‘Trust is gone’: Is the RIPE NCC still fit for purpose?

  • At RIPE 88 in Kraków, Poland, a long time member of the board called for major changes to the structure of the RIPE NCC.
  • Created in the 1990s, the RIPE NCC may no longer be fit for purpose, and Remco van Mook invited suggestions for improvements.
  • Already suffering from financial pressures and account security issues, some questioned the adequacy of the organisation.

‘Trust is gone. We have to expect that we are now working in an untrusting environment.’

These ominous words, uttered by Randy Bush, an outspoken stalwart of the internet community for many decades, are an apt precis of the mood that prevailed at the RIPE 88 conference in Kraków, Poland.

Amidst the leafy, quiet surrounds of the Metropolo Hotel in the suburbs of the city, Bush, a 2012 inductee into the Internet Hall of Fame and one of the architects of the modern internet, boomed his thoughts via a live stream into the room where the topic of discussion was: ‘Building A Stable Future for the RIPE NCC’.

That rather tepid title doesn’t capture the question at the heart of the debate: RIPE NCC is no longer fit for purpose, so how does it need to change?

Also read: RIPE 88 kicks off in Kraków with questions around RIPE’s future

Is RIPE NCC still fit for purpose?

RIPE NCC is the secretariat or administrative body for the RIPE community, a collection of internet professionals and engineers from Europe and some parts of the Middle East. Its core service is to maintain a database of IP addresses, to ensure their uniqueness, so that data sent over the internet goes where it’s meant to go. Without this, the internet would collapse.

The problem is, RIPE NCC was formed in 1992, and the world has changed in the last 31 years. It originally had 30 employees, fewer than 1,000 members, and a budget of €2 million (US$2.2 million). Today it has 190 employees, more than 20,000 member organisations and a budget of around €40 million.

More importantly, the value of the assets it maintains (IP addresses) has grown from zero (IPv4 addresses were readily available for free in the 1980s and 90s) to around €20 billion (IPv4 addresses are now nearly all used up, so if you want some you may have to pay roughly $40 for each), and its own funding is under serious pressure as the number of paying accounts declines, millions of euros are tied up in problem areas like Ukraine, and the costs of running its additional services increases.

Is an organisation that was set up by technicians and engineers to carry data packets along wires equipped to handle billions of dollars-worth of digital assets? Does it have the resources to ensure the security of its systems, and can it afford to pay for their maintenance and upgrade?

Also read: Orange Spain RIPE NCC account is hacked, questions asked of account security

The RIPE meetings always include an extravagant dinner – which has been questioned as a proper use of funds.

RIPE accounts hacked

Late last year the details of 870 RIPE NCC accounts were hacked and leaked to the dark web. Around the same time thousands of customers of Orange Spain lost internet access after a hacker misconfigured the BGP routing and RPKIs after correctly guessing its account password. Since then RIPE requires longer passwords and 2FA has been added, but these events reflect badly on an organisation whose core remit is to protect these numbers.

A survey of its members in 2023 showed that only 69% of people thought RIPE NCC offers value for money, a figure that is declining too.

And so, with these points in mind,  Remco van Mook, a RIPE NCC board member since 2010, led the session to discuss how RIPE needs to change, giving Bush his chance to voice his thoughts about trust. “We have to sit down and do the hard work of completely reinventing how we manage our membership and our funding, while taking into account how we can mitigate current risks and future-proof the RIPE NCC,” van Mook said.

It doesn’t help that one of the most sensitive topics – that of what the registry should charge its members – has been debated, voted on, debated some more, and now is lined up for another vote. If a simple charging scheme can’t be defined and implemented, what does that say about the decision making capabilities of the people in charge?

Also read: RIPE 87: ‘Something needs to change’ – ‘chief frugal officer’ describes a problematic future

Already, the challenges of this kind of effort are clear. Hans Petter Holen, RIPE NCC Managing Director, added his thoughts, asking to steer clear of wholesale changes. “I don’t mind change, but small changes that we understand are best,” he said in the General Meeting.

That flies in the face of many of the comments that came out of van Mook’s session, which inspired the highest engagement from the crowd of the week.

Big changes needed

Tina Morris, vice chair at ARIN, the Regional Internet Registry for North America, and Technical Business Developer at Amazon Web Services, made the point several times that strong leadership, willing to make tough decisions, was required. Perhaps she has noticed how one of the prevailing traits of the RIPE NCC board is to defer to ‘the community’ every time something needs to be done.

Malcolm Hutty, Head of Public Affairs at London Internet Exchange (LINX), suggested that doing away with the duality of the free-to-join RIPE community, and paid membership of the RIPE NCC, could be considered.

And for at least one member, this entire debate is moot, because the very nature of a private organisation running something as valuable and important as IP addresses makes them unsuitable. Lu Heng, CEO at LARUS Ltd, is running a campaign to untangle IP address administration from the RIRs, and have it all done instead on the blockchain. Pointing to AFRINIC, the African RIR, which has been without a board or CEO for two years as it fights a litany of lawsuits and financial problems, Lu says the vulnerable nature of an organisation like this makes it inadequate to manage not only billions of dollars of assets, but a utility as essential as the internet, and blockchain offers a cheaper, fairer and more secure alternative.

Also read: What is AFRINIC? The role and challenges of the African Regional Internet Registry

Now the work begins for van Mook and the RIPE NCC board, and one wonders if they have the ability to make the tough decisions needed. In the final session to discuss the ideas, a considerable portion of the debate was given to deciding whether this mission needs a ‘working group’ or a ‘taskforce’ or just a simple email list. If that’s how this thing is kicking off, van Mook’s timeline of 18-36 months may be rather optimistic.


James Durston

James Durston is the Editor-in-Chief for Blue Tech Wave, and a former editor and journalist for some of the world's biggest international media organisations.

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *