RIPE 88

Daily Archives

Tuesday, 21st May 2024. 4pm.

Anti‑abuse working group. Side room. 4pm.

BRIAN NISBET: . OK, this is indeed on. Hello, hello, hello. Welcome to the anti‑abuse working group. It's a Tuesday afternoon, yes, we are having working group sessions, this is not a drill. And you know, it's not address space up first, so I am Brian Nisbet and along with the two other co‑chairs to and Tobias Knecht and Marcus de Bruin, I wish to bring you this edition of the anti‑abuse working group. We have made changes to the agenda, we'll talk about that in a moment.

So just to remind people that you are live on the internet as is all of RIPE. We have steno, wonderful steno, not as somebody accused earlier an AI, no AI could do what our wonderful steno people do.

Meetecho is there for also for questions and answers, and I said there is the a live stream. If you are asking a question, either in text or in voice, if you are in the room, please do so in voice for preference and please state your flame and affiliation an do the same on Meetecho and obviously as a RIPE community event, this is covered by the code of conduct.

There is the ability to rate things, where appropriate.

If you wish to do so. On the RIPE 88 website. We do like feedback, either on that or verbally, which will all be good.

So, I am just going to mention, I am going to change things around, in relation to the agenda, we have moved the presentations to the beginning of the session to allow more freedom how much time we are going to need but allow more freedom in relation to the discussion about the owe potential recharter and things like that, because I don't want to be sitting there are we leaving our speakers enough time, we are not going to do that. Just to let you know of that. Th the minutes from RIPE 87, they were circulated and if anything has anything they'd like to talk about now, now is a good time to do so; if not, we will consider the minutes accepted in which case we will.

So the final bit of admin trivia is the working group co‑chairs selection process and given it is about me, I am going to step away from this and let Marcus take over.

MARCUS DE BRUN: Yeah, we had some, we had a call from nominations for a new working group chair or because Brian's term has or is ending at this meeting, we had one nomination, which was Brian, and we asked if if there is still pour for Brian and we received some support and no objections so unless there is something you'd like to voice now... I would like to welcome Brian back as a co‑chair for another three‑year term.

So, thank you, Brian.

APPLAUSE

Oh, we do have a comment.

AUDIENCE SPEAKER: Thank you Marcus. I am generally here as a professional troublemaker, all I want to say I am glad to see that Brian is being reappointed, but I wonder what the process you have here for term limits, because I think it's important we have a healthy but sensible turnover in the leadership of working groups so do you have term limits on the number of terms that people like yourself, Brian, Tobias, can serve as co‑chairs of the working group.

MARCUS DE BRUN: We do not have term limits defined but Brian is speaking up.

BRIAN NISBET: Yeah, no, we don't at the moment. This is an active conversation I think across a lot of working groups and I know that Mirjam is talking to people about looking at the selection processes and things like that.

Speaking purely personally, it's a really funny one because I agree completely with the heal eturnover and I have been here a while. It's not like we have a long queue of people putting their hand up about these things as well so it's a balance but it's absolutely something that I think we are aware of and it's something that as a community across the whole thing, this is not to take away from the fact that we need to do it too, this is something we need to work on.

AUDIENCE SPEAKER: If I remember back in the days when I was doing the DNS working group, co‑chairs said we are all going to stand down and gave the working group effectively three years notice to in order to do a succession plan so maybe something along those lines might be useful here, how you decide to do that is entirely up to you, and I know that you and all the rest of your colleagues have a sensible head on your shoulders and will do the right thing.

BRIAN NISBET: We got that quote, yeah, cool, thank you Jim.

AUDIENCE SPEAKER: Just following on with the Fergus Maccay, Flex Optics, individual as well, exworking group chair as well of the past. The pressure for people to not stand up if people aren't being pushed sideways or there's an obvious vacancy, just because nobody is standing up doesn't mean people aren't thinking about it, but you are going to have to stand up and be criticised publicly if you stand up, are we going to vote for this person, so for EIX working group we always used to have single transferable votes and Rob used to tell me off, why do we need that, the point is unless you have people standing up, they can vote and if they do really badly, it's OK, nobody need know they did really badly and we would have three or four people standing, we had a process that enabled change to happen in a way that you weren't left standing, you know, nobody liked me on the list because they all said they liked Brian more because it does become a popularity contest in this community, I am sorry to say. But the PC is the same in my opinion.

So I would urge strongly that, A, you have people stepping out of the way. Whether it's term limits or individually but also do something like secret STV voting to so that people can express an opinion, and preferably ranked in private without this yeah, I think Brian is great, Brian is great but, you know, who else are we missing.

So, just my sense.

MARCUS DE BRUN: Thank you, noted.

BRIAN NISBET: Absolutely, I will say that again for this working group and forever, not forever, but for the last, I think, probably six years, that we don't announce who is stepping forward until the end of the nominations phase, which is an attempt to go well, to not say that Brian is running again or that Tobias or Marcus is running again to encourage other people to put their hand up.which is a step. But there are doubtless more steps we can take. It's...



AUDIENCE SPEAKER: It's the public voting that is the problem. You know, you can't ‑‑ I can't say actually I think he is better or I am not sure, whatever, you need to, it needs to be a private vote. If we are going to have democracy. But Jim is going to disagree with me I hope.

AUDIENCE SPEAKER: Jim reed, just back again to throw in other piece of trouble making, I kind of agree and disagree with what Fergus said, this is RIPE, we decide things by consensus, we don't vote.

BRIAN NISBET: Moving swiftly along.

AUDIENCE SPEAKER: The thing is... the thing is talking about voting and privacy and so on, it's really hard to do consensus with complete privacy.

BRIAN NISBET: I think the acknowledgment is this is a continuous process as we improve our ability to bring more and more people into the community and I think they are better than we were but we still have absolutely a ways to go, both specifically for this working group and for the community as a whole.

So...

AUDIENCE SPEAKER: Hi concerned citizen, just making a bit of trouble by disagreeing with my good friend Jim on one small point about the voting thing. I see no problem with voting for a position like this. The reason why we say that RIPE doesn't do voting is because we believe in the rough consensus process but that's applicable to policy because in policy, it's important that policy to be supported and have legitimacy an the general support of the community behind it and not to have substantial reasons why this shouldn't be done because that's, that are meant by a significant part of the community, that undermines the legitimacy of it said to be a view of the whole community rather than just a part of it. Because the community has no rights to vote a policy in imposition on another part of it.

But when it's the working group, these considerations don't apply. The idea well we have got two good candidates here, we have got to pick one or the other saying there is no consensus here so we won't do anything is not the right thing to do, it would be in a disagreement over policy. So the rough consensus thing applies to the policy situation. It doesn't necessarily have to apply to internal administrative matters like selecting the chair of a working group. Thank you.

