RIPE NCC Services Working Group
.
RIPE 82
.
19 May 2021
.
16:00 (UTC + 2)
.
KURTIS LINDQVIST: Good afternoon everyone, I hope you can hear me and that this is working and that you can see me. And so, I am Kurt Lindqvist, I am one of the Chairs of the RIPE NCC Services Working Group together are Rob and Bijal.
.
First, the housekeeping rules. This is a virtual meeting. And the audio and video queue is what we are using so to request audio floor, ask the question directly and click the mic anded camera icon to get first audio, please state name and affiliation. You are the Q&A window for questions, if there and a question we'll read it out and please state your affiliation. You can check how many people are in the room. We are currently at 291, which I think is more than we have in the in person meetings, and there is a chat, which is the group chat, but it's not the Q&A and we might or might not read that. And this session is being recorded. So, with that housekeeping, we are going to get right into it.
.
Welcome to the truly your favourite Working Group. There's been some imposters early in the week that they claim for some ridiculous reason they have favouritism. We all know they don't and this is the true favourite Working Group.
.
So, this is the NCC Services Working Group.
.
On a serious note, we have the agenda. I'll start with some of the administrative matters. We will have the RIPE NCC update by Hans Petter, and then we have the operational update by Felipe. We will have a 15‑minute break. And then we'll dive straight into the Cloud and then we have some housekeeping business afterwards and the traditional open microphone session that ‑‑ for you to ‑‑ for you to raise topics you want to have discussed.
.
And I want to remind everyone, if you haven't done this before, that the RIPE NCC update by Hans Petter is actually also part of the General Meeting, so this is the update that the NCC does for the membership.
.
So for the administrative matters, I think I have done the welcome.
.
We have a scribe, which is ‑‑ I should know because I have an e‑mail saying who he was ‑‑ but thank you RIPE NCC for the scribe. And if there is anything ‑‑ no other additions to the agenda, if there is nothing to add to the agenda, we'll go with this agenda.
.
We had the minutes of the previous meeting from RIPE 81 was posted or shared to the list on the 22nd April. There was no comments on them. So unless there is no objection, I'm going to consider the minutes approved. So we are considering the minutes approved.
.
And with that, I'm going to go to the ‑‑ straight to the first agenda item, which is Hans Petter's update, and so, Hans Petter, over to you.
HANS PETTER HOLEN: Thank you, Kurtis. My name is Hans Petter Holen, I am the Managing Director of the RIPE NCC for a year now, so I'll share a bit of my experiences from that year.
.
Normally, the managing director has only done one presentation in the Services Working Group, but I will also do another presentation in the GM this time where I will focus more on the achievement in the activity plan, while this will be more about my experiences as Managing Director.
.
So, one year at the helm.
.
Things needed to be developed ‑ getting things in shipshape, as they say on the big boats. One of the first thing that met me when I joined the RIPE NCC virtually was Holacracy. So, the work here is really to see how this new system of self‑management of distributed authority can support the RIPE NCC moving forward. So I have taken this to heart and used this as a transition tool into shaping the organisation into what we need to be for the future.
.
So, now we have a structural organisation that largely matches the structure of the activity plan and budget from the last year. We have a technology area led by Kaveh, a registry led by Felipe, community and engagement is an area where we are currently recruiting a chief community officer, and then it's the organisational sustainability, the supporting areas like finance, HR, legal and so on.
.
So, we now have a good structure in place and we do have financial governance in place matching the structure. And then the work ahead of us is really to see does this operating system, so to speak, Holacracy, really bring us where we want to do?
.
There is one part that is sorely missing in the alignment here, and this is how to do performance management. Because, in Holacracy it's not the traditional hierarchy where you only have one manager; you may have multiple roles in multiple circles, so, we need to further develop the performance management system into a way that takes this different structure into account, or return to a more traditional structure at least for part of ‑‑ some of our functions.
.
On top of all of this, of course, we have had to focus on compliance. Both on the legal side, on the financial side, on the technical side and security. And one of the nice things with the Holacracy is that everybody has the freedom to do what they think is right in order to fulfil their purpose, but, on the other hand, we need alignment across the organisation, and Holacracy supports that as well, but it actually needs to be done.
.
So the default is, if there isn't a rule in place, you can do whatever you want, rather than you have to go and ask your boss.
.
So, what have we done this year then?
.
Well, based on the activity plan and budget last year, that was approved by the board in December, the board assigned some goals to me.
.
And first of foremost is to ensure the accuracy of the registry. That's not a surprise; it's been like that for years. The board, a couple of years back, asked for risk management to be established, and that is one of the top things also this year moving forward.
