11am
OpenSource Working Group
MARCO SANZ: We are slowly getting in the room. Looking for a place to sit.
MARTIN WINTER: This is the OpenSource working group, you are in the right room, this is the most important session, you might just want to sit down.
SASHA ROMIJN: Hello everyone, welcome to this RIPE OpenSource working group session. I am Sasha and this is Martin and Marco and we are your chairs for the session. We are going to start, I will take you quickly through the agenda to start with: minutes of the last session, and we have received no comments, so we take those as approved unless someone objects. Our second point is going to be the new chair selection, that we have discussed on the mailing list as well. Then we will have "Leveraging Vagrant to simulate complex systems for network application development" by Barry O'Donovan and after that "Piranha BGP: failure detection" by Pascal Gloor. Are you actually in the room, Pascal? Anyone see Pascal? Someone is cutting it very close. If he doesn't show up on time, we will shift the order around a bit and do our lightning talks first. For our lightning talks we have three lightning talks; by August, if Pascal is not here on time, we'll move you up by a little bit.
The green tech hackathon announcement by Vesna and another by Maria. This is our agenda.
The minutes from last time were posted and no one seems to have any comment, we'll take those as approved.
MARCO SANZ: Good, then the first agenda point is the results of the co‑chair selection and it's Martin who is going to announce that.
MARTIN WINTER: Yes, we had the chair election; as announced two months before the meeting, we were open for new chairs. I am happy we found somebody new, which also meant that I finally step down and we have a new chair, Marco d'Itri, who is somewhere here, come up here. (APPLAUSE.) So Marco, you probably know him, you probably have seen him, I don't know how many RIPE meetings he attended in the past, he is well known and a great Debian developer, he knows open source and I am really happy that he stepped up. So he will in the future take the front row seat of the open source working group which I am giving up, so yes, if you ever considered being a chair, keep in mind you get the front row seat reserved for you on every session. So it's really worthwhile to do that. So thank you, Marco. So yes. (APPLAUSE.)
So for the ones who were not around that long, you may remember that this working group was started a long time back at RIPE 65 when I wanted to talk more about open source and I started with Andre Philip and we talked at Krakow; there was no working group, we started with a BoF and then at the second BoF at RIPE 66 I was told you can't just do a BoF every single time, so how about you start a working group, and at the end of RIPE 66 we started the working group and I have been chair since the beginning. We had a few interesting years, we didn't have that many people applying for working group chairs, so it turned out that only just left us about a few years back. And now we have finally got a fourth chair and an excellent candidate, so it was obvious for me that now is the time to hand it over, so I am very happy on that part. And I am looking forward to the future. I think we had interesting talks, we got a lot of developers in there, a very strong open source community, we had a lot of talks about projects and the faith project and about licensing discussions, we talked about money, testing, all these things, so I am excited, I think the working group turned out quite well and that makes me very happy to hand it over.
And with that, let's go on and start with the cool talks for this time. (APPLAUSE.)
MARCO SANZ: OK so I will ask Barry to come on stage. He did a presentation about IXP Manager this morning and now he is going to elaborate a bit more on how to leverage Vagrant to simulate complex systems, so take it away.
BARRY O'DONOVAN: Thanks very much. I have an interesting conundrum: Tina, our lovely stenographer, has asked me to slow down and I have learned I have five minutes less than I thought I had. This is terminology heavy, I think I can easily leave out a section or two.
For anyone who didn't see me this morning, I am from INEX, the peering point for the island of Ireland, and in this context it's the home of IXP Manager. So what we are going to talk about is how we use Vagrant to develop IXP Manager. Has anyone heard of or used Vagrant? It allows you to create reproducible and portable development environments; what it really means is it allows you to script virtual machines on your laptop. So you can build the same virtual machine with a team of developers and you are all using the exact same environment.
Now the immediate question you might have, sorry, that's coming in a second. Firstly, the components of a Vagrant environment. Vagrant has its own terminology, it uses the term "providers" where we would use "hypervisor", so Vagrant out of the box is compatible with VirtualBox and Hyper-V and it has support for other providers, so, for example, on my Mac laptop, I use Parallels.
So Vagrant is the kind of scripting front-end that takes what's called a Vagrantfile, which is a virtual machine configuration, and it builds a virtual machine to that specification.
The virtual machine comes in what Vagrant calls boxes and boxes are basically virtual machine images.
There's a huge repository of them on Vagrant's website and you can also build your own.
So we take Vagrant with our configuration file and with our box and that runs it on the hypervisor and gives us our development environment.
So just as a very quick start, three simple steps. Once you have installed Vagrant, you can download it from the website, on Mac you can do brew install; once you have it installed, you can just initialise a new Vagrant machine with vagrant init and you give it the operating system you want it to use. You run vagrant up to boot it up and then you can log into it with vagrant ssh. Very easy to script virtual machines as you can see here.
You might be thinking, why don't we just use Docker? First of all, Docker is not for me. In the IXP Manager source code repository, you will see that there is a docker-compose file; don't try and use it, it definitely doesn't work. It did maybe four or five years ago, but I don't really get Docker, it's not for me.
But there's another good reason to use Vagrant here: by using Vagrant, we are mirroring the production environment that we suggest you run IXP Manager in, so when we release V7, we'll suggest you run it on Ubuntu 24.04, and with Vagrant that's exactly what you are going to spin up. You use the same operating system, the same versions of software like BIRD and the same tool chains, so you are using the same environment for development as you are going to be using in production.
And you get that full development environment by simply cloning the IXP Manager source code and running vagrant up. Now, I know in this room, you know, network engineers, sysadmins and developers tend to be polymaths; that's not normal. In the real world, developers are just developers. So we have hired a new full-time developer for IXP Manager, and he is a pure PHP developer. One of the issues we had with him is how do we get him an environment he can develop IXP Manager on without having to give him access to production systems or without having to give him a full-time sysadmin to sit beside him, so we created this Vagrant development environment.