BRIAN NISBET: I will just remind people that the working group chair selection process for this working group is if the working group cannot reach consensus, we have a vote. So it is part of this is already here as a piece but anyway, I think shall we....

MARCUS DE BRUN: So, finalise, again, the agenda, we used to have three presentations, interactions but one presenter is unable to present today so we are left with two. And first up is Maria from RIPE NCC talking about legal content from RIR's perspective.



MARIA STAFYLA: Hello everyone. My name is Maria Stafyla. I am a senior legal counsel at the RIPE NCC and I am here to present on what is our role as a regional internet registry and removing illegal content that is online.

Our goal here is to inform the community in conversation we are having on what the RIPE NCC can do to remove content that is online. We have been having this conversation with various stakeholders and it related to different types of illegal content for example child sexual abuse material, the unauthorised distribution of sports and other live events, piracy, and for the purpose of this presentation, just for clarification, we are not referring to third party content that is hosted by us. We do qualify as a hosting provider under the digital ervices act and therefore the obligations apply to us, especially about piracy, there are on going discussions that are happening at the EU level on how to combat the piracy of sports and other live events in an effective manner, the European Commission has issued a recommendation in this regard and at the moment together with European intellectual property office, they are following, they are monitoring the effectiveness of this recommendation to whether there are further legislative changes that are needed in this regard.

Amid those discussions there have been comments expressed that more obligation should be placed on the RIPE NCC as a regional internet registry, during our A Y C processes, so what is our view in this matter.

So far our response to these kind of conversations and questions is that of course we engage with stakeholders, we hear their issue and we explain from our point of view what is our role as an RIR, how to use the RIPE database in order to identify the relevant holder, what are are on boarding processes and under what conditions we may take actions against them and against the resources they are holding.

What the effects of taking actions against their resources would be and from our point of view would be disproportionate and not effective and removing the illegal content from being online.

To dive further into each of the topics, so what is our role as an RIR, we are registering internet number resource to say our members and maintaining the RIPE registry, members choose how to use the resources to further allocate them to their customers or their own network, however it must be in line with the RIPE policies and the RIPE NCC procedures and than that, we do not have responsibility or control how the resources are being used.

We help interested stakeholders how to use the RIPE database in order to identify the relevant holder and how to to use and interpret information that is shown there.

We also point them to the RIPE NCC conduct form that can be used in order to report incorrect information in the RIPE database and accordingly we follow up with our standard procedures in this regard.

With regards to our on boarding processes, before we sign a new agreement with a new member, we do various due diligence sets, we verify that they exist, their identity, they are appropriately represented in the signing of the agreement. And if a member is later found to be in violation of their contractual obligations including RIPE policies and RIPE NCC procedures we have the right to take actions against them and the resources they hold.

At the moment there is no RIPE policy that describing for what kind of content the resources that we distribute may be used. However if we receive a legally binding order that is obliging us to take actions against our members, we will comply with it.

So we were also asked what the effect of deregistering resources from where illegal content is coming from, would be in this regard and our response to that is that the content would not be directly removed or might not be impacted at all because routing decisions are not our responsibility, it is for the network operators. We do not provide connectivity. Also removing an entire block of IP addresses from where illegal content is originating would affect all the users that are supported by the networks that are running from these ‑‑ from the entire range of IP addresses. So from our point of view, this would be excessive and not proportionate to the desired outcome.

So our next steps here is that we will keep following the relevant developments and we will keep engaging with relevant stoleers to raise awareness and help with explaining what is our role as a regional internet registry.

And with that, any questions?

AUDIENCE SPEAKER: Yes, one simple one. You put on your slide there that if you are faced with a legally binding court order against, to take action against one of the resource holders or against their resources, you naturally comply, this of course you have no choice but that however I'd understood it was previously the committed policy of the NCC that you would take every opportunity to resist such a court order being made, that is if you were faced with essentially an ex parte order or notice of a motion to make such an ex parte order, you would ask to oppose that order and make representations to the court with reasons why that should not be made and this was not the appropriate action to take against content.

Is that a correct understanding and does that remain the policy and practice of the legal department?

MARIA STAFYLA: Of course we would examine case on case on its own merits and we decide what are the next steps but if we are legally obliged to comply with it, perhaps we would have evaluate our legal options at the same time and in which order these actions should be taken.

AUDIENCE SPEAKER: Sure, once a court order is final, there can be nothing to do with you comply, my question was before that, you can be neutral on whether such a court order is made or take every lawful opportunity to persuade the court that it should not be made. That was where I was addressing the question.

MARIA STAFYLA: Your question is if we would be challenging this.

AUDIENCE SPEAKER: Yes.

MARIA STAFYLA: I believe if we had, if we thought that there are reasons to do it, I believe that we would.

AUDIENCE SPEAKER: Thank you.

AUDIENCE SPEAKER: Hello, Robert Carolina, general counsel with ISC. In an earlier talk today, it was interesting because we heard somebody explaining how addresses that are registered with regional internet registries eventually end up clearly being used in many different regions around the world. So I am wondering how, if at all, does your policy differ if the request or indeed the demand comes from a legal authority, completely outside the European or middle eastern region? What if it comes from so far afield that there's no realistic chance of the requesting authority having legal jurisdiction over RIPE?

MARIA STAFYLA: At the moment, we take actions against our members and their resources if we are ‑‑ apart from the cases they might be /SRAEU lighting their contribute /AOUL obligations but we take actions on legally binding orders so they will have to go through the course of recognising for a court decision in order to come against us.

AUDIENCE SPEAKER: Forgive me for the follow up, you are speaking there of what simple enforcement or some other type of international enforcement of a judgment entered in a for court.

MARIA STAFYLA: Correct.

AUDIENCE SPEAKER: Thank you.

AUDIENCE SPEAKER: So, Hans Peter /HOL loan, managing director of RIPE NCC, I find it good that we have legal colleagues asking legal questions here but bear in mind some of the questions have political implications so I do like, the first response from Maria best, we will evaluate this on a case by case basis because it's very difficult to give very tabloid answers to how we will in principle treat any case in this area.

Of course our primary objective is to keep an accurate registry and using the registry to take action against nation states, organisations, for political means or other means is something that the board has stated clearly that we do not want to.

When it comes to breaking the laws for individual organisations, we have to follow Dutch law and follow valid court orders, however we will hope that or trust that court actually make educated decisions. So it's a delicate balance here and if you ask hypothetically how we would treat a case and you create the worst possible court order possible, you know, I don't think it makes sense to discuss that but you know, in principle we want an accurate registry, who has the registered right to use the addresses and trust that the courts won't make life too hard for us.