.
Operational resiliency, and I see that a lot on the mailing lists and making sure that we actually professionalise our service delivery and make sure that we, for some services, deliver 110% uptime. Like the excellent track record for k‑root, for instance, how do we take that knowledge and turn that into a similar 10% availability, so to speak, for RPKI? There is a lot to be done in this area. We are working on setting the service level objectives, the expectations that you can get from our services, and we hope to be able to publish those gradually during the year and next year.
.
Financial management is, of course, important. We safeguard members' money and we need to spend in a prudent way. There was some work done on changing the organisational structure, and we have had some ‑‑ and we need to align the structure of the organisation with the activity plan, which is mostly done.
.
And then, last but not least, we are also acting as the secretariat of the RIPE community. So these are the goals, or the headlines of the goals that the board have set for me, that I have then set for my management team, and this has been done openly within the RIPE NCC so that everybody can see these goals and what has been set. There are work plans for each of the areas and individual goal sets based on these work plans.
.
So we have now, in theory, done a very good job in actually making a plan for the year for ‑‑ for this year to deliver on the activity plan.
.
So, one of my slides from the last meeting was to find our true north, And we worded that as "Deliver world‑class services while engaging people to connect people to maintain the resiliency and stability on the Internet."
.
We are still not there, but I think that's a leading start going forward, that the RIPE NCC needs to be, as it has been in the past, a key part of the Internet to make sure that it is stable and resilient.
.
So, no, we are working from home and that is mostly smooth sailing.
.
There has been several presentations already showing that the Internet actually survived the pandemic, it's actually supporting us to work in a different way that we used to be, and, for the RIPE NCC, I can say that, well, technically, it's working great; we work from home without any technical problems.
.
But, as Erik drew our attention to in his opening presentation on Monday, there are other sides of this, other than the pure technical, and I must say that we sorely miss the human interaction that we would have in an office and that we would have by meeting.
.
So, I really hope that we have now seen a turning point, that vaccines are being rolled out and that we can gladly see that the government will allow society to re‑open again so that we can once again meet in the office, meet socially and then maybe even have a RIPE meeting in November, and even more hopefully in May in Berlin next year.
.
The other big change for the RIPE NCC in a slightly bigger perspective is that we have no in the IPv4 afterlife. I tried to make a joke earlier on that we have lots of IPv6 addresses in stock, so please just come and register. But there is still some demand for v4. The delivery time on the waiting list is below one day, and we currently have 1,533 /24s in the free pool. Now, this, of course, changes all the time since this is recycled space, it stays in quarantine for six months, and you can see from the graph here that now only 134 /24s will be released over the next 30 days, while the rest will ‑‑ is no access available for immediate allocation, interesting. The last slide says it's available in the next six months, but I guess this has been updated since I reviewed my slides earlier today.
.
If you look at the development over time, you can see that just after run‑out, there was a peak but then it became a bit quieter, and now it's slightly positive trend but seems to have stabilised on the 100 plus requests per month.
.
We have a lot of ongoing efforts, as we had planned for in the activity plan this year.
.
Moving services to the Cloud, that's a really hot topic, and we are now really looking for input from you, from the community, from our members, on your experiences, your thoughts on how we should do this. This was an initiative that was started before I joined the RIPE NCC, and the work last year was mainly on making proof of concepts, and they have been successful. It's not that we haven't outsourced in the past. We have never built our own machine room or we haven't been operating our own machine room or our own power generators, and stuff like that, for I don't know how many years; we always relied on somebody else to do that, but now we have, of course, been in professional facilities for some years, but then the question is, should we go to somebody who would provide infrastructure as a service? Once you get there, you kind of ask, well, why can't I use their other tools and features that you will move up up the stack into a platform as a service, and so on, in order to speed up the delivery? Of course, this is a complex matter. The RIPE NCC is ‑‑ well, we have just discussed that we don't want to be named critical infrastructure, but, you know, in some ways, it's really critical that our services work, so we should treat them as if they were, so there wouldn't be any need to regulate us in order to get us to take security and resiliency serious.
.
We should do that without the governments telling us to do so, and we should do it for all governments in our service region and for all users of the Internet.
.
So, it's ‑‑ there are a lot of different threats and different risks in this picture and we need to balance this in order to get the best possible solution.
.
Some of our services are already in the Cloud and has been so for quite some time, and some, we really need to think carefully about how we move them and there will be a presentation just after mine both on the Cloud strategy by Kaveh and further on RPKI and database by Felipe, in particular, so that there will be ample time for questions and answers to those topics after those presentations.
