Technical basics everyone should know before calling for regulation – Edu 01 2017: Difference between revisions

[[Programme overview 2017]]
6 June 2017 | 11:30 - 13:00 | Room Tartu, Swissotel, Tallinn, Estonia | [[image:Icons_live_20px.png | video record | link=https://www.youtube.com/watch?v=W7hK2_JL9Z4]]<br />
[[Programme overview 2017| Programme overview '''wiki''']] | [https://www.eurodig.org/index.php?id=707 Programme overview '''EuroDIG web site''']


EDUCATIONAL TRACK (basics) How the Internet works
{{Sessionadvice01}}
== Session teaser ==
A basic technical training on how the Internet works: Understanding the different layers of the Internet, how they interconnect and interact and how they relate to current policy debates will empower participants to actively engage in an informed debate in other EuroDIG workshops.


== Keywords ==
'''Until 1 April 2017.''' They will be used as hash tags for easy searching on the wiki
*Internet layers
*Training
*Internet ecosystem
*Technical basics


== Session description ==  
This is a basic technical training on how the Internet works. It provides the audience with information on the underlying building blocks of the Internet and the functioning of the different Internet layers (ISPs, IP addressing, Domain Name System, naming). There will be pointers to policy issues that can have an impact on the technical operations of the different internet layers (e.g. data protection, privacy, content control, etc.). The audience is invited to ask questions, including on how certain policy decisions can affect the daily use of the Internet.
This is a basic technical training on how the Internet works. It provides the audience with information on the underlying building blocks of the Internet and the functioning of the different Internet layers (ISPs, IP addressing, Domain Name System, naming). There will be pointers to policy issues that can have an impact on the technical operations of the different internet layers (e.g. data protection, privacy, content control, etc.). The audience will have the opportunity to engage in some practical exercises that will help understand how data travels and how layers interact. Participants are invited to ask questions, including on how certain policy decisions can affect the daily use of the Internet.


== Format ==  
'''Until 30 April 2017.''' Please try out new interactive formats. EuroDIG is about dialogue not about statements, presentations and speeches. Workshops should not be organised as a small plenary.
The training on the Internet basics will last approximately 60min including practical exercises, followed by 30min for Q&A and discussions. Pointers to policy issues and legislative developments establish the connection to current debates and can be used to trigger the discussion.


== Further reading ==  
'''Until 30 April 2017.''' Links to relevant websites, declarations, books, documents. Please note we cannot offer web space, so only links to external resources are possible.  
*[http://www.centr.org/education/the-dns.html/ Education section]
Example for an external link: [http://www.eurodig.org/ Main page of EuroDIG]
*[https://youtu.be/vZ007Vi5HIM/ Video on how the Domain Name System (DNS) works]
*[https://www.centr.org/library/library/educational-promotional-material/internet-ecosystem.html/ Internet ecosystem]
We will also produce an info flyer with the basics about the Domain Name System and distribute it on site.


== People ==  
'''Please provide name and institution for all people you list here.'''
'''Focal Point:'''
*'''Focal Point:''' Nina Elzer (CENTR)
*Nina Elzer (CENTR)
Focal Points take over the responsibility and lead of the session organisation. Focal Points are kindly requested to observe [http://www.eurodig.org/get-involved/organising-a-session/#jfmulticontent_c2865-1 EuroDIG's session principles]. Focal Points work in close cooperation with the respective Subject Matter Expert (SME) and the EuroDIG Secretariat.
'''Subject Matter Expert (SME):'''  
*'''Subject Matter Expert (SME):''' Chris Buckridge (RIPE NCC)
*Chris Buckridge (RIPE NCC)
SMEs are responsible for the clustering of submissions into a thematic category they have an expertise in. They define subtopics and identify submissions which fall under this subtopic. The aim is to verify submissions which can be merged in one session. In the course of the session organising process SMEs will serve as a mentor for the respective category by supporting all Focal Points.
'''Key Participants'''  
*'''Key Participants (for workshop) or Panellists (for plenary)'''
*Trainer: Peter Van Roste (CENTR)  
'''Until 15 May 2017.''' Key Participants (workshop) are experts willing to provide their knowledge during a session – not necessarily on stage. Key Participants should contribute to the session planning process and keep statements short and punchy during the session. Panellist (plenary) will be selected and assigned by the org team, ensuring a stakeholder balanced dialogue also considering gender and geographical balance. Panellists should contribute to the session planning process and keep statements short and punchy during the session.
'''Moderator:'''  
Please provide short CV’s of the Key Participants involved in your session at the Wiki or link to another source.
*Peter Van Roste (CENTR)  
*'''Moderator'''
'''Until 15 May 2017.'''
The moderator is the facilitator of the session at the event. Moderators are responsible for including the audience and encouraging a lively interaction among all session attendants. Please make sure the moderator takes a neutral role and can balance between all speakers.
Please provide short CV of the moderator of your session at the Wiki or link to another source.
*'''Remote Moderator'''
'''Until 15 May 2017.'''
The Remote Moderator is in charge of facilitating participation via digital channels such as WebEx and social media (Twitter, Facebook). Remote Moderators monitor and moderate the social media channels and the participants via WebEx and forward questions to the session moderator.
Please contact the [mailto:office@eurodig.org EuroDIG secretariat] if you need help to find a remote moderator.
*'''Organising Team (Org Team)'''
'''As they sign up''' The Org Team is a group of people shaping the session. Org Teams are open and every interested individual can become a member.
*'''Reporter'''
'''Until 15 May 2017.''' The Reporter takes notes during the session and formulates 3 (max. 5) bullet points at the end of each session that:
*are summarised on a slide and  presented to the audience at the end of each session
*relate to the particular session and to European Internet governance policy
*are forward looking and propose goals and activities that can be initiated after EuroDIG (recommendations)
*are in (rough) consensus with the audience
*are to be submitted to the secretariat within 48 hours after the session took place
Please provide short CV of the reporter of your session at the Wiki or link to another source and contact the [mailto:office@eurodig.org EuroDIG secretariat] if you need help to find a reporter.


== Current discussion, conference calls, schedules and minutes ==
'''Remote Moderator'''
See the [[{{TALKPAGENAME}} | discussion]] tab on the upper left side of this page. Please use this page to publish:
*dates for virtual meetings or coordination calls
*short summary of calls or email exchange
Please be as open and transparent as possible in order to allow others to get involved and contact you. Use the wiki not only as the place to publish results but also to summarize the discussion process.


== Contact ==
'''Organising Team (Org Team)'''
Get in contact with the Org Team by sending an [mailto:edu1@eurodig.org email].
*Nina Elzer (CENTR)
*Peter Van Roste (CENTR)
*Raphael Beauregard-Lacroix
 
'''Reporter:'''
*Nina Elzer (CENTR)


== Video record ==
https://www.youtube.com/watch?v=W7hK2_JL9Z4
 
== Messages == 
45 people physically attended the training workshop. They learned:
* That it is important to have at least a basic understanding of how the internet works (the different layers, actors, processes, etc.) before you start calling for regulation that tries to fix something and risks breaking the internet.
* That the internet is not a cloud but very tangible, transmitting data packets using infrastructure and hardware, such as modems, routers, fibre optic cables, undersea cables, etc.
* That the internet is made of carrots, i.e. incentives and voluntary agreements (standards and protocols) that people choose to agree to on a voluntary basis. The more people agree to it, the larger the user base that you can communicate with, do business with, etc.
* That the internet is a network of networks that started with 4 connected computer systems and grew to tens of billions of connected devices.
* That these devices can be identified via their IP address, which then connect to each other.
* That IP addresses (numbers) are translated into names (using the domain name system) so that humans can more easily remember, e.g. a web address.
* How the domain name system links to the root, IANA and ICANN.
* That blocking a domain name or website is an inefficient tool, as it can be easily circumvented and does not make (illegal) content inaccessible (you can type in the IP address instead of the domain name, you can change your DNS resolver, you can use web proxies…).
* That blocking is a procedure, not an outcome.


== Transcript ==
Provided by: Caption First, Inc., P.O. Box 3066, Monument, CO 80132, Phone 800-825-5234, www.captionfirst.com
 
 
''This text is being provided in a realtime format. Communication Access Realtime Translation (CART) or captioning are provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings.''
 
 
>> So, shall we?
 
>> We're going to start in a minute. We're just waiting for the last people to arrive.
>> If anyone needs a table, feel free to use these. No one is sitting there, anyway.
 
>> All right. If everybody has taken a seat, we're happy to start. So welcome to our training on the technical basics everybody should know before calling for regulation. The moderation will be done by myself, I'm Nina. And Peter whom you see here. We're working from CENTR. We'll explain what CENTR is during the course of the presentation.
 
So why are we having this presentation? You will know that in view of the whole terrorist attacks, more people talk about more responsibilities for Internet companies. But we think that it's also important to understand what the different actors in the Internet ecosystem do, what they're responsible for and at which layer of the Internet they are. So this is what we're going to explain a little bit today because sometimes it's also important to know what's happening before you try to fix problems and you might break the Internet.
 
Some practicalities beforehand, you will see some red pointers to certain policy issues. And we are not going to go into the debates about them, but they might help you link to whatever else is discussed at EuroDIG. So we will see some red boxes and they will refer to such issues.
 
When you can ask questions, given the high number of people in the room, and that's excellent news, we would like to ask you to keep your questions to the end. So we have like half an hour for debate in the end so you can just ask everything you want in the end.
 
For later questions, you can drop us an email and just remember that this is a basic training. So obviously some corners were cut.
 
So what is CENTR? CENTR is the association for exchange dialogue and innovation of country code domain registries. So these are the guys that manage and operate the country code of their Top Level Domain. So this is dot EU et cetera.
 
We have 54 members. We also go beyond Europe. We have also in Australia, for instance, 13 observers including people like ICANN and also the European Commission.
 
Together they hold more than 73 million registered domains and this represents more than 50 percent of registered ccTLDs worldwide. Le 0 percent of all members are not-for-profit that means they are at the, they go back in the local community, for instance in education programmes, upon sponsorships of national IGFs and so on.
 
So what we do in terms of services, we help our members benchmark, improve their security and also exchange best practices. So how do we do this?
We have statistics that we provide them with about the market. We have a repository of presentations. And study papers and so on.
 
We organise events for them. So we have six working groups. And this was one of our bigger events where we have six working groups meeting at the same time and discuss issues from security to administration to technical issues and further things and we also have reports that we publish because they are publicly available and free of charge.
 
So what will you learn today? You will learn what the Internet looks like. It is not the cloud. It is pretty much hyped up so you learn about the infrastructure and the hardware. You will learn what IP addresses are, how they connect to each other, how networks work, how the Domain Name System works, why the root is important and links to ICANN. Who does what on the technical layers of the Internet and why all of this matters for Internet Governance that you have here at EuroDIG. So a way that they interconnect is a recent case from October 2016 actually the ministry asked for the ISP Orange to block and redirect a couple of URLs. And what actually happened is that Orange had to do this new release. They had to do is some settings in their DNS system, Domain Name System server. What happened was there was a tiny human little error so that all the requests that went to Google search were actually redirected to the ministry of the interior's own website. They DDoS'd themselves. This is one of the examples when you try to fix something and then you might break other things.
 
So this is a link to fundamental rights, obviously. Because obviously not all these requests were for illegal content. So there's a risk of overblocking and also censoring organise certain information that would have normally been available. Where you are in the ecosystem. You are at EuroDIG. You're with us and you see your division into the more visible upper part and maybe a bit lesser known and invisible technical layers of the lower part. So this is where you are. So we have a lot of multistakeholder fora in this area. ISOC. Users, policy developing organizations like ICANN, ITU. And this is what you'll learn more about today, the technical layer, the infrastructure, those that discuss protocols, numbering community, IP protocols and the Domain Name System people. The multistakeholder fora that you will know of, also the ones today, this is why there's little point to this. So what is the Internet made of?
 
It's made of carrots. Now you might wonder. You might remember the little metaphor of the guy who was driving a cart and he has a mule. In front of the mule he has the carrots. And he wants him to go faster, if it doesn't react to the carrot, he uses the stick. But we don't use sticks but carrots. So there's no sanctions needed because people have an incentive to agree on these things and to find consensus on them because the more people agree to a certain set of rules, the more we can communicate and the more we can interact. So this is important obviously for businesses but also if you want to communicate to more people. So this has a link to standardization.
 
So now how does everything interconnect? So the Internet is a network of networks and it started with four computer systems in 1969 and now we have tens of billions of connected devices.
 
So in order to demonstrate it a little bit better, we take a journey through your networks and how you interconnect with the Internet. So let's start in your office. So in your office, you will have your computer, you log on with a modem. If you have more computers in your office, you will have a router. And this is actually what you see here. So this goes through the elevator shafts, your staircases and so on and it links to the cables that will be in the ground in front of your house. And this is done fiberoptic cable. This is what you should see here. So that's the fiberoptic cables in diameter. That's what they look like.
 
We've added this little slide because it means obviously you not only connect to whatever is on the street and the street then goes to other distribution points in your Vint, in your neighborhood, but also connect cities that happens along railways and motor systems because it is the shortest distance from A to B. Also interconnect continents that happen from undersea. They are huge cables that are bundled and there's protection layer of lots of things that can happen at the shore than the deep sea. At the deep sea you might have an occasional shark that is biting at the cable. But more importantly at the shores there can be accidents with ships or some construction and they cut through cables. That's why they need a big protection layer.
 
And obviously there's also other means than cables to connect you to the Internet with satellite or 4G.
 
So this relates to the spectrum allocation questions, radio frequencies that are used for mobile Internet and TV broadcasting how they are used today and in the future.
 
But obviously also other devices connect to the Internet, so we see some server cables here. And obviously when the server is no longer enough for a company, they have Big Data centres. The ones that you see here, for instance, is the one from Facebook. So I think I read somewhere that in 2010 they had 60,000 servers and now they're not even publishing the numbers anymore. But obviously they store all of these things in data centres. So these are huge facilities that have both computer and telecommunications systems and cooling systems and security systems because this is actually very important part of infrastructure so you need to have it properly secured.
 
This links to the issue of privacy because you will, as a user, you will want your communication to be protected. And that's actually among the responsibilities of the telecommunication providers and the ones that have these data centres. It also links to the debate of the free flow of countries. Because in some countries there might be obligations to have these data centres and/or data stored locally.
 
The next I will hand over to my colleague Peter, already.
 
>> PETER VAN ROSTE: Thank you. So to take you on a journey from your office desk to the router in the office along the elevator shafts, on the streets through the square to where more and more cables connect and cross the ocean and through the air. So we're connecting devices. So you see now, you picture the physical infrastructure. The copper and the fiber and the network. So far there is nothing happening on it. Now we want to make sure that all these devices, whether it's your laptop or your phone, your digital at home, your baby monitor, your alarm system, that everything gets connected. In order to get connected, it is easy to know, these things need to know where to find each other. In order to find each other, they need an address. And technically first thing every device acquires when it gets connected is an IP address, an Internet Protocol address. What are these addresses? They are identifiers, they're sequences of numbers. We'll get a bit later into the details but you have IPv4 and IPv6 addresses. IPv6 are much longer. You'll recognize them right when you see it. Most of you are probably familiar with IPv4. But we'll see a couple of examples later on. I will take a couple of exercises, too.
 
These need to be managed. You cannot give the same address to more than one device because that would lead to confusion so every device needs a unique address. How do we get this organized? There is one organization who is responsible for chopping up enough IPv4 and 6 addresses and handing huge chunks of those address blocks to different regions. It gives them to the RIRs. And the RIRs are the Internet registries, they are the regional registries for the number. In Europe this is RIPE. And RIPE NCC then chops up the large block into still large blocks and hands them out to ISPs or academic institutions or governments or law enforcement or research institutes. IPv4 addresses still pay for them because there's a shortage. IPv6 there were plenty. So economic laws kick in and IPv6 are pretty cheap. So RIPE hands out these to their members. Let's call it ISP or mobile operator, for example. The mobile operator will then use an IP address to allocate to device of one of their users connecting to their network. So the moment you switch from mobile on, your operator assigns you an IP address. The moment you switch on your laptop, you get a silent IP address. But also on the lower level which hopefully none of you have to worry about. When you're at home and switch on your WiFi router and your partner brings in a new device and switches it on, the router will automatically allocate an IP address to that device.
 
An important thing here is IP addresses can be static and dynamic. Static IP addresses are typically used for devices that are always online. A great example is one of these servers that Nina showed you earlier, if Facebook has a hosting farm and it contains hundreds of thousands of data servers with all that wonderful information on, obviously always needs to be on. Every time somebody does a search in Facebook or wants to read a post, it needs to be available. So these devices typically have static IP addresses.
 
Dynamic IP addresses were used at the time when IPv6 was still not fully deployed. It still isn't. It's a long way to go but it's getting there. But there was a shortage in IPv4 numbers so they were recycled. The moment you switched off your phone, somebody else got your IPv4 addresses assigned by the operator. So it was just a much more economic way of dealing with these addresses.
 
Why is this technical knowledge important? Because a static address will mean that you can always identify the owner of that address.
 
A dynamic address, you would need to time stamp to know who was the person using that particular address at that particular time? So this is an important thing. For those of you who were following it, there was a very interesting opinion from the advocate general to the European Court of Justice who three, four months ago decided that dynamic IP addresses should also be considered to be personal data because they can be combined with other publicly available information sets today or in the future. Yes.
 
>> This is on? Sorry. Question because this is one of the things that especially for law enforcement I think is very serious when there is a problem, something happens and they can trace whatever happens, whether it's a crime, terrorism, jihadism something like that to an IP address. How can you then decide which person was behind that IP address so you could then arrest them or figure out who it was?
 
>> PETER VAN ROSTE: That's very interesting discussion. There are a couple of policy debates that are crucial there. On the one hand, you have the data retention debate. ISPs and telecom providers, they are obliged to keep specific sets of data, which is, amongst others, the access logs. And the access logs are IP address, time stamp, user. So through those access logs, you would be able to identify who used the specific IP address at the certain time. Data retention.
 
Then there is much, there is increasing pressure on removing data or at least keeping datasets for as short as possible. Only for the fulfillment of the contractual terms. There is security purposes, too. But there's a constant debate in Europe going on as you are very well aware between those that believe that there is a need to keep those datasets longer and those that believe that it should be kept shorter. The same discussion is now raging in the U.S. after somebody got convicted over phone records -- and this brings it to the next level, but it's an interesting thing. Where they were able to trace somebody's route of robberies based on his cell phone records. And this matches cell phone ID, IP address and then distance between a couple of towers. So it adds a different layer.
 
The Belgian government is just asking to increase the retention period to 10 years. And that will obviously receive quite a lot of forceful feedback I think from some of the European institutions.
 
>> So basically there is no technical barrier to identifying which physical person was behind which IP address, but then if I'm a criminal, I want to make sure that I mask my path. So how do I do that?
 
[Laughter]
 
>> PETER VAN ROSTE: We'll show you at the end.
 
Anyway, remember, and that might have been before you come in, but as Nina mentioned, some corners are cut in this very basic training. There is one problem that is called network address translation, NAT, that on a carrier level, when traffic gets carried between different carriers, they sometimes use the same IP address, at least from an external point of view, for different users. The reason why they did that is, again, using as few as possible. So everybody gets the right type of contact. But also on a billing level, they are able to identify those users internally but it would show externally as one IP address. So for a law enforcement agency coming up time and time with an IP address. There is no master criminal. It is probably on the carrier level. It is referred to as carrier-grade NAT.
 
>> I can you need to also mention that every network interface part has a hardwired address which is also uniquely identifiable to the device.
 
>> PETER VAN ROSTE: That is a MAC address. We're not going into that right now because it's not always used as one communication. So we're trying to specify on the device. That's a very interesting point.
 
IPv4 addresses, as Nina mentioned to you, I'm sure when you had a problem with your router and somebody was yelling that you're working on something related to the Internet, then these were the numbers you were typing in. Your job will get much harder when your router will start using IPv6 addresses. But it is more stable. It is more secure. And/or plenty. We were running out of IPv4.
 
So IPv4 is still compatible with all equipment and this is sometimes a problem with IPv6. Older routers, smallest hubs in your home sometimes have trouble because the firmware has not been updated automatically or you didn't for the last 10 years to do that. Sometimes you get into the trouble that is the lack of compatibility.
 
I have been told by people who can know this much better than I -- I'm a lawyer, by the way, I probably should have started with that. But then half of you probably would have left the room.
 
[Laughter]
 
If you compare the number of IPv4 addresses to a golf ball, the proper visualisation of the number of IPv6 addresses is the sun. So that's the ratio. And like with IPv4 addresses 20 years ago, today our technicians will confirm that we will never, ever run out.
 
[Laughter]
 
>> That's what they said.
 
>> PETER VAN ROSTE: How comfortable is that?
 
So now to the more practical things. We've taken the journey from our office down to the street and different city across the ocean. We know these devices have IP addresses. They have an address that identifies them. How do these addresses communicate? How do you get from address 192.168.1.1 to web server which has its own unique address? Apologies for the kind of Windows-focused view.
 
>> Before you move on, I just wanted to ask [Inaudible] IPv6 working at the same time?
 
>> PETER VAN ROSTE: Yes.
 
>> How does that actually work? What impact does that have on your connection? And why?
 
>> PETER VAN ROSTE: None whatsoever if properly configured. Your system will use the addressing that is most efficient or least latency. If you would connect your laptop to a network where there is a further down problem with an IPv6 compatibility, then it might switch back to IPv4. So normally you don't see any of it. In one of the exercises that we're going to take in a minute, some of you might have different results because of the preference of IPv6 or IPv4. But for the technical requirements or suggestions on how you would change the preference or influence, I would have to refer you to a more technically educated person. We know plenty. If you give me your contact details, I'll get you in touch. This is Windows 9 it's pretty easy to figure out your machine. I don't expect you to read that. But you can go to the properties of the device in former Windows or you look into network connection details. That's the easiest ways I think these days to find it. So you find your IPv4 or IPv6 devices. Same for your mobile phone. So then we want to connect to something. And the thing I'm most connecting to is the CENTR website. So how do we figure out what the IP addresses of the website? Where can we find it? Well there is a simple command. So in Mac I think it's called terminal. The interface in which you can feed in commands. In Windows it's a command prompt. If you type in, you get this 80s style interface which some of you might find exciting. And you type in nslookup www.CENTR.org, so that command will basically check the Internet, the name servers, and we'll get to that part, don't worry, and respond with an address. We have two because we have been well trained by our members to make sure we have both an IPv6 and IPv4 address. So for those that have their laptops switched on and are in terminal or the command prompt, what is the IP address of the EDRI, European digital rights website? Give you 15 seconds if anybody finds it. There's a prize. Anyone?
Anyone working it? We were told to make this interactive so this was one of the attempts.
 
So you do the name server lookup through the command prompt and you get an answer saying that the address of this website is 37.et cetera.
 
Now very important part, which will help you later on in the training. What happens when you type in this address into your browser? So forget about the domain name. No www.edri.org. But if you type that number into your browser, you'll get to the website.
 
Remember the part when we were discussing blocking about 20 minutes from now.
 
So we have two things now. Remember I have the IP address from my machine through the Windows interface and I have the IP address of the web site which we found through the name server lookup.
 
So how do these two talk? How do they communicate? Any idea what this is? It's a prize. It's not a ball. I think we will have to bring our prizes back home at the end.
 
This is the Internet. From a million miles high point of view. It's the connection of all the networks. It's properly mapped. The colors are the regions. So you see regions are not necessarily grouped together because somebody from British telecom could connect easier to a location in Canada or South America than to central Europe. So this is what the Internet looks like.
 
You see interesting things like there is very specific concentrated bubbles. There are areas here, and you can't see that, but the slides will be available later on. But if you look at this area, it's almost closed off from anything else. So why would somebody want to connect to the Internet but not really? Why wouldn't you want to be somewhere here and have a thousand connections in all directions? Because these guys might be in military network. And they typically are not too keen on having too many gates and doors to the rest of the world. Or a large academic research institute that is using millions of IP addresses to lay a sandbox. And they have no need to have all of those communicate to the outside world. So it is an interesting picture. And very specific things tell a story.
 
Let's zoom in here. I already spoiled that one. This is a stand-alone network. In some areas, you see multiple connections. You see blurred networks that are almost interwoven or they are not really stand-alone. So what's the importance of those nodes?
 
When Nina told you the story, we basically assumed that the whole telecom layer from the elevator shaft cables to the street to the railway/road lines belonged to one entity, which is of course not the case. You have hundreds of thousands of communication providers. You have a couple of thousand large ones. You have a few dozen giant ones in Europe, which is telecom, Deutsche Telekom and all the small ones. They need to connect those networks and the more connections those networks have, the stronger this becomes.
 
So, your network becomes more resilient based on the number of connections that you have to other networks. So resilience is one. It's stronger. You have more options. If something goes wrong, you can go find another way to your destination.
 
Secondly, it's also cheaper. When I started working in the Internet industry, I started working for a young Belgium ISP. It was called in-net unit. Half of our traffic that went through another Belgium network, went from Belgium to the UK, to the U.S. where it got connected to a network from another alternative operator, one of our competitors, was sent back to the UK to Belgium to be delivered on the incumbent's network telecom. When I send an email at that time to my neighbor, the guy physically living next door to the house, the email traveled for, wow, roughly 12,000 miles? These days it's much better. Because we have more connections, connections are more local. And these connections, when they're formally structured and they're multi-peered so more than two people connecting to networks are called Internet exchanges. And the more you have of those, the better. It's the reason why the digital economy in Europe and North America is much more developed than in Developing Countries.
 
And it's getting better, but it hasn't been too long that most of the African traffic went to the U.S. and back that most of the traffic in the Pacific Ocean went to the U.S. or to Australia and back rather than being held locally.
 
So stronger networks are cheaper. You don't have to buy as a carrier traffic that flows across the Atlantic.
 
This is what it looks like, an Internet exchange point. It's a German one. I think this is a picture from their Frankfurt location.
 
Imagine a room where all the ISPs and telecoms have their own coverage roughly, some share because it's cheaper and they pay together for security and air conditioning and electricity. And that in the middle of the room they physically pull their cables from one cabinet to the other. And that's how they're connecting to the network. They are adding security layers to it. And these Internet Exchange Points you have them in every European country and most European countries you have more than one. The tiny country like Belgium have four in the meantime. So they are extremely useful. They are the crossroads of the Internet.
 
And since they've done a really successful job in working smoothly, nobody has heard from them, which is the way that they probably want it.
 
This, one of the important things is that is currently going on is the NES-- it's an interesting discussion on what parts of that are considered to be critical infrastructure? How can the different actors in the Internet improve if possible what they've already been doing? What are the risks? And what are the advantages of communicating on threats and vulnerabilities?
 
So plenty of interesting questions, but I think it's interesting to put a policy placeholder there.
 
Now, the next step. So we know how to identify these addresses. We have seen how those networks connect to each other on the Internet exchanges. But the fun part is that you can actually see how that traffic goes.
 
So you can use -- and we're going skip this exercise also in there for timing reasons -- but you can use a simple command. Trace route with a destination. And you will see in your command prompt or your terminal how the traffic travels across the world. So if you would, for instance, do this for NIC.MX, which is Network Information Center in Mexico, you could see mainly IPv6, yeah, all the way. But you see fancy places. You see how it travels to Amsterdam, to Boston, to Houston. And you really see it jump across the world.
 
I've made a somewhat clear example much less exciting because it goes from Belgium to Belgium. But it tells a story, the visualization. These addresses did a trace route on the website from my desk at the office. Our website is in Gente, which is about 45 minutes away from the office in Brussels.
 
First thing it does it jumps across the local network. Remember about those corners that were cut? In your network, behind your firewall, behind your router you will -- you might be assigned the same IP addresses as at home. So when I said IP addresses are unique, I should actually specify that IP addresses that are facing the Internet are unique. Anything behind their own internal router you can do with what you want. But they're assigned automatically.
 
So my laptop, probably the WiFi, this could be a firewall. We move on to the hub of -- in our office. The modem of Belgacom, goes to the street, the square, close to our office. And these are all physical things that are standing there. But you see how it travels.
 
Here an interesting one. BNIX, Belgium Internet exchange, where Belgacom meets Internet and then it ends up in the third cabin of the Internet. Exchange traffic in the Belgium Internet exchange.
 
Then it goes along probably across one of these railroads between Brussels and Gente, getting closer over telenetworks to our host of our website which is Telenet customer. They're called (?) and they run for the company called open minds. Do that exercise with more exciting stuff. The Singapore times or the Straits Times, the newspaper in Singapore from here and you'll see your traffic jump across the world.
 
Importantly, if you do the exercise a minute later or your neighbor is doing the same exercise, you might find different results here. And that is because -- I won't go into the technicalities of this -- but because traffic will always find the most efficient, quickest route. If there is somewhere where a traffic jam it might go somewhere else. Instead of from here to here, the jump is here to somewhere else.
 
Infrastructure, physical layer, IP addresses, they connect Internet exchanges. You see now how the traffic when you send a request across the Internet, it jumps from one of these hubs to the next. So now let's make it a bit more user friendly. Let's add the Domain Name System. So why do we need it? How does it work? What is the root? And what is the implications on Top Level Domain policies?
 
You all know this by now. IPv6 addresses, IPv4 addresses, you didn't want to remember those when you want to send an email or want to visit the website because importantly, well, most of these are the most popular domains or at least until a year or two ago in some of the European Member States. But also email servers have their IP address. It's not just for web traffic. It is for any traffic, whether it is file downloads or FTP if somebody still knows that. Or email.
 
This is interesting one since as you, I'm sure are all aware. Five years ago, the DNS infrastructure became possible to register non-ASCII domain names, which didn't make a lot of sense. Since about more than half of the world population cannot use the DNS without having to rely on alternative keyboards or alternative mechanisms to put input. So it's not just a relic. It's 26 onion scripts, oh we have expert in the room. I have lost track of how many scripts are now available as IDN characters but I think it's pretty limitless. Any script is now available. And I know for the ccTLD world you have about 25 country codes, top level domains, so the equivalent to .RS or .GR for the Greeks. You have about 25 equivalents in non-ASCII characters.
 
>> Somebody turn this on? There is a restriction in the sense that of course we only delegate new domain names into the root zone if there's no risk of confusion. And there are risks. I mean I'm not an expert obviously, but certain characters in hundred Chinese are identical to Japanese. So if you delegate those, there can be confusion. There's examples, there's technical experts working on this, if you type in Arabic the name of the website of your bank and you do that in Pakistan and you type in exactly the same name in the United Arab Emirates, you will end up at a different location. So as long as there's that kind of confusion, we have to make sure we fix that.
 
I was just at Southeastern, with (?) this was very little confusability. The problem there with this Internationalized Domain Names we call them IDNs is people don't know about them. And of course it would be great if we could get more introduction because not only are there a billion Chinese and a billion Indians although there are hundreds of languages in India, so not just Hindi is going to cut it. But it would be great to have more people online in their own language because you don't have this constant flipping back and forth between your keyboard. If you want to contact your Armenian, you have to type it in Latin, then the menu pops up in Armenian. The better we do this, but we have to spread the news. They are available. It is great to get people connected to the Internet in their own language. But we have to resolve any technical difficulties because you don't want any confusion.
 
>> PETER VAN ROSTE: On the address translation I think things are working well and functioning well and the registration is possible. There are still some issues on the software level. Or on a logic level. So you can have your -- you're the proud owner or registrant, we call them, on the domain. You want to do your airline ticket. The airline company will not accept your as key character email address is valid to register your airline ticket to. So there's still a couple issues on that level. I think last year in particular there was quite a lot of attention on that issue at the global and regional IGFs. I have been told to hurry up a little.
 
So why do we need under the DNS? Well first of all it's much more convenient to remember those addresses and email addresses. Much better than IP addresses. It allows flexibility on the technical level this is really important.
 
Imagine that you have a server with an IP address and everybody is using that IP address to communicate. If something happens to that server, as it burns down, trust me that happens more than you would think, they heat up and become incredibly hot. If everybody communicates to that IP address, you would have trouble rerouting to different IP address, assigning an IP address and then tell everybody "guys stop using the old one, we have a new one".
 
If you are a newspaper with 3 million subscribers, that's not really scalable. As you communicate the domain name of your website. Everybody knows the website. They don't worry about the underlying IP address. If you need to change the IP address, you can do so without anybody noticing anything. So the Domain Name System provides you with an additional layer of stability in making sure that people can communicate or reach your content.
 
And then there is to a minor degree, there's also a security reason. You can use the DNS to divert traffic. Malicious traffic. Everybody has heard about denial of service attacks. When they are addressed at IP addresses, obviously DNS doesn't help anything. But sometimes in their combined text when the domain name is used as well as an attack vector the DNS can be used to divert that traffic to black hole.
 
A really fun one that unfortunately I don't have much time to cover is Internet of Things. Fascinating stuff is happening on a members level where European ccTLDs, and this is an example from dot UK. Is using the DNS to do fun stuff. Here they've built a prediction tool that will help car drivers to avoid flooding. So they are using white space, the TV wavelengths that are no longer used that are free to use for purposes in the UK. They use it with an antenna, I have not seen this in a long time. Connected to a modem. Connected to a sensor that they hide in this plastic box and they just stick it on the bottom of bridges. The only thing it does is measures the distance to the water. If the distance becomes shorter, then they know that further down there might be flooding. And it results in an open data project. And somebody with that data has built this. So you know where you can expect traffic jams.
 
The reason why the DNS comes into play here is that rather than giving your devices an IP address, you can give them a name. You can give them the name of the bridge. And so people can easier understand what they're seeing.
 
And the same thing for security purposes. If the water becomes too high and one of your sensors is flooded, you can immediately replace it and you don't need to change the name because you can change the IP address.
 
Is it possible to play this movie? There's a little movie.
 
>> On other devices use IP addresses to identify each other on the Internet. As we can't always remember complicated numbers, we use words, instead. But Domain Name System brings the two together to get you to your destination. This is how it works. All around us we see domain names. For example, the website of your favorite band. The site is stored somewhere on the Internet.
 
Let me explain how your PC finds it within milliseconds. The journey starts with typing in the website address. In words, of course, as you wouldn't have remembered IP 88.141.253.8. Your device will read the address backwards. It starts at the end with the root domain. In our case .EU.
 
Information on the root domains are stored in 13 different root servers located round the world. In reality, there are numerous more copies of these machines in different locations to make sure that whatever happens, the system will keep on working.
 
A root server contains the information on the name servers for the different zones. In our case, it tells us where we can find the information on addresses ending with dot EU. Again for reasons of security, there are a number of these dot EU name servers located round the world so that if one is too busy or stops working, for example, due to an earthquake, the information would still be reachable elsewhere.
 
The dot EU name server knows where the information for the more than 3 million EU addresses will be found. And Candelus Flaming Flamingo's IP. It will tell us that unique IP address.
 
The IP address for the Flaming Flamingo's website is now identified and sent to your computer. Now the download of the content can start.
 
But, remember, this whole process that makes it possible to connect your computer to the place where the website is stored happens in just a few milliseconds before it connects to the Internet and starts downloading the information. In reality, a lot of information is stored along the road in these so-called cache memories that the information can be retrieved faster rather than having to return to the root every time.
 
This movie is brought to you by CENTR, the organisation of European organisation country code top level domains.
 
>> PETER VAN ROSTE: All right. So this short movie, there's a lot of information packed in there. But remember one thing, it's hierarchical. So we added the DNS as a convenience to human users, but it makes it a bit more complex for the system itself because now rather than the simple IP address, which it knows where to find, it serves domain name which it still has to look up. And so the movie basically explains how that lookup happens.
 
And you start on the right. Has anybody heard about the hidden dot? Let's see. One nod. Watch out. So the hidden dot is the dot that you never type. When you go to a web site you would actually have to type www.CENTR.org dot. There is a final dot at the end. But our system knows that we are lazy and so it adds it automatically. And that final dot tells your browser to start looking at the top level, which is called the root. And the root will have information about where to find, in our example, .org.
 
When you have that address, your system will then query the domain servers of dot org where to find CENTR. And it will query where to find our World Wide Web, www, site. So it's a hierarchical system. The information on the different levels is spread. It sounds complicated but has an enormous advantage, which means that not a single entity is in control of all the information. It makes it more secure and stable.
 
You might say who is in control of the root? It is a multistakeholder model called ICANN which I think most of you will probably be familiar with. So it is a hierarchical system and every layer holds information on the information below it. Yes?
 
>> I think the last two years something called dark web has come to be known.
 
>> PETER VAN ROSTE: Yes.
 
>> These sites are I think if I'm not mistaken, on the end is a dot onion or something like this. Are these owned by DNS or do you have to have the IP address in directory?
 
>> PETER VAN ROSTE: When we use the name servers which are typically built into your -- well the software is built into your system, in your browser, in your operating system. It is what your ISPs are using. But you can use alternatives. These will not be as efficient. They are very vulnerable to hijacking. So try at your own risk. There are alternative ways that you can type in addresses that are resolved in different ways that might end up in places like the dark net. But these do not use the regular Domain Name System. So there is no entity that holds the zone file for dot onion. That one is shared by multitude of users. And peer to peer system that is probably already starting to move towards more block chain-based systems where there is no central (?) but with all problems that follow from it, it also means there is no community-driven policy that says, "well we can accept that and we don't do this."
 
There is no conflict resolution mechanism. First-come, first-served. You happen to have registered Coca-Cola.onion then there is no way that -- I'm not making any judgment call whether it's good or bad thing -- but I'm saying regular rules will not apply. In a DNS system the policies are based on typically local discussions on a national level between Internet users and businesses and government, too, on what is acceptable and not.
 
We'll go into some of these in a bit more detail but you understand the hierarchy of this. The root has information on the different Top Level Domains. There is EU and Estonian and .com. There is Brussels and 1800 additional gTLDs. Not all of them are very popular.
 
On the next level -- and I zoomed in on .EU here. Dot EU name servers will have information on it which is the manager of EU, EuropoActive, one of the news sites, and, again, down one level to the domain server. It opened .EU will hold information about Europe.EU for the European courts, EC for the European Commission. (?) for when you're sending an email to one of the people working at the commission.
 
So, all this information is here. All this information is here. All this information is there.
 
Who does what? Who are the entities? IANA is the entity -- and remember they also do the handing out of large blocks of IPs. They do two things. Three things, but let's forget about the third one, it's not all that important. But the two main important things they do is hand out large blocks of IP addresses. And they manage the root zone. And I'm sure some of you are curious. The third thing they do is they hold a repository of standards. Very technical things that your laptop will check to use specific formats for time, for instance.
 
So on the Top Level Domain, it's the Top Level Domain registry. Every Top Level Domain has one and only one registry that manages that specific zone file. And for dot EU, it's registered on at event. It's multistakeholder not-for-profit organization. I would say that in 80 to 90 percent of the cases they are spinoffs from universities. In the 19s, universities were asked do you want to manage your country's zone file? And said yes, fine, sure, why not? And that became a rhetorical question when they suddenly started to get flooded with ten thousands of requests per day of people that wanted domain name. And universities were not well equipped to deal with the admin and they didn't have the tech nor admin support. So they outsourced that. They're typically still partners in those Ventures. The one I'm most familiar with is dot BE, and where you have the Internet Service Providers, the users, the government and a large industry federation running this together. On a not-for-profit basis.
 
Then on the next level, for example, centre level. For us that's outsourced. That's the guy doing our hosting.
 
The least impressive picture in this whole presentation, this is what the root zone looks like. I'm sure I'm doing some of my colleagues not a favor. You obviously have nicer looking examples. But it's not that impressive because it does a very simple job. It should be done well, but it does a very simple job.
 
Root zone has a list of roughly 1800 top level domains. Whenever somebody asks where can I find this particular Top Level Domain, it responds with an IP address and that's it.
 
And 1800 lines in a database is nothing in today's age. So it's more about network loads than about being able to answer specific queries.
 
As I already mentioned, IANA manages the root zone. The root zone is a file. And it's derived from the root zone database. The root zone database contains more information than just the zone file. As I mentioned, the zone file tells you: This is a name and you can find it at this IP address. And the database you add additional layers. Who runs it? So there is the name of a person who is a technical administrator who is the administrative contact. Where can I call them? What is their address? If they have more than one name server, which they really should. Then this is the list of their name servers. So that's all in the database. So the file is much shorter. Obviously there's not one single file in the world that everybody queries. They have distributed it and it's copied. So there are 13 identical copies.
 
For each copy -- and it sounds a bit like Lord of the Rings -- but for each copy there is one well-established organisation responsible for maintaining its security and integrity. And everybody trusts that organisation. So in Europe you have two organizations that have a copy. It's RIPE, the guys who hand out the IP addresses and one of the major providers of security solutions and for the technical operators.
 
And then those 13 copies get many, many, many more copies because there is, remember the carrot story, there is an incentive to have a copy.
 
If I'm an ISP and have a million users and all these users would every time have to query one of the copies, for instance an Amsterdam of the root, and pay for a lot of traffic back and forth from Brussels to Amsterdam or from Madrid to Amsterdam, if I have a copy of that zone file, which I can get a fresh copy every half hour or every hour, every time somebody queries, I can provide the response without having to go all the way. So it's more efficient. It's a carrot.
 
For example, four of those copies are hosted in Brussels. Very importantly, that root zone database was overseen by the U.S. government until last year, October 2016. The U.S. government handed out the oversight to a multistakeholder community that groups within ICANN. So it is the combination of the ccTLDs, the generic TLDs, the users, the governments, the technical operators, the security and stability committee. So there's a lot of people who now decide jointly on how to manage that zone file.
 
Before that, if any change was needed, the NTIA had physically, literally, to approve that by sending an okay confirmation.
 
A snippet from the zone file. See, it doesn't look that interesting. But it tells you where to find the zone, the name servers for EURIT. They are doing a really good job. They have about 10. They have IPv4 and IPv6 and if you would trace those. They're spread all across the European Union. So well done.
 
The next record, the next name serving, the next name record in root zone file.
 
You have two types of top level domains: Country codes and generics. Quite self-explanatory. There are many more gTLDs these days.
 
CcTLDs are restricted. Only countries that have a code on the ISO 3166 alpha 2 list can get delegated a country code. Very important that this happens here because you would not want any other organisation but a UN agency to deal with or to decide on which is a country and which is not. So this is not a discussion that takes place in ICANN. If I'm separating a small community from the Belgium federal state, it's not ICANN that I should ask for permission to get my ccTLD. I should then convince the UN. If the UN puts it on the list then ICANN has a pretty easy job when managing the zone.
 
The most important difference, of course, is that these are managed locally. They serve local community. They serve that community based on its values and the way it expressed those values and local court decisions, too, which typically normally should reflect those local values, as well.
 
GTLDs, they run under a uniform contractual policy that is decided by that ICANN multistakeholder community. So it's not a matter of ICANN organisation, the 300 people that are working there that make these policies. But it's of a community that builds these policies. As a result, these policies are global.
 
And gTLDs, they pay a fee to ICANN, which is ICANN's main source of income.
 
Interesting discussions on the Cyrillic and Greek.eu. On gTLDs, we were thinking about discussions, we were thinking on (?) which triggered a really interesting discussion in ICANN. If I had champagne or champagne.whip he wine, does that mean that I'm officially can decide which wines can register on the third level? Is this a proof of concept for new geographic indicators system? So interesting policy discussion there.
 
So we're at the first level, right? That hidden dot that told us where to find EU. When you then go, you have the root zone told us where to find dot EU, we go to the next level, so the .EU at the end. So where do we find that information?
 
There is a WHOIS. Every registry runs a WHOIS. That has obviously privacy information implications. If somebody went wrong with a web site you knew who to contact. Hey your website is down. You couldn't probably write an email if their system is down but you could have called them because there is a phone. There is a fax, even.
 
So that was the initial purpose of the WHOIS. Now it's more used to I'm interested in buying your domain or there's something on your domain that I don't like and I want you to remove it. But there is a useful tool to facilitate that communication.
 
If you zoom in, you find these technical details.
 
It also contains -- remember the hierarchical system -- where to find the information of the system below. And so this is for (?) with all the name servers again IPv6 and IPv4 addresses. We're almost there.
 
We're going to -- I won't redo the movie but we come into some interesting cases here. So we're looking -- for example, .EU. This is inconvenient.
 
[Laughter]
 
Let's see if we can get it fixed. Otherwise, I'll try to talk you through the last couple of slides without the animation.
 
>> So (?)
 
>> PETER VAN ROSTE: I'd say around 40.
 
Yes, thank you. So the question, you type in a name. It first goes to your access provider and it asks for the IP address. The access provider has a machine that's called DNS resolver that does that part of the work. Its workload is spread so answering questions goes to the DNS resolver. The DNS resolver asks where dot EU is. It responds with an address. And it queries the .EU registry. For example, .EU responds with an address. Example.eu is queried, where to find the Web server as opposed to the email server. Responds with an address. And there we are. So we now know where to find information. And the traffic begins. So DNS is no longer relevant.
 
How does blocking work? There's a couple of ways of doing that. But all, as I hope you will be able to show, are inefficient.
 
So ask that question to your access provider and your access provider has been told by the government if anybody asks, don't respond. Ignore the question. Which is what happens when you get a 404 page. In most countries, I don't know about this one, in mine when you go to (?) you get a 404 response or you get diverted to the law enforcement website.
 
So, what else can happen? That is the access provider provides you with the wrong answer. And this is the re-direction that we get. So it provides you with an IP address that it knows is not the real one, but it sends you to police-controlled server. And that one will then provide you with an answer saying you're trying to reach information that is illegal or based on a court order. So it will provide you with information and serving you a proper notice.
 
Why doesn't this -- there are a couple of other blocking techniques, but why doesn't this work? I think remember the exercise when I looked for the IP address and I typed that IP address into my browser, I just got to the content without the DNS? So this is obviously the main reason why the DNS is not the communication tool. It is a facilitator. It helps you memorize IP addresses. It helps you memorize an address without having to know the IP address.
 
So remove DNS from the whole system and it would become pretty annoying to use the Internet or sending emails, but it would still go. You would even shave off the 3 milliseconds that it takes to do the query. But it would probably take you longer to type that in.
 
So the easy way of circumventing DNS blocking is by just simply changing the domain name. It will take you 3 minutes and cost you depending upon the domain around 5 Euros. So if www.example.eu is blocked, it just uses a different language. Use (?).eu. So you register different domain name. You link to it the IP address and because the system was built to be resilient, it works. And that's the whole reason why we have DNS. Remember the secure security partner.
 
So working on that doesn't make sense.
 
>> Can you explain again? Because one of the things that the law enforcement people say is a problem because people don't understand how the Internet actually works is that so there's a domain, which somehow violates the law. And then they take down the domain. But since the IP address is still there, you can basically, then, put a different domain name and still end up going to the same IP address.
 
>> Of course. And taking down the domain, we might get to that if we have some more time. But taking down the domain, because the domain infringes the law, makes as much sense as removing a street address because the street address infringes the law. It can't. It's an address.

It's what's happening in the house that might be illegal, but removing the address or tearing it out of a directory or wiping it out from Google Street View doesn't make the place go away or make the illegal activity stop. It is what it is. You make it hard to find an address but nothing more.
 
But indeed if you would respond with a false address, so keep on saying the example.eu doesn't exist. Then if the people running example.eu think it's really important that their content remains online because of freedom, it's important that society understands what they want to share with them, and they just take a different domain. They link to it the IP address.
 
Most often, to be resilient, these sites already have multiple domains for that. Anybody taking or blocking one of them.
 
So, yes? We already did that trick. So you'd type in the IP address into your browser rather than the domain name and you have direct access to that server rather than to jump around asking where to find it. You don't need the domain name resolver.
 
Many companies, larger ones, run their own DNS resolver. So they would not run the law, when the government, courts, law enforcement tell the access provider to make their domain name servers resolver lie. You don't need to use that one. Most people do. It's automatically in your browser. I think I even had a screen shot there. But you can change. You can use your own. Or you can use for instance Google's. Google is very simple to remember. It's 8.8.8.8.
 
Change your DNS resolver to Google's 8.8.8.8 one and none of the local law enforcement instructions to the ISPs will have any effect on you.
 
And by the way, we keep on telling that story to law enforcement agencies, too. We're not trying to circumvent or undermine the really good work they're trying to do. We just want to make sure that they understand that what they're doing does not always make sense from a technical perspective.
 
This is an example where you basically have not the DNS resolver but your own resolver answer those questions. And the result is the same.
 
Yes, here it is. Third-party DNS. They're plentiful. Some of them are more trustworthy than others. Remember, Google is not a charity. So they are very happy for you to use their name server resolver because every time you ask them a question, they know that this is the type of traffic that you want to start. They know that this domain is quite important because many users are asking for it. It probably adds to their algorithms and increasing the value of that domain and putting it higher in their ranks.
 
So they have a purpose for doing that, but it is a technical -- it is possible to easily change that and use alternative addresses.
 
I'm sure that if you would ask EDRI, they could provide you with third-party organizations that will not abuse the traffic logs that your queries generate.


So we will enter this. Same thing. Different provider. Oh yes, one more. Web proxies. You could use some websites to change the course of your traffic by going through that web site typing in the address that you really want to reach, something where somewhere else and then that website is going to fetch that information for you. So practically if on a local level there is a block, access block, you are not visually or visibly looking for that information. You're looking for that third-party web site proxy.example. They look like this. Again obviously they abuse your traffic. They find it very interesting to know what you're looking for, what you're doing. And that information is most likely being sold when it's a free one.
 
You can pay more established ones that -- you would pay for ones that are definitely more safe, but I would not use proxy servers, but it is one way that people avoid blocking, traffic blocking.
 
And it's proxy.example that is then going to ask for example.EU.
 
And you see that none of this querying traffic and back and forth goes over this line. So whatever is blocked here on a national level has no impact.
 
And then you just end up to the example of the EU website.
 
Different things already mentioned to the dark net. Typically accessible through alternative browsers like Tor. What Tor does is it's based on the proxy principle. So it is not you going to specific contents, fetch specific content but you ask the second person to do that for you. It's actually way more complicated than that. You ask probably a dozen or 20 people to do that for you. And one just asks a colleague the same question.

It goes a bit slower. But it is almost untraceable of who is looking for what content. Tor is the onion routing. And it does perfectly what it describes. It builds layers of shields around a person asking for specific content or the identity of a person that is communicating with somebody else because you keep on passing on the traffic until everybody has lost track on who the original question came from. You just know that when you get an answer from whoever you ask, you pass it back to the person asking the question to you. And that's basically it. Less popular or ready, these slides are less than a year old. So things go fast. But a peer-to-peer-based data sharing system that would allow you to store information to have it accessible without easy identification.
 
So, conclusion on the blocking, blocking is a technical term and it describes a procedure. We block. It does not describe an outcome because actually we try to block but we probably hardly ever succeed.
 
I think there's a big difference in preventing users from accessing something accidentally. The type of reaction that you get is I didn't really want to see that. And try to prevent users that want to access content. Typically Pirate Bay users do not end up there by accident. So we can try whatever we want. There are plenty of mechanisms that are easy to circumvent or they're easy to I don't to circumvent roadblocks on the way.
 
So what we strongly believe -- and obviously the training was more about than just blocking but I think it's a good example to link to the technical understanding on how things work. But education is crucial. I mean, we keep on educating law enforcement agencies and our commission officials. We give this training to the commission, to the parliament and to other stakeholders in Brussels to inform the debate.
 
Remember this one, that Nina started you with. So now you understand what happened, right? The French government told French ISPs mobile operators on Monday morning, this is a list every Monday morning, by the way. On "a" Monday morning, I think only last year. They sent them a list of sites to block. It's a manual thing. So most of the operators took the list and looked at it and said Google is on here, and Amazon and Twitter. It's not the right list. One of the operators didn't check whether it was the right list.
 
[Laughter]
 
And they blocked Google amongst quite a few others. Ovioche was one of the most popular. It was a test list that had accidentally slipped. But the result was that all traffic or most of the traffic was diverted to the French ministry of interior affairs.
 
[Laughter]
 
So they accidentally committed digital suicide. I'm sure that it is a perfect illustration on how dangerous it is to mess with the technical layer. And if people want to do so, they should be properly informed and understand what the impact is and be well aware of the societal, economic and political risks once you start mingling with the system it might be possible to mistake as we see here.
 
Another one with no time for that unfortunately. WannaCry was stopped because they used the DNS as kind of a check, a safety check. If a researcher would have taken WannaCry and put it in a box and closed it from the outside world then there wouldn't be any connection possible with the DNS. By registering a name, all the viruses that were out in the wild checked whether the name was still available. It wasn't. So they thought they were in a box and they shut themselves down. So it was an interesting flaw in the software where the researchers definitely outwitted the virus writers. It was a really nice thing. So there the DNS plays a role, too.
 
You see it quite often that there's a link to the DNS and how that today's training, although ridiculously short, helped a little with. So thank you. You wouldn't believe it but we probably spoke about everybody on this list at least on a technical level.
 
The guys with cable and the fiber, root servers, the one in Frankfurt we saw, Internet exchange point, hosting providers, the large cabins, the racks that showed you in the centres. Domain registries, ccTLDs, we're hosting all European ccTLDs. We discussed ICANN and all the constituents. Governments, users, security.

We discussed the naming community. We focused on the European one, RIPE. We have formerly known as IANA, now PTI, Public Technical Identifiers, that hand out the names and the numbers and do a bit of protocoling, too.

These guys, we and it's shameful but we didn't really discuss but they are the setting the standards. They are the real heroes of this story. They are engineers who, believe it or not, are doing this in their spare time. They take a holiday for that and at an IGF meeting they discuss for four or five days they discuss how to build the next standard to have your IP traffic flow smoothly across the world.

They're doing incredible work. There are a couple of organizations that work on that, so IETF is probably the main, Internet -- is the other one. So accessibility browser. There is no government deciding on that. There is W3C saying for visually impaired, this is how we're going to build the standards. If your website wants to be accessible to the visually impaired, follow these standards and it will work. It's a carrot again. If you don't, nobody cares. Well probably visually impaired care quite a lot.

If you don't get punished, you're missing on a potential opportunity. But these standards bodies, I strongly urge you to look into it and how it works. It provides fascinating examples of governance stories. In IETF, it's not that common anymore but to reach consensus or to confirm consensus there's a humming sound going round the room. A lot of (?) and if some people don't hum, then they don't agree. But if the humming is overwhelming, then it seems to be fair to conclude that there is a standard set.
 
There is more detailed and fine-tuned ways of coming to consensus on some of the more delicate discussions, by the way, but just as an example.
 
There's a great document, IETF-- read it if you want to understand how it works. So perfect primer on whenever IETF is next to you, try to, ISOC provides tickets. Is anybody from ISOC here? I think ISOC still provides access.

ISOC, the Internet Society, which is you. Internet Society. They provide sponsorship to IETF, IAB and other standards bodies and the ISOC chapters. So they're doing a great job. If you're wondering where ISOC gets its money from: .org. Every .org domain that gets sold, significant part of that fee goes to ISOC. If you're an ISOC member, you pay a fee.

Carrots. Never forget it. Standardization doesn't work. If 30 years ago the ITU, which is the international telecommunications unit would have said "guys, let's sit down and build the Internet" I'm pretty confirmed that we wouldn't have it. It is not something that is set to quick adoption with Internet needs. So without further simplification, things worked very quickly. We learned how you can trace your routes or travel the world. If you want to visit another place, go trace routing and you'll see places.
 
Why we need the DNS? It helps useful for users, build some security into it. It's an old view on the same thing. But it's a hierarchical system. Every layer controls its own information. So there is no central point. And that one point that rules all the top level domains is managed by multistakeholder organisation.
 
So some corners were cut. But everything that I've told you was confirmed as accurate by our technicians.
 
Malcolm provided links. If you meet him, say hi and thank him for the slides at the end. Thank you. I don't know if we still have time left.
 
[Applause.]
 
Do we have time for questions? No.
 
[Laughter]
 
All right. But we'll stay around. Feel free to drop by. Thank you so much.
 
 
''This text is being provided in a realtime format. Communication Access Realtime Translation (CART) or captioning are provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings.''


[[Category:2017]][[Category:Sessions 2017]][[Category:Sessions]][[Category:Technical and operational issues 2017]]

Revision as of 21:23, 22 August 2017

6 June 2017 | 11:30 - 13:00 | Room Tartu, Swissotel, Tallinn, Estonia | video record
Programme overview wiki | Programme overview EuroDIG web site

Session teaser

A basic technical training on how the Internet works: Understanding the different layers of the Internet, how they interconnect and interact and how they relate to current policy debates will empower participants to actively engage in an informed debate in other EuroDIG workshops.

Keywords

  • Internet layers
  • Training
  • Internet ecosystem
  • Technical basics

Session description

This is a basic technical training on how the Internet works. It provides the audience with information on the underlying building blocks of the Internet and the functioning of the different Internet layers (ISPs, IP addressing, Domain Name System, naming). There will be pointers to policy issues that can have an impact on the technical operations of the different internet layers (e.g. data protection, privacy, content control, etc.). The audience will have the opportunity to engage in some practical exercises that will help understand how data travels and how layers interact. Participants are invited to ask questions, including on how certain policy decisions can affect the daily use of the Internet.

Format

The training on the Internet basics will last approximately 60min including practical exercises, followed by 30min for Q&A and discussions. Pointers to policy issues and legislative developments establish the connection to current debates and can be used to trigger the discussion.

Further reading

We will also produce an info flyer with the basics about the Domain Name System and distribute it on site.

People

Focal Point:

  • Nina Elzer (CENTR)

Subject Matter Expert (SME):

  • Chris Buckridge (RIPE NCC)

Key Participants

  • Trainer: Peter Van Roste (CENTR)

Moderator:

  • Peter Van Roste (CENTR)

Remote Moderator

Organising Team (Org Team)

  • Nina Elzer (CENTR)
  • Peter Van Roste (CENTR)
  • Raphael Beauregard-Lacroix

Reporter:

  • Nina Elzer (CENTR)

Video record

https://www.youtube.com/watch?v=W7hK2_JL9Z4

Messages

45 people physically attended the training workshop. They learned:

  • That it is important to have at least a basic understanding of how the internet works (the different layers, actors, processes, etc.) before you start calling for regulation that tries to fix something and risks breaking the internet.
  • That the internet is not a cloud but very tangible, transmitting data packets using infrastructure and hardware, such as modems, routers, fibre optic cables, undersea cables, etc.
  • That the internet is made of carrots, i.e. incentives and voluntary agreements (standards and protocols) that people choose to agree to on a voluntarily basis. The more people agree to it, the larger the user base that you can communicate with, make business with, etc.
  • That the internet is a network of networks that started with 4 connected computer systems and grew to tens of billions of connected devices.
  • That these devices can be identified via their IP address, which then connect to each other.
  • That IP addresses (numbers) are translated into names (using the domain name system) so that humans can more easily remember, e.g. a web address.
  • How the domain name system links to the root, IANA and ICANN.
  • That blocking a domain names or website is an inefficient tool, as it can be easily circumvented and does not make (illegal) content inaccessible (you can type in the IP address instead of the domain name, you can change your DNS resolver, you can use web proxies…).
  • That blocking is a procedure, not an outcome.

Transcript

Provided by: Caption First, Inc., P.O. Box 3066 ,Monument, CO 80132, Phone 800-825-5234, www.captionfirst.com


This text is being provided in a realtime format. Communication Access Realtime Translation (CART) or captioning are provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings.


>> So, shall we?

>> We're going to start in a minute. We're just waiting for the last people to arrive.

>> If anyone needs a table, feel free to use these. No one is sitting there, anyway.

>> All right. If everybody has taken a seat, we're happy to start. So welcome to our training on the technical basics everybody should know before calling for regulation. The moderation will be done by myself, I'm Nina. And Peter whom you see here. We're working from CENTR. We'll explain what CENTR is during the course of the presentation.

So why are we having this presentation? You will know that in view of the whole terrorist attacks, more people talk about more responsibilities for Internet companies. But we think that it's also important to understand what the different actors in the Internet ecosystem do, what they're responsible for and at which layer of the Internet they are. So this is what we're going to explain a little bit today because sometimes it's also important to know what's happening before you try to fix problems and you might break the Internet.

Some practicalities beforehand, you will see some red pointers to certain policy issues. And we are not going to go into the debates about them, but they might help you link to whatever else is discussed at EuroDIG. So we will see some red boxes and they will refer to such issues.

When you can ask questions, given the high number of people in the room, and that's excellent news, we would like to ask you to keep your questions to the end. So we have like half an hour for debate in the end so you can just ask everything you want in the end.

For later questions, you can drop us an email and just remember that this is a basic training. So obviously some corners were cut.

So what is CENTR? CENTR is the association for exchange dialogue and innovation of country code domain registries. So these are the guys that manage and operate the country code of their Top Level Domain. So this is dot EU et cetera.

We have 54 members. We also go beyond Europe. We have also in Australia, for instance, 13 observers including people like ICANN and also the European Commission.

Together they hold more than 73 million registered domains and this represents more than 50 percent of registered ccTLDs worldwide. Le 0 percent of all members are not-for-profit that means they are at the, they go back in the local community, for instance in education programmes, upon sponsorships of national IGFs and so on.

So what we do in terms of services, we help our members benchmark, improve their security and also exchange best practices. So how do we do this? We have statistics that we provide them with about the market. We have a repository of presentations. And study papers and so on.

We organise events for them. So we have six working groups. And this was one of our bigger events where we have six working groups meeting at the same time and discuss issues from security to administration to technical issues and further things and we also have reports that we publish because they are publicly available and free of charge.

So what will you learn today? You will learn what the Internet looks like. It is not the cloud. It is pretty much hyped up so you learn about the infrastructure and the hardware. You will learn what IP addresses are, how they connect to each other, how networks work, how the Domain Name System works, why the root is important and links to ICANN. Who does what on the technical layers of the Internet and why all of this matters for Internet Governance that you have here at EuroDIG. So a way that they interconnect is a recent case from October 2016 actually the ministry asked for the ISP Orange to block and redirect a couple of URLs. And what actually happened is that Orange had to do this new release. They had to do some settings in their DNS system, Domain Name System server. What happened was there was a tiny human little error so that all the requests that went to Google search were actually redirected to the ministry of the interior's own website. They DDoS'd themselves. This is one of the examples when you try to fix something and then you might break other things.

So this is a link to fundamental rights, obviously. Because obviously not all these requests were for illegal content. So there's a risk of overblocking and also censoring organise certain information that would have normally been available. Where you are in the ecosystem. You are at EuroDIG. You're with us and you see your division into the more visible upper part and maybe a bit lesser known and invisible technical layers of the lower part. So this is where you are. So we have a lot of multistakeholder fora in this area. ISOC. Users, policy developing organizations like ICANN, ITU. And this is what you'll learn more about today, the technical layer, the infrastructure, those that discuss protocols, numbering community, IP protocols and the Domain Name System people. The multistakeholder fora that you will know of, also the ones today, this is why there's little point to this. So what is the Internet made of?

It's made of carrots. Now you might wonder. You might remember the little metaphor of the guy who was driving a cart and he has a mule. In front of the mule he has the carrots. And he wants him to go faster, if it doesn't react to the carrot, he uses the stick. But we don't use sticks but carrots. So there's no sanctions needed because people have an incentive to agree on these things and to find consensus on them because the more people agree to a certain set of rules, the more we can communicate and the more we can interact. So this is important obviously for businesses but also if you want to communicate to more people. So this has a link to standardization.

So now how does everything interconnect? So the Internet is a network of networks and it started with four computer systems in 1969 and now we have tens of billions of connected devices.

So in order to demonstrate it a little bit better, we take a journey through your networks and how you interconnect with the Internet. So let's start in your office. So in your office, you will have your computer, you log on with a modem. If you have more computers in your office, you will have a router. And this is actually what you see here. So this goes through the elevator shafts, your staircases and so on and it links to the cables that will be in the ground in front of your house. And this is done with fiberoptic cable. This is what you should see here. So that's the fiberoptic cables in diameter. That's what they look like.

We've added this little slide because it means obviously you not only connect to whatever is on the street and the street then goes to other distribution points in your Vint, in your neighborhood, but also connect cities that happens along railways and motor systems because it is the shortest distance from A to B. Also interconnect continents that happen from undersea. They are huge cables that are bundled and there's protection layer of lots of things that can happen at the shore than the deep sea. At the deep sea you might have an occasional shark that is biting at the cable. But more importantly at the shores there can be accidents with ships or some construction and they cut through cables. That's why they need a big protection layer.

And obviously there's also other means than cables to connect you to the Internet with satellite or 4G.

So this relates to the spectrum allocation questions, radio frequencies that are used for mobile Internet and TV broadcasting how they are used today and in the future.

But obviously also other devices connect to the Internet, so we see some server cables here. And obviously when the server is no longer enough for a company, they have Big Data centres. The ones that you see here, for instance, is the one from Facebook. So I think I read somewhere that in 2010 they had 60,000 servers and now they're not even publishing the numbers anymore. But obviously they store all of these things in data centres. So these are huge facilities that have both computer and telecommunications systems and cooling systems and security systems because this is actually very important part of infrastructure so you need to have it properly secured.

This links to the issue of privacy because you will, as a user, you will want your communication to be protected. And that's actually among the responsibilities of the telecommunication providers and the ones that have these data centres. It also links to the debate of the free flow of countries. Because in some countries there might be obligations to have these data centres and/or data stored locally.

The next I will hand over to my colleague Peter, already.

>> PETER VAN ROSTE: Thank you. So to take you on a journey from your office desk to the router in the office along the elevator shafts, on the streets through the square to where more and more cables connect and cross the ocean and through the air. So we're connecting devices. So you see now, you picture the physical infrastructure. The copper and the fiber and the network. So far there is nothing happening on it. Now we want to make sure that all these devices, whether it's your laptop or your phone, your digital at home, your baby monitor, your alarm system, that everything gets connected. In order to get connected, it is easy to know, these things need to know where to find each other. In order to find each other, they need an address. And technically first thing every device acquires when it gets connected is an IP address, an Internet Protocol address. What are these addresses? They are identifiers, they're sequences of numbers. We'll get a bit later into the details but you have IPv4 and IPv6 addresses. IPv6 are much longer. You'll recognize them right when you see it. Most of you are probably familiar with IPv4. But we'll see a couple of examples later on. I will take a couple of exercises, too.

These need to be managed. You cannot give the same address to more than one device because that would lead to confusion so every one needs a unique address. How do we get this organized? There is one organization that is responsible for chopping up enough IPv4 and 6 addresses and handing huge chunks of those address blocks to different regions. It gives them to the RIRs. And the RIRs are the Internet registries, they are the regional registries for the number. In Europe this is RIPE. And RIPE NCC then chops up the large block into still large blocks and hands them out to ISPs or academic institutions or governments or law enforcement or research institutes. IPv4 addresses still pay for them because there's a shortage. IPv6 there were plenty. So economic laws kick in and IPv6 are pretty cheap. So RIPE hands out these to their members. Let's call it ISP or mobile operator, for example. The mobile operator will then use an IP address to allocate to a device of one of their users connecting to their network. So the moment you switch your mobile on, your operator assigns you an IP