AUDIENCE SPEAKER: Alex... legal counsel for /OPL six, it's my understanding you would only abide by valid Dutch court orders or for court orders that have been transposed by Dutch courts.

MARIA STAFYLA: As long as it is a legally binding order to us, we have the obligation to comply.

AUDIENCE SPEAKER: If it's a valid Russian court order, you will comply.

MARIA STAFYLA: Sorry, could you repeat.

AUDIENCE SPEAKER: If it's a valid legal Russian court order, you will comply.

MARIA STAFYLA: It would have to be recognised in the Netherlands.

AUDIENCE SPEAKER: It has to be recognised. OK.

BRIAN NISBET: OK. Cool. Thank you very much Maria.

(APPLAUSE.)

BRIAN NISBET: So next up we have Yury, the slides are up, who is going to talk to us about UTRs.

YURY ZHAUNIAROVICH: Hello everyone, so I am happy to be here, so my name is Yury Zhauniarovich and I represent the defendant university of technology and this is my first attendance at the RIPE meeting, I am happy to be here, my back background is in cyber security but today I will talk about combination of network measurements and cyber security and in particular we will talk about the use of UTRs for combating DDoS attacks and this work is I think we need to applaud to Rada because he introduced me to this area and this work we need to we did together with our collaborators from yoke ham ma national university, OK, so usually I presented this work once on the cyber security conference and my first question was like how many people in the audience know what is BGP. So I just want to see the hands.

OK. So much better representative.

Now the second question, what about RTBH. OK. Very good one. And final question what about UTRs. So one, pretty good, so... yeah. To just for those who does not know, so RTBH is remotely triggered black hole, this is the extension to BGP protocol that allows the autonomous system to notify about the IPs that are under attack and then there are other peers should start blocking the traffic going to this IP address and basically redirect this to this nice picture of the black hole so this is where your traffic goes when you use rtbh. An there is a community run traffic removal service, this is basically the RTBH that's run by trusted third party, Tim come re in this case, and it's what is nice, it's global, it's free and it's pretty easy to join so today I would like to understand and to show you a little bit of the background. So imagine if you have a very simple internet consisting of four autonomous systems and basically two of these autonomous systems, one and three, are members of this UTRs service, basically they fulfilled the requirements and joined this UTRs service. In case of the host experiencing the attack from below or the internet, the autonomous number one can notify this host is under attack and will ask all the members to start blocking the traffic to this host. So this is basically what it's about, RTBH and UTRs in particular.

So we started with this nice service and we wanted to understand so how many members are there and how many members use this service to mitigate the DDoS attacks. And to what extents DDoS attacks trigger the notifications in this and how many of these attacks can ‑‑ or announcement for UTRs can be explained with amplification and IoT based DDoS attacks. So for answering this questions we collected three datasets, basically UTRs dataset and milker dataset, we created our own autonomous system and we became a member of UTRs service. So upon doing this, we started to get notification about all announcements, BGP announcement to start blocking particular traffic.

Import dataset, I don't know like anyone knows what is AmpPot. This is basically an amplification honey pot, this honey pot pretends to be the amplifier in the internet like, I don't know, DNS resolver for instance and upon receiving the request to start reflection DDoS attack, it collects the information but does not run the DDoS attack, it's like pretty ethical participation in the attack in order to collect the information about on going DDoS attacks.

So Yokohama university have import sensors all over the world, they deployed more than over 50 sensors and that's how they collect the data from different points on the internet and combine them together and these dataset is what we used around the third dataset, it's IoT milker, this is the piece of code that pretends to be a bot of the IoT bot net so like me RIPE.net and this piece of code received the notifications from control service about starting the DDoS attack to particular the address and for how long this attack should run so this specific type of the comment.

So what are the findings for our UTRs dataset. So we found out that UTRs services not really widely used so we measured, we collected the data in the end of 202, beginning of 2023 and we found out that during the six months, so on average there were like 3,122 announcements using this service, 2700 maximum targets per day, targets is the network some network, this is just the address as we'll show later.

There is a sparse coverage so the majority of the UTRs announcements are targeting individual IP addresses and within this six month measurements we found out that only two entries target the same slash 27 network within one day so apparently there was a pretty huge attack to a whole sub network and they decided to advertise this sub network in order to stop this attack.

And we found out that there is not a huge conversion, so only 122 autonomous systems during this six months, they made the announcement to UTRs service.

Tim reports on the website that they have more than 1200 members. So yeah, it's like 10%, which is only 10% of people or of autonomous systems who actively announce services to the service, to stop the attacks.

And we also observed that the majority of the of the attacks have short duration to 21% of them, they have like five minutes and less, and this is partially due to our way of collecting that UTRs dataset, we observed that in the past the service was not very stable and instead of like collecting the whole announcements ourselves, we were making every five minutes the snapshot of the BGP table in order to collect and this is partially that... we probably missed some of the attacks.

Short attacks.

And the longest attack was like four days, 18 hours and 55 minutes.

What we did next, so we decided to find the intersection between the attacks that are measured by the AmpPot or IoT and the UTRs announcement. And we tried to find the exact intersection so like when the attack and when the announcement have like the exact intersection and we also as in the previous paper by Mathias Yonker, we also extended UTRs announcement by 12 hours in the beginning and 12 hours in the end and tried to find the intersection between them.

And we found that there is very small amount of the entries which we observed so for intersection between the UTRs AmpPot with exact interval intersection we found out there are only 468 entries for the six months of our dataset so pretty low number. And for UTRs milker it's even lower, like 9, and for offset intersection, it's like 791.

And the number of unique autonomous systems were also pretty low, only 25, and two corresponding.

So we also observed that there is a low percentage of DDoS attacks on the UTRs member that trigger mitigation, if you measure that I am the autonomous system, I see all the attacks come in to me, only 1% of all the amplification attacks like triggered the announcement, like and only 0.06 attacks for IoT, they triggered the announcement of the UTRs. So we think that maybe other attacks were not that strong, so that's why we didn't trigger the autonomous system to notify UTRs about these attacks, this is our explanation.

And we also tried to understand if we are like kind of measuring correctly the things and we try to find out what kind of factors that contribute to the, to the attacks being announced for the UTRs to be blocked. And we found out that two factors are duration and the number of packets. So with duration it's obviously so like the longer the attack, it's usually starts autonomous system starts to trigger the announcement an the larger or the heavier the attack, it also triggers that announcement.

So what are the conclusions?

So we know that there are like around 75,000 of autonomous systems and only 1%, roughly 1%, of them are members of the UTRs. And out of these 1% of all autonomous system, only 124 autonomous systems use the service, use the service to drive the announcements.