.
RPKI resiliency? Yes, the RIPE NCC has millions of euros of budget, but then if you look at the budget for this year, it's less than 1 million budget to manage the RPKI service. Now, that is something that we need to look at when we look at 2022 budget, of course, but it's also clear that the expectations for this service is different from when we talked about the RIPE NCC 22 years ago and said, well, you know, if the RIPE NCC closes down for a month, nobody will notice. Well, today, that's certainly not true, definitely not with RPKI.
.
We have also enabled, now, checks on our own AS, the 3333, and we have had no big incidents following that, so I guess that's a good sign here.
.
Registry accuracy is, of course, still important to us. Security and compliance is increasingly important, and an area that we're ramping up.
.
Improving user experience across the services. There's been several presentations on that already.
.
Of course, all our outreach now is ‑‑ and engagement, is virtual. But we're already planning for returning to physical meetings, and then of course we need to have a focus on how to make a hybrid experience so it's possible to participate virtually as well.
.
Translations. Further developing e‑learning around certifications, and we're now, after this meeting, starting the next cycle with activity plan and budget for 2002, and with the new membership engagement area, where Fergal is the lead, he has also taken it upon himself to make a five‑year strategy plan ‑‑ I have tried to set out to do that last year, but this was a bit too ambitious, but I have hopes to do that this year.
.
Keep learning. That's important. We have done over 2,000 webinars, had more than 2,000 webinar participants last year. All our training courses are also available as webinars. And the RIPE NCC academy has new content
.
So please have a look that. The new micro learnings, this will also be an update to the v6 security online courses soon.
.
And certified professionals, IPv6 security exam will go live this summer. So if you have taken both the existing exams, then read up on IPv6 security so you can get on with the next one.
.
Improving your experience.
.
The look and feel, the usability on different screen sizes, not everybody uses a computer these days, there are mobile phones and tablets that are ‑‑ that is the main tool for a lot of us, and adapting the services to this has been important.
.
And then cleaning up and making a consistent user experience across the different services is also important, and this is an area where Holacracy has helped us in creating a cross‑functional forum that focuses on this, so instead of having to create a new department and moving people around, it's simply created a group of people working in their existing roles but in addition taking upon themselves to coordinate this work.
.
RIPEstat celebrates ten years. You have already seen Christian's presentation on that this year, and quite honestly, for the last number of years before I joined the RIPE NCC, I never looked up anything in the RIPE database any more; I always went to RIPEstat because I got so much more information around the resources I was looking up, so I could make better decisions on what they were used for or whether they were used, and so on.
.
Take a look at the new RIPE Labs, it's been revamped. Improved user interface, new features, contribute to discussions, share your ideas and opinions and best practices and case studies.
.
I mean, this is a place where we need your content as well, so don't feel shy to write up your ideas and your results and share them here.
.
RACI. Normally we bring researchers to the RIPE meetings so that they can present their recent research. But with the only virtual RIPE meetings, there was not really a good valid proposition for the students to come to a virtual meeting, so we are trying something new this year with making this a grant for research projects instead. Of course, this is a one‑off during the Covid thing, to see if we can still engage this community in a meaningful way, so there is more information on this URL.
.
Community project funds. Over 25 projects have been funded for the good of the Internet until today, €250,000 to support projects of value to the operation, resilience and sustainability of the Internet.
.
We have a focus on tools and services benefiting the technical community.
.
The call for applications will open shortly.
.
It's a committee with community members appointed by the RIPE NCC Executive Board that will make the decision on which projects to support.
.
Now, this was the ride until we do come into choppy waters, and you have already heard some presentations that we are seeing changes in regulatory behaviour of the governments around us. And that's happening across all our service region. This is not only EU; this is all countries, and we are doing as best as we can to follow the legislation in EU, Russia, Middle East, and all the other countries.
.
And our biggest concern is really to be able to provide services to all RIPE NCC members on an equal basis. And one of the things that we have done here is to start a project where we are identifying different scenarios and seeing the regulatory developments and looking at what what can we do if this happens. And in many cases, the proactive thing is maybe the only thing we can do, we need to educate the governments into doing sensible regulations and making sure that they don't do regulations that have unintended consequences. I think the work done, both by Marco but also by other community members working closely with us, on the NIS 2 directive, and getting that into a ‑‑ changed into removing things that we think will be limiting for the Internet operations for the root servers, for instance, is important work here.
.
The work that we have started here, we have also brought that now into the NRO that so that we are working together with other RIRs on these. And you can find an article written by Athina, our chief legal counsel, where she has elaborated a bit more on this.
