Nixu DDI in Enterprise Environment – Click to Enlarge

When integrated with Nixu NameSurfer IPAM, Nixu NEE provides organizations with location-aware IP Address Management process greatly speeding up the response times for internal service requests. By providing a transparent real-time view of the active IP allocations, organizations are also able to keep accurate inventory of their IP resources and to take appropriate measures against unauthorized use of their network resource.

Since its initial launch in late 2010, Nixu NEE has been warmly received by enterprises and governmental organizations subject to various security standards, such as PCI (Payment Card Industry) standards. The Managing Director of Nixu Software, Juha Holkkola said in this regard: "Although it's not always easy to quantify a Return on Investment (ROI) for network security enhancements, Nixu NEE has been able to significantly boost the IPAM ROI for our customers. Thanks to its accurate IP-location inventory, organizations running Nixu NEE and Nixu NameSurfer IPAM have been able to dramatically reduce the time require for onsite service calls and as a result achieve 100% improvements in operational efficiency of their IT support teams."

Find out more about Nixu NEE and download a free 30-day evaluation license from our website.

In April 2011, the APNIC (the Regional Internet Registry for the Asia Pacific region) started allocating from its last /8. At the RIPE NCC we did not see a big jump in IPv4 address allocations in 2011, as anticipated by some observers.

The image below shows the total amount of IPv4 address space allocated each year (calculated as /16s on the y axis). You can see that in 2011 there was a drop in the amount of IPv4 address space from the previous year, bringing it down to the level of 2008 and 2009. There was no big run on the remaining IPv4 addresses.

Note that this does not correspond with the number of requests. Especially the number of requests for /21s increased in 2011 (you can find more on this in the background article on RIPE Labs).

IPv4 is certainly running out, but there is no great rush for the last addresses as feared by some. It was all pretty much "business as usual". As we've said in the past, predicting exactly when the RIPE NCC will run out of IPv4 address space is difficult. We cannot anticipate the size of requests we'll receive.

For more information and more statistics, please refer to IPv4 Allocation Statistics in 2011 on RIPE Labs.

Written by Daniel Karrenberg, Chief Scientist at the RIPE NCC

Why register?

The question to this answer seems simple. To know who has registered with an organisation. This makes it possible to contact the registered person or organisation, to send bills and to discuss policy with the members.

The rationale of unreachable registrations

This one completely goes by me. ICANN distributes IP resources at the highest level that are on principle scarce: domain names and IP addresses and sets policy around the distribution of domain names. So it seems to be in the utmost interest of ICANN to have an accurate database. Over the past years it has been shown over and over again, that accuracy was not a priority of ICANN, even against her existing policies.

There does not seem to be a rationale for this lapses in registration measures. ICANN in the end loses money as she provides a service, but is most likely not paid for this service after registered parties have become unreachable. Next to that it is not good for ICANN's image, as government and LEA reactions have shown over the past years. It could even become a threat to ICANN's very existence.

Cyber crime and enforcement

With the coming of cyber crime, spam and botnets, law enforcement agencies of different back ground became interested in Whois data and were very much frustrated when they found data not to be accurate. (And vetting and revocation mechanisms not being in place.) Whois data is a primary source at the start of investigations. So if these are false this makes investigations harder, not impossible.

Inaccurate data

What can be reasons that data is inaccurate? There can be several reasons. To give a few examples. Someone forgot to change the data after a move of the office, contact person, a merger, bank account, a company stopped its activities, etc. In the meantime the domain names are still used as they were meant to, but from an unknown address.

A second reason could be that free speech advocates want to have a chance to hide their identity behind a so called proxy registration. This way they are safe from prosecution in their home country. Usually this is supported by western governments.

A third reason can be criminal intent. A person or group of persons use domain names for personal gain through illegal activities. They never intended to provide accurate data. From a society point of view this is an activity that preferably is stopped as fast as possible.

What to do about it?

We are discussing unreachable registered companies. It looks quite simple to me. ICANN has many ways to reach out to these companies and does so. Everyone concerned gets one year to alter the data. As soon as someone complies, the data is submitted to the Whois database, after being vetted by ICANN.

All that have not updated their registration on time -and one year is a very lenient time frame- are de-registered by ICANN .