There are not that many announce ments per day which I was frankly surprised, only 776 targets, so like knowing that there are many, many attacks happening during the day, DDoS attacks, this is pretty low number for me.

And we figure out that for members who participate in UTRs, there's only a small, very small percent of the attacks that trigger the announcement for the UTRs.

So service is nice, but nobody seems to use it.

So thank you very much.

(APPLAUSE.)

BRIAN NISBET: Cool. Thank you. I am just going to interrupt briefly. Any idea why, I mean, has Tim made any comment on this?

SPEAKER: That's good question, the service was in the past not stable first; second thing, they ‑‑ only two years ago they introduced BGP flow speck so before they were using only like blog by piece of like the whole traffic to IP address and this is pretty heavy solution so with BGP flow speck, I suspect people will start to use it more.

Yeah, and of course a lot of just autonomous systems, they have like their RTBH own solutions from their upstreams and of course upstreams because they charge fees for this service, they don't have incentive to use this global and free service.

Also maybe the attribute that this is a company, so maybe in this service would be run by the community, this would maybe drive more participants.



AUDIENCE SPEAKER: Rudiger Volk, before retirement quarter of a century running internet for Deutsch Telecom. And kind of I used to be very sceptical about the blackholing because OK, your first line on that slide says free global low effort to join and requires a lot of trust and kind of the security implementations for making sure that the black hole announcements are kind of clean and legit, are really challenging.

Kind of two remarks to your questions: Well, what you have measured is which of the service ‑‑ well, OK, there is a number of service members ‑‑ and I assume service members includes ASs that are organised to send signals ‑‑ but much more important, that will use the signals to actually effect the blocking. And yes, the world would be really bad if you had 100% of the people who are willing to use the signal if they actually report, oh, we are under attack.

Only 10% of the members are kind of using the service for getting protection. The question of how many of the members who are receiving the signals, who are actually implementing the blackholing seems to be unknown.



YURY ZHAUNIAROVICH: I have a comment on this this, but yeah.

AUDIENCE SPEAKER: Kind of taking.

YURY ZHAUNIAROVICH: Please do, is there a question or...

YURY ZHAUNIAROVICH: Yes, from like Tim, do not disclose the members, but we have the follow up paper on this that will be presented in two weeks on Sigmertrics and I also submitted the short talk for a lightning talk for Friday in order to explain how many and how we identified the members who actually abide to the blockings so we also know this number ourselves.

AUDIENCE SPEAKER: OK so that is kind of the research question that seems to be open for me. So let me just ask, is it high or low percentage?

YURY ZHAUNIAROVICH: It's like around, we are sure with about 600 autonomous systems that they actively block the traffic.

AUDIENCE SPEAKER: OK so that is kind of medium range.

YURY ZHAUNIAROVICH: Yes.

BRIAN NISBET: We are going to have to...

AUDIENCE SPEAKER: Another remark on this is that of course these days not everybody and that also explains some of what you have seen in the measurements that first of all the blackholing actually completes the denial of service, that it tries to protect from and well OK, what it actually protects from is kind of the side effects of the targeted attack.

Of course these days there are ways for if you are under attack, you divert your traffic through devices that kind of sort out what is really attack and what is good signal that can go through. And quite obviously people who are protecting their networks and services with this kind of mechanisms will not issue UTRs signal when something happens unless there is an attack that is so hard that their regular protections do not work.

YURY ZHAUNIAROVICH: Completely agree with you on this.

BRIAN NISBET: Cool.

AUDIENCE SPEAKER: Quick question on your data retention policy, IP addresses for attack traffic, do you ever capture them? And if so, how long do you keep them for and for what purposes and when do you...

YURY ZHAUNIAROVICH: Really good question, so the source IP addresses that were under the attack.

AUDIENCE SPEAKER: Source IP addresses of attack traffic.

YURY ZHAUNIAROVICH: This one, we sources addresses with didn't collect ‑‑ we collected the targets who were the victims of the attacks, because ‑‑

AUDIENCE SPEAKER: I am talking about the people whose machines are compromised and the DDoS traffic, do you collect the IP addresses.

YURY ZHAUNIAROVICH: No, because this is spoof traffic.

AUDIENCE SPEAKER: I understand that, I was just asking the question.

BRIAN NISBET: OK. I don't see any online. So no, thank you very much, Yury.

(APPLAUSE.)

So, will you stop the timer thing. There are no time limits.

So we are ‑‑ a large part of the agenda items that we had are in relation to the proposed ‑‑ sorry if you are going to have a conversation ‑‑ yeah, no, thank you.

In relation to the proposed potential recharger, folks, seriously, please if you are going to have a conversation, can you please leave the room.

Guys. We can hear you talking. Please stop or leave, thank you.

If I can hear you... so can everybody else.

OK, so proposed potential recharger. And what we have here is we have the ‑‑ I mean we have the objective and we have some of the scope and we have made some small edits to this and we want to talk about this.

We did put it out on the mailing list, we got some feedback there which Marcus is going to ‑‑ surrounded by Germans, Marcus is going to go through now and then we are happy to have the conversation here in the room. We have some ideas and we'll talk through that.

So is it best to go through this first and then talk about the mailing list reaction? Do you reckon? Or... cool. So I mean I hate reading slides out but I am going to, they are brief. So what we were talking about again, we talked about this in Rome, we feel that the working group itself may require a change and there's a bunch of reasons for this. The largest one of which is the world has moved, there are some people in this room who were in the room when we rechartered from anti‑spam to anti‑abuse and we have very good reasons for that and we feel we have good reasons now to propose this to the working group.

Companies really ‑‑ yes, people are talking about abuse, absolutely, but what people are mostly talking about is the wider area of security, cyber security, whatever you want to talk about.

And we know that we have had topics over the years which have been in that area and have not been really network abuse or infrastructure abuse and we think that the RIPE community probably needs to be talking about this very clearly and they are in different working groups but also to be seen to do that and there's some other pieces we want to talk about and reinvigorate, the idea is as we said security working group is committed to fostering collaboration, sharing best practices and addressing security challenges within the RIPE community, the primary objective of the working group is to enhance the security, resilience and stability of the internet infrastructure within our region and tackling abuse of the internet infrastructure and resources would remain a goal of the working group.

And then we have the scope piece that we have there. So identifying and analysing emerging security threats and vulnerabilities affecting internet infrastructure, collaborating with stakeholders to develop and advocate for best practices, guidelines and standards for securing internet resources. Facilitating information sharing and co‑operation among network operators, law enforcement and the RIPE NCC and relevant entities to mitigate security risks. Providing education, training and out reach initiatives to raise awareness of security issues and promote best practices adoption.

Develop policies and best practices to to improve security and response to security incidents and abuse issues.

So there's a through‑line there from where we are now. But to move on from that and very importantly make the reference to the people who are being victimised either as the recipients of an attack or because their infrastructure is the piece being abused or whatever else.

So we put this out there, we feel this is the right direction but obviously we are just the co‑chairs, you are the working group. There was some feedback on the mailing list, I think we'll talk about that first and we can go into discussion in the room as people feel. Marcus.

MARCUS DE BRUN: Yeah, we asked in March I think it was if we, that we were intending some change to the working group and first asked for your feedback then and there was some feedback that we can also keep the working group as is, but the most popular option was rechartering the working group although at this point, it was not clear what the rechart erring might look like.

And there was some comments about we should probably focus on things that we can agree on, like best practices, standards, recommendations.

And in April, we proposed a rough draft charter which Brian has just presented to you. I think there was just one addition in the slides which is on this slide, the term the RIPE NCC I think this is the only change made to the one that I have sent to the mailing list. And asked for feedback again and there was indeed some feedback, so most comments were supporting the transition into a security working group so there was from our perspective some positive feedback in this direction but but there was also some comments about the draft charter itself, the main thing was should we address the RIPE community and RIPE NCC more explicitly in the charter. And yeah, I think on the ‑‑ it's just one slide...

I think RIPE community which is explicitly in the working group objectives is already addressed and the RIPE NCC is added now, there was comments on should we state that the working group does make policy ‑‑ not policy suggestions but how do you phrase it, recommendations towards the RIPE NCC; we feel we do not need to make this explicit because, yeah, if the working group does want to have an effect on the RIPE NCC, the way to go is make a policy proposal or reach consensus and yeah. So yeah.

BRIAN NISBET: We felt there was some things implicit in the nature of the working group and RIPE community that we didn't need to spell out completely.

MARCUS DE BRUN: Yes, we would like to hear more. Do you feel that the charter as it is now is a good one and would you like to see some changes, is the wording OK, how do you feel about this in general?

AUDIENCE SPEAKER: Eric Boise speaking for myself. I find the name "RIPE secret working group group" ‑‑ ‑I'm a bit dyslexics and I was very confused when I saw it, that's not correct. But it's not Friday yet and so I thought it was a bit misleading there and I thought oh, this is interesting. So I just wanted to point it out. As a first glance.

BRIAN NISBET: To be fair I did make that joke earlier today as well so...

AUDIENCE SPEAKER: First short remark, well, OK, the overall theory of RIPE and RIPE NCC is that the RIPE community RIPE provides guidelines to the NCC in one form or the other so that's not kind of something that needs very explicit regulation, that thing that is fairly specific where I am kind of wondering where we are going is if there are already established activities in other working groups or elsewhere in RIPE, that are traditionally tackling serious security issues? OK, what's the idea? Take it all over? Move RPKI from routing to exabuse? Not quite sure what the intentions are and whether that has been discussed. In the good old times at the end of a meeting, there was always the topic of input and output with other working groups, nicely routing working group will be later and yeah, well OK, what's the idea.

AUDIENCE SPEAKER: Yes, fair question. I did mention this in my email to the mailing list, so the idea is not to capture all topics that are related to security, but there is security topics that do not fall into our working groups.

BRIAN NISBET: I think it's fair to say we already have a lot of cross‑over across the working groups. V6 turns up in address policy, it turns up in V6 it turns up in routing, it turns up everywhere. Other things, NCC services, there are a bunch of things, this is not an attempt to suddenly take over 50% of the working group slots and work at the meeting, we all have enough to be doing in our spare time.

AUDIENCE SPEAKER: I don't have any opinion whether or not the, where the scope of work should be bounded but if the working group wants to adopt a scope like this, my comments would be the first four bullet points are well written and seem good to me if that was what was intended.

BRIAN NISBET: Could you repeat that please?

AUDIENCE SPEAKER: If a general security scope is wanted from this working group on which I have no opinion, my comment is the first four bullet points are well written and seem to be clear and well designed for that purpose, for broad purpose.

The last bullet point I would like to sort of develop a quick line of questioning from that we just heard. This question of policies, does this mean a PDP policy, that there would be a policy of the RIPE community in that sense? It's one thing to develop best practice, we can develop best practices with we spread around, none comes and takes from what what they will and if they don't, that's up to them too. There's no difficulty there. But the word policy, you know, can have much broader, much more significant implications. Is this meant to be a RIPE community policy? Is it meant to be a PDP process type thing that is followed for it? What are the consequences of breaking that policy? What are the enforcement mechanisms? Who is it addressed to? Because actually security issues, the audience for that is potentially much broader than the RIPE community members, do they really have any interest, that broader audience, have have any interest in listening to RIPE policy on matters as broad as this.

I think that some significant consideration and scrutiny needs to be given so the questions specifically whether the output should have the status of policy, if it were to drop that as a proposal and it was simply to develop best practices along these lines, then again passe my lack of opinion whether we want such broad scope as this, I would have not have any concerns with that dropped, I think it would be unobjectionable as it is, but the word "policy" I think deserves real scrutiny.

SPEAKER: Toby here, I think that you are making a good point but I'm not really 100% understanding how it's different from other working groups, we understand that security is a very, very broad topic and it's not the three of us that make the decision that a policy that somebody wrote is going to happening but it's a community effort so the input from the community is required to make changes to policies or say we don't want to have the policy because it doesn't make any sense for us for whatever reason technically, politically, whatever. I think that's a community decision. But I do not really understand.

AUDIENCE SPEAKER: How would I distinguish policy in this area from other working groups because basically the RIPE community is the community of people who are most interested in the policies of those other working groups so the routing policy really represents the policy of people that actually manage routing within the service area. The address Policy working group is the people who who are most concerned impacted by the policies for the database. Security, however, because it's such a broader scope, this is not really the community of people affected by these security issues anyway, it's actually a much smaller subset of them. Yeah. But it's actually one that potentially has some leverage effects that create some, more stakeholder interests as to whether or not those leverage effects should be used and so forth so there are many reasons why one might argue that this is, has less legitimacy in this area than it would in the other working group areas and more opportunity for error as well.

TOBIAS KNECHT: 100%. But two things, I think the services, the working group is exactly the same, it impacts more or less most of the people that join RIPE NCC doing their work any ways. The second point that you said is.

AUDIENCE SPEAKER: This is about more than the people who join the NCC and join the RIPE community. The impact of this as written is potentially policies that would have knock on effects to people that have no participation within this community.

TOBIAS KNECHT: But the point, the second point I wanted to make, one of the things that we want to do here is that we want to broaden the scope. That means if we want to broaden the scope, we are hoping and we hope that in some way we are able to do that, we want to broaden the audience and broaden the participation of people that are joining in. And when you are talking about the RIPE community and above and beyond the RIPE community, the RIPE community is everybody that wants to join in and be part of the community, the discussion. In whatever way. If law enforcement wants to to be part of the conversation, they are part of the RIPE community as everybody else is as well.

