[kictanet] IGF 2008 Highlights - Day 3

[mwende njiraini]

*5th December 2008*
*930-1100 Panel Discussion Transition from IPv4 to IPv6*
Based on several studies it is projected that IPv4 addresses will be
globally exhausted by 2011 however address space will still be available at
a local level. Seamless take up of IPv6 is expected with the exhaustion of
IPv4 and there is on going discussion – to define policy to facilitate
smooth transition for operators and ensure that new comers have minimum IPv6
address space allocation to start up business.

The following issues were discussed from different perspectives:

*Issues from operators' perspective*:
- Deployment of IPv6 enabled equipment in the core networks should be done
increment – however uptake is low because there is no extra revenue
generated with the implementation of IPv6 i.e. the lack of commercial
drivers. However this is expected to change with the as customer numbers
grow.

- Need for upgrade – therefore operators from developed countries stand at
an advantage as they have the resources and are nearly exhausted their local
allocations.

- Getting operational experience is a challenge – there is need to invest in
operational tools to run IPv6 in terms of software configuration utilities
management and trouble shooting

- Participation in standardization – where users have equipment that
supports only IPv4 – how do they access services that are available only on
IPv6-based networks? The IETF is working on the transition mechanisms
however the co-existence of both protocols is expected for a long time

- Operators are pushing for IPv6 support in customer premise equipment (CPE)
as well as software that supports the new protocol version. However it is
expected that legacy applications will be available in the foreseeable
future

*Issues from a vendor perspective*
- Transition has been going on for some time in the vendor world. The
transition has been a long process for vendors and operators – in terms of
getting the technology and standards ready

- As IP is the core of the internet – transition to ipv6 – is significant
particularly with the increase of IPv6 enabled devices connected to the
internet specifically mobile phones

- need to understand technology and therefore need for operational and
implementation experience

- managing customer demand/expectations for IPv6 enabled services and
devices

- cost of staff training

- there are mistakes that will be made – therefore need for mutual support
in the implementation of v6

*Social and economic perspectives*-
- Transition should be cooperative endeavour with social and economic and
policy considerations

- Gradual implementation and interoperability between IPv4 and v6 expected
so as to preserve the investment already made

- There is a general understanding that IPv6 will compliment and supplement
the existing IPv4 as well as provide improved routing, multicasting,
efficient infrastructure. The following questions however arise:

o The advantages that IPv6 offer are good reasons to invest in the new IP
version.
o Would transition be transparent and would backward compatibility required

- Users want the stability of the internet to be maintained and hope that
IPv6 will offer opportunities for addition to personality features on the
internet – this is what makes the business case

- In the India case there are a large number of service providers – and
there is only a 1/8 usage – therefore demand is low – the need to enhance
cultural diversity however provides opportunities to create demand through
local content development including E-government programme and Info-tainment

- It is important to break the myth that IPv6 is a new internet - It is not
a new internet rather continuation of the internet

- The main benefit is the address space addition- which may allow for
efficiency

- There is no need to establish a deadline or regulate the implementation of
IPv6 – as it will be market driven. Additionally users should have rights to
use IPv4 and IETF is working on coexistence

*Policy perspective*
- With the impending exhaustion of IPv4 – further implementation will be
problematic – as not all players will support transition therefore it is
important to examine measures – for continued use of IPv4 and possible
migration of users to private IPv4 address space

- creation of action plan to be implemented by 2010 – for example offering
of incentives such as tax exemption and capacity building

- examination of existing programmes and mechanisms

- establishment of taskforce of IPv4 exhaustion

- the messages of ISPs is that they must carry IPv6

- IPv4 scarcity and demand for more security are the 2 major challenges
driving the uptake of IPv6

- Institution of market transfer or reclamation mechanisms of IPv4 resources
not required by local internet registries to the regional internet
registries when transition to IPv6 is implemented. However this would be a
challenge as RIRs have no contractual authority this may create a grey
market. This challenge may be overcome through a loose membership
association that allows others to use others resources

- Institution of secure routing objects including PKI to authenticate users
raises governance/control issues – RIRs have centralized control which may
make it efficient and better able to address security issues this makes an
RIR an central governance institution. Membership of security/government
associations in the RIR would result in infiltration of technical, policy
agendas that may make the transition to IPv6 complicated

- However it is argued that RIRs should remain neutral and trans-national
institutions which:
o maintain a homogenous technical group
o maintain a bottom-up approach in policy making
o guarantee the stability of the internet and business continuity of members

- main challenges in the deployment of IPv6 include:
o lack of public education, information and skill
o limited network policy decisions to make deployment happen
o lack of incentive to deploy ipv6

*1100-1230 Workshop 59:Building a global capacity building curriculum
framework and premier*

- Integration of IG capacity building in existing ICT and public policy
courses was advocated.