Legit after claims

If ICANN makes sure there's a good procedure to follow for legit claims after the de-registration that come in anyway, I'm sure this procedure will work. Criminals usually do not show up and try to find new ways to proceed their business.

Vetting of all new registrations

When ICANN makes sure new applicants are vetted before being admitted and an ongoing checking procedure of existing members is put in place, I'm convinced that the Internet will become a safer place for all concerned. Also, she becomes an example for policy at lower level, whether domain name or IP address organisations, by setting a standard. It makes one avenue on the Internet harder to reach for criminals.

Update - Feb 7, 2012: Some amendments were made to the post as per comment #4

Written by Wout de Natris, Consultant international cooperation cyber crime + trainer spam enforcement

This post is about IP address reputation with some background on why IPs are so important and why ISPs focus so heavily on the sending IP.

Why IP addresses?

ISPs built reputation around IP addresses because it was one bit of data that malicious senders / spammers couldn't forge. The connecting IP is a fundamental part of the network transaction and if you forge an IP then SMTP can't work. Because that was the reliable data they had to work with, that's what they used. Even now, when there are other kinds of data, the IP address is still the first thing the receiving MTA sees.

What is IP reputation?

IP reputation can best be summed up as "past performance is an indicator of future results." In other words if recipients responded well to mail from an IP address in the past, then they're likely to respond well to new mail from that IP address.

How is IP reputation measured?

While each spam filtering company and ISP have their own ways of calculating the reputation of an IP address, there are some similarities in what they measure.

• How many non-existent email addresses is this IP attempting to deliver to?
• How many abandoned email addresses is this IP attempting to deliver to?
• How many "known bad" email addresses (spamtraps) is this IP attempting to deliver to?
• How many recipients complain about receiving this mail?
• How many recipients complain about not receiving this mail?
• How respectful of my resources is this IP?
• Does this IP keep connections open for long periods of time?
• Does this IP retry deliveries too aggressively?
• Does this IP stop mailing addresses after receiving a "user unknown" message?
• Is this IP address configured as if the associated machine was infected by a virus?
• Is this IP address listed on blocklists we use?
• That is by no means an exhaustive list of what ISPs measure. If they can measure it they've tried. If the measurement helps them separate spam mail from not-spam mail then they're using it.

How fast does IP reputation change?

IP reputation is often measured over multiple time periods. ISPs can look at a 1 day, 7 day, 30 day and 90 day reputation. A good analogy is stock prices. Prices can be very volatile in the short term, but more consistent over the long term. A single bad day, where one or more reputation measurements go bad, may affect delivery that day or the next day but won't damage an overall good reputation. Likewise, a few days of improved mail may not be sufficient to counter months of poor reputation.

How is IP reputation used?

Mail from IPs with a high reputation is accepted faster and at a higher rate than mail from IPs with a lower or unknown reputation. IP reputation can also influence whether mail is delivered to the inbox or the bulk folder.

Key IP Reputation takeaways

• IP reputation is about how recipients react to mail from that IP. Happy, content recipients turn into good delivery.
• Brief changes (for good or bad) don't necessarily ruin delivery over the long term.
• Steady improvements will result in improved reputation.
• It may takes as much time to change a reputation in one direction or another as it took to establish the reputation in the first place.

Written by Laura Atkins, Founding partner of anti-spam consultancy & software firm Word to the Wise

Nixu DDI Software Appliance Platform Awarded Gold Medal for Its IPv6 Support on 21st December 2011

The exhaustion of IPv4 address space in 2011 made IPv6 connectivity an unavoidable reality. While most organizations are yet to face an urgent need for introducing IPv6 support in their networks, they should nonetheless, plan ahead to ensure a smooth transition to a dual-stack environment. The increased complexity of the IPv6 address syntax and the vast size of the available address space mean that DDI services (DNS, DHCP, IPAM) play an even more pivotal role in managing these dual-stack networks.

Having introduced full dual-stack support already in 2004, Nixu Software has been a pioneer in the wide-scale adoption of IPv6 network connectivity. Juha Holkkola, the Managing Director of Nixu Software, said in this regard: "When we started out working with dual-stack environments, there was no strict standard, let alone any certification available. Now that IPv6 is going mainstream, we decided that it was a good time to have Nixu DDI platform's world-class IPv6 support formally acknowledged. Our products sailed through the testing phase in a matter of weeks, which is pretty impressive considering that for some of our competitors it has taken over a year, while for others it seems completely impossible."