So I think I understand your point, but I'm not really sure if we are overthinking the knock‑on effect in a way where we are saying OK, when we are going and looking at policies obviously we are going to go by the process, we are going to go by consensus, rough consensus and so on and so forth and we apply the rules that we already have, we are not going to go and say we are doing our own thing and it's, you know, own rules set, we are deciding on whatever we want to do, it's part of the established rule set that is working for the policies at RIPE NCC an the RIPE community.

AUDIENCE SPEAKER: If the success of this depended ‑‑ and I think it's something the working group should consider ‑‑ if the success of that effort you subscribed depended on this working group reaching a much substantially enlarged audience with substantially broader set of interests than it currently represents, that would be a relevant consideration as whether or not that was likely to be achieved and therefore whether it be an appropriate thing for this working group to be doing rather than better done somewhere else. Thank you.

BRIAN NISBET: One thing I want to say there is that I would be ‑‑ I think that it would be very wrong of ‑‑ and I understand again, I do understand the point you are making ‑‑ it would be very wrong of a RIPE working group to explicitly say that it is not going to have the possibility of making policy. So I think that's a very important point, and I would be very much against ‑‑ while understanding what you are talking about and obviously understanding the scope. And bear in mind we are a working group that have had policies that have passed through and also have policies that have not gone and have had other people say no or whatever else. So that is a thing that has happened.

But I certainly think it would be very foolish for ‑‑ not just foolish, it's against the nature of, I feel against the nature of the working group to explicitly say no, because then you are just present, eliminating that is, I think, very much the wrong step. So....

AUDIENCE SPEAKER: Peter Koch, DeNIC. I was going to say many things that Malcolm already mentioned but I might be less eloquent.

As a preface, I say two things: One is there's a gap to fill and there is a role for a security working group in a way in this community so the efforts are well invested I believe.

I believe that most of the points are too ambitious and too broad, unless you have an introductory clause that says this is in the context of the RIPE community which is the community gathering around the RIR and thus by matter of fact limited to a set of certain interests, identifying and analysing emerging threats, right, this is not a reinvention of first or of any other such community, that needs to be scoped in a more appropriate way than we can design right here.

Then continuing ‑‑ I am getting old, I need notes for this.

BRIAN NISBET: You haven't had to hold your phone out and lift your glasses!

PETER KOCH: This is discrimination. Collaborating stakeholders, that's the most important point and to be as you said we need to broaden the scope and broaden the participation. I think we need to narrow the scope and broaden the participation.

To make sure that we have a dialogue here and a mutual information to avoid education and while you use it in a right context but this dialogue information about the various communities like the numbering community here, that subsection of the network operators that are in the numbering space with whatever flavour of security people we have, that includes law enforcement, I missed, for example, the Ccerts being explicitly mentioned, that could be added so that's the ‑ that's not all of the security community, it's much more than that but it should be a dialogue forum.

TOBIAS KNECHT: For clarification, when you say broadening, narrowing the scope and broadening the audience, are you talking about the existing or are you talking about the new one?

AUDIENCE SPEAKER: Both actually. Narrowing the scope, well that's with the preface it might be narrow enough but this, again this is not going to be the next whatever security research kind of conference or anything like that, it needs to be here in this particular context.

So information sharing around the RIPE NCC are fine and nice, education, training, la la la la, might be ‑‑ but of course, number five, if it was on me I would actually inscribe in the charter that this group is explicitly exempt from proposing policy; no, this is not a mistake and this is not usual for working groups to do that, like to do policy, there's Address Policy, only had very few others, this group has a history of failure to reach consensus about policy and it should be a clear signal this is not an invitation for random people to walk in and yes we all are part of the community, la la la la but that's a non‑starter or meaningless commitment in a way when it comes to who is affected or what's done here. Policies in RIPE working groups only make sense when they are enforceable and they are only enforceable if they address the RIPE NCC as, A, its function at the secretariat as a community which is the lesser part or as the RIR, coming up with random policies that force, quote‑quote force, therefore are completely senseless, that should be made clear to, to attract the right people and manage the expectations for this very necessary broadening of the participation, that's all I have to say. Thank you.



MARCUS DE BRUN: OK. Applaud and shaking heads. We are just collecting input at this point. So....

AUDIENCE SPEAKER: I try to be brief I think. Dimitry... I am representing myself but my employer... Ukraine an you tilt, I think we have about 50 people in the room, I count. I think we should use a wider audience for this discussion and I am supporting the idea of security focused working group, I just think we should recharter anti‑abuse, with respect to anti‑abuse if you feel the group reaches its plateau and it happens right, group has been closed before, we can easily start the new group and maybe you should involve the RIPE chair team into this whole like group lifecycle discussion, I am not against rechartering but I just feel that rechartering is changing the focus and working items, if there is too much and then there is little question of the chairs, so if it's just recharter, I think it would be just to reconfirm the chair collective, I mean of the group, just so people with let's say security focus who didn't feel like being in a group would now feel like they long belong to this, would have their chance. That can be staggered of course, to ensure the continuity of work.

And the one last comment I will probably agree Peter ‑‑ stenographer put Piotr ‑‑ that we cannot enforce anything on operators or companies and also note that this creates at least two NCC work items in facilitating information sharing and providing education an training, I think with the view of the RIPE discussions, we should probably kind of think of which group immediate or potential effect on this NCC people or time or money budget and so kind of have this consideration because I don't want this to be a... of the comments, just an item for the working group chair collective and for the RIPE chairs to consider. I guess that's all I wanted to say. Thank you. And I appreciate your work and your initiative.

AUDIENCE SPEAKER: Hi. Alistair Woodman, I have a clarifying question before I get to my comment. Is any of this change predicated on what the EU is doing related to the Cyber Resiliency Act and other things in that area?

BRIAN NISBET: No is the short answer albeit things like the Digital Services Act, all of these things an the regulation we spoke a lot about this in, are one of the things where we are like OK this regulation is coming, is there a, so it's all predicated on but certainly with an awareness of the increased amount of regulation and I I know that specifically that I believe has been spoken about at the open source working group and there's co‑op and there's cross overs there but it's certainly with an awareness of an increased regulatory regime in the EU which is not the whole service area about obviously a significant chunk of it.

AUDIENCE SPEAKER: If I can paraphrase that, you are leaning into that assumption that there's going to be more regulatory oversight from the EU?

BRIAN NISBET: I think that certainly seems to be the way the world is going so...