.
The one regulation that you probably heard most about is sanctions. So since the RIPE NCC is located in the Netherlands, we have to abide by Dutch law. And the Dutch government is implementing EU sanctions, so any sanctions made by the European Union also applies to us as the Dutch organisation.
.
We have had a situation here now where this means that all the members that are on the sanctions list, we have had to freeze the resources. That means that resources cannot be transferred from or to these members. In order to do this, we need to monitor all our members, and this is not only members in certain countries, it could be members that are owned by and then that will be ‑‑ could be cross‑border, so we are implementing monitoring of all our membership to watch the EU sanctions list.
.
Another dimension here is that, in order to do business, we are dependent on banks, and banks have seen stricter regulations, not only the sanctions as such, but also money laundering concerns, and want to know more about who is behind money transfers, and although the membership fee for RIPE NCC is really small, they are concerned with money or transfers from what they call high risk countries.
.
We are currently in a dialogue with them and we hope to resolve that soon, but it has caused us to not send invoices yet for the high risk countries. And that is something that we hope to resolve soon but we really want to have a clear understanding with our bank that this is not going to cause a problem for us.
.
Looking ahead. We need to chart the course for our destination. We are going into the new planning cycle, as I mentioned. Fergal has the lead on this, and we have planned to present the draft activity plan and budget in early September, as we usually do. Do get involved when that happens, do share your ideas even now on the mailing lists. Then, after comments on the September version and the discussion on the GM in November, the board will finally approve that activity plan and budget in their December meeting when they also set the goals for the managing director for 2022 and we do the whole goal‑setting process within the RIPE NCC for that year again. And then the circle is complete.
.
At the General Meeting later today, there will be three resolutions: The financial report for 2020 to be approved by the membership; a discharge of the Executive Board; approval of the charging scheme for 2022; and election to fill two seats on the Executive Board. And you have already had the opportunity to meet and discuss with the candidates there, which is a new thing, and they will play a video to introduce themselves in the GM.
.
So if you are eligible to vote, please make sure that you have registered and exercised your right to vote. It's really important.
.
And with that, sailing ahead to the northern star to deliver world‑class services while engaging to connect people to maintain the resiliency and stability of the Internet.
.
And with that, back to the Chairs and potential questions.
KURTIS LINDQVIST: Thank you, Hans Petter. We had one question actually, which is from Elvis ‑‑ there is quite a few people seconding the question.
.
"Slide 11, improving user experiences across services, you implemented a ticketing system that may work good for the RIPE NCC but is a complete failure for us the members. What is the plan on giving access to a ticketing system send desk to members in the LIR portal?"
And there's been a number of supporting comment of the question.
HANS PETTER HOLEN: Thank you very much for that question. You approached me at the fireplace earlier this week, so I have had a quick chat with Felipe on this and it is on the roadmap for later this year, but I can't promise whether it would happen in Q3 or Q4, but it is something that we're looking into to make the tickets and the history available to the members.
KURTIS LINDQVIST: I think that's all supporting comments, as I take it.
.
Oh, there is a question ‑‑ Elvis is asking ‑‑ we have a queue here. Sorry, I think Erik was faster, so I'm going to let Erik go first.
ERIK BAIS: Thanks, Hans Petter. I have a question about the uptime for the various services that the NCC is now providing. I know you came from a very interesting company before, as a security operator there. What I'd like to ask the NCC is to provide operational reporting in a transparent way for all the services that we talked about, think about k‑root, LIR portal, RPKI, the office infrastructure, and see if there is, you know, if there can be KPI set specifically for those services, and if you can report on the next RIPE meetings on those and how we're doing there, specifically for the uptime and what the problems were in the previous period.
HANS PETTER HOLEN: That's definitely my ambition, Erik, so thank you so much for that. It was one of the objectives from the board also to define these services, and we do have a list of the services that we will start to sort of describe as a service description and also add the sort of the measurements, the KPIs, the targets for those and start to report on them.
.
So, the first step is to do this internally. The second step is to report this regularly to the Board, and then, of course once we're confident on this, report it regularly also to the members and the community.
.
My ambition is clearly to do that at the next meeting; we will see whether I will be able to deliver on that or not.
ERIK BAIS: Looking forward to that. Thanks.
KURTIS LINDQVIST: Thank you, Erik. Elvis disappeared. Next is Rudiger. I can't hear Rudiger. No? He disappeared. Okay.
.
Then we have a follow‑up question from
ELVIS VELEA: Can we get a guaranteed promise that, by the end of 2021, we will have access to a ticketing system followed by a history of conversations for LIRs, someone has or receives access later?