To celebrate this achievement, Nixu Software has released a new version of howismydns.com, a free online test tool used to validate the configurations of public DNS servers. This latest version provides complete support for dual-stack networks, allowing fully transparent testing process for IPv4, IPv6 and dual-stack DNS deployments. In addition to IPv6 support, the new toolset also comes with a number of DNSSEC validation tests. To try out the latest IPv6 DNS and DNSSEC testing tools, please visit howismydns.com.

In this article, we want to present the efforts to keep the address space that is the responsibility of the RIPE NCC up to date and well maintained. When the RIPE NCC allocates addresses to a Local Internet Registry (LIR), the LIR is then the authorised holder and has responsibility for the registration and maintenance of all assignments it makes from this address range.

The RIPE NCC audit activity proactively checks the quality and validity of registry data, both in the internal records maintained by the LIRs and the public records in the RIPE Database. In 2011, approximately 400 audits were opened, which means that the LIR's records were reviewed and, if necessary, together with the LIR, corrected and updated. Taking into account that there are over 7,800 LIRs in the RIPE NCC service region, this might sound like a drop in the ocean. However, an LIR's registry data is also checked every time an LIR requests additional address space. This means that specific audits are carried out in addition to these regular checks and are often performed for LIRs that have not been in contact with the RIPE NCC for a longer period of time.

In the image below, you can see the type of issues that occurred during the audits in 2011. Note that multiple issues can be found in one audit.

During an audit, the following issues are typically found:

• Invalid records, such as:
  
  • more IP addresses registered than were approved
  • unapproved network names
  • missing network objects in the RIPE Database
• Overlapping assignments registered in the RIPE Database
• Resources returned
  
  • assigned PI or AS number resources are no longer valid or in use and are returned to the unused pool
• Internal records updated
  
  • Organisation contact data
• Assignment window (AW) abuse
  
  • if assignments are made that exceed the LIR's AW or are otherwise not compliant with the AW policy

The RIPE NCC works with the LIRs during an audit to assist in the resolution of any issues. An audit is closed only when all issues have been resolved or the audit is no longer relevant for other reasons, such as LIR closure, acquisition and so on.

Please refer to the 2011 Audit Results on RIPE Labs for a more detailed description of the audit activity and some other statistics.

Written by Mirjam Kuehne

BlueCat Networks, the IPAM Intelligence™ company, today announced that it has collaborated with the UK Cabinet Office on a best practice approach for deploying a resilient, IPv6-ready DNS service for the Public Sector Network (PSN). The PSN is a CIO Council initiative designed to create the effect of a single network across government.

"The security of business and network services accessible to users over the PSN is of paramount importance," said John Stubley, Public Sector Network — Program Director. "Over the past year, we have worked productively with BlueCat Networks to identify the technical issues to ensure our DNS core services are authoritative, resilient, scalable and easy to manage. BlueCat Networks has been extremely responsive in answering our requests and has provided expertise to the PSN Programme for this area of work."

"The PSN is a key component of the UK's ICT strategy, and will allow public sector users in the UK to more easily share information and access open standard-based services," said Matthew Pearson, UK and Ireland Sales Director, BlueCat Networks. "We are pleased to have the opportunity to work with the Cabinet Office and the PSN in a technical advisory role. BlueCat Networks contributed to the architecture and configuration for a centralised, authoritative DNSSEC and IP Address Management (IPAM) solution for .gov.uk domains. The approach had to be easy to manage, resilient, geographically-dispersed and scalable to support the network backbone for the whole of the United Kingdom. It also had to be future-ready with support for IPv6. Our recommendations were based on our experience in helping US government agencies successfully deploy DNSSEC and IPAM across their large, distributed networks."

BlueCat Networks' appliance-based software solutions provide a purpose-built platform for IP Address Management (IPAM) and DNS/DHCP core network services. Deployed at some of the most demanding and secure organizations in the world, BlueCat Networks' physical and virtual appliances help public and private sector organizations improve security, lower costs and increase IT efficiency. BlueCat Networks' solutions also allow organizations to securely manage change and growth with unsurpassed scalability and future-ready support for IPv6 and DNSSEC.