AUDIENCE SPEAKER: I think that's relevant to so then in principle, the way I would read this, if you think you are developing policies, you want to throw your hat in the ring as an industry group that would actually be setting policies that would potentially deal with things at that European level. Is that what you are sort of saying?

SPEAKER:

TOBIAS KNECHT: I would 100% agree with it, so the European Commission is making their laws or their things, whatever you want to call it, directives and so on and so forth based on what they though and at the moment, there's not a lot of feedback coming from the industry itself. Because the industry at the moment and over the last years ‑‑ and Peter was exactly saying hat ‑‑ is not regulating itself very well. So policy proposals for things we are now seeing in DSA have been failing five years. So from my perspective ‑‑ this is my perspective ‑‑ we have now a chance to more or less to be part of that process and also be part of the process that will come from the European Commission and from other legislator and this is what we want to do, and if we can kind of, I don't want to say influence but if we can be a partner on that side, on the security, on anti‑abuse, on different places, then I think that's a good thing.

Because we know exactly what's happening otherwise, the Commission would come with something and I would bet it's not going to be appreciated by a lot of people here if they come with what they want to with.

AUDIENCE SPEAKER: I would concur with your observation, I think I stand on your side of the situation, I am pretty sure I have added a couple of bits who will want to be on the opposite side, my colleague over there I think so I think if you want to have this conversation, there's a desire to look at this as a layer 10, maybe a layer 11 problem space that we are going to be dealing with in the future and there's possibly stuff that's down at just the tactical operational stuff. And I hear from you that you think you want to be playing in the big league and so some of the folks are potentially not comfortable with that idea. I do agree with your thesis if somebody doesn't step in, there will be a vacuum left there.

And at the moment I have been on calls with the European Commission and other folks, they want to go talk to Sen Sen lack and other European entities that might have a clue. But I think there's more clue points in this room than probably over there.

So I think and it sound like I might be raising this, it might be something that folks want to talk about tomorrow, but you have got a bit of an interesting challenge on your hands because there's two different octaves here in the room about what we want to ‑‑ and maybe you want to try and have two groups, I don't know but I'm just, I just read the room, that was my conclusion.

BRIAN NISBET: I am going to say a couple of things at this point in time. One thing is actually I am going to ‑‑ because we have a limited amount of time and Neil is the only person in the queue who has not spoken yet, I am going to skip him because, I'm sorry, I want to get as many voices as we can get in the time that we have, which is 14 minutes.

So just to say though, to address the thing, I think we just need to understand that there are multiple ways of a working group influencing whatever the influence might be, that might be a policy that someone proposes and we talk through and reach consensus on as we have done, it might be that the working group turns around and says to the NCC we need you at this meeting to raise this point, there are multiple ways of doing this. And I think one of the things I am hearing is a belief that the working grouping will go no, right, we are going to make everybody do this one particular thing in this one particular way and while we have, we definitely want to, the working groups do things we think there's a lot of clue and usefulness there, we don't want to try and rule the world. And this is an important point to make. So. Neil, please.


NEIL O'REILLY: Thank you, Brian. I am Neil O'Reilly, the RIPE Vice Chair, and I am wearing my hat. I think an important point, one of the first things I had to do as RIPE chair was study very carefully the policy development process.

And there are two things that are important here, one is that policy development process at the beginning of the process has to identify which is the best working group, the most appropriate working group to act as the vehicle for steering the process from that, from the stage of a particular proposal to the declaration of consensus on policy.

And this is a case‑by‑case first‑off discovery of a working group and then steering of a process.

So whether this working group actually ever ends up as the vehicle for a particular instance of the policy development process is something that will be decided on the occasion according to what's appropriate.

So, I think it's important, therefore, that the exclusion of this working group as a potential vehicle for the policy development process at this stage is inappropriate, that does not mean that this group will ever actually have to carry the burden and especially the co‑chairs of this working group at the time have to carry the burden of steering a process or a policy development from proposal through to policy.

Now, that's all I want to say with my hat on.

I have two other remarks as just another community member.

First I would refer people to my silent lightning talk at RIPE 66.

A key thing about consensus development is not to exclude by systematic blindness or by failure to communicate any significant stakeholder group.

Even if they don't seem to be in the room at the moment. One of the responsibilities ‑‑ sorry I should put my hat back on at this stage ‑‑ one of the responsibilities of the working group chair, the working group co‑chairs who are steering a policy through the process, a policy proposal through the process is to make sure that nobody is left unheard who has a stake in the eventual decision. And that was the point of what I presented at RIPE 66.

And finally, definitely with my hat off, I think perhaps the last bullet point could best be reworded as "develop guidance to improve security." Whether it's policy or whether it's best practice, whatever will be decided case‑by‑case, but guidance might be a good neutral terminology to put in the bullet point.

Thank you very much.

BRIAN NISBET: I am going to actually ask the four of you who have spoken before a favour, as there's one voice who hasn't and I would like, we have got a limited time, you haven't spoken on this particular matter so I would just want to...

AUDIENCE SPEAKER: Alex... from AmSix, I am a board member of euro ISPA which is a European association that lobbies in Brussels for the ISP industry, people are present there, people that do have knowledge about the internet, RIPE is missing, so we don't see RIPE very often, at the events. One of the things that is happening currently is Eevidence, basically every European police officer will be able to request data from any European company that has data. Being part of the these discussions I think is valuable but you need to have a point of view. And my feeling with RIPE is that it takes a very long time to get consensus. So if you fix that, then you can be able to participate in Brussels arena.


BRIAN NISBET: I am just making sure that no one is asking things online as well.

AUDIENCE SPEAKER: So Rudiger Volk 'gain. So kind of Neil's suggestion for wording pleases me quite well; nevertheless, let me remark.

I was kind of annoyed seeing that the first thing that is suggested as being work is policies and only then best practices, kind of quite certainly guidance best practices documentation, helpful stuff comes to mind, what kind of policies that are relevant in this context which essentially means rules for the NCC to be applied in their processes is kind of the last thing that comes to mind and well OK, the guidance suggestion from Neil is fine and the EU level policies is quite certainly something that would need a completely different bullet point and explanation for contextualisation, what that actually means, it's certainly not something that regularly happens in RIPE working groups and is called policy.



AUDIENCE SPEAKER: Peter Koch returned to the microphone because he felt misrepresented by Tobias quoting in terms of what I might have said. I had no reason and therefore did not say that the community had done a bad job regulating itself; quite the contrary, it it has done very well andthat's the reason the system is flourishing in a way and we are where we are, hadn't the community done that self‑egulation, we would have other people doing that by now.