HANS PETTER HOLEN: There is a very simple answer to that question, and that's no. And why can't I give a guarantee on that? Well, the way most people run development these days is using agile methodology. The only thing that we know is what we are going to do in the next sprint. We don't know whether that will be successful or not. We do have rather firm plans for the coming quarter, we do have plans for the following quarters as well, but they are not as firm yet. So we are working now on how to present the plan for the next quarter, that's part of the membership engagement work that has just been initiated, and, with that, it will be easier to have insight into that. I mean,I fully understand your frustration here. As a customer of Google in my previous job, I had the same issue with them. When can I expect feature X in your product? And they presented me a roadmap and, yes, well, their next quarter was rather firm, well the quarter after was less so, and the next year was kind of not the promise at all.
.
So, while I want to get into better planning here, please realise that what we will commit to is the ‑‑ at any time soon, is the next quarter, and then we will make the plan for the quarter following that, so that we can be agile and take on new things.
KURTIS LINDQVIST: Okay. Thank you. We are trying Rudiger again. We still can't hear Rudiger. No sound coming from Rudiger.
.
I am going to go to somebody ‑‑ other questions we had and then I think we have to move on, hopefully, from this presentation.
.
But Peter Hessler asks: "Is the RIPE NCC considering the availability of IPv6 for all the third party hosted services, e.g. send desk... they are all IPv4‑based?"
HANS PETTER HOLEN: I would say clearly, yes, we have a policy that services that we provide should be v4‑based, but then when it comes to ‑‑ not v4‑based, v6‑based as well, but when it comes to reality and picking a tool, then that may not always be an option. So, while I clearly want to raise awareness on that internally so that we take that into consideration, I think we will practically see that some tools will have to live on v4 for a while.
.
KURTIS LINDQVIST: Last question is Dmitry: "With respect to third party data handlers, including Cloud services, what is the process of choosing a provider? Is there any chance of public consultation or tender?"
HANS PETTER HOLEN: That would almost take a presentation by its own, so, what the process is, it's an elaborate process. It's definitely something I'm looking into. We have a purchasing process saying that we will solicit three offers if possible. It's not always possible to do that. We have not yet discussed ongoing into public tenders. That is even more sort of a heavy process.
.
I will bring in systems to do that in the past, so not sure I want to go there.
.
Public consultation, on vendor selection, I am not sure, in general. Maybe we need to be more formalised on public consultation on important issues.
KURTIS LINDQVIST: Okay. Thank you very much, Hans Petter. We are quite a bit over time, so I am going to stop here and I am going to hand this over to Felipe and the operational update. So over to you.
FELIPE VICTOLLA SILVEIRA: Thanks, Kurt. Good afternoon everyone. My name is Felipe, I am the Chief Operations Officer at the RIPE NCC, and today I'd like to give you an update on what's going on within operations.
.
Hans Petter has already shared the true north for the RIPE NCC, so a key strategic focus. My main goal on the presentation today would be to explain how this translates into operations and into the register.
.
I'd like to share some numbers and what you can learn from them. So it's a bit, what Erik Bais was asking before, unfortunately there is no uptime here but there is a lot of very interesting numbers.
.
The first one I'd like to share is a number of requests per category over time, and here we are zooming in on resource ownership change, kind of requests. So we're not including billing and things like that. And the reason for that is these kind of requests are the ones that take most of our resources today.
.
I'd like to highlight one thing here. You can see there is a spike at around the end of the year in the number of consolidations and the number of policy transfers, and that's also mostly related to the fact that, leading to the run‑out, a lot of members, they opened multiple LIR accounts, and now the 24 months waiting period has ‑‑ is expiring and a lot of them are consolidating accounts just at the end of the year to avoid paying the next year's fee.
.
Now I'd like to share the number of policy transfers over the years. And we can see here that the number of policy transfers has been steadily increasing over time, especially in 2020. You can see that pretty much every month we had more transfers than the previous month, the same month in the previous year. And the same trend is repeating in 2021.
.
Another trend I'd like to share is the number of investigations over time, and here you can also see that the number of investigations has been, I think, increasing quite sharply. Like, this year, so far, we had 385 cases, compared to the whole of 2020 where we had 267 cases. The majority of those, as you can see on the slides, are related to the European sanction checks, and this relates to the fact that the RIPE NCC has been tightening up our compliance efforts.
.
A new thing I'd like to share with you are the number of longstanding tickets. So these are requests that last longer than eight weeks and they have more than ten replies. In other words, these are complex cases where it's very difficult to find the right documentation.
.