For a free trial of BlueCat Networks' DNS, DHCP and IPAM solutions, visit http://pages.bluecatnetworks.com/FreeTrial.

"The connected world is also an IP-dependent world," said Michael Hyatt, co-founder and CEO of BlueCat Networks. "By working with HP, we are helping commercial and government organizations successfully make the transition to IPv6, which is a key technology for enabling successful IT initiatives including virtualization and the cloud today and in the future."

By combining IPAM with HP Network Consulting for IPv6 services, enterprises and governments will be able to enhance network flexibility and scalability to support critical IT initiatives, such as virtualization and cloud computing. These services enable a seamless transition to an IPv6 connected world by assessing IPv6 readiness, as well as architecture and design, integration and deployment.

"Organizations need to look ahead to the IPv6 transition to maintain the connectivity needed for real-time responses to business needs," said Imran Khan, vice president, Networking Consulting, Technology Services, HP. "The combination of offerings from HP and BlueCat Networks will help organizations ensure seamless connectivity and business continuity during the IPv6 shift."

Deployed at some of the most demanding and secure organizations in the world, BlueCat Networks' IP Address Management solutions provide an essential technology for helping organizations transition to IPv6, launch new IP-dependent services including virtualization and clouds, and manage network growth and change.

For more on this announcement please visit www.bluecatnetworks.com/hp.

For free trial software, please visit http://pages.bluecatnetworks.com/FreeTrial.

BlueCat Networks, the IPAM Intelligence™ company, will host a live webinar on January 19 featuring Forrester Research, Inc. to discuss the "Five Reasons DDI is Critical to the Network."

"Much of IP, Dynamic Host Communication Protocol (DHCP), Domain Name Services (DNS) management requires too much hand holding; administrators spend time allocating addresses, capturing unused ones, uploading new records, or checking for errors," wrote Andre Kindness, Senior Analyst, Forrester Research, Inc. in a December 7, 2011 blog post. "On average, it takes two days to allocate a set of addresses for the deployment of new servers when it's 5 minutes of work."

A December 2011 report from Forrester provides guidance on why organizations should move off spreadsheets or a homegrown DDI solution and surveys the top commercial DDI solution vendors. A complimentary copy of the Forrester Research report is available at: www.bluecatnetworks.com/forrester.

In the BlueCat Networks webinar, guest speaker Andre Kindness will share key findings from the Forrester Research report "An Infrastructure Can Only Be As Efficient As DNS, DHCP, and IP Address Management" (December 2, 2011) including what to look for in a DDI solution and the capabilities that make BlueCat Networks a top choice for DDI.

"We are pleased that BlueCat Networks is positioned as a top DDI solution in the recent Forrester Research report," said Michael Hyatt, CEO and Co-Founder of BlueCat Networks. "Our IP Address Management solutions not only deliver the automation and intelligence needed to build a more flexible and efficient network, they also provide a critical foundation for helping organizations keep pace with emerging business and IT priorities such as the cloud, virtualization, IPv6 and DNSSEC."

To register for the solution webinar "Five Reasons DDI is Critical to the Network," please visit: www.bluecatnetworks.com/forrester.

Nixu NameSurfer® Suite – Latest 7.1.1 version introduces a centralized reporting tool for DDI, a number of IPAM enhancements. (Click to Enlarge)

"The latest version of Nixu NameSurfer expands the dashboard we introduced in Nixu NameSurfer 7 Series into a global DDI toolset" said Juha Holkkola, the Managing Director of Nixu Software. "The design principle behind the global DDI toolset is to provide network administrators and managers with a set of interactive tools that can be used to monitor and manage the entire DDI environment from a single screen."

A high percentage of enterprise and carrier customers still base their IPAM reporting on static Excel spreadsheets. The new reporting tool included in Nixu NameSurfer Suite 7.1 series provides a set of reports that can be exported in pdf format facilitating the viewing, sharing and storing of DDI-related information offline. To support legacy reporting methods, also csv exports continue to be supported.

The native integration between IPv6 blocks managed in Nixu NameSurfer IPAM and Nixu DHCP Servers running in DHCPv6 mode marks another pioneering step by Nixu Software in supporting and encouraging IPv6 connectivity. Thanks to this functionality, the IP Address Management processes for both IPv4 and IPv6 networks can be aligned and carried out transparently from a centralized IPAM solution.

"Having first introduced support for dual-stack DNS environments as early as 2004, we have been watching the dual-stack networking scene closely for more than five years. As we are now seeing an increasing number of IPv6 — enabled network environments going live, we felt this is a perfect time to add the last part to the IPv6 DDI puzzle" added Juha Holkkola.

Find out more about Nixu NameSurfer Suite and download a free evaluation.

Top 10 Featured Blogs in 2011:

1. A Fairness 'Scorecard' for Trademark Protection Under the New gTLDs
   By Konstantinos Komaitis, Feb 23, 2011 (33,350 views)
2. IP Addressing in the New Age of Scarcity
   By Peter Thimmesch, May 27, 2011 (21,563 views)
3. Smartphones: Too Smart for Mobile Operators?
   By Henry Lancaster, Aug 03, 2011 (21,144 views)
4. On Mandated Content Blocking in the Domain Name System
   By Paul Vixie, Mar 18, 2011 (16,315 views)
5. Court Approves Nortel's Sale of IPv4 Addresses to Microsoft
   By Benson Schliesser, Apr 27, 2011 (13,173 views)
6. The Design of the Domain Name System, Part VIII - Names Outside the DNS
   By John Levine, Sep 17, 2011 (12,399 views)
7. Top Public DNS Resolvers Compared
   By Michael Meisel, Apr 07, 2011 (12,217 views)
8. Why the Lawsuit Against .XXX Maybe the Best Sales Tool Ever For New gTLD Applicants
   By Michael Berkens, Nov 17, 2011 (9,466 views)
9. Independence and Security Online Have Not Yet Been Won
   By Mike Dailey Jul 03, 2011 (9,373 views)
10. Comcast’s Impressive System for Notifying Infected Users
    By J.D. Falk, Mar 01, 2011 (9,216 views)

Top 10 News in 2011:

1. New Top-Level Domains Approved By ICANN
   Jun 19, 2011 (44,312 views)
2. ICANN Approves .XXX
   Mar 18, 2011 (20,936 views)
3. Experts Urge Congress to Reject DNS Filtering from PROTECT IP Act, Serious Technical Concerns Raised
   May 26, 2011 (12,284 views)
4. Microsoft Offers $7.5 Million to Buy 666,624 IPv4 Addresses
   Mar 25, 2011 (9,600 views)
5. Egyptian Government Shuts Down Most Internet and Cell Services
   Jan 28, 2011 (3,988 views)
6. US Government Domain Seizure Results in Unintended Shutdown of Thousands of Websites
   Feb 16, 2011 (3,962 views)
7. J.D. Falk: 1974 - 2011
   Nov 17, 2011 (3,918 views)
8. Cybercriminals Shifting Focus From Windows PCs to Other Systems and Mobile
   Jan 20, 2011 (3,823 views)
9. Researchers Report New Method for Detecting Domain-Fluxing
   Mar 28, 2011 (3,633 views)
10. Microsoft, Federal Agencies Take Down Rustock Botnet
    Mar 18, 2011 (3,607 views)

Top 10 Industry News in 2011 (sponsored posts):

1. Google Says "Think Mobile" ...and then goMobi
   By dotMobi, Feb 15, 2011 (6,120 views)
2. The Botnet-Counterfeit Drugs Connection
   By MarkMonitor, Apr 01, 2011 (4,928 views)
3. New gTLD Timeline Announced and .XXX Approved
   By MarkMonitor (4,253 views)
4. Second Half 2010 "Dashboard" Domain Name Report - Released
   By PIR, Feb 14, 2011 (3,666 views)
5. MarkMonitor Report: How Scammers Generate Significant Traffic Promoting Suspected Counterfeit Goods
   By MarkMonitor, Feb 01, 2011 (3,536 views)
6. AusRegistry Int. and Crowell & Moring Join Forces to Support New Top-Level Domain Applicants
   By ARI Registry Services, Mar 14, 2011 (3,507 views)
7. Celebrity Marketing Guru Jeffrey Hayzlett to Promote New TLDs for AusRegistry International
   By ARI Registry Services, Jun 17, 2011 (3,472 views)
8. Minds + Machines’ Parent Company, TLDH, Appoints Peter Dengate Thrush as Executive Chairman
   By Minds + Machines, Jul 17, 2011 (3,457 views)
9. DNSSEC is Just the Beginning
   By .CO Internet, Mar 02, 2011 (3,421 views)
10. Landrush for New Domain Extension - .GR.COM
    By CentralNic, Jan 11, 2011 (3,421 views)

Written by CircleID Reporter

I am a big fan of DDI (DNS, DHCP and IPAM) as magical trio to manage all transactions on network infrastructures… Or to say the least: make it possible.