So there are two use cases in this presentation. I never intended to discuss the second one but the slides are included at the very end; that second use case is how we use Vagrant to test the installation script that we provide with IXP Manager. If you want to install IXP Manager and you are not a competent sysadmin, you can install a minimal operating system and run the script.
But we have to make sure the script runs every time we make a new release and we use Vagrant to test that. So there's a few slides at the end that just show you how you do that, what I am going to look at here is how we create a complex development environment for our pure PHP developer and and myself, I use it too.
Just in terms of making it clear about what's on your laptop and what's in Vagrant: I am not suggesting that you develop in Vagrant. So on your laptop, you check out the code just as you always would. Your IDE runs on your own laptop, I use PhpStorm, you might want to use Sublime or something else, and you do all your source code management there. So your Git commands all happen on your laptop.
And I even run IXP Manager on my laptop for doing any kind of basic development that doesn't require interacting with these complex systems like BIRD daemons or looking glasses or SNMP. When I want to do those things, I just do vagrant up, and this is a very important thing with Vagrant: when the virtual machine boots, the source code repository, the directory I am in, gets mounted into Vagrant under /vagrant so I have all my source code right there in Vagrant ready to go.
And then on the virtual machine, I have a production-like environment for IXP Manager: I can simulate switches, I can run BIRD route servers and client BGP speakers, I have got my looking glass and I can do all my kind of graphing development.
So if you were to look at the IXP Manager source code in the repository on the release V7 branch, you will see a Vagrantfile that looks exactly like this. This is the configuration file of the Vagrant virtual machine. And you can see that the first thing I'm saying is this is the operating system; this is the box I want to use. So we are starting on Ubuntu 20.4 which is what we recommend for V7. I then do some network settings, so I forward port 8088 into Vagrant so that I can, on my macOS, just go to localhost:8088 in my browser and then I can access IXP Manager running in that virtual environment. I also forward a port from the database, because then I can use the usual tools I use, like TablePlus, for interacting with the database. I did say Vagrant has this idea of providers, so Parallels is the one I use; I have some Parallels-specific config to set the memory, to set the number of CPUs I want to use, and you can do the same for other providers. And then, kind of where the magic happens, I tell Vagrant that once you boot the virtual machine, please execute this bootstrap script.
That's what we are going to look at in particular here.
Now, if anyone wants to see the full bootstrap script, we are only going to look at bits of it, you will find it on INEX/RIPE89, it will redirect you into GitHub where the script exists as it is named.
So the bootstrap script runs only once. When you do vagrant up, it runs once to provision the virtual machine. You can destroy the virtual machine with vagrant destroy, it will remove the hard drive and everything else, and then you can run vagrant up again to get a new fresh environment that will always look the same.
If you don't want to destroy your VM, you can just shut it down, but then of course the developer might need to learn how to spin up 20 instances of BIRD, for example. We have a start-up script, that's a cut-down version of bootstrap, and bootstrap puts a systemd process in place that runs that when the virtual machine boots up.
We can't do everything in the script; when we want to do something more complicated like creating a configuration for BIRD, we are going to spin that off into IXP Manager, so we have PHP code in IXP Manager that we run as what's called artisan commands, and artisan is the framework's way of interacting with the code from the command line.
So we are going to look at a few elements of bootstrap and the goal is to help you create your own Vagrant environment.
So it's a bash script as you would expect, some basic set-up: we are going to set the time zone because the box we use has a Central American time zone for some reason, and set some defaults for apt to make sure any packages we install do not require human interaction to set values. We set everything we want at the top of the script, it's about ten or 15 lines of these.
We install a huge bunch of packages, everything we need to run IXP Manager and more, so we have our web server and database all running in Vagrant and we have tools like bgpq3, and we want that so we can interact with Internet Routing Registries to get prefixes for members, testing and that kind of thing.
There's another reason why Vagrant is very useful here: while it's very easy to set up a PHP development environment in macOS, one thing that's very hard is using some of the more esoteric packages like the PHP SNMP extension, that's difficult to get running on Mac.
The Vagrant development environment comes with a development database, so this is something we built over the last few months and the SQL is in the GitHub repository as well. The development database has two exchanges, it models a complex exchange like INEX, it's not just a single peering LAN, it has a bunch of sample members, so we have got an eyeball network, we have got a wireless ISP, we have got a CDN, we have got an NREN, all very imaginatively named like "eyeball ISP", but we do use real AS numbers from networks in Ireland because we do want to do that kind of real IRRDB querying. It also comes fully loaded with a bunch of route servers and collectors all pre-configured, and we have modelled some of these with different states: the eyeball ISP connects twice to the peering LAN and that means that the configuration we generate from the route server would be different, and that allows us to model that.
So the first part of this complex environment is spinning up all of these BIRD daemons. Now we install BIRD exactly as you might expect, just a pro tip: if you are trying to model BIRD with multiple BIRD instances on the loopback interface, so that they can peer with each other, you have to configure "strict bind yes" and you absolutely have to configure multihop, otherwise they just won't connect to each other.
And just kind of an insight into our development methodology here: we know all the IP addresses in our development database, we could just statically put in a bunch of ip address add commands, but if we change the development database or if we use a different database, then we'll have to change the bootstrap file, so we pull all of these IP addresses dynamically and add them to the loopback interface.