Now, what I did say was that our communication to communities that we haven't reached to yet ‑‑ I am paraphrasing what I said, so bear with me that I don't quote myself literally ‑‑ especially parts of the security community, and that's where I suggested we focus on the dialogue and also on the explanation of what this community is and what an RIR and a so on and so forth and what the opportunities, and also the responsibilities are, that's the important part. On the DSA, well I guess there's been a presentation that I missed earlier in the working group, but bear with me, first of all as Alex said, there are lots of industry representatives in Brussels, yeah, the NCC could be more there but then take it again, take it back to the membership for the willingness to pay for that which actually I think they should, like we should, but in a room full of mere conduits, intermediaries, the scenario painted is more or less irrelevant, we shouldn't mix platform regulation with what's going on here, we can happily take to the bar, but that has nothing to do with the security as you describe it there. Thank you.

TOBIAS KNECHT: Sorry for misrepresenting that if this case if that's what happened, no worries. So I think we have to agree to disagree. I agree that the community has regulated itself in a lot of places very, very well. And it has not done a really good job in other places and I think anti‑abuse and the security maybe the security is better than the anti‑abuse, but I think the community has not made a good job in a lot of places and I can to understand because this is a common misconception just so it's not going to spread in here, the DSA is not only about platforms, paragraph 14 explicitly talks about ISPs and also providers of all sizes, not platforms. So just to be ‑‑ because I think this is a common way on how people, think oh yeah, it's not for us because it's platform, they are talking about Meta and Google: It's not, they have paragraphs in there that are for people in this room and the companies they represent.



AUDIENCE SPEAKER: Jim Reed, just yet another random punter off the street. Several comments to make here. First of all, I don't like the idea of talking about RIPE security working group because security is so nebulous, it can mean too many things to too many different people. So if our focus here is in dealing with anti‑abuse type activities, then fine. But security encompasses a number of things which probably won't ever crop up or be used in this potential new working group to be a rechartering working group so I think a better title will be needed than talking about security because that's an all encompassing term that can mean too many things to too many different people.

In terms of the wording you have got for the bulletpoints, I am worried about that too. Simple terms, there are far too many commas, too many lists, too many things that are prescriptive, if you choose a little bit more carefully some more generic language, like Neil was saying before about providing advice rather than best policy and best practice, if you choose more careful words, that would be a better choice than trying to enumerate all the things this new working group might or might not work on, I think that's another important point to take on board. There's also probably a bullet point missing on this which is advising the NCC and I would go back to that when we were setting up the IoT working group several years ago, one of the main motivations for that was because the NCC's engaging with people were being asked what is the NCC doing, what is the RIPE community doing about IoT and there was nothing and the NCC wanted to have some kind of mechanism in place to get community involvement with the community could give advice or statements to the NCC that the NCC to then represent in these other forums or saying this is what the RIPE community is thinking and developing. So I think that should be another aspect for the work for this and the rechartering thing to consider is what do we want the NCC to do when they go sit down with government officials or regulators or take part in discussions in the Commission about what would be in the next directives coming on, I think that also has to be a key point of whatever this new working group is in the future. I think a lot of the text in there could be condensed quite a lot by just ripping out all these enumerated lists and having a simpler clearer language, but not get into specifics. Thank you.

BRIAN NISBET: This is going to be the last comment, at this point in time.

AUDIENCE SPEAKER: Malcolm Hussey, London internet exchange, like some of the people in this room, though not all of them, I have some considerable time put some considerable time in taking community norms and practices and standards candidate an policies to regulators and saying you pass this broadly stated rather unclear legal requirement, what does it mean, either way we think it ought to mean this.

I'd like to thank Alistair at the back of the room there for uncovering that your ambition is actually to produce the policies that could be that.

I am not opposed, in principle, to that being the objective in this working group.

However, if you wish to do that, the bar in reaching the standard of ‑‑

BRIAN NISBET: Speak into the mircrophone, please.

AUDIENCE SPEAKER: The point that was made by the RIPE voice chair earlier about making sure that everybody that ought to be heard has been heard, including the people not in the room, in order to establish something that has got any chance of being successful of either being a good thing to recommend or in terms of being accepted, the bar to reach in putting that everybody has been heard who ought to be heard including the people not in the room is extremely high. If you reach that bar, you have a very good basis to go and say this is really for the whole community that is affected by this as had all the best brains on this, the most affected people, this is a very well understood thing across the people that actually do and practice this, you should indeed be interpreting this as the meaning of the broad legislative expectations, should mean this.

However, if you do not reach that bar, it neither is likely to be and worse ought not to be accepted. And that is a very high bar to reach.

Which means that the scope of the work of the things that you put up as policies for that purpose really must be very tightly around the expertise and practical knowledge of the people in this community who actually show up and not just the handful of random outsideers that pop in to say let's do this and it seems like a decent idea to us so far as we know when it's really outside our practical working expertise.

Thank you.

MARCUS DE BRUN: Thank you.

BRIAN NISBET: So, I am going to say thank you, one final point on that and thank you Malcolm, is that please do not take it as there are three of us who are going to make all the policies and do all the things, this is a working group, we are merely the co‑chairs, we serve at your pleasure. (APPLAUSE.)

And obviously there is ideas that we have and we have stated why we feel that this is necessary, we have taken no, no, we are ‑‑ I am finishing up and we are going to move on. Malcolm.

AUDIENCE SPEAKER: I am not worried about you, I am worried about the random guy that pops into the working group with the brilliant idea and nobody here knows enough to say no and is prepared to stand up and say this really isn't for us.

BRIAN NISBET: That's absolutely a thing, you were using the word you while speaking to us a lot, this was why I wanted to make that clarification and that's why we have the PDP and various things there. But look, this has been, I think, very useful feedback that we need to go and think about and come back, in a nicely structured way on the mailing list. Because that is where we will be and we will continue, to any of who are worried, we have been speaking extensively to Mirjam and Neil about this and we'll to continue to do so as well, because we are part of the a community.

I just want to say actually because again a lot of different things in there, the education and training, Gerardo told me this morning that roughly 100 people have taken the anti‑abuse desk training. There's more planned for this year, initial responses seem to be positive. Thank you to all of you who worked on that and helped us with that, it's a very concrete output of the working group.

Is there any other business?

I see nothing. I will remind you that you can submit agenda items for our next working group session at any point in time. The mailing list again, obviously, there will be more discussion about the potential rechartering or otherwise there. And please do talk to us for the rest of this week as well. The advantages of going first means we have more time to talk about things we want to talk about.

And other than that from a working group point of view, thank you to our stenos and scribes the AV folks and Meetecho and NCC sport staff, we would have to shout a lot without them. From the three of us, thank you very much and we will see you in Prague if not before. Thank you.

(APPLAUSE.)

Captioning by Tina Kealy, RPR, CRR, CBC, Ireland.