Basically it makes these "Core Network Services" concise, manageable and integrated. It basically makes the network infrastructures of today and the future possible.

There is however one thing that continuously seems to irritate when talking about integrating these services on networks.

Let's have a look at the Microsoft DNS and DHCP, it's the most used, and has by far the largest footprint of them all. But is it "Integrated"? Seems to be with "Active Directory", but not so with IPAM as there is no real administration of "content" on Microsoft DNS/DHCP (just config and "records"). And Excel really doesn't count! :-).

If we look at Non-Microsoft DNS and DHCP, it seems to be more network/unix territory, and administering and configuring IP-Addresses seems to be more embedded due to historical reasons (maybe). IPAM is more of a common cause here.

So it would be logical, if one wants to apply the magical trio, to replace Microsoft DNS/DHCP, de-integrated it from Active Directory and put it closer to the network, right? (well, I would say yes, but lots of peoples are not convinced).

Actually there are a couple of scenario's that seems to appeal, but get little to no attention, let alone implemented.

Scenario 1: Let's replace the lot

Disable Microsoft DNS/DHCP and let Active Directory use the company wide DDI solution. This is actually no problem at all, and give lots of benefits. In most cases it actually gives Active Directory a boost in performance and all kinds of extra logging and statistical information. And of course integrated IPAM, which is key for any IP based network infrastructure and it's services nowadays.

Scenario 2: Delegate a Domain

Have a company wide DDI solution, but just delegate a domain to the Active Directory domain which will run on Microsoft DNS/DHCP services. So the "connection" is just DNS. You will loose some oversight (feedback) from the services. As long as there are procedures from the DDI team on handing out IP's and Names, it is a workable situation. Not perfect in my opinion.

Scenario 3: Integrate with the MS Services

Have a company wide DDI solution, have an Active Directory with their own Microsoft DNS/DHCP services, but manage both with the same DDI solution. This is very flexible and best of both worlds. It will have an added bonus: IPAM.

Scenario 4: No integration

Let everyone have their own island. Prone to lots of political and technical discussions. The biggest question here will be "Reverse Zones", who will own them… Good luck!

And there are many more, but I keep it by these 4 which seems to be most common.

There seems to be two camps revolving around this:

Camp 1: The Network / System Guys

They want an integral DDI solution, providing DHCP and DNS to the whole world, including Active Directory. Strong users of IPAM want all kind of neat features for failover, redundancy and disaster-recover. DNS and DHCP is a "Network Component".

Camp 2: The Microsoft Guys

They just want to do their own DNS and DHCP for Active Directory and really don't want to do anything else. Redundancy is fine (multiple servers, multi-master, etc). DNS and DHCP is an "Application".

There seems to be a lot at stake for both camps. Both will touch the core of networks. One from the bottom-up and the other top-down and can "boss around" when needed. It's a responsibility with power!

Both camps are also guilty (mostly because of knowledge shortage) by not understanding each other requirements and forgetting about the complete picture, trying to cover their own requirements. Making no decision seems to be more common in these cases. "Let it be" is mostly the outcome.

I think either scenario works, at least if integrated IPAM is part of it. IPAM is in most cases a missing part, out-of-date and disciplinary. Integrating all three components (DNS, DHCP and IPAM), respecting the infrastructure and requirements is the way forward and the way to build future proof networks.

And I have not even thrown in IPv6 and DNSSEC for added complexity! :-)

As said… An observation…

Written by Chris Buijs, Senior Product Manager

The Resource Certification (RPKI) service was launched at the beginning of 2011. The system enables network operators to perform Border Gateway Protocol (BGP) origin validation, which means that they can securely verify if a BGP route announcement has been authorised by the legitimate holder of the address block.