Now, why is this complex? Well, in modelling these IXP routers, these BIRD daemons, you are going to end up with 16 of them, so you have got two infrastructures, you have got IPv4 and IPv6 and you have got a collector, two route servers and an AS112, that's getting pretty complicated straight away, especially if you are a pure developer. These scripts take care of that, they are all in the Vagrant directory in the IXP Manager source code. They download the configurations from IXP Manager running in the virtual environment, start all the BIRD daemons and you end up with 16 of them. Having all of these routers is no good unless you have got clients to peer with them. And as it happens, our IXP Manager has all the data we need to create dual-stack BIRD configurations for our pretend members.
So we know their peering IP addresses, we know their AS number, we know their MD5 if it's configured, we know all the routes that they should be advertising because we have our IRRDB information for our strict prefix filters on the route servers, so we have the prefixes in the database and we can use that to say this is what you are going to advertise in our development environment. We know who they should be peering with, we know if they are an AS112 client or a route server client, we know what LANs they are on, so we can configure all of those BGP sessions. The net effect of this is this: this is me logging into a client BIRD instance in the development environment.
And you can see I have got two static protocols, one for v4 and one for v6, and that's where all of the routes are configured to be redistributed into BGP.
And then you can see for both protocols I have got two route server sessions, I have got a route collector session and an AS112 session and they are all established. All I have typed at this point is vagrant up and this whole system is up and running.
I am going to skip this except to just show you the screenshot. So as well as spinning up all of these BIRD daemons, we also installed Birdseye, the looking glass, and this is a screenshot from localhost:1888 of the looking glass looking into the virtual environment, and we can see the sessions are up, prefixes we are learning, and because this is a route collector, we are not exporting any prefixes.
This was actually the very reason that we built this system, because we needed this new developer to do work on the looking glass and it turned out it was extremely difficult without building an environment like this.
We also needed to model IXP switches. Now, for the purposes of IXP Manager, that only requires SNMP access, we don't need vendor-specific APIs because SNMP is ubiquitous across the switches, and for that we use a useful Python package called snmpsim. What we did with this Python package, which allows you to run an SNMP walk on a real switch, is we did that with three real IXP switches, grabbed all the SNMP data, threw out a load of it that we didn't need and matched it to our development database: if the eyeball network was on switch X, port Y, we made sure that was reflected in the SNMP data. Then this Python script runs in the development environment and the way we decide which switch we are querying is we set the community to that switch, essentially the file name of where the SNMP data is loaded from.
So with this, we now have a development environment where we can do all of our grapher development, that's the graphing back-end that we developed in IXP Manager, or it's the graphing subsystem I suppose, and it has back-ends for MRTG, peer-to-peer graphing, latency graphing. So for MRTG, when this vagrant up command runs, one of the things it does is it pulls an MRTG configuration out of IXP Manager for the development environment, spins up MRTG as a daemon, and when you let the development environment run for an hour, you will see the graphs starting to populate with random data. We can fully develop and iterate on our grapher code, we can also iterate on our SNMP polling: every five minutes or every hour, IXP Manager will go off and query the switches, get the member port states, does all of that with SNMP and stores it in the database, and we do that with SNMP fully enabled in the development environment. We have new diagnostic functionality which was wholly developed using this system and this is a screenshot of those diagnostics for a transceiver, I showed this earlier on as well. So you can see on this hundred gig port, through SNMP, it reflects off the transceiver, I can see the model, the serial and all the light levels for the four channels on the one hundred gig interface.
But it also does diagnostics like pinging the member IP addresses, that all works in this development environment.
So the takeaways here hopefully are: typically developers are not sysadmins or network engineers, we have to provide environments for developers to be able to develop in these complex environments just on their own laptops, and the key thing here as well is it's much easier to hire developers without expecting them to be sysadmins and network engineers, that makes it a lot easier. The complex environments are as easy as vagrant up; everything I have shown you, all those BGP sessions, the MRTG daemon, they are all running in the environment once you type vagrant up, it's fully provisioned. And everything I presented today is on GitHub, don't look at the master branch, make sure you switch to release V7.
So thank you. (APPLAUSE.)
MARTIN WINTER: OK, any questions? Yes.
NIALL O'REILLY: Lots of hats, this time small open source contractor. I am a Vagrant fan too and I am wondering what was it that made you choose between having a bootstrap shell script and using something like Ansible or Puppet?
BARRY O'DONOVAN: The main reason is that it was a lot quicker to get this done with the bootstrap script for me. It's a single virtual machine. And it's a lot easier to change it or add to it in a single bootstrap script.
NIALL O'REILLY: Sure thanks.
AUDIENCE SPEAKER: You mentioned background and you mentioned macOS, and we are also running Vagrant, and we have this issue that any macOS device younger than four years is using ARM architecture and it's really painful to run arm64 code on it, and we have to migrate to somebody else. I wonder, are you tackling this problem somehow?
BARRY O'DONOVAN: I know exactly what you are talking about. We don't have the problem any more, our hypervisor is Parallels; VirtualBox is not really supported on the new Mac M chipsets, we use Parallels, it is a commercial product, it's about 100 quid a year, and then the Vagrant boxes, like when I installed the Ubuntu box, Vagrant knows I'm on arm64 and installs an arm64 version of Ubuntu. If I ran the same vagrant up on an AMD64 box, it would be the AMD64 version.
AUDIENCE SPEAKER: Thank you.
AUDIENCE SPEAKER: Enjoyer of both Vagrant and Docker for a long time. I wanted to ask you about Parallels, because I have been running with VirtualBox for a long time with Linux and the /vagrant shared folder is usually tricky, sometimes it doesn't like some things and I have had issues with it; is Parallels handling this better?
BARRY O'DONOVAN: So far I never had an issue, it handles it perfectly well, I haven't had to do custom configuration in the Vagrantfile for it, I think I used to have to do something in VirtualBox to make it work. When you are in the virtualised environment, everything is owned by vagrant but that's fully transparent, it just comes out as my own user on macOS, I never had an issue; we don't have any symlinks from the source code to other parts of macOS.
