Main room. 2pm
ROB EVANS: Good afternoon, if you could come inside, find a seat, there's plenty of seats.
So welcome to your favourite working group, RIPE NCC services. I am Rob Evans, I am one of the co‑chairs, along with Janos and Stephen who you will be seeing a bit more of during the session. Thanks for Tina who has been doing our stenography and Anastasia who is taking the notes. This is our proposed agenda, so after I finish here, we'll confirm or otherwise maybe the co‑chair selection.
Hans Petter is going to talk about the draft activity plan and the budget for next year. Then we are going to do something a bit different, instead of a series of presentations, we are going to have a panel discussion on AI and the RIPE NCC. Now, be warned, this is Kahoot heavy, so get your phones ready. If you want to start thinking about maybe what opportunities there are to use AI in the RIPE NCC, what risks, what the NCC might not have thought of, just have that in the back of your mind so that when the Kahoot comes up, you can quickly bash them in and they will appear as a word cloud for the panel to respond to.
There are two local participants, so Anthony and Eleanor are going to be here, and Gabor and Robert will be coming in via Meetecho from Amsterdam.
Then at the end of the session, we'll have Hans Petter back talking about the RIPE NCC strategy from 2027 to 2031, and if there's time, some AOB or open mic. So again you will get your thinking hats on if there's something you want to bring up there. There were no comments when we sent the minutes to RIPE 90 out to the list, so unless there are any objections, we'll declare those minutes approved and final.
Good. I don't know what I would do if anyone did stand up. Right, I will now hand over to Janos to do the co‑chair selection.
JANOS ZSAKO: Hello everybody. As you know we have a team of three co‑chairs at NCC Services Working Group and the term of Rob is about to expire. We publish this on the mailing list, we asked for volunteers to step up and continue as co‑chairs in time, so two weeks before the meeting. Unfortunately we didn't have too much interest. We sent a reminder as well, which didn't bring much interest either, but fortunately Rob has volunteered to continue as a co‑chair, and there was support for him. So I think we can now select him officially if there are no objections? If there are, just stand up and say so, but I think it's quite obvious because he did a very good job so far, and I personally am happy that he is willing to continue.
OK. So I think you are ‑‑ (APPLAUSE.) reselected. I hand it over to you because this is ‑‑
ROB EVANS: Back again. The fact I am here is probably a bit of a bug, I would like to encourage more people to have this fame and power and glory so when it come to the next chair selection procedure, please have a word with us and please consider standing yourself to maybe do things differently or have some ideas to move the working group forward. But anyway, what we'll do now is we'll plough on with the programme and so over to Hans Petter.
HANS PETTER HOLEN: Thank you, Rob. So warming up following up on Rob's encouragement to volunteer for positions here. 30 years ago was my first RIPE meeting and I was volunteered to do the minutes of the database working group at my first meeting, that was before we had the staff doing that for all the working groups. Like 25 years ago, I was Address Policy working group chair, back in the days we just had one, so I envy you being able to split the job between three.
And then later ten years ago, I was RIPE chair, the role that Mirjam has now, and now I am now see, and I have been for five years, the CEO of RIPE NCC. And I have the pleasure of presenting the draft activity plan and budget for 2026 for you. So, volunteering is what brings you forward in this community, right, it's all built on you and your efforts.
We know entering the final of the 2022 to 2026 strategy, so we had a five year strategy plan and the focus this year is kind of really simple, it's completing the tasks that we set out to do.
There may be some things that we haven't started to do, but I think most of what we set out to do, we are roughly there or will be there at the end of next year.
We committed to two years ago when we increased the membership fee that that would be sufficient for 25 and 26, so we committed to a break even budget, so all the work will be delivered within those limits.
Some initiatives extend beyond next year as we lay the groundwork for larger project that goes into the new strategic period so it's a bit of the strategy process that I will talk about later that we will all already lay the groundwork for next year.
One of these things is modernising our infrastructure and if you read in the activity plan, you will see there some very high‑level wording at the beginning about being resilient beyond national borders so that doesn't mean moving from the Netherlands but that means being not only being dependent on Netherlands for data centres and we need to be, you know, not rely on a single vendor for important things. So I think there has happened a lot around us the last couple of years that we are now taking into account and thinking carefully about for the next period, how can we build a really resilient foundation for what we are doing.
Budget. The expecting number of 41.1 million next year, that's about the same as this year and we are budgeting to spend 41.1 million. Now my CFO wanted a positive budget, he added a decimal to say, make sure we have a slight positive result here. Normally as you will see from his presentation later on, we tend to spend a bit less than budget, so hopefully it's even more positive the result.
This figure is based on an estimate of 20,000 contributing local entrant registries, which aligns roughly with the number of members, there is a bit more LIRs than members, but that difference gets less and less over time. But it's important to notice that while the number of LIRs have been declining, we are pretty stable in the number of members.
Our goal is to keep our expenses roughly on the same levels with some adjustments for inflation, as we focus on completing commitments in the strategic cycle. Expense for LIR is around to be around 2,056 euro, which is around a 3% increase, which is what you will find in the cost increased, in our industry in general.
Our FTE count will increase a bit to around 2%, and here also we are slightly below this level today, but the RIPE positions that are unfilled and positions that are needed, and I will come back to that as a result of compliance work later.
You can see a very nice graphical break down of our income in our activity plan. The vast majority of income comes from existing member service fees, for 36 million. Then there is 3 million and a bit bit for sign up fees for independent resources and so on. And then there are less and less there. And when you look at the income from RIPE meetings, it's kind of like 300 K, it's way less than the cost here. So, we are giving a lot back to the community of what we are giving here, you can see that in our external engagement and communities, 9.8 million, now, that's also not only the community activities as this meeting but all communications, the web services, the public policy, the trainings and so on.
The registry, 5.6 million, but then if you look into information services, all the systems to run the registry are in there, you can't really say we don't want IT because the IT platform, the infrastructure is there an also the measurement services. Organisational sustainability, you could call that the organisational overhead, that's the legal cost to of compliance and security and risk. It's finance and it's HR and it's the facilities so it's something that's always needed in an organisation.
And one thing to be aware for the RIPE NCC is that we are amazing diverse organisation with 46 nationalities, so not very home genius branch and just an office in Amsterdam, it's above average needed to keep us happy.
So, what do we want to do next year, we want to prioritise registry data accuracy and compliance by expanding automation and deploying technical solutions to manage the growing workload. We kind of really focusing on how can we improve the processes and then the next steps once the processes are been stream lined, how can we automate them.
And you can see some of that going on with user testing and self service and so on, if you are interested in this, please go to the stand outside where you will find Antonella and some of her colleagues that can, you know, take you through that journey.
Technical department to strengthen service resiliency, RIPE NCC is kind of like 30 years old, there's code in there that needs refactoring. If you are developing code you know that happens over time. There are libraries doing an excellent job ten years ago, that may need upgrading, there are OpenSource components that's become commercial, that needs rethinking, do we need to pay for licences or change them and there is also on the platform level as you will know we have had a discussion the last couple of years on cloud or not cloud and the pendulum is now going strongly back to not cloud. And we don't really have that much in the cloud now, we have some logging systems, we have the single sign on, we have some measurement services, so it's really not that everybody is not there but we need top rethink our architecture to be resilient and make sure we don't have inter dependencies between... so there is a lot that needs to go into the sign of that, we will not be able to implement everything next year but it's the start of the journey.
Outreach effort is going to be continuingly important. The fellowship programme has been revamped and the intention is not only to bring new people in but also welcome them and make them stay, that's going to be interesting to see how this develops. We have now courses and new exams. Continue ongoing monitoring of legislation to minimise political risks, while sustaining strong efforts in compliance and transparency and you can read all about that on the trust portals. And to be quite honest, EU does not make it easy for us. I mean they have good intentions in making sure that society who depends on the internet remains stable place, so I fully understand their motivation but it's a lot. And I guess you feel that as well because it's some of the regulations don't hit us directly, but we are in your supply chain, you come to us to ask about this but the thing also is that the RIPE NCC is not only a European entity, we are located in the Netherlands for sure but we also serve the Middle East and central Asia so we don't only answer to the EU authorities.
And then yeah, there is an increasing trend of cyber crime and we need to be ahead of that curve and operate and defend resilient infrastructure and then of course as I mentioned, the strategy and preparing for that and preparing for the next generation charging scheme, which Simone will talk later about in the GM.
The budget you can see the high‑level here, the registry is roughly flat, it's a 65 K increase, 1%, information services that's 600 K increase, 5%. And you see the same on organisational sustainability, and I will come more into why, why the external engagement and community is roughly flat. And one of the reasons for that is that we can be a bit more efficient and there is quite some reserves into arranging events like this. So you are kind of never know what an event like this will cost two years in the future when we sign the sign the contracts, but we seem to be managed well on the budget so there has been room there to handle inflation within the existing budgets.
Main changes by division. So in the registry, I already said, more efficient processes, increased automation to handle the heavy workload, without greater expenditure. If I said that to staff, they kind of like, oh wow, you are asking us to work for you more, well then you can say I ask you to work smarter, but we want to automate more so that it doesn't get ‑‑ we still can have a happy family working on this also.
Information services: Not really that much increase on the staff side, but the LIR portal modernisation is going to be important, implementation of security measures and work on IT infrastructure that I already talked quite a bit about.
External engagement: Budget neutral, decrease of operational budget allowing for more FTEs without extra costs, we are shifting that into one or two more people.
Organisational sustainability: There are quite some changes internally. Office costs is one thing, we now decided to stay on rent increases a bit year by year, although we still have a very affordable or very competitive contract there, and something needs to be done with refurbishing of the office after ten years there, but most of that cost will come in 2027.
And we also are taking some of the money that was budgeted for security which we haven't spent to putting compliance in increasing the legal team and also building a project management office with two project managers in the budget to align better across the organisation.
The registry as I said, roughly flat, focus on efficiency, and not really increasing the cost. Some of the trick behind that is significant saving on third party licences this year, so that actually allowed for some flexibility on spending on temps and other resources to take some of the peaks.
Yeah, and here you can see the break down for the different teams in the Registration Services.
Yeah. Improving accuracy of the registration for around 20,000 end users and 20,000 members. So I talked a bit about that at the last two meetings on the accuracy and how we continuously monitoring this towards third party service that links to business registries and we now are extending that to the end users to PI holders, not all examiners are all the members but the provider independent resource holders.
Implementation, automation and self service where possible, that comes with not only implementing new stuff but also refactoring and modernisation of code, so it's not as easy as I would like it to be.
Increase the visibility of the policy development process and RIPE policies, and Angela is doing an excellent job there, we would always like to have more people involved in that, and that's also going to be a focus area.
Improvement of the billing process: Really, I am really happy and thankful that 60% kind of pays the invoice on the due date, but I am also puzzled why the remaining 40% needs reminder in order to pay their invoice. So, that's something that we always are always curious about, is there something with the communication, with the layout, with the, whatever we can do, in order to please pay on the due date, right. If you don't pay your Netflix, then it stops working. We do that after several reminders, but you know, sometimes I wonder why does it take so long, anyway.
Continuing improvement: Yeah, explore new ways to enhance online chat and service. The chat has been really a success, as you heard us say, but then how can we take this further to the next level.
And then we do an assisted registry check, which is really a touch point in personally or by email, phone, currently once every five years with all of the members to make sure that you stay up to date with actually doing the job of keeping your registry accuracy and so on.
And we continue to do that but we are moving bits and bits of that also into self service through the next year.
Information Services: That's 12.8 million euro, that's quite a lot, but it also contains quite a lot of services. And one of the things that is on top of everybody's minds there, or if you ask them, top of their list of frustrations is our focus into compliance, right. Because it's not only necessary to date to run a secure network, a secure system, you also have to document it for all the governments and so on.
Strengthening security: We are implementing ISO 27001 across the organisation. We already have SOC 2, type one last year and now in the finishing stages of a type two this year for the RPKI service. The NRO has an RPKI programme so we are, working closely with other RIRs to implement that. And the new shiny thing that comes out this year is the AS path authentication thing, so if you are interested in that, you should have been in the Routing Working Group or talk to our colleagues, that's working on that, I think Tim is around still, so...