Using their resource certificate, network operators can create cryptographically validatable statements about the route announcements they authorise to be made with the prefixes they hold. These statements are called Route Origin Authorisations (ROAs). A ROA states which Autonomous System (AS) is authorised to originate a certain IP address prefix.

So far, 10% of the RIPE NCC membership has opted into requesting a Resource Certificate. In the graph below, you can see the number of IPv4 prefixes (blue) and IPv6 prefixes (red) that have been certified by RIPE NCC members using their certificate. More than 900 IPv4 prefixes are certified. That means that more than 10% of the IPv4 address space the RIPE NCC is maintaining is covered by certificates. For IPv6, around 250 prefixes are certified. This is a relatively high number compared to the total number of IPv6 prefixes in the routing system.

Number of IPv4 and IPv6 Prefixes covered by Certificates in the RIPE NCC service region (Click to Enlarge)

More information:
• Find out more information about certification.
• See more RPKI related statistics.
• See RIPE Labs for other related information about IP address space.

Written by Mirjam Kuehne

Neustar, Inc. announced today that Quova, its services specializing in IP geolocation data, will be renamed Neustar IP Intelligence effective January 1, 2012. Neustar acquired Mountain View-based Quova in November 2010. For the time being, its web address will remain http://www.quova.com.

"Quova is a perfect fit with Neustar's family of services," said Alex Berry, SVP, Neustar Enterprise Services. "Its high quality real-time data, which detects the location of a user logging on to the Internet, enables companies to make better decisions based on this intelligence — from customizing marketing campaigns to preventing fraud. The new name more clearly suggests this value, and aligns more closely with our corporate brand."

While the Quova services are being rebranded, its data services, customer service and the team behind them will remain the same. "The name is changing, but everything it represents will be intact — top-quality, real-time data backed by terrific service," said Berry. "We'll provide the same trusted data, along with access to other Neustar services that help businesses find, connect with and authenticate their customers."

For over a decade, Quova has provided IP intelligence data, which contains detailed demographic and network characteristics. This information helps companies prevent fraud in online commerce, regulate content to stay compliant, localize content and more precisely analyze Internet traffic. Quova is the only full-service IP geolocation provider with a team of analysts, customer technicians and developer advocates who add human input to network intelligence to offer consultative services along with world-class data. Learn more at http://www.quova.com.

Unfortunately, that is changing and changing rapidly due to misguided government intervention. Ever since 2000, when we witnessed the LICRA v. Yahoo! conflict, we have had governments taking actions that move us away from the utopian vision of early netizens towards a dystopic, unrecognizable Internet.

This past month has been incredibly busy in terms of misguided governmental interference. Here is a short list of recent governmental bloopers and why they are deeply flawed;

1. Put out a RFP to run the core names and numbers entity (the IANA) but limit it to US organisations. For over a decade, other governments have complained bitterly that the US "controls the Internet". This move further entrenches that flawed perception but serves no actual purpose since it is nearly inconceivable that any entity other than ICANN (based in California) will get this no fee contract from the Department of Commerce. Serving turkey at Thanksgiving is an American tradition, but this move elevates the term "giving the bird" to new heights. Governments unhappy with this decision have another reason to try to "split the root" or build their own set of nameservers that they can control.

2. Propose a UN Committee for Internet-related policies (CIRP). India has done this in the UN General Assembly. Earlier this year, India, along with Brazil, and South Africa floated their "IBSA Proposal" [PDF] to near universal criticism. Despite this, the Indian delegate at the UN still said that CIRP would, inter alia,

"coordinate and oversee the bodies responsible for technical and operational functioning of the Internet, including global standards setting."

Since this is completely unlike the current situation in which the technical and standards bodies operate independently, developing standards and policies in open to all, bottom-up, transparent and consensus based processes this proposal seems aimed at breaking the "Internet Model" [PDF]. This model, sometimes called the Internet eco-system [PDF] has given us the Goose that lays the Golden Eggs. An excellent description of this is well worth reading, and as one commenter suggested "The model is so important that a threat to the model is a threat to the Internet itself." Because some governments are so angry about US unilateral control over Critical Internet Resources (see #1 above), they are willing to kill the Goose, thus ensuring no one gets the Golden Eggs.