- The training may be offered either online, offline or through short term
executive courses.

- Collaboration between different stakeholders who have different needs is
imperative in order create an understanding of the issues arising from
increased used of the internet particularly those that transcend the
geographical, and cultural borders.

- internet security awareness programme set up in India

- Presentations on the Diplo IG capacity building programme (
www.diplomacy.edu/ig) – including a demonstration of the online platform.

- The Diplo approach includes the training course (foundation and advanced),
policy research, policy immersion and community interaction.

- The impact associated with the IG capacity building programme have been
varied and impressive including the establishment of IG governance masters
programme in Srilanka and the use of telecentres to disseminate IG related
information.

- Diplo has successfully offered the training to professional worldwide for
the last 4 years leading to the establishment of national, regional and
global community

*1400-1530 Workshop 29: Building confidence and security in the use and
security in the use of ICTs for African countries

*Main challenges in Africa
- lack of infrastructure
- lack of services

Therefore opportunity to learn from mistakes in developing countries and
establish of computer emergency response team currently there is only one
active CERT in Africa in Tunisia, South Africa is in the process of setting
up a CERT with the deadline of 2010 before the FIFA world cup. While
countries such as Morocco, Kenya and Ivory Coast are thinking about set in
up CERTs.

The approach in dealing with Cybersecurity in developing countries

Success of Cybersecurity is based on 3pillars

1. *Technology pillar* – ICT/security tools –including:
o PCs / networks, physical security tools, data tools (storage media and
cryptography), availability of infrastructure and application (redundant
servers and PKI)

2. *Methodology pillar* – policy, procedures and regulations on three
levels:
o managerial level (security policy, management procedures and capacity
building, audit) Legislative level (law and regulation)
o operational level (acces control rules, implementation plans, monitoring,
watch, incidence handling)
o continuity of services level ( business continuity plan, crisis
management, drill exercises)
- actors in this pillar include the government, security professionals and
users

3. *Social behaviour pillar* – creating a culture of cyber security
o cultivate culture of cyber security through continuous action of raising
awareness using diverse media/channels
o the target audience includes managers, decision makers, security,
children, parents, teachers


*Case study: CERT-TCC - Tunisia*

*The functions of the CERT include*:

- Watch- collect information from different sources eg CISCO, HP. Microsoft,
network of CERTs, community of hackers
- Training
- Coordination
- Response
- Incidence handling
- Incident analysis
- Awareness
- Warning alert

*Key issues*:

• Information, warning and alert – carried out to in collaboration with
ISPs, managers decision makers, internet community through mailing list,
call centre, media

• Oriented campaign – utilizing prospectus, posters, email, radio, cartoons,
video, attack simulation and guides

• Incident handling - training in new tools

• Coordination important in the effective functioning of the CERT – incident
coordination procedures and information including regional CERTs, other
CERTs within the country (for example Brazil has more than one CERT), ISPs
and operators, vendors and integrators, and national authorities.

Need for the formation of CERTs in Africa however the challenges of lack of
"know how" in IT security need to be overcome through:
- capacity building
- encouragement of the development of national solutions based on open
source components
- improved R&D capabilities and making it more responsive to urgent needs
- encouraging academic research in the important topics of security
(cryptography, methodologies…)

*The following questions and comments were raised*:

- the need for social engineering through the creation of a culture of cyber
security to be addressed specifically because of the increased requirements
by government to obligate to provide subscriber identification information

- how can African countries start up a cert- through collaboration for
example with existing CERTs

- in establishing a culture of cybersecurity – consideration should be given
to the fact that there are different social cultures in different countries
however there is consensus on issues such as child pornography, identity
theft

- how can a regional approach be developed where there are differences in
level of ICT infrastructure and use of infrastructure in the delivery of
services, what tools can be used to encourage decision makers to be involved
in the issues of cyber security?

o It was recognised that funding and expertise was required for example
AFDB, World Bank and Islamic Bank while ITU have regional workshops on cyber
security

o As African countries build on infrastructure and services – there is an
opportunity to learn from those that have already developed CERTs.