The numbers are higher than we would like. So we had, for example, 122 of those cases back in January, and, in April, we had 156, so there was a slight increase, and this corresponds to at around 3% of our average monthly ticket workload.
.
Another number I'd like to share is the percentage of tickets that we managed to respond within one business day. We have recently changed the way we calculate this, so that's why we cannot go much further back in time. However, you can see that the numbers are below what we would like them to be. So our internal target is 100%. So basically respond to all the tickets within one business day.
.
In February, we had 85%. In March, the number was much better, almost 100%. But then in April, again it went down to 82%, and the reason for it to be so low in April was that we had a collective occasion day around Easter and so it had a lot of time without anybody actually working on the tickets. So let's hope that the numbers go better in May again.
.
I'd now like to talk about our membership growth, or, more specifically, the lack of growth.
.
The number of members actually have been quite stable over the last year‑and‑a‑half, so it's at or around 20,000. So last year at some point it went below that, and afterwards it recovered.
.
What's more volatile is the number of LIR accounts. So, currently we have 22,700‑ish LIR accounts. 1,200 members, they hold multiple LIR accounts, so if you add like the extra, so additional, instead of having one member with one account more than that, then they have an addition of 3,500 extra LIR accounts. From those, 3,300 will be eligible for closure before the end of this year. And as I explained before, we always have this peak of consolidations; we are expecting the same this year. So a large number of those will probably consolidate.
.
Now, what can we learn from these numbers? So, first of all, the cost of compliance and the work complexity are increasing. A lot of time what's seen as bureaucracy and slowness is basically the RIPE NCC making sure that your resources remain protected, and also that we remain compliant.
.
We have made changes in the past. I have reported here in the Services, like, for example, this chain line of due diligence using a professional trust model.
.
However, we do acknowledge that there is room for improvement in our services, and in my next slides I am going to explain what we are doing about that.
.
The second trend, the second thing is the number of transfers that has been steadily increasing over the last few years, and these are more ‑‑ most complex cases with the largest number of controls.
.
And finally, we have exposure in a high number of additional LIR accounts that to be eligible for consolidation and before the end of year and that may have an impact on our future income development.
.
Now, what are we doing about all of this? So our goal here from our strategy is to deliver world‑class services and to keep an accurate registry, so we want to achieve that while improving our measurements and also by streamlining the troublesome processes.
.
One of the main actions we have taken over the last two months is to improve how we implement and how we track good KPIs. Some of them I have just presented, like, for example the longstanding tickets. That's a new one that we have implemented back in December last year.
.
As a registry, one of the most important KPIs should be how accurate the registry is. So the key question is: How can we do that reliably? We have recently implemented a new KPI that I believe shed some light into this question. In and this KPI is how recent the information in the registry is. So when you process a transfer, when you process an MNA, when you do an arc, when you onboard the member, we always verify information provided against an official source, like, for example, in a line registry or company registration papers and so on.
.
Therefore, at a very specific point in time, we know with a high degree of certainty that that information is accurate. So the question really is, how recent information in the registry is.
.
And this is what we found: Roughly half our members have registration information up to two years. The question here is, this 20% in purple, which includes numbers that have more than five years old information. One of the main reasons for that is because, up to 2018, doing the arcs, so our auditing activities, would not verify information provided on online registries; it would simply ask the member is the name of your company correct? So therefore, we have not included those in our calculation, so we are being quite conservative here.
.
One thing that we want to do right away is to start prioritising our arcs on this 25%. This information actually is quite recent. We got the first of the project just finalised last week, so I am quite happy to share that with you today.
.
The other goal that we have is to improve our membership experience, and the starting point here is again having good measurements in place. As you are all probably aware of, every three years we run a membership survey and it's a really good source of feedback for us. However, we are more in process now of implementing something more fine‑grained and these are measure the customer satisfaction per ticket.
.
The goals here are twofold: The first one is to improve our processes so that we can follow through on successful interactions and the second one is that we want to streamline troublesome processes by identifying clusters of negative feedback around certain processes.
.
We have already done quite a lot of improvement in the closure procedure. And the next one we want to improve is the mergers and acquisitions one.
.
And the last thing I want to report about that is our efforts to proactively monitor the accuracy of our, registry and this is all about the usage of a third party tooling for monitoring our compliance with EU sanctions and changes in the members' legal structure.
.
We are halfway through the implementation. We are focusing now on our compliance with the EU sanctions, and later this year we are going to use the same tooling also to monitor changes in our members' legal structure. And our goals here are threefold:
First is to reduce our compliance costs.
.
Second is to have a higher accuracy in our registry.
.