3. Start a new Thanksgiving tradition of censoring websites without due process. Last year the rojadirecta case caused quite a stir in Internet governance circles. It seems that ICE will continue to do this until your lolcatz are replaced with this, only then will we see the public at large up in arms.

The rojadirecta case was striking in that ICE not only asserted authority over content (found to be legal in Spain, where rojadirecta is located) stored on a webserver outside the USA, it censored the website that only carried (allegedly) infringing links, as rojadirecta does not have the actual content that were thought to be infringing. Again, the US government angers the rest of the world. It may also be useful to point out that seizing the domain did not stop rojadirecta, they just moved their website to multiple other domains.

4. Be hypocritical. Proclaim your support of Internet Freedom abroad and actually fund projects that are doing excellent work to protect freedom of speech online with one hand while using the other to restrict those freedoms (see #3 above) not just for your citizens, but for billions of Internet users worldwide.

5. Make pressing a facebook "like" button a criminal act. Well done, Thailand for giving us a humorous interlude in this long, boring post!

6. Issue a court order instructing non-profit public interest organisations outside the USA (and one in Virginia) to take specific actions in the databases they manage. In some cases, these actions may violate contracts the organisations have signed with their members. Once again, a unilateral action by a government actor throws sand in the gears of a well-oiled Internet policy system that has taken decades to evolve.

7. Propose legislation that not only censors Internet content on allegations alone, but that requires ISPs and ANYONE who runs a caching DNS server, a search engine, advertising or payment network to police content. In the USA, there is an intense battle over this SOPA/PROTECT-IP legislation that actually reaches in to DNS servers and mandates filtering by server operators.

As the CDT and many others (including myself as a signatory) have argued, the DNS is not the appropriate place to do this.

DNS name queries should be and accurately translated into DNS name responses regardless of query source or query subject. That's the design of the DNS and it does its job billions of times per day. This legislation would mandate that your DNS server send you a lie when you made specific queries. Internet broken, plain and simple. In addition, our new DNS Security extensions are incompatible with a lying DNS server. The DNS is the wrong focal point to attack this problem.

Besides the breakage, the measure, as originally proposed (and as amended) just wouldn't work to Stop Online Piracy (House bill) or PROTECT-IP (Senate). It's trivial to register a new domain name, or find a new DNS service provider and let's not forget the content "lives" on webserver somewhere that has an IP address, so filtering DNS replies does not remove the content. Of course, one domain name can have many sub-domains, so taking down one domain can affect hundreds of perfectly innocent websites (as happened in last years Thanskgiving ICE takedown).

8. Hold hearings to put pressure on the organisation that manages Internet name and number resources to delay a program that is a result of more than 7 years of bottom-up policy making processes. Two separate House committees put ICANN on the hot seat this week because Congress clearly doesn't understand that they don't get to make these policies, they are just one stakeholder among many. I applaud ICANN for sticking to their agreed upon schedule for adding more gTLDs to the root;

"This process has not been rushed," said Kurt Pritz, SVP of ICANN. "Every issue has been discussed. No new issues have been raised. The people at this table participated in this debate."

Even though I have never been a proponent of new gTLDs, I understand that the Policy Development Process has finished and I accept the result. Whinging to Congress is just bad politics for the ANA and others who testified at the hearings if they ever want to be taken seriously in ICANN policy making going forward.

On the face of it, all of these disjointed legislative, judicial and executive actions would seem to argue for a global set of rules that all governments would abide by. We saw during WSIS however that the US is not about to give up the one lever of control they have over Internet names and numbers, nor are other governments willing to give up sovereignty over what happens in their territories.

If, by some miracle, a deal was reached on a treaty, this would be even more disastrous than individual governments making bad policy decisions. Having nearly 200 UN Member States making Internet policy in a top-down governments only setting would only multiply the badness of the bad ideas listed above. Do we really want China, Burma and Iran (just to mention a few) making decisions on what content we can consume or create?

Governments and Intergovernmental bodies are supposed to serve the public interest. Unfortuantely, they don't grok the Internet and their knee-jerk efforts are a threat to the Internet as we know it. They can best promote the public interest by NOT regulating the Internet.

Written by McTim, Co-Chair of the African Network Information Center Policy Development WG