AUDIENCE SPEAKER: That's cool and I would like to offer some additional tooling for those interested in Vagrant, because what you were doing there, you are pulling a pre-built VM, right; what is also very helpful is that Vagrant can package a running VM for you if you want to distribute it to others, but it can also use another tool called Packer if you want to build these images from the ground up yourself and distribute them to developers to use as a base, that's very useful, and you can also install Docker inside for running additional services and stuff. And the last one I want to offer is ContainerLab, which a lot of folks have heard of; if you want to run a more complex lab with multiple daemons and whatever, it will use Docker but you really just write the topology file, a little bit of YAML engineering and then that's about it and you get a lab with your development environment.
BARRY O'DONOVAN: ContainerLab is excellent, we use it in other projects.
AUDIENCE SPEAKER: Awesome, thanks for the presentation.
AUDIENCE SPEAKER: Great interesting talk, I have done similar work for FreeS/WAN 20 years ago and over and over again; I know the FRR people have interesting stuff and some others. I almost think we need a conference where the people get together to talk about the network, complicated networking development and how do you do it without shipping around a cabinet full of stuff. But I guess the thing I am kind of, what I have run into, and maybe you could comment on this, is at the end of the day what seems to happen is that we have replaced medium-level system administration skills with "now you better have someone with uber uber uber level sysadmin plus Vagrant plus blah blah skills to fix it when it's broken", and repeatedly that has been unrepeatable in things, and so people, and in particular contributors outside of your organisation, find it very hard to actually get all that working because, I don't know, they don't want to run Parallels, they don't do this or that or repeat what you are doing. What's your experience with people outside of your org trying to use this stuff and contribute?
BARRY O'DONOVAN: I don't necessarily.
MARTIN WINTER: A quick interruption, we are closing the queue after him, sorry Maria, you are no longer, too late.
BARRY O'DONOVAN: I don't disagree with the premise, I can't speak to experiences though because we'll only be publishing this with version 7 of IXP Manager.
AUDIENCE SPEAKER: Come back next year.
MARTIN WINTER: OK. Thank you very much. A quick reminder: Please rate the presentations, it gives us really good feedback what you like and what you don't like and what you want to hear more of. Thanks very much.
(APPLAUSE.)
So next up we have Pascal Gloor who made it just in time. Good morning. So he will talk a little bit about BGP, Piranha BGP, not OpenSource, and give us some interesting discussion about failure detection, so go ahead.
PASCAL GLOOR: Thank you. So either it's going to get better or worse, you will see.
So yeah, my name is... I am going to go slowly. I need to find the right frequency where there is a voice.
So Piranha BGP. That's how it works, agenda, basically: what it is, what it does, what it might do in the future, what I need and at the end, well, Q and A, what do you want to know.
So what is Piranha BGP. So the main component, first component, it's a route collector, I am really sorry. Well, we have time, don't we.
So it is a route collector, I wrote it in C, it's a few years old. It currently supports IPv4 and IPv6 and a number of BGP attributes like next hop, community, ext community and large community and AS path and origin. The idea is it takes all the updates and pushes them down into files and it will rotate those flat files so that then you can read them with another software.
There is also in the package a decoder software that allows you to read those.
Then there's the second part called Piranha Injector which will read those files, decode them and update the database. The idea is that you keep the state of each router, the routing state of each router you collect data from, in the database, so that you can then centrally query those routing states. It will also keep the last updates so that you can have a look at the last updates that came in.
And at the end you have a UI, it shows you what you have in the database. So you can see the status of each peer, you can look up routes, you have top N of flapping routes, longest AS paths, invalid; when I say invalid, it's been a few years, so it has nothing to do with RPKI, it's just like an invalid AS, unallocated AS or private, which should not appear in the global routing table, same as invalid prefixes, this is about unallocated or really small prefixes.
It looks like that: you have BGP sessions to the collector, Piranha BGP, which will dump all these updates into files and rotate them; the rotation time can be modified, so it's typically one minute, you could do five seconds or longer.
Then you have the database injector application that takes those dumps and updates the database, and at the end we have a UI that allows you to visualise the data.
OK, let's go to the daemon. So the daemon configuration is pretty simple. It's nothing crazy, you need to define the local AS, local binding IP addresses, change the port if you want to, then you can select on the bottom left there what you want to export; if you want to save space or want it to be faster, you might not want to export communities, it depends really what you are interested in exporting.
Then you define the router ID, user and MD5 notification. OK. So you can define a bunch of numbers. Then you can see the state of your peers, typically 15 seconds. If you have a SS daemon, typically a host will take 15 seconds to dump the whole IPv4 full routing table.
So that's the rotation, the folder with the peer IP and then the time stamp. So you can read those dumps. This is the decoder. And you have three exports, you have a human readable and a JSON readable, so a machine readable format. You always have the time stamp, always with the peer definition where you have the IP and the AS of the peer, and it always has an end time stamp, then you have like announce with different options.
Individual, the screen is not wide enough but... images in another format and at the end, JSON. That's exactly the same, so depending on what you want to do with those dumps, you can choose these different formats to export the collected data.
So, what can it do. So the UI currently allows you, as I said before, to access the state of the routing table of all your BGP speakers, so you have a central point where you can access the state of the router, or you can look up routes or origin ASes, and it also integrates RDAP. Does anyone know what RDAP is? Yeah, a few, interesting. It's been a few years but not a lot of people are using it. It's a Whois replacement.
I will have some screenshots later about RDAP and, as I said before, you can look at your top hundred; I mean you can scroll the pages, but you have to call it something.
It's getting a bit better now, you can look at longest AS paths, flapping routes. So this is the UI, so this is the status of a peer, you see the name, the ASN, the IP and you see if it's up, connected, last time disconnected, the update time stamp too. So the last update time stamp is really based on the files that are processed, so if you had a delay between now and the processing of files, you would actually see it; this is why you have a delay, the delay is the difference between now and the last update time stamp.
Indeed, if there are no BGP updates and there is a rotation of one minute, there will always be a file with a peer and an end-of-file in every file rotation, so that there is activity. So you should never see more than a minute if you are up to date.
Then you have some graphs: netmask distribution, IPv6 and /48 is already taking up, it's going in the same direction as before with /24s taking more than half the routing table.
Then you have a history of BGP updates, you can see there were peaks when something happened clearly, there were a lot, over 100,000 updates coming in. And you can change the timescale. And you would then also see the BGP events, which are mostly connect and disconnect, and we keep the stats on the protocol, and on the bottom that would be the last hundred or thousand or 10,000, whatever you configure, BGP updates.
OK. So in the top one hundred interface, you have the flapping routes, it can be quite impressive, and also what some people don't get is that you can have announces that overwrite other announces, routes, but without having them withdrawn. So sometimes you really have routes that have been announced thousands and thousands of times because of flapping, changing AS paths, without having them withdrawn, and so you still see the database keeps the withdrawn routes. So the line there means the route has been withdrawn, it's not there any more, but the database still keeps it so you can run the statistics on the number of announces and withdraws.
And this is the same with valid routes. Here you can clearly see those updating thousands of times and there was never a withdraw.
So this is the AS path, quite interesting, I guess you can make it worse but it's pretty good. So if anyone knows a guy...
It's a 32 bit... you have the time stamp and the graphics, you see the route and I mean you can scroll a few pages and it's still horrible.
Indeed you can change IPv4 to IPv6 with just a click and it will show the same.
This is what I call the invalid global prefix; as I said before it's unallocated, smaller than /48, /46, or in that case default, and then sometimes it's not even there, but in this case we just have it, a default. Clearly the network couldn't filter it; since the BGP session does not have any filter, you just get that.
And there's a bunch of slash 64 come from outside, that's not ideal.
Invalid ASN, that's private ASN but still it's internal to that AS but again it's not an issue, if you would have like private and then public, it might not be good, also those are slash 128.
Indeed you can look up route and you can choose if you just want to look at a route from a specific peer for from all the peers, you can just put an IP, in that case just an IP and it will look up any route that will match so in that case we have a /24, 12 and a/9 and you will see route from all the peers who have it.
So in that case that's two peers and you see it looks consistent, also the communities are identical, the AS path is identical so in that case it looks good.
Just go back, yeah. So as you see on the top right, you can look up the IP, you can look up the IP with a mask, so it will restrict the look‑up to that specific mask, or you could put the mask range to make your look‑up. You can also look up by origin AS and all the routes that match the origin ASs.
OK. RDAP is a Whois replacement, from IANA to every RIR, there is an observer and basically you can click any IP, any prefix, any AS and it will look up what it is, who it is, for example, just click on the six and they will return the matching Whois information. So you can be quick in the UI, just, for example, when you have a long AS path, you can just click through them and you will immediately see who it is.
And also the database will cache this information for, I don't know, I think it's 24 hours. So once you have clicked through, it's very, very fast.
So it's not implemented in the client, it's implemented on the... side, the UI requires the server, the server will cache this information.
OK. So since the idea is that you can look up your network and find issues or inconsistencies, I was thinking where can we go from there, what would be interesting to analyse. And the first thing would be an automation of possible inconsistencies like routing loops, because since in the session of BGP we have the next hop, you would be able to detect if there's like a hop A wanting to send a prefix to B and B back to A, ghost routes, and that kind of thing. Like if you have a withdrawal somewhere, checking that it has actually properly propagated everywhere, that there is no router that keeps a route that should not be there.
RPKI validation, that would also be interesting to do just in case you have a failure in your network or you forgot to configure something somewhere, that happens.
So an additional layer of security on the server side would show you invalid prefixes. Further than that, BGP is nowadays used to transport all sorts of information, who would have thought you would transport MAC addresses, so it would probably be interesting to be able to collect VPN routing information as well as EVPN and integrate that in the UI to make these searchable and display the inconsistency. I have heard so many times about data centre EVPN and teams looking for the issue for three days to compare the MAC address table of 25 switches and going mad so maybe collecting this information would make it easier to find the inconsistency.
So yeah, there's issues, there's always issues. I guess the biggest issue is everything is stored in MySQL, probably a very poor choice, can't imagine how you have to sort IPv6, there's no filter, you have to split 128 bits into two fields of just 64 and ‑‑ Postgres knows how to store CIDR but I am not sure of the performance, I haven't done a test.
Extended communities and large communities, they can be exported by the daemon but there's no integration in the UI further at the moment.
What's next. So what's next? Is it worth it? I don't know. You tell me. This is why I am here. Because I ‑‑ I don't know if you think this is something that should be continued to be developed, that looks interesting or you are like, I have 25 other tools that do exactly the same. So give me some feedback.
And if it goes further, we'll need some test deployment where I can actually have instances in real life data and also a bit of contribution help, that would be, because I am the only one developing so ‑‑ and that's basically free time. So, yep, Q and A.
(APPLAUSE.)
SASHA ROMIJN: Thank you very much for that talk despite the difficulties. Let's start at the front.
AUDIENCE SPEAKER: So I understand that this brings BGP to the routers and you need to configure those devices to actually be willing to talk to you. So that means there's possibly filters and other things on those devices that might prevent you from getting things, do you just say don't do that, give me the whole feed, or how does that work with communities and other stuff?
PASCAL GLOOR: So since it's a tool for you by you, it's really up to you. It's going to be the dataset that you can look at if you want to filter, it might not be a good idea because you might miss things that you have and won't see in the database. However, you could also say, well, I want to have in the database what I am sending to my BGP customers. And I want to make sure there's no mess in there. So you could then filter ‑‑ you could then filter and just have that view or you could just send peering route. Whatever. It's really up to you. But the more you filter, the less you see.
AUDIENCE SPEAKER: All right. I wanted to ask you why do you have to store all the information in the rotating file before injecting it into the database? Why can't you write it, the data, into the database directly?
PASCAL GLOOR: That's ‑‑ it's a time‑delay problem. The routing daemon is very fast and all the announces and withdrawals and all the BGP events will be time stamped there. There's no time stamp in the protocol so you need to process it very fast. Otherwise your time stamp will not be accurate. The injection into the database is not so fast. So in order to have an accurate time stamp, the BGP daemon is very fast. Also, it's easier because the fewer things are together, the more you can use the tools separately. So I didn't say it because obviously it's OpenSource, otherwise I wouldn't be here, it's on Github, but you can also just have the BGP daemon and use the tool and then do something else. It's really up to you. You don't need the whole UI and database, you can just rub that and keep the BGP daemon and say I just want that. So this is why it's separated.
AUDIENCE SPEAKER: Thank you.
AUDIENCE SPEAKER: I am the guy on the slide there, so it was ‑‑ I love this tool, I already said that to Pascal and we already fixed things with one of our providers that didn't want some filters because of an upgrade, whatever and so on, so that was already helpful for me, and I would be happy if some people go and help Pascal taking this project on. And I think it's something that might be useful for the community. But I would be, I really think other people could voice their views and I think you show what the real results with my machine to who are ‑‑ who might be interested around, so come to me if you want.
PASCAL GLOOR: That wasn't a ghost step.
SASHA ROMIJN: Thank you again very much. (APPLAUSE.)
PASCAL GLOOR: As Will said, I am around if you want to have a look at the UI, just come to me, I have my laptop here and I can show you, thank you.
SASHA ROMIJN: Next up we have August talking about the cyber resiliency work in a follow up from the lightning talk in the plenary earlier this week and I will remind you again to rate the talks, also for working groups we'll take that feedback to plan next sessions and also give it to the speakers. August.
AUGUST BOURNIQUE: All right, so this is a talk on the cyber resiliency act, the new EU product regulation but I specifically want to give a more technical talk ‑‑ I mean technical ‑‑ about some of the specific code involved.
Particularly around what is commercial and what's not commercial free and open software.
So, my name is August Bournique, I am an Amsterdam based, California licensed attorney, and I need to give you my disclaimer as always. This presentation is general information and not legal advice, because I don't know your specific situation and I am not your lawyer. And that's actually kind of important so just remember your situation may differ.
So what is the Cyber Resilience Act? There are a few exceptions, it covers any product with a network component and the goal of it is really to get manufacturers to start caring about security and also to provide documentation so that users can have more information.
You may have heard of the act a few years ago, that's when it was composed, it's only now being finalised, it still hasn't been signed off as far as I know, maybe today, by some of the member states at least. And it's going to come into effect 21 months after certification, so probably July 31, 2026 but that's only for the recording requirement. The full act comes into effect in October 2027.
So how it will regulate: There's a reporting element, manufacturers of products, digital products, need to report breaches, incidents, exploited vulnerabilities, and you are going to have to record them probably online to ENISA and that will, we hope, be forwarded to the CSIRT, the national incident response team. And this is the union wide agency for information security. The standards certification process is more in depth, it's going to increase documentation that's publicly available and getting a CE mark on products, so people know it meets the standard and there's self‑assessment for that primarily and also there's also of course fines and penalties. The interesting thing about the CRA for me, there's various protections in it for free and open software which is nice, it's a success story for FOSS getting involved in policy. The first exception we are going to deal with is non‑commercial FOSS may be excluded from the CRA, you are free and open software, it doesn't apply to you, it's not true, it applies to a lot of people because commercial is a legal definition here but there's also general standards and free and open software gets this special category of open software stewards which are going to be things like the Linux Foundation and big NGOs or small NGOs that have a specific OpenSource project or area they work in. And they are actually going to be able to help set standards with the regulators which could be really nice because hopefully you will have a voice as to what kind of protections your product should have.
So what is FOSS? Silly question, right? We all know what it is, but we are not the CRA so this is the definition of FOSS in the CRA and I am bringing this up for here not to read it out loud very fast which would be hilarious, and I am not going to do but just to go over the elements I take from it and I think one of the things that I want to share with you and if you take something away from this, this is what we are dealing with when we talk about yes or no, this is what the law says, this isn't very clear.
I think I might say if it were something more of a code, a technical code, it has a lot of sort of undefined elements, I think. In US legal jargon, we would say there's a lot of applesauce in there.
So, what is free and OpenSource under the CRA? It's really two things. It's any product that shares its source code openly but it also has to share it online. I don't know if that's in ‑‑ it's kind of funny ‑‑ and is offered under a licence where all rights are freely accessible, so it's not covered by the CRA if it does those things and it's not commercial. I will note we have our first issue here which is what does freely accessible, what does a licence that's freely accessible mean, there's a lot of modifications in CC licences that might be argued do not mean freely accessible, but we don't know that yet, so that's the kind of thing we are dealing with.
So the big question is: What is commercial? Let's cover this quick.
I have edited these down a little bit, a commercial product in FOSS does one or more of the following things: charges, charges more for the technical support than it costs to, say, provide, might be hard to figure out. And here's another one, intended to be monetised, oh, a spelling error, and collects, or this is another one I think is interesting, collects and sells user personal data, more than you need to collect user data for keeping the product functional, if you collect it and then package it off, you are commercial. And then accepts donations but only if, accepting donations is fine but if you intend to profit from accepting donations and more importantly, if you both intend to profit and succeed in profiting from accepting donations, so you can say we are going to take these donations and get rich and you know, living in a shack and nothing good is happening, you are still not under the CRA.
So there's more and I will go really quickly through it, it gets much more complex, these are more protections, what does it all mean, we don't know. This is additional protection that relates to a kind of distinction between the development process and the supply phase of the OpenSource products, maybe it's only commercial if you are selling the final product but if you are getting support and contributions from manufacturers during the development, that's not commercial.
And I think there's also this interesting note in the section above this that says regulators need to be concerned about, that FOSS products are developed differently. So it may be really, really helpful, you get a lot of money to develop new things, it may be completely fine.
And there's more of course. The final bits.
This notes that updates and new versions aren't themselves commercial activity, which I think feeds back into that issue of the development phase is not commercial but it's hard to say. If you are constantly releasing updates, are you always developing? We'll have to find out.
We get a couple of real exceptions, non‑profits can sell FOSS and as long as the earnings that are in excess of their costs are used for charitable purposes, they are fine. And then also probably one that's the biggest relief for people, if you are contributing to someone else's project, you are fine, you don't need to worry about the regulation. So I think it was a real success for FOSS lobbying because originally none of these exceptions were in there, it was just if you make money, you are commercial, you got to meet the CRA's requirements. And we also get the fact it's an ongoing process, the OpenSource stewards are going to keep being able to help direct the regulations.
So what should you take away? Hard limitation, CRA, if you intend to monetise the product, the CRA applies, if you sell the final product, the CRA applies. And donations keep you outside of the CRA. So I am out of time, but I do want to say one last thing. I think the CRA is a great example of what FOSS can do if it works with regulators and hopefully other regulations can get this kind of back and forth to get some say in them. All right, thank you.
(APPLAUSE.)
MARCO SANZ: Thank you. We have time for one question. That would be possible. So if one wants to, yes.
AUDIENCE SPEAKER: I just have a question already the last time you were on stage, legally can a non‑profit profit from donations?
AUGUST BOURNIQUE: Ah, I mean ‑‑
AUDIENCE SPEAKER: If a director has whatever, a salary or...
AUGUST BOURNIQUE: That's the kind of thing we are going to have to see worked out here because it says, if we go back to that bit of code there, it doesn't say profit exactly, that's just me using a, cutting it through quickly ‑‑ it says if you have income as a non‑profit organisation, income in excess of your costs and you don't, you don't use that income for non‑profit purposes, now it's kind of unclear, right, like if you pay your director amounts of money, is that a fair cost? You don't want a regulator looking into that, of course, but will they even? This is the sort of imprecise nature of this code that we are going to have to be comfortable with for a while until we know more. I mean, I would say make sure you document everything that you are doing, everything charitable and above board, so if it does happen that lightning strikes you and the regulator comes down, you have got something. But I can't tell you one way or the other.
AUDIENCE SPEAKER: OK, thank you.
MARCO SANZ: Thank you, August.
(APPLAUSE.)
Our next lightning talk is going to be Vesna who is going to make an announcement about the upcoming green tech Hack‑a‑thon.
VESNA: Hi everybody, my name is Vesna, I am a senior community builder at RIPE NCC and I am here on behalf of the organising committee of the next Hack‑a‑thon to invite you to join.
The event itself is going to be at the beginning of December, so this is Tuesday and Wednesday, a week after the...class, a week after, for the Dutch people very important. And we want to do it both in Amsterdam and online and in local hubs. So there are a lot of ways that you can take part, please do not fly to Amsterdam to join the Hack‑a‑thon about sustainability!
There will be t‑shirts, this is going to be the design on the t‑shirt.
So there will be other activities, we will have a pre‑event only online for the people who couldn't really make it but still wanted to give some talks about their approach to the ecological way of dealing with internet infrastructure and then on the last day of the event, the Wednesday afternoon, it will be possible to join the presentations for all the Hack‑a‑thon projects and then to stay for a little social event to mingle with the participants, because we have a limited amount of physical space, we are aiming at 42, and all the other people will just have to come after and talk to us.
There will also be stickers, you can see these images from the previous Hackathons that we had, we really celebrate the diversity of the graphic designs of the stickers and the laptop covers.
If you would like to take part earlier or just cannot come to the Hack‑a‑thon, there are all these options for the online participation. There is some code on Github that you can contribute to, we have discussion lists and there is a Wiki with a lot of other additional documentation.
This is the group of people who are helping organise it and this is also an illustration of who we would like to have in the event, so we are liaising with a lot of other groups. I am trying to get people from academia and network operator groups to join this event. We have Mike Oghia who is helping us get the contacts in the data centre industry, Mallory who is bringing standardisation into this event and Shane is our contact in the OpenSource community and DNS operators, we have Claudia who is part of the hackers community, Chris connecting us with internet governance, kind of core internet governance bodies, and Catalina who will be our online facilitator and Noelle helping with the logistics. So it is important to know that we are getting all these various groups to work together and that a lot of people are involved in this, although I am just the one kind of speaking about it.
And this is not the first time we are dealing with this subject. There was a workshop organised by the Internet Architecture Board and sustainability related projects on the two previous Hackathons that we had and we also hosted an open house about green tech this month, and videos and slides are available online, they are super interesting if you want to learn more about it.
