencer in my life. The marketing team, you have walked around, you have seen the brilliant work they have done with the marketing initiatives here, I took a snapshot of the elevators and I know about the jokes and I am waiting for the working group that shall not be named, just to show the power of this, I ended up posting that on my LinkedIn profile and it's around 39k impressions and 26 people, 26k members of LinkedIn, you can see the shares, the reactions and stuff. This is the closest I will ever get to being an influencer into my life. And I have become obsessed, I checked before I came up and we are at 41 K, yay me, great works for the COMS teams and marketing team, they are doing a great job here and you can see already I know that the differences in the meetings and the elevation of the levels that we are doing here which is really appreciated.
Learning and development, well so for learning and development we have these learning experiences we have been optimizing over time, whether in person or learn at your own pace through the academy which is showing really great results.
We are improving on our current offerings for next year, we are adding a few more courses, related to measurements and tools and also on BGP.
And we are planning on delivering on more of the in person training because we now have the hosted training that we are doing so anybody interested in hosting a training please do that, that allows us to not ask for money and be able to do more which my teams love to do.
In terms of the budget, the majority of the cost here is actually the personnel that do the work so this is really quite cost efficient and we have been working on that for a few years.
Also another shout out, we ran a summer learning campaign on the academy, where we told people if you finish a course, you will get a free voucher for a certificate and if you get the certificate we will ship you a t‑shirt. And guess what, t‑shirts work, people in our community love t‑shirts and I know you might not recognise me because I am not in my famous IPv6 t‑shirt, but, you know, I will change right after this.
Anyways, wrapping up. We also have the co‑ordination collaboration, this is all the work we do engaging with governments and responding to consultations, if you are interested in this work, I am doing a quick presentation in co‑op tomorrow, talking about some of the questions and information requests that we are getting from the different engagements that we are seeing, we have a team of people throughout our service region that are dedicated in understanding what's happening in Brussels and the EU and what's happening in the Middle East and what's happening in Ukraine and Russia, to have a better understanding of the ever changing landscape especially with all the tensions that we are seeing and the geopolitics and the increased focus from governments of understanding how the internet works. Now we see our role here as we work with governments to help inform better public policy but also we relay back their thoughts and the ideas from the community and how to get that engaged, and that's something that we have been doing a lot of and like I said, co‑op tomorrow if you are interested in hearing more.
But we have been producing, like I said, telling, as you can see we have two big reports we published this year earlier in the year, we published benchmark report about IXPs in the Middle East, that was very well received, we are planning a continuation for that next year focusing on another part of our service region and that was produced in both English and Arabic as you can see.
We recently launched the "how to get IP addresses for your network" report that shows based on a market survey we have done earlier this year, and it gives all the options from the members how we get addresses, there's been great work from the registry, Marco and the COMS team in putting this work done through the market survey into this is how the RIPE NCC can help you and get more informed about these things, really well received reports. And this is one of the things we are looking into more language support for.
But then you can see also we have invested time and effort into building pipelines that makes it easier for us to produce insight, that speaks to our goal of wanting to be a centre of technical expertise when it comes to data measurements and insights. So you can see here for the SEE meeting, here's a snapshot of a report, it's a much longer report we produce on RIPE Labs, one of our most successful engagement platforms, not just the RIPE NCC posts on but community posts on, their opinions and they have discussions and debates on this so the SEE report but also if you can read, I don't know how visible, in Cyrillic, the central Asia peering forum, talking about stuff, everything from RPKI to IXPs and routing and interconnection and resources and everything else.
Now, how all this stuff fits together, starting from the bottom right corner. Like I said, we have been working for a number of years now I think and the third year of running we have as a top company priority being a centre of excellence for data and measurements to provide insights. Now, you have heard the great work that's happening in technology, Felipe has already covered that, we as internal customers of that take the data that is collected through the different data services that we do and we correlate that with the insights that we have engaging with the community and correlate that with our understanding of what's happening out there and we produce these reports.
Now these reports feed into our engagement with the community, like I said at the SEE meetings, the RIPE meetings and the other regional events, and we also use it for training activities if you go to the other side. And all of these three elements together is what we use when we go sit down with a government and discuss with them issues related to regulation of the internet, why things are the way that they are, why something might impede the operations of the internet or help them understand better where they are in terms of their networks.
Key takeaways here is basically we are focusing more on the processes, our goal is to make things easier for members, and we continue to build strong relationships with our governments and be the voice of the community.
Thank you very much.
(APPLAUSE.)
ROB EVANS: Thanks very much. Are there any questions? Yes please.
AUDIENCE SPEAKER: Good afternoon, Nigel Hickson, UK government department of science, innovation and technology. I am not a RIPE member but delighted to be here as a European government and just two comments from me if I may following that eloquent and comprehensive overview of what you are doing, what RIPE NCC are doing in the international engagement area.
And the two comments are one is that this is incredibly timely that you engage in these activities with governments of course with responsibilities and duties but we are a stakeholder, we are an environment where governments can only do so much and much of the excellent work is done by stakeholders, various institutions such as ICANN and the RIRs to actually tell people what you do, to explain the importance of your work, this is so important.
And secondly, the engagement that you do in wider fora, such as the consideration that you gave to the global digital compact, the consideration to the WSIS+20 review processes, these are somewhat outside the normal work of an RIR and of course they are but they are important in the overall operation of what we do, they are important because they affect the overall internet governance ecosystem that we all work in. So thank you so much for all the engagement you do and it's really great taking part in your activities, I was at the round table in Brussels and thank you.
(APPLAUSE.)
HISHAM IBRAHIM: Thank you for that Nigel. Highly appreciated, like I said if people are interested in hearing more of what we are doing there, co‑operation, I am speaking there and I will see you there, thank you.
(APPLAUSE.)
ROB EVANS: Finally we have Hans Petter to talk about planning for organisational stability, thank you again Hans Petter.
HANS PETTER HOLEN: Thank you. So then it's me again. You heard about the registry, you heard about the Information Services, the technology behind it and you heard about the communication outreach, so then it's only the rest, right. What else do we need to make the RIPE NCC tick, we need officers, we need facilities, we need administration so there is part of the budget there, we need somebody to take care of the people in the organisation and we have around I used to say 42 because that's such a nice number but it's at least 45 different nationalities in the RIPE NCC. So we are an incredibly diverse organisation and while I don't like too many policies, we do need policies and guidelines to keep all of us on the same line.
Legal. As you have heard in many cases here we are talking about new regulations here and new regulations there, staying on top of this is a lot of work. And I need the strong legal team in order to make sure that we manage that.
Finance, well, we need to pay our bills and you need to pay us so we need a finance team to make sure that happens. And also keep us true to not spending more than we have budgeted and maybe even spending less than we have budgeted because it's possible to do it smarter and cheaper. Information security risk and compliance, yeah, it can never be 100% secure, I am not looking for 100% secure, I am looking to avoid data breaches, it doesn't matter how much money I spend, there will still be a breach, hopefully we can contain it, hopefully we can respond quick enough and hopefully we can minimise the damage.
But in today's world, the world is getting harsher, there are more cyber attacks links to political and more people that want to test security, we need to stay ahead on that.
I have some people around me that look after me and we organise board meetings and in the office of the managing director and so on, we have a RIPE chair that we support and we have established a Middle East entity that will be just a new legal construction for our people in Dubai.
So the facilities. We have an office in Amsterdam, we are renting an office in the Amsterdam central station, which is a brilliant location, we have been there for soon to be ten years and we are looking at what next, the current contract expires sometime in 2026, we are considering should we stay there or should we move somewhere else, that also is linked to will we return more to the office than we have, we have a very flexible working from home policy, maybe a bit too much because the value of getting together as you see in this meeting is really so easy to underestimate.