- How does the CERT monitor traffic: with the collaboration of ISP and
operators as well as supporting legislation

- Regulators need to advice the government to use ICT in development – this
is a manifestation of government commitment

- The role of policy making was emphasized – as it provides government
commitment to using ICT for social economic development and governance and
consequently support for cyber security initiatives – including the
formulation of legislation.

- There should not use a piece meal approach to cyber security to prevent
ineffectiveness for example Mauritius has electronic transaction act but PKI
not yet established



On 12/5/08, mwende njiraini <mwende.njiraini at gmail.com> wrote:
>
> Following our recent online discussions on Internet governance issues in
> Kenya, the Kenya IGF and East African IGF; you may wish to follow the
> discussion currently ongoing at the global IGF 2008 in Hyderabad India at
> http://www.intgovforum.org.
>
> Below are highlights from workshops I attended on Day 1  December 3rd):
>  *0930-1100 hrs Workshop 43: Legal aspects of governance critical internet
> Policy issues of public relevance*
> *1st presentation*
> The issues on that have legal implications include:
> • internet security intellectual property rights, infringement, privacy and
> protection mechanisms
> • IP domain name protection, conflicts arising out of data and content
> ownership privacy therefore increasing role of P2P in growth of internet 2
> • Consumer status and rights in relation to e-commerce cross border and
> domestic online trade
> • Telecom issue viz backbone deployment and interconnection costs
> • Freedom of expression – the extent of censorship and control on online
> content
>
> There is need for capacity building to create meaningful participation of
> individual and SMEs as well as increasing connectivity through building IXPs
> and local content development
>
> The question was raised as to whether there a need of alternative
> institutional mechanism.
> The salient features of the MOU between ICANN and the department of
> commerce (DoC) include:
> - The affirmation of the role of private sector leadership
> - The role of DoC in ensuring transparency and accountability and effective
> GAC participation
> - Ensure accountability and publish by-laws and strategic and operational
> plans
> - Agreement can be terminated in 120 days
>
> The MOU has been criticized because of the following reasons:
> - US governmental control on root server administration
> - Inconsistent with WSIS principle where no single government should have a
> pre-eminent role
> - Domain name allocation policies need better development
> - IPv4 address allocation have been imbalanced need to ensure IPv6 address
> allocation does not suffer the same effects -This assertion was however
> refuted as IP addresses allocation based on need. The need for prudent
> management and keeping barriers low for the transition to IPv6 was
> emphasised.
>
> To overcome this WGIG proposed 4 models:
> - Global policy council
> - Intenational internet council with leading government role to fulfil the
> ICANN/IANA functions
> - GAC to be strengthened with enhanced coordination function
> - Replace US govt role by general internet council or with world ICANN (in
> lieu of GAC)
>
> The common features of these models were the overwhelming government lead
> and the presupposition of the possibility of international treaties. During
> the discussion the viability of these models was questioned given that speed
> is of essence in the management of internet resources. It normally takes a
> long time to negotiate international agreements; including treaties instead
> a set of principles should be endorsed.
>
> The speaker recommended on the management of critical internet
> infrastructure should take into consideration the following
> • Treatment of technical resources of the internet and global economic,
> social and legal aspects arising out the internet should be at par
> • The development and implementation of polices and standards and solutions
> to various internet issues should be done in a coordinated manner for
> example telecommunication standard development is done in a hierarchical and
> predictable way.
> • New structure would be a supreme authority over internet
>
> In conclusion the speaker asked: Does the internet as we know it need to be
> altered radically? Should the status quo be maintained? Should a Red Cross
> model of recognition by international community states be given to an
> international entity like ITU, INTELSAT. However fundamental change is not
> necessary as failure has not been identified.
>
> *My comment*: this presentation was descriptive and despite the fact that
> an alternative model was proposed the principles, mechanisms that would need
> to be put in place in order to make it work were not discussed
>
> *2nd presentation*
> The next speaker spoke about the ccTLDs in latin Amercia which are broadly
> organised into two main groups: non-governmental and governmental
> organisations. A contribution from the floor however clarified that the
> Brazilian ccTLD is a multi-stakeholder – coordinated by government – but on
> a day by day basis operates as a non-governmental organisation. The Indian
> ccTLD is managed by government and private sector – sovereign interest taken
> care of through government representation.
>
> The rules and regulations under which the institutions that manage the