We had opened applications already a while ago and we already have 20 participants who have been accepted by this organising committee and they suggested a lot of interesting project ideas. The thing with these ideas is that we might not end up working on exactly these projects, people will suggest them at the beginning of the event and then there will be a lot of brainstorming and forming of small teams who will then focus on something like this or something completely different.
So it is still very open and we are looking for you, for your participation and for your project and your skills.
So please register. Thank you very much.
(APPLAUSE.)
MARTIN WINTER: Thank you, Vesna. Are there any questions? OK. I see no questions. So I hope ‑‑ oh, one question? No. OK. Thank you.
So next up we have Maria talking about how do you use YANG for code generation.
MARIA BIRD: Hello, this is Wiki, it's his work actually. Thank you for the opportunity to be here, it was a very last‑minute submission, actually there is almost a whole team of BIRD in this room, so thank you for coming, and if you want to see anybody else from the BIRD team, please go to ‑‑ hands up the BIRD team, they are quite spread around the hall. You are not far away, you will get caught if you start to run away.
Yeah, anyway. This thing does, it goes forward and back. So yeah, we are going to speak about how we are using YANG for, how we are not yet using YANG for code generation and how we are circling back to ASN.1. So the problem is the users want an API and they want it described by YANG. But the problem is what if the YANG diverges from the code because the code is updated, so let's take another approach, let's define the API by the YANG, but what if the code diverges from the YANG.
So there's the current approach, people typically work with CBOR or JSON, is that you have the CBOR and you parse it with something generic and reparse it again to specific objects. So what we are going to do is this. We want to remove the thing in between and this is how we are getting back to the... well we want to get from the JSON or from the CBOR which has like those, is it working, yes, those strings and so you will not get an object directly so we can access all these pieces with the various methods and so, yes. And the recipe is, well, shall I tell it. OK. Yeah. We can take the vanilla YANG, the file you are using for definitions, we can use ‑‑ we can write an application‑specific definition file which is how the YANG is actually going to be connected to our application and then we are going to use the tool, the tool is... and the result from this should be an application‑specific parser and encoder which you can just build into your application and you will just make an object, push it into the encoder and the encoder spits out the CBOR or the JSON on the wire and you get some data and you get directly the objects. We are trying to save memory and save time and also do online validation of all the data you are getting.
This is not a work which is already done, this is a work in progress, we are basically at the end of the drawing board and starting to do some prototypes. So we will very much welcome any thoughts, hints, pointers, where to look at, what not to do and so on and so forth, and when I was telling Alistair about this, he said, well, we are full circle back to ASN.1, we bought this compiler in the 1990s for a million dollars. So one of my questions is should we charge a million dollars for it?
That's it. Thank you.
(APPLAUSE.)
MARTIN WINTER: Thank you. One question.
AUDIENCE SPEAKER: I can't speak for the RIPE community but we definitely have the same problem and we'll talk to each other and it's not unlikely that we might end up using the same tool, so we are definitely tackling the same issues and I hope we can figure out something together.
AUDIENCE SPEAKER: It's a hard problem.
MARIA BIRD: Yes, we know it.
NIALL O'REILLY: Just a quite flippant remark, I guess it's OK to charge the million dollars provided, given what August was just telling us, you take care to use it for charitable purposes... (APPLAUSE.)
MARIA BIRD: Don't worry, my Lamborghini is for charitable purposes.
MARTIN WINTER: Thank you, both of you.
SPEAKER: I want to emphasise if you have some suggestions or thoughts, reach out and we can meet in the hall. I am looking forward to it.
MARTIN WINTER: I wanted to add, as you mentioned earlier about all the BIRD developers here, and especially if you are kind of new to these RIPE meetings, there are lots and lots of OpenSource developers here, from BIRD the whole time, there's people behind OpenVPN here, OpenBGP, tons of other OpenSource, it's a really great opportunity if you are not aware, go reach out to them if you have feedback, information, requests, talk to them. And the OpenSource developers are very interested to hear from you, even if you are not able to give money at this time, feedback is still normally something which we all love. And then don't forget to rate the presentations please.
MARIA BIRD: Take note, don't drop a bomb on to this hall please. The bus factor is quite bad. (APPLAUSE.)
MARTIN WINTER: So we can do the last thing.
MARCO SANZ: Yes, the last thing. Yes. Any other business.
OK, Martin, so yeah, the time has come for a farewell and I think we cannot emphasise enough what you have done for the working group and we wanted to hand you something so that, yeah, like when you move on to higher spheres and more relevant positions, you remember us. So yeah, as you know I live in Germany, close to Frankfurt and there are a lot of apples there so on some glorious day, somebody thought we can make wine out of that, it's not cider, it's apple wine. It's a very polarising thing, some people hate it and some people say it's the most honourable way an apple can die. So...
This is the first thing you have to, yeah. This is the first thing you have to tell us your opinion about once you are done. But OK. Let's move on. So we know that you are not the wine guy, you are more like the whiskey person. You probably were at the whiskey BoF last night. And yeah, you can spend lots of money on fine single malt Irish whiskeys, forget it, we didn't have that budget so that's, we didn't.
So we thought we are in RIPE and RIPE is about diversity and not having prejudices against something like Spanish whiskey, which is something we want to hand to you and you can also, yeah, tell us your opinion about this once you are done.
And now ‑‑
SASHA ROMIJN: I don't know about apples or any of the controversy because there's none about it, so thank you very much, Martin, for all your 11 years of chairing this working group and starting it up and the three of us are looking forward to taking it further.
(APPLAUSE.)
MARTIN WINTER: So thank you very much, the two of you, and I am happy to give it up because we got an excellent replacement, so I am very positively looking forward to it. And I won't be missed in the RIPE community, trust me, you will see me whether you want to or not. OK. That's it. Have a good lunch.
(APPLAUSE.)
(Lunch break)