So this is part of what's thinking here, but this admin team also books travel for us and with the increased security issues in the world, that is not a trivial task any more, making sure that we only travel to safe places and that we do so in a cost‑efficient way, it's also something we do.
Human resources, there is a lot of focus on well‑being and mental health, I think meeting each other helps a lot. Not sitting just alone, but there is more we can do to support staff in that and that has focus in the Netherlands and we are staying ahead of that curve to be proactive and make sure that we don't end up with burnouts or other issues.
We are introducing and carrying out talent and succession planning process, we developed in 2024 so we will start to execute on that. And no, I don't plan on leaving, but in ten years I will retire right and there should be a plan for what happens. So actually taking that really long‑term view into that is important and that's not only about me, that's about all functions in the organisation.
Increasing diversity, that's something that's close to my heart, I said we had 45 different nationalities and I am really proud of my exec team which is really 50/50 men women but there is more work to be done both among engineers and middle management and other places so that's something to think about when it comes to diversity age is also a different ‑‑ there is a lot of energy in people coming directly from university or other places and bringing in new things into the organisation, that's really lovely and we need to make sure that works well. There are also regulations coming along enforcing us to report on our CO2 emissions and that may be strange for an organisation like RIPE NCC, but we do travel a lot and that's specific in the regulations and we have already started to work on that.
There are regulations coming on pay equity, that obligation is a couple of years ahead, we are starting to plan for reporting on that as well.
Legal, I already mentioned that, there has already been a presentation on ICP‑2, that's taking a lot of effort to assist the volunteers on the address council to do that.
Review of the articles on the voting procedures to make sure that we stay up with both legislation and technology is something that we are looking into next year and then review of EU legislation and if you are getting bored and want some reading material, we have included some reference material for you here. So you can look up GDPR, ePrivacy, DSA, and so on and so on.
I kind of said I wanted a more exciting slide here but you know, if you like this stuff, there is a lot of exciting reading in this article. I mean it!
Finance, continue to focus on cost, CFO has changed his business card into Chief Frugal Officer, he really wants to set the tone with us there.
Supporting the charging scheme task force, that's important for us to make sure that we hear members views and get a good charging model for the future.
Setting up and implementing financial management for the new Middle East entity and then one of the really big problems since I started is how do we collect money from ultra high‑risk countries, that's not really sanctions related, but it's kind of indirectly, it's banks do not want money from countries like, for instance, Syria and Iran because of the high‑risk or ultra high‑risk they think that this could come from sources that are sanctioned or other ways linked to money laundering or something. And then of course finance department is only so good if they can produce reports that the people that spends money can use and stay on top.
Information security risk and compliance, there's been a lot of talk about compliance and we are not doing ISO 27001 or E SO3001 for the sake of it, we are doing it to increase security and document that we have done so. A lot of the regulations that are coming our ways give the government a right to audit us. I want to be ahead of that curve so in the case we are covered by NIS 2 or DSA or any of these other frameworks, the government don't have to come in and audit us, we can give them a report and we can give you the members a report or a certificate because a lot of you will be and are regulated by NIS 2, that's very clear from the directive and you need to ensure that your suppliers also have adequate security. This is why we are putting more money into security. 24‑7 monitoring of our infrastructure and ensuring continuous threat detection and enhance identity governance and addm, you don't want users names and passwords to get into the wild, right, we have introduced and enforced it on you, it is for a reason, we do not want unauthorised people to get access to your resources.
And that goes to API keys as well, look at best practices on GitHub and others, they are linked to an identity and they do expire, we need to be ahead of the curve and make sure that API keys that you could potentially use to get access to information on change information do not get out in the wild. And in order to automate a lot of this paperwork that we have in place, we are introducing a governance risk compliance platform and we are not all done this planning and presented this to the board, they said that this is not enough, we would like to add to this budget so we actually increased it with another 900,000 I think in order to make sure that we have enough there. So yeah, well, if you blame me to be too paranoid, then the board is even more paranoid. So I think we are in the same boat there.
So to give you a view of what are the teams doing, we have an information security team of six people that are doing security governance, monitoring, vulnerability management, detection and response, incident management, awareness, product security and supply chain security, that's a lot on six people. So that's one of the areas that I am then considering spending more of this money that the board put in here in, on risk and compliance. We have a lean and mean team of two people doing risk management and compliance standards into 27001 and SOC2 area and we are adding systems and processes here for identity governance and privileged access management. And what we are seeing if we put more people and more systems into this area, is that is going to put more pressure on the technical teams so part of this may be that we need to use some of this money that we put in this budget on the technical teams in the DevSecOps area.
So some of the plans in information security are very firm and well planned but the board gave me additional money here and we need to make more detailed plans on how to spend that. And the purpose here is really keep the registry secure and keep the internet in the region secure and make sure that if an incident happens in our systems, it won't affect you or your networks, that's the main thing here.
Office of the managing director, yeah, I am there to keep the board happy, some things we do four board meetings a year and two general meetings, and then there is a budget here for the executive board members to attend regional meetings and round tables, I think that's really important so they get out to meet the meetings. And we will next year start the next strategic planning cycle which will go from 27 to 31. And then the aim here is that we have a plan that we can approve in the spring 2026 general meeting. So now I am trying to do really long‑term planning, not only the new five‑year strategic plan, but being well ahead of the curve to start that with engaging into what should the direction be for the next five years.
And there is also initiative by Remco talked about, he's written a labs article, we have a BoF at the last meeting regarding is the current set up fit for purpose, do we have the right funding, and so on, and that will easily fit into the strategy process.
We have some contributions to other organisations, there's been a lot of questions and discussions around that. We put the community project funds on pause so we will evaluate that, there has been a labs article on those projects and the outcome of them and we have for three years supported the open CSIRT foundation, when CSIRT moved out of the academic networks and while we may continue to do that, there is a 10 K budget here, we will not continue the 50 K for three years commitment that we did initially, now they are up and going on their own and we, if we find something interesting to do, we will do that together.
We are working with ISOC on the ground to do joint engagement where that fits both of us, we are still supporting IETF because we believe it's important, we are using their standards, that needs funding. And we are putting money into the NRO to co‑ordinate and with the IANA services. And I think with that there's only the RIPE chair left which we, of course, support and there is a chair election process starting now, but there is budget to fund the salary of the chair and the travel.
And that summarises up to the total budget of this area of 11.3 million. And yeah, what I'm doing is keeping the NCC working, implementing new legislation, security, securing funding and manage risk in general.
Then I spent all my time. And there may be time for one question.
Anyone?
(APPLAUSE.)
ROB EVANS: As it happens, we have got plenty of time for questions. Assuming there are any! Nothing online? No.
HANS PETTER HOLEN: And this is the time to not necessarily here but sent to the members, discuss questions or suggestions for the budget because this will be approved by the board in December, so there is time to make adjustments and change the focus, it's not a done deal yet, we will present a bit more at the GM as well, there will be opportunities to ask questions, feel free, this is where we want your input.
ROB EVANS: I think I was speaking with Janos earlier, how we want to encourage more discussion on NCC services and as well as the members discuss. So please have a read through what the NCC plan to do, please comment on what you think the NCC should be doing. And have discussions.
Now if there are no more questions, then it's time and there's nothing else for AOB? We do have time for some AOBs if there's any?
If not, I will thank you all for your participation, thank you very much to the NCC speakers. And it's ‑‑ you all need to leave the room please because the general meeting will be in here and you will need to show your GM badge to get back in; that would be in half an hour.
Thank you very much for your participation. Enjoy your coffee and see you later. See you in Lisbon!
(APPLAUSE.)
(Coffee break)