> ccTLDs are managed determinate legal framework under which they operate.
> Consequently ccTLDs are regulated under national law while ICANN regulates
> gTLDs – The possibility of self regulation is based on the assumption that
> private sector would act in the public interest.
>
> In the discussions some felt that there was need for increased attention of
> government in the management of ccTLDs – as it was critical infrastructure
> while on the other hand other felt that there was the risk of excessive
> regulation with increased involvement of government.
>
>  *1130 -1200 hrs Workshop 36: Strategies to prevent and fight child
> pornography in developing countries*
> Child pornography in Brazil has grown out of the popularity of social
> networking. However the main challenge has been issues related to
> jurisdiction as content is resident in ISP based in the USA and
> trans-national ISPs like Yahoo, Microsoft and Google which have branches in
> strategic markets and have tailored the services for these markets in terms
> of language and content.
>
> Brazil was therefore unable to deal with serious offences related to
> content – specifically child pornography - committed by Brazilians using
> Brazilian IP addresses. The government has been able to sign an agreement
> with Google to fight child pornography on Google's orkut social network.
>
> The following are consideration taken in drawing up the agreement
> 1. Which criteria should be used to define the ability of a particular
> country to legislate over and sanction conducts committed on the internet?
> - Where the data is located?
> - International law principles (territoriality or nationality) shall be
> used to define the sovereignty of a state regarding – cyber space – which is
> a network of networks
> - Define some reasonable standard – for example managed by Brazilians and
> is local content and local language
> - Access points in Brazil, harmful conduct felt in the country – taken
> obligation under international law to take offence – country of origin
> approach would force thousands of users to unfamiliar rules and travel –
> offence under human rights therefore apply local legislation
>
> 2. It is legitimate to enforce the conduct of local office –as it
> impracticable to send legal request to the US.
>
>
> New tools have been implement that have reduced number of images uploaded
> and increase in number of reported cases- subject to investigation. It was
> inspiring to listen to parliamentarian talk about the need to have
> legislators engaged in the process as they ultimately pass the laws. I
> appreciated the fact that in there is great cooperation between the
> parliament, government, police, civil society and private sector.
>
> The main challenges are:
> • Lack of awareness and participation by parliamentarians who are critical
> in the formulation of legislation
> • how to obligate ISPs to provide information without infringing on freedom
> of expression and privacy,
> • what criteria should be used to deal with these offences
> • the creation of awareness of ISPs in developing countries of the need for
> judicial cooperation as well as social initiatives to deal with cyber crime.
> • Insufficient infrastructure to deal with this issue – law enforcement
> does not have the human resources and technology
> • Material produced to fight child pornography are not evaluated – they
> should be inline with the demand
>
> *My comment*: I would have like to know if initiatives have reduced
> offences, what is the success rate registered in prosecution, ability of the
> law enforcement and judicial system to deal with offences. There was no
> mention of where initiatives had been launched to fight child pornography on
> the financial front.
>
>
> *1530-1700 Workshop 45: Opening to diversity and competition of the DNS
> system*
>
>
>
> There were 3 presentations in this session:
>
>
> - *1st presentation* - alternate DNS system used in library systems
>
>
> - *2nd presentation* - implementation of security in the Handle system
>
>
> - *3rd presentation –* discussed the Net4D
>
>
>
> Net4D- provides the technical solution to the political concern on the
> control of root servers. Net4D networks enable the following:
>
> • Empower the second generation of the web: the semantic web.
>
> • Multi-stakeholder governance of DNS
>
> • Net4D classes should be open and interoperable
>
> DNS 1.0 – was a monopoly of ICANN web 1.0 html with USA parentage and
> English only while DNS 2.0 is open allowing for competition including inter
> alia:
>
> • Net4D semantic web
>
> • Open coherent approach to linguistic diversity
>
> • Allow technological innovation with value added services
>
>
>
> Concern was however raised on the:
>
> • Investment/implementation cost required to implementation of different
> DNS systems depending on the BIND implemented and root servers enabled
>
> • relinquishing of the political control of root servers
>
> • Value to end users
>
> • Awareness and understanding of the issues by different stakeholders
> necessary – delivered in a way that they can understand
>
>
>
> *My comment*: the session was technical – I hope the techies on the
> mailing list can help us understand the governance issues associated with
> the introduction of DNS competition and the impact on developing countries
> :)!
>
>
>
> Kind regards
>
> mwende
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.kictanet.or.ke/pipermail/kictanet/attachments/20081208/ec039207/attachment.htm>