I have mentioned modernising IT operations a few times, reducing technical debt, completing the transition from the old on prem register to an infrastructure as a service provider within the EU, rather than us buying new service, we are buying this as a service, but it's still on hardware where we do the operating system and software and it's within EU.
And then prepare our premises to support selected work loads currently running in the cloud, already talked about the single sign on service that we are planning to move back but then some logging services and some of the Atlas controllers is also on that list.
And explore the use of machine learning and AI to enhance data quality in RIPE Atlas and RIPE state. And if you have questions about that, you can ask it to the panel that's immediately after.
External engagement and community: The very short version is the same as we did last year, right, we have the RIPE meetings, we have the three regional meetings, we have the training courses and the government round tables and so on, it seems to work pretty well, so why make big changes to that?
The budget you can see is same same, some small changes between the teams. The focus point is to improve consistency across all documents by aligning terminology and style. Hold consultations on topics such as the charging scheme. Redesign the fellowship programme, we have already talked about that. Expand the language centre, and I think today we launched French and Ukranian on the language centres, so we now have more languages there. Similar number of training courses and webinars, and maintaining engagement with governments, this year has been a heavy year on that because of the IGF being very early in the year and the WSIS+20 process, and next year, will be the follow up on that and next year also ITU has their clinical conference that we will engage in to be present and visible there.
Organisational sustainability. Strong compliance effort of course hits HR, finance, security and risk and compliance that drives this whole effort. They are so frustrated with the rest of us, right, we haven't seen the light quite yet but we are getting there.
And then we see to off‑load some of our subject matter experts, they shouldn't have to run the project, we are now building up a project management so we get professionalised project management across as well.
You can see here a bit the shifts in the cost facilities increasing a bit as I mentioned. HR also increases, legal increases, that's another FTE coming in. Finance also increasing. We are taking that out of some of the money that was in the information security an risk and compliance because we haven't spent the money so we could sort of reallocate it and then the office of the managing director, that's where we are putting the project management office so that's about it. And then the RIPE chair budget is also increasing a bit because going forward, the RIPE Vice Chair is also now remunerated as a 20% position.
I think I mentioned all of these things now. I already talked about new legislation and ISO 27001 and I have a presentation about the strategic cycle afterwards. And that was it and I have four minutes left for questions.
(APPLAUSE.)
SPEAKER: Gert Doering. Thanks for that in and in general I think this is a good way forward. Deteriorating the technical depth is ‑‑ addressing the technical depth is a burden but needs to be done and costs money, but that is actually something I wanted to bring up here in the activity plan, because we do seem to have the standing mandate to do IPv6 in everything you do. And that seems to have been lost in the fine print in the last year so. There's talk in the hallways about services that are being bought to do things that only have V4 because they were cheaper than the service V6, and I think this is not setting a good example. And when you speak about technical depth, getting rid of dependencies on V4 is something I think should have a point on the list. Also to serve as a light house example to the community, look it can be done, you just have to want it.
HANS PETTER HOLEN: I am happy you bring that up, because I think when I started five years ago, it wasn't clear to everybody internally that it was a policy that everything we do should be V6 capable, that has been written down and it's now clear in all the signing and purchasing processes. When we selected the new voting system a couple of years back for the GM, we changed that, of course we had to go for functionality that supports us, and that vendor did not support V6, but we were able to talk to them and they were able to implement V6 in the front‑end, in the CDN they used, it was trivial, but nobody had asked for it and we got that in place, so it has focus.
Now, when it looks to for instance on the other edge secured a vulnerability management systems, we have talked to all of the big vendors and all of them are giving us a cold shoulder saying nobody wants V6 strength. So, should we not have security vulnerability management? Should we use some OpenSource tool that only satisfies 65% of the requirements? Or should we go with something that gives us the functionality? That's the choices that we have to do and for some things we simply need a tool, right. It's not that I like it, unfortunately my purchasing power is not particularly big when I go to the big vendors, if we could get together as a community and see what's your top four, five systems that you have tried to get V6 on and didn't, how can we together affect those vendors, I think that's maybe a path to do, but then I need help from the community.
SPEAKER: Yes, thanks for that.
HANS PETTER HOLEN: I hope the corridor talks on systems, if somebody would tell me what those talks are so I could figure out if they are real or just hearsay, we don't have to do that on stage.
SPEAKER: In particular I didn't want to go into detail, I just wanted to make sure it's in the minutes that at least one person from the community has brought this up again. So thank you for listening, and also thank you for actually addressing this in the last five years, that was something that wasn't really clear to me and I am... yeah, thank you.
ROB EVANS: Interesting and useful, any other questions? We have some time?
HANS PETTER HOLEN: Only got one question? I will lose the competition this time.
ROB EVANS: Thank you back on stage later, so thank you Hans Petter.
(APPLAUSE.) I will hand over to Janos to moderate the panel debate.
JANOS ZSAKO: Thank you. We will have a 45 minute session of a panel where we have two participants on stage and two remote, and we will try to focus first on a question which we will ask ‑‑ actually we will ask five questions on the Kahoot, so this is why we asked you to prepare yourself.
The first question will be whether you think AI is the future. Then we will ask about possibilities for the NCC to use AI. Threats for using AI in the NCC. Any other thoughts which we didn't think about perhaps. And finally, we will repeat the first question, whether you changed your mind.
And I think we will ask Ulka to help with the Kahoot. I would like to present the participants, Eleonora Pedridou who is representing the security part of the NCC. Anthony Gollan, who is here presenting communications. And remotely, yeah, we have Gabor de Wit, on the right side. And Robert Kisteleki. Sorry, Gabor de Wit is from the registration. And obviously you probably all know Robert presenting the science team. I think I will sit down and probably we should ask the first question, and then I will ask the panelists to present themselves and also to say a couple of words about their thoughts. About AI, I mean!.
Yes, so you see the Kahoot QR code, and if you want to log in without a QR code, you have the pin.
And once you are in, we will ask you to say yes or no. It's very easy, we think. We will wait for a while so that we won't put on screen only the final results so that you are not influenced by your colleagues.
I think we see the same thing, yes, over there. Still people joining, that's fine.
Yes, so I think this is a very good initiative actually from the NCC to make such a panel, because the idea is that we would like to have input from the community, what the NCC, what way the NCC should choose, because currently there are no definite paths they want to go on. But based on your advice probably we can choose the best way, that's the idea.
I don't know how long we will wait for the results. So you can see now, yes. Sorry, this is already the questions which will appear on the Kahoot in the future, physically.
But we would like to see the results of the first poll, yes or no. Who thinks that AI is the future, and who thinks the opposite? Well, I think the majority agrees with this statement that AI is the future. I think personally that AI is inevitable, the question is how deeply we want to get involved in AI. Obviously it's not clear what AI means in the first place, but anyway... so I think we have the consensus that the community thinks we should go ahead with using AI at the RIPE NCC. So, I think then we can have a short presentation.
ROB EVANS: That's not the people that has replied, the time has just expired so there is the result.
JANOS ZSAKO: Ah! That's good! I think we will have to convince you that it is not that bad idea! Of course I think it should be thought over deeply, but I don't know, is it still going on? Will these numbers change? OK, so these are the final results. Well, we have a slight majority of those who think we should be careful about AI. And ‑‑ well perhaps I think it is good to hear the representatives, the panelists, about how they see their area of expertise, and how they think they could use AI, or how they do already use AI, perhaps. And after that, we will come back to what the community thinks we should use AI for, even though many don't like it.
So I will probably ask Eleonora Pedridou to start. This is the security aspect of course of the AI. So please, go ahead.
ELEONORA PEDRIDOU: Thank you. I love actually seeing the very diverse opinions in the room because that represents a little bit my function. Because my daily life as an assistant of RIPE NCC means balancing this conflicting forces. There is opportunities and there is innovation, but with every new type of technology, you introduce different types of risk that we need to understand and manage. And specifically for the security landscape, AI has been transformational, because we see it also from the offensive security, how people can weaponise against it, but at the same time we also see opportunities. So for us it's important to understand what's coming our way, how can we utilise it and how can we manage the risks that come with it.
It's interesting in the last month we see ‑‑ well actually on the offensive side, so the threat actors making a lot more use of AI, so for us it's important to understand the threats, what does this mean for us? Can a threat actor try to compromise us by sending far more convincing phishing email to our employees? Or deep fake the face of Hans Petter, to put him on the screen, but then we decided against putting a deep fake of him on the screen. And what does this mean when where trying to protect the organisation? Think that AI can help the threat actors to automate a lot more, discover vulnerabilities quickly and try to exploit them at a very fast speed.
Think of the times that perhaps the threat actor didn't have the skill set, but now with the support of AI they can develop malware very quickly, or produce a very realistic fake identity that can bypass, for example, our identity checks. So these are all elements we are thinking and taking into account when we are going to defend the organisation in X years from now, what do we need to defend against?
But at the same time it gives us also opportunities, right. We can also improve our defences and be much faster or much smarter how we detect when something is going on, previously needing a lot of manual work and helps us get insight from there type of data. It can be a tool that also can be used by our security analysts to look at attack paths that wouldn't have previously existed. Having said that, also I am aware that the more you embed AI in the business operations, there are risks that we need to take into account how are we going to govern AI responsibly within the organisation?
When it comes to ethical risks, privacy, security aspects of everything that either we develop internally or we purchase externally, for us it's important to understand if we are going to use AI in the future, what kind of decisions we'll allow it to make. What kind of data can we use or not, so that we can design this with trust in mind. So, I am very curious about our input today, I am looking forward to that.
JANOS ZSAKO: Thank you very much. Perhaps Anthony will add his thoughts.
ANTONY GOLLAN: Yes, so the COMS team has been playing around with the paid version of ChatGPT for about a year or so and this is opted out of training data and so on.
And I think like in some cases it really impresses us with what it can do and it's really useful. In other cases it's like everything is a bit ad hoc and we are really struggling to see how you really integrate it in a day to day sort of thing.
And then so when thinking about like how it fits within our work, one of the key words for me is like slop and I think a lot of us have this kind of reaction to the stuff. So it's something we need to be quite aware of, I think the fastest way to kill our audience is just flood it with this low effort sort of like horrible stuff that I think we are all sort of having the same reaction to.
But then also like sort of thinking about how this is sort of being used in the wider community, I keep thinking about like the fact that there's sort of no marginal cost with using it in some cases, allows people to do sort of really, quite marginal strategies so I have already seen I think one consultation that was sort of flooded by LRM generated responses all arguing in the same direction. There's one sort of publication out there that's sort of like churning out anti RIR articles very fast clearly using an LRM, possibly the same person, I am not really sure but then also even within like RIPE Labs we are getting articles submitted that it looks like someone basically typed a couple of like errant thoughts into an LRM and then just sent us in the output, so like do we publish this. It's quite sort of a funny thing. When you think about like a community like RIPE that runs on open discussion, consultations, mailing lists, debate and so on, it seems like the stuff could really generate some really novel problems for us. And it could really just take a handful of people to give us all a big headache.
But then, there is a brighter side as well and I know it's going to trigger a lot of people, it could really help with understanding a lot of the really complex stuff, the paid versions are very different to the free version and I found that's really been pretty impressive in a way it can some up of some complex information.
JANOS ZSAKO: Thank you, interesting thoughts of course and we like to share them with Gabor from the legislation side of the ‑‑
GABOR DE WIT: I definitely see a potential of AI within the registry, but I think for me the key focus here is on assistance, it's not necessarily as a replacement of any of my teams as we are seeing in the industry at the moment like Vodafone, like Booking.com who are fully replacing their self service teams, the full funded capability by AI bots. We are not there yet and I don't think we are going to be there in the next two years.
I see three main reasons to believe this. One, it's also addressed by Hans Petter in a previous presentation. I think there is still a lot of automation potential that we are currently not even utilising, in that sense I think we should learn how to walk before we start running, all of the automation capabilities we have before looking into more advanced technologies like AI. And looking at the audience and the feedback we are getting, the human vector in our services I think is highly appreciate, we have an extremely high MPS and CES... I come from a telecom background and I am still amazed every day when I look at the wrong MPS, for example. And this is also where you see if you look at Vodafone, Booking.com, they are all going back to rehiring humans because employees, not necessarily employees but also the customers, they are really missing that human touch and are also missing the ability of a human to do the proper fraud detection as an example. So it's quite interesting to see. And it is also backed by a recent report that I've read, all of the companies and all of the industries have been shouting the loudest that they will move their entire front office to AI, the expectation is that 50% of those companies will actually go back on that promise by 2027 and move back into the human space again.
So that's two of them.
And the third one for me is I think if you look at AI and the sensitivity of some of the data leaks we have seen lately; for me the human should always be in the loop, so there should be always be somebody next to the AI, especially when we deal with sensitive topics at the core of the internet where we are operating. A bias in any model would have global consequences and we should present it at all times.
So, in conclusion, I definitely see opportunities, let's call it AI augmented work‑force, but I don't expect us to move to full AI and start replacing our employees by AI bots in the near future.
JANOS ZSAKO: Thank you. Yes I think this thought about the human in the loop is very important, I think we will come back to that, but I ask Robert to tell us his ideas about how they could use AI.
ROBERT KISTELEKI: Yes. Thank you. Many of you know I am primarily responsible for RIPE Atlas in general, but I have been involved in our measurement systems for 20 years now, so with that background I am going to cover the measurement systems. And they are ‑‑ the picture might be different.
I could express the brave opinion that the internet measurement space could be safe for AI trials, as we call them. So, in fact Hans Petter said that earlier that we have already been thinking about doing some machine learning and experiments in this space. So, most of our measurement systems have ongoing data flow describing some kind of internet behaviour. So for example, there's data playing with Atlas and control playing with RIS. And whenever any of that happens on internet, there's usually a signal there, but it's hard to find by just eye bawling the data, maybe because of the pure volume of data that we see.
But it's trivial to see and pinpoint if you know that there is a signal. So I think there is a nice opportunity to use machine learning in this space.
And entirely different perspective is using AI to interact with systems that we have. As it is with... today, it's likely possible that you can just ask and your agent, please measure this thing of mine and tell me if it works fine. Now that's a bold statement but L and Ms go a long way these days, some of us are experimenting with MCPs and we are considering trying it out on real systems to see if that can work. So that's mostly my interest in the near future.
JANOS ZSAKO: Thank you very much. We have had so far ‑‑ we have heard so far what initiatives there are already within the NCC. I think we can have the question on Kahoot about how you see the opportunities of AI in the NCC, and then I will ask again the participants to react to what you are seeing. We would like you to reply possibly with a single word so that it can be short and we can read it.
Thank you. We will wait for a couple of seconds and I hope this time I will not think that we have finished the question and the answers!
Yes, as we have heard, we have plenty of opportunities, I am sure you were aware of most of them and you have hopefully a lot of other ideas as well. Yeah. This is yeah, we have a big, big automation, yeah. It's clear and efficiency data mining, data mining is probably for Robert, but I don't know, let's reverse then, the answers, I mean the order of the answers, Robert?
ROBERT KISTELEKI: OK, there's a lot of good inspiration here. The automation, data mining, I like them, there's an opportunity to interact with measurement systems, it's about a safe space. But you know, there are risks of course everywhere, so I think it should be possible, provided we can teach LLMs, so to speak, translate some of those questions that network operators have to they don't have the learn at APIs and interactions, imagine that you can ask a question to our systems, say, can you please confirm that traffic can flow from this AS to this AS at this point. Or compare the responses about this thing oncoming from Romania and give me a report. Or even stop monitoring my prefix and let me know if it has a problem. So I find those as opportunities and here the real essence is to use AI machine learning as an assistance, as Gabor said, not replacing the human but don't make me learn this thing, do what you should be doing to help me. As long as it doesn't come with the mandate that make sure this will work in the future so the mandate is more like exploring what's possible here, then it could be a safe place.
JANOS ZSAKO: Thank you, we are a bit short of time I am afraid, we also have a lot of replies and answers from the audience which are quite small and difficult to read even. But hopefully you can react to some of them, Gabor, perhaps you want to continue? Thank you.
GABOR DE WIT: Yeah, I think I can keep it short, I think if I look at what's on the screen at the moment, it's in line with the thinking that we have as well right, it ranges from don't to more or less simple tasks that can be automated and that's also the line of thinking that we have at the moment so like I said, I am not in the game here to greatly reduce my staff, I think a lot of things mentioned here are definitely part of that, so around brain game as an example, but I want to present as much as possible like some of the examples before I think it was IBM also the they fired a lot of staff and then came to the point they needed to rehire everybody, they didn't understand their core processes any more and they had to get their people back, who understood what the LLM was doing. And that's what I sigh here on the screen as well.
The interesting one I see is smart policy search, that is one, and also refers back to what Antony was saying, towards the beginning; BGP is part of the registry, it will be interesting to see how we handle the BGP process in general knowing AI can generate these things for us and have replace and audits done on policies by AI essentially, so I think it's also something that we'll see in the threats maybe a little bit later but I like what I see here, it's already aligned with the line of thinking that we have from the registry perspective.
JANOS ZSAKO: Thank you very much. And Antony, if you want to continue?
ANTONY GOLLAN: Yes, I mean there was various points earlier on when I was sort of testing it out and it would hallucinate all these references and given correct information. We also have a lot of incoming queries from people from often COMS, legal, maybe policy officer, we have got to work on a formal explanation of policy or why things are a certain way and I really noticed later model with ability to sort of select, spend more time thinking or processing this question, what I get back from one of those questions now pretty much matches what we would send that person. And so I just think like externally I think maybe the ability to sort of say, describe to me with references how the RIPE NCC's policy and procedures have developed from V4 run out to today in light of the transfer market and various things. I ran that earlier and that's something I have worked really closely on since I started working with the NCC, I know that point inside out and I don't think it missed anything out there, at first glance I thought it made a few mistakes and I realised I was the one mistaken and I had misremembered a few things so I mean I don't really know to what extent this kind of like defuses everybody is on the same model that has the same ability, but I think the ability to sort of ask really pointed questions and get quite specific answers is going to be really impactful.
JANOS ZSAKO: Thank you. I think there are plenty of interesting thoughts for you, including anomaly detection and so on. Please react to some of them perhaps, thank you.
ELEONORA PEDRIDOU: I love to see some of my brain dump in this work out, definitely some words triggering like risk analysis, anomaly detection or even automation of checks. Because in an ideal world, it would be great if the moment that an AI system can detect an anomaly in our systems, we can have automation running for example directly going quarantining a system under attack to protect the organisation, so this is also the future that we would be striving for.
On the other side I think because for example a little risk analysis in an organisation to understand their emerging threats, how do we prepare as an organisation and we do that holistically from the enterprise level but also for new systems for example that are going to go introduction, would be great to have a tool for every production team that thinks I have a cool idea, I would like to put something completely different, new textile, new technology, to think what about kind of risks am I introducing by doing that. So train a little bit there, the rest of the organisation from that perspective.
And I want to touch and the last thing, because I think the automation of text is perhaps one of the things that can also help holistically, one of the biggest pain paints that most of the employees come to me and say is compliance, right, this is a significant overhead, it's a financial overhead. Right. Going through an audit takes a significant amount of effort from the organisation. And as for having for example yeah, give directly feedback, is it the right piece of evidence for this type of control, perhaps deliver something different to comply, it's also a thinking process can help us in the future, automate to an extent this kind of work for efficiency gains.
JANOS ZSAKO: Thank you very much. We would like to have some feedback from the audience but I think it is useful to have it together for the other, after the other two questions as well. Especially as we are a bit short of time, so perhaps if we could have the second question asked to the audience, namely what are the threats of using AI.
Yes, so as you are answering these questions, I would like to remind you that we could easily and we would like to ask you to continue the discussion on the mailing list because I am sure we will not be able to cover all the aspects on the firsthand, all the questions or ideas that you put forward so this will be a good opportunity to exchange some ideas on the mailing list as well. Now we have some replies.
Who wants to go first. Perhaps Antony this time? Is it fine with you?
ANTONY GOLLAN: Sure. Not sure which one to really ‑‑ I think the dehumanisation thing is quite serious I think. You can see like even I don't know I have had a few times where someone sent me some horrible AI thing and I am like is this even worse, you haven't bothered to think about this, should I bother to think about it? I think they are just, it turns everything off and just ends everything. I think you really want to have a sense that you are talking to other people. Hallucinations, all that sort of stuff is a really big risk so I mean my previous comments were all quite positive but there's a really huge risks here and it's easy to sort of get lulled into trusting the model after you have had a few good answers and then maybe something quite crazy slips upped the radar. Yeah. These are a few things.
JANOS ZSAKO: Yes, perhaps if you want to continue, Eleonora? I think there are a lot of thoughts for you. So.
ELEONORA PEDRIDOU: For sure. I think the ‑‑ what I am missing also is the governing AI responsibly in the organisation, whether it's something we built ourselves or whether that's something we would purchase throughout the price contract, the key fundamental elements that we will need to consider. In order to protect the security of the organisation and also what we produce as output. And so thinking what will be the whole AI governance model to protect our data. Right. Which to come extent is your data, right, that you entrust us with so make sure whatever is being designed is designed with security in mind, privacy in mind, and that there is indeed a human in the loop in the end. I also want to touch a little bit on the bias aspect. Because of course the moment that you start utilising AI for actual services, you need to think also about the ethical aspects of what you are doing, to make sure that the output will, to the extent possible be maintained by a human to make sure you are giving fair treatment when some of the responses of the humans will depend on AI as a tool.
So if we are going to move into this space of AI, we need to do that with respect regulations and design systems that are deployed that go through the proper security assessments and designed with security controls in mind.
JANOS ZSAKO: Thank you. Thank you. Gabor, perhaps what you see here as big risks for the registration?
GABOR DE WIT: One of the big risks for me is so we are, since we have humans for me, dealing with the tickets coming in, the thing that you know I was mentioning before around smarter atax on our people, that's something that's definitely helping. And the interesting thing is that hallucination here is also mentioned as a threat, but actually the sometimes also saving, so we have active cases in which we have seen that evidence that was produced we could just type it into let's say the free versions of AI chat bot and we see the replies that were sent to our employees. So in those cases we were saved by the fact they were hallucinating. It presents an interesting case, around policy development, right. So we can feed the policies since they are OpenSource anyway, if you start feeding those two LLMs, you see it interprets the policies differently. And I think that's the thing that we need to be mindful of, that the things that we are getting at part of audits, as part of let's say a proof that is being sent to us is likely highly to be produced by an AI, as an example, it's something that we haven't thought about before, so we actually need anti AI mechanisms to be able to validate that the things that we are getting from proof to answers that they are actually coming from an actual human and that they are actually documentation of this, that's been produced.
And coming back to the previous point, I think the human element in all of this remains key for us and it's something that an AI would not be able to offer at this stage in time.
JANOS ZSAKO: Thank you. Robert? What do you see as that?
ROBERT KISTELEKI: Just continuing on that Gabor said; also we have to keep in mind that we shouldn't depend, I think those words, some of those words, echo this. We shouldn't depend on the AI being available, even if we are actually using it, because that ‑‑ the unavailability of AI would cripple our business processes, that would be a problem, so we have to make sure that we can fulfil our function even if it's not there, while building on it helping us, that would be kind of an idea situation.
Also picking up on the hallucination, I would hate to work with an AI that I could ask to give me a hundred probes from Albania when there are no hundreds probes in Albania and even giving results would be bad, we have to see if that's happening in our neck of the woods.
JANOS ZSAKO: Thank you. And I think we should ask the audience to tell us what we didn't think about yet, what we didn't talk about and then I think we can have a short queue at the microphone about what the community thinks we should continue talking about a bit here. It's very difficult to react to to all the ideas raised because of course all of them would require longer time for a proper response and I am grateful to the panelists that they tried to react in a short way and due to time constraints, I think we have to react only briefly.
OK, yes, I think we have the answers right now. Yeah, AI poetry, yes, I don't think we need to go back to the limits in the database, but yeah, probably... now, I suggest that the panelists tell us what they want to react to, even environmental impact is obviously quite significant, but this is general to the NCC I think. It is much more difficult to ask, given area to take care of it. So yeah, let's go another round, Eleonora, if you want to start please?
ELEONORA PEDRIDOU: I think it's very hard to ignore the big blob of environmental impact, I think this is something we need to take inhouse together with our internal strategy of... because we look at sustainability in the greater context within the organisation, so this is not something I think that can be ignored.
JANOS ZSAKO: Thank you. Antony.
ANTONY GOLLAN: Maybe I see the dependence one there and on the previous one there was something about brain rot, I think that needs a lot of care to avoid. I think there's some funny stuff you see where like you generate some kind of like sloppy idea thing and you have just really typed in a little bit but all of a sudden you suddenly identify with the output a little bit, and then you are quite proud of what you have made and you show it to people and they are all what is this sort of thing you are doing.
And I think if you think about like since my navigation skills haven't improved since Google maps, I am probably even more lost without it so I think that's probably something we really need to be careful of.
JANOS ZSAKO: Thank you. Gabor?
GABOR DE WIT: One I really like is no AI at all. At least for me. It's hard to forget that we see AI as a given and it's not. It's definitely something that we should also consider, is there an issue with us relying on old fashioned brain power, so to say, and I think that's not the case. And also like Eleonora was saying, as an organisation we cannot overlook the environmental part of it all, right, so every time you fly your query, there's a data centre that's powering up and using all this fuel, so definitely also this is something that we need to take into consideration if we also want to be a sustainable organisation.
JANOS ZSAKO: Thank you. Robert?
ROBERT KISTELEKI: Yes. The others mention the environmental impact, of course I think it's important. I would like to highlight the loss of competence, because in my mind, that's one of the risks, once you start to rely too much on AI, it's really difficult to come back from. And I think I Gabor touched on it before, you have to make sure that you can operate in the future even in the worst case of, you know, sorry, some of our processes are not available, so our capacity just dropped to 10% what it used to be. That is something we have to keep in mind.
JANOS ZSAKO: Thank you.
I think if you have some questions which you with like to ask or some things to raise in the audience, we could have one or two questions? And after that we will ask again the first question, whether you have changed your mind. Yeah. Please. State your name and affiliation please.
TOM HILL: Tom Hill, British Telecom. Kahoot kept breaking for me so I was going to put in one thing that we haven't considered yet, I don't think we have. I don't think I heard anyone say this, but liability because it isn't the case about if it makes a mistake, it's when it makes a mistake.
JANOS ZSAKO: Well yeah that's a very good question, I think the answer is the company itself is liability, but yes, I think I will ask the panelists to volunteer to answer this question. If they want. Any of them? Please.
ANTONY GOLLAN: Speaking for the COMS bits; there's a person there and we always try and take responsibility to make sure we check everything internally and stand by whatever goes out, so however it's generate, that wouldn't change for us.
JANOS ZSAKO: Thank you. Are you kind of satisfied with the answer, or... you would like to go even further details.
TOM HILL: You haven't changed my opinion.
JANOS ZSAKO: OK. Thank you. Then the answer is no. Thank you. Perhaps we can, if we don't have further questions at the microphone or comments, then we could have the Kahoot, OK, Brian, I see.
BRIAN NISBET: I was minded to ask if the opening question in Kahoot was written by an AI, because, and with all due respect to whoever did come up with the question, it's a meaningless question with far too many parameters that are needed to give any sort of meaningful answer.
You know. Is AI the future of NCC services? Well, it's probable that commercial software that they buy will end up using it by default.
There was going to be some stuff, is it the future? Not any sort of realistic reasonable future because as the panel said, the humans ‑‑ we interact with the NCC for the staff, not for the UI, the code is important of course it is, the things behind it are vitally important but we interact with the staff, you know. We have seen the, we have all experienced now large companies that have gone too far down that particular brain rot rabbit hole and you are spending time talking to a bot that the computer says no or will make stuff up or whatever else. And while I appreciate the differences between paid versions and not paid versions of models, these are still fundamentally largely based on theft, it's that straightforward. And the world has gone well they are big, I mean Nick Clegg recently saying that but if we had to ask for permission, this would all fall apart, you are like yeah, dude, you stole a whole bunch of stuff, it shouldn't be there, they should have paid vastly more money. The bubble is almost certainly going to burst. What is left after that of the companies that of the companies that are still standing with the software that's there, the advances in code are amazing and are doing things, but what does the future mean, of what services.
So, I am going to sit down again now in a moment and I am going to answer the question you will put up in Kahoot, and it's still a binary that gives you know, I don't, I can't see how it gives you any useful data that point in time.
And that's my concern. This panel has been very interesting, and I really appreciate the responses from the information from the panel, but that question why are we asking it? Does the panel actually believe that response will give the NCC any useful information?
JANOS ZSAKO: Well, thank you very much for your input, it's very valuable. First of all no, it was not generated by AI. But I agree that this is a very difficult question and I think the idea behind was to judge how the community feels in general about this, not exactly what is the future because nobody can predict it, but how people feel that and how deeply they think we should be involved in using AI. I think this was the purpose, but I see Rob coming to the microphone.
ROB EVANS: So the way it was presented to us was like an old school debate where there was starting premises, this house believes that, X, you have the debate and see how many people have changed their mind after the debate. That's the way it was presented.
ELEONORA PEDRIDOU: If I can add on, it might influence how people answered that question; if Kahoot allowed us to ask any type of question and there were no limitations in the number of words that are put on the screen, the question would have been formulated a little bit, to what extent do we integrate AI in the RIPE NCC services, right? Not at all. A little bit to help make it run more efficient. Our services faster. More feature reach, or other way to talking to a chat bot, right. Where is the sentiment in this line?
JANOS ZSAKO: Thank you. Then if we could have your answers to the first and last question.
Let's see has anybody changed their mind, either in favour of or against.
Sorry, I see that we still have some comment from the audience, and I think you can go ahead because we can comment on the result afterwards. Thank you.
SPEAKER: I am Gill from ODH. I think the AI models that we think about right now are the LLMs, mostly, and they are all statistics based models. And when we think of the statistics we think about approximation. And I think most of the services that the RIPE NCC give to the community are not approximations, they are precisely algorithmically valid. So you can use AI where you don't need precision and authority, but wherever you need authority you can't use AI, you can use it to help you build it, but not be authoritative about it.
JANOS ZSAKO: OK, thank you very much. I think the results we see, are they final, so that I can comment on them? Yes. It means clearly that people are more aware of the threats of the AI. And I think what Brian has raised that we want interact with the staff and not with a machine is very clear and I don't think the NCC ever had this idea to replace people by machine. At the same time it is very clear on the security side that many things have to be clarified before introducing anything and to double check and so on. But at the same time a lot of areas are, well it is very useful if AI is used to a certain level in a lot of areas, I think this is kind of a conclusion we can have about this discussion and of course we welcome any further feedback on the mailing list. And I am sorry we left Hans Petter a bit short of time, so I hope he doesn't mind too much.
Thank you. Thank you everybody for coming and the panelists for their participating, thank you very much.
(APPLAUSE.)
HANS PETTER HOLEN: Thanks for that. It's me again. Ten minutes left, OK. I actually run this presentation twice today so I said if they go over time, I will just say that come to the GM and you can watch it there. And the main message from this presentation is really if you just want to leave now, come to the BoF tomorrow, that's when we will have an in‑depth discussion on strategy.
No, since I am here I can't resist reflecting a bit on the AI thing, because looking into strategy, what does this mean for us and I have a couple of thoughts while we were discussing this. When I was kid, I had own my Encyclopedia in my room, I mean I as privileged I had knowledge there in my book shelf. If I needed more, I could go into the living room where they have the six book version, or I could go to the library, right. Today I can hardly answer any question without consulting Google, or whatever. Tomorrow can I do it without consulting AI. But I am an AI sceptic, I am not the one pushing AI, but as all of you who have worked in IT knows from the last ten years, the concept of shadow IT, your employees does not use the tools from the IT department any more, they use whatever self service is out there. And guess what, you know, staff at the RIPE NCC are using what tools they find useful for them. And Eleonora, you know this, but you don't want to know it. It's in use already. How do we turn this into responsible use, because just saying now that is not going to cut it, but it's an interesting discussion and we need to continue to discuss this to use it in a responsible and controlled manner.
Strategy: Four anchors to guide our strategy going forward. Is what is on the table in the documents that ‑‑ we are not done this, this is a sneak peak after internal discussions with staff, with the board, with the management. Guarantee uniqueness and build stress ‑‑ build stress? Build trust. Show uniqueness of internet number resources, I mean that's the whole thing that we offer you guys with the RIR system, your numbers are registered in our database, that guarantees uniqueness, right.
Demonstrate trust to neutrality, transparency, resilience and data. Provide responsible stewardship, contribute to internet security, resilience, scaleability and stability, supporting open standards, promoting best practices and capacity building effort, focusing on technical integrity, IPv6 deployment, that was mentioned here earlier, RPKI, routing security and interconnection. And this is something that we can't do, we can help you to do that, right.
Be a source of authorative data, we have a lot of measurement services, we have data in the registry, we have other sources of data, how do we curate that into neutral data we can use to produce reports and you can use to do your own research and produce reports.
Engage members and renew community: I remember I joined this community and I was one of the young guys. And I still feel like one of the young guys, although I have to realise that the colour of my hair gives me away now, I am getting to the sort of end of my career so we need to make sure that we, not only let new people in but also let new and younger people set the agenda moving forward.
The focus areas then, I mentioned already in the plan for next year but longer term in the next five as well, registry accuracy, automate processes, modernise technology, strengthen fraud detection because unfortunately we are not very aware of the beginning of the 90s, everybody on the internet could be trusted, today internet is used for crime and fraud.
And we want to enhance self service, ensure compliance with global standards and best practices. Internet itself, resilience, scaleability and routing security widely important for Saturday and we need to ensure promotion of IPv6 and operation of K‑root, routing security and PQC.
Data and insight: Maintain control of data and use automation responsibly to improve efficiency, support members and keep providing high quality neutral insights.
Because the vast amount of data that we have there terra bytes, it's you know, very interesting for researchers, although you kind of you want to not ask your LLM, but you want to read or PDF publication on the analysis of that, right, or both.
Community partnership and trust: Renew and diversify participation, uphold openness and inclusivity and build trust through responsible action, training and knowledge sharing.
Good governance: Demonstrate transparent, representative, neutral and resilient governance. Maintain a fit for purpose membership model. But we also need to be agile and we need to have an execution culture, foster a culture of delivery and accountability with a strong follow through being adaptive and goal oriented. So this is what's on the table, these two slides.
The anchors and the focus areas. Got a slide here about the process, as I said, BoF tomorrow. QR code here. There is a survey. Please take out your phones, everybody take out your phones, you have them, and fill in the survey.
And I will use the rest of my time for that.
Are there any questions? (APPLAUSE.)
MICK O'DONOVAN: I made this comment on the chat, and I have built up the courage to say it on the mic. I think it's regretable that two areas that people have called out to wish the NCC invest less time in is training and certification. I think that that's from my opinion. And as a user of both in the past, it has brought me great pleasure to receive both training and certification from the RIPE NCC. I think if we are looking to encourage new membership into the community without the training programme that the RIPE NCC currently does we are probably in a bad place so I would definitely petition that you continue to do that and I greatly appreciate you doing it till now.
Same for the certification. I think it was great to see that there was vendor agnostic training certification programme that was in our community. And as a network operator, I am sure I am not alone in placing a lot of value in a network engineering that has been trained and well versed in things like BGP security from an agnostic point of view and IPv6 security from an agnostic point of view as opposed to vendor led, so I think that that is something that you absolutely should continue to do and I feel saddened that other members are thinking that that's something that we should invest less time in so.
HANS PETTER HOLEN: Thank you very much, I am quite sure my colleagues that work in this area are very happy to hear that from you.
The result of the survey still open, so this is not live updated but we will see that. From what we have heard so far, very little change is what the feedback is and there are more details tomorrow so you know, tomorrow back and have a look in that, you can see the feedback as you mentioned on the training services. Actually it's not as black and white as you said, there is quite some support on that, but that's kind of for tomorrow's more detailed slide. Any other questions or comments?
If you haven't answered, please fill in the survey!
Thank you. (APPLAUSE.)
ROB EVANS: Thanks Hans Petter. That's us. The GM is in this room, Fergal? Fergal? GM is in this room. Yes. Once we have wrapped up, everybody can make their way out, and you have to show your GM badge to get back in again in half an hour. So thanks all. See you in Edinburgh, which should be a short train ride for me. Thank you.
(APPLAUSE.)
Coffee break.