And third is to be more efficient.
.
Now, I'd like to talk about RPKI and the efforts we are taking towards building a more secure trust anchor and have available repositories.
.
Here, we have two goals. The main one or the first one is ensure the security and integrity of our trust anchor, and the second one is to ensure high availability, resiliency and low latency for our RPKI repositories.
.
Starting with the first goal. Since October last year, we have been working with a third party called British Standards Institution, and, together with them, we have defined a SOC 2 Type II audit report for RPKI, which consists of a list of controls that was tailor‑made for RPKI needs.
.
So, in total, we have 179 controls, ranging from security to age art to process and so on. It's very, very broad.
.
So, together with that, we have gone the gap analysis and identified 49 missing controls within the RIPE NCC. So, here we have an overview where all these control gaps are, and right now we are in the process of closing all these control gaps. That should take us a few months. We don't have an exact estimate. It should be around two to three months, but it can take longer.
.
And then, after that, we have to wait six months before we hire an external party and then perform a full audit against us, and the result of this audit will be a SOC 3 report, and this kind of report can be shared with all of you.
.
Now, the most interesting part of the presentation, which is our deployment of RPKI repositories to the Cloud.
.
First of all, I'd like to frame the discussion here. Our main goal is to offer very high availability for our mission‑critical services, so these are the famous five knights. This is a goal. It's not where we are today. With this goal in mind, we have started to look into the usage of Cloud infrastructure, since about one year ago initially for the RIPE database and later on for RPKI as well.
.
We fully understand the uniqueness of our position and the importance of our services to the well functioning of the Internet.
.
We have involved the community since RIPE 80, so as presented in the Database Working Group, last year in RIPE 81, I presented here in Services, Sander presented in the Database and it was presented in Routing. We have presentations again planned for this year and a lot of feedback that was given back then has been incorporated in our design.
.
I have recently published a Labs article about it as well, and it got a lot of feedback about it, mostly critical, but also some interesting feedback.
.
We have an open house that we want to organise next month probably, and this whole topic is going to be discussed with our Executive Board in our meeting in June.
.
In other words, this is the moment where we are collecting feedback and this feedback will be taken into account in our decision‑making.
.
Now, to go a bit more in detail. These are on the technical presentation, so I won't go too much into the technical details, but I'd like to highlight a few things.
.
The first thing is that our publication server, our HSMs, our core, so all the important stuff, and our RPKI, will remain on premises. We are currently making changes in our publication server to allow multiple publications. What does that mean?
.
It means that we can have independent repository instances running in parallel in subscribing to our publication service, and one of them we are planning to deploy to AWS. The other one will either remain on prim or deploy a secondary Cloud provider. So both options work for us.
.
And we can potentially add more of that in the future as well, like having an architecture that's similar to the DNS route servers.
.
And we can either alternate between these different instances using DNS or using Anycast and then we can compose them all together. These decisions have not been made yet.
.
So, to summarise.
.
The RIPE NCC will remain in full control of our data and processes.
.
We are aiming for a zero down time if one of those instances fails, so if AWS fails spectacularly, we are still aiming for zero down time. The caveat here, though, is that, for a RIPE database, failover is required, and in that case, the five knights availability target won't be met, as has been correctly pointed out in the mail Services Working Group.
.
Care is being taken to remove all the potential circular dependences like AWS depending on RPKI, RPKI is out because AWS is out, the chicken and egg problem. So this has all been taken care of in our design.
.
And our main challenge here is how can we quickly scale up an infrastructure that has a very specific domain knowledge? There is very few people in the world that know the internals of RPKI, while, at the same time, keep operating those services? Like replacing the engine of an aeroplane while it's still flying.
.
And our responding to that by first being a good shepherd, thinking everything through, by growing organically and doubling the size of the team, for example, that would not be very helpful, and also savouring incremental improvements over big bang.
.
To finalise my presentation and going back to my original question:
.
The main goal we have in Operations is to ensure the accuracy and the compliance of our registry while providing world‑class services to our members and safeguarding the resiliency and security of our mission‑critical services.
.
Thank you very much. And I now open the floor for questions.
KURTIS LINDQVIST: We actually have quite a few questions that came in.
.
I'll read them out.
.
The first one is from Gert Döring: "While I appreciate the aim of provider response within one working day, as a customer it annoys me if every interaction actually plays out to, it will take another working day to get to the next e‑mail. So this is not exactly satisfied yet."
FELIPE VICTOLLA SILVEIRA: Thanks for the question and I can fully understand your comment. We have other KPIs that are implementing as well. Like, the full tickets resolution time, and I think, in the end, that's what really matters, like, it's not that we just reply something but that the whole resolution of the ticket takes less and less time, and that ultimately is our goal. It's not just to meet an SLA, but actually to take less time to reply to ‑‑ to complete the resolution of the ticket.
.
KURTIS LINDQVIST: The next one is from Rudiger: "Is it right to assume that Felipe's ticket statistics are almost only LIR services? Is there going to be a ticketing support to track operational functional reports? According to my experience, that kind of support did not exist."
FELIPE VICTOLLA SILVEIRA: Yeah, thanks, Rudiger, for the question. Indeed the ones that I shared is mostly for the RIPE Services and focused on resource management. We do have, of course, other queues, like, for example, to report bugs in the software, and I do know that you requested in the past to use something, to have visibility of the different issues. However, so far, we have not implemented something like this.
.
If you are interested, we can look into sharing the statistics about these kind of tickets as well.
KURTIS LINDQVIST: Thank you. The next one is from Elvis Velea:
"I thought the SLA is for at least one response in a working day to each and every request. Question number 1. How do you calculate it now?
.
2. 80% is not just one ticket but quite a lot. Do you have that number?
.
3. I received a couple of e‑mails on Friday saying that because Thursday was a vacation day, my request will be evaluated on Monday. That reply fixed the stats, but did not do anything to fix my request. What source of this degradation of service?"
FELIPE VICTOLLA SILVEIRA: Thanks, Elvis. There is a lot of questions in one. I'll try to answer all of that.
.
So the first one is, basically, if we don't reply within one business day, then we report that as a failure. What we have been doing in the past, is to reply something to the members saying that they are going to get back to you, and that was kind of maxing out how we are calculating the statistics. So we slightly changed that, so reply a little bit later, so you still get a reply from us but that would count as the SLA ‑‑ SLA don't form SLAs with the membership.
.
Concerning your other question.
.
Yeah, it's a very high number, I admit that. Let me see if I have the exact numbers here. Yes. So, 85%, so a total at 5,100 tickets and we failed at 778 of those. In the 97%, the April ‑‑ no, March, we had 6,200, and we failed 137. And the last one we had 5,600 and we failed at 931. And that's really high on our list on how to fix that.
.
Am I missing something? What's causing the degradation of the service?
.
There is multiple reasons, like explained before in April, it was mostly due to the holidays. Also, we have recently added a lot of extra steps in our due diligence, mostly for European Union sanctions checks. And also, in February, we had a lot of people that were absent due to many reasons like sickness, maternity leave, and so on, so we were under‑staffed and we're working very hard to fix all of them.
KURTIS LINDQVIST: Thank you. The last question was from Wessel Sandkuijl. "On slide 6, what type of investigations are made? What initiates these investigations? Why is why is there a sharp increase in the past few years?"
FELIPE VICTOLLA SILVEIRA: I have reported these in the past. We have seen an increase in the number of frauds and there was a presentation I believe in RIPE 77, so if you look into our archives. It can be for many reasons, it can be due to hijacks, it can be due to our internal audit, we see something suspicious and then we initiate that on our own initiative. And as explained during my presentation, a large number of this extra investigations were due to European Union sanction checks, so this is routine checks that we perform every time we do a transfer for instance. And then during that transfer, there might be doubts whether this member is actually on the sanction list or not. If there is doubts and it gets collated to the investigations team and then they look deeper into the matter.
KURTIS LINDQVIST: We have got two follow‑up questions. One is from Kurt Kayser:
"Are investigations just internal ones or external ones as well?"
FELIPE VICTOLLA SILVEIRA: I don't understand exactly what you mean. It is mostly triggered internally. I don't know if we have requests from external. I can get back to you, or if someone knows the answer, please reply on the chat.
KURTIS LINDQVIST: Okay. And then we had a question from James Kennedy:
"On the topic of tickets, has the NCC considered a chat function for LIRs that quickly resolve instant request, capture the low‑hanging fruit faster, as such?
FELIPE VICTOLLA SILVEIRA: It's a good one because we used to have and then there was a too much, the workload was so high that we are not able to basically man the queues in the chat. And I'm really looking forward to provide that service again because, as you say, a lot of things are low‑hanging fruits and we can solve it right away instead of taking a ticket and going through the queue and going through all the motions. So, yeah, it's something we really want to get back to.
KURTIS LINDQVIST: Okay. I see no further questions. And we're quite behind so I'm going to stop this here, so thank you very much. If we come back here at ten past, we'll try and start then. Hopefully you will get a coffee and we'll see you back here then.
.
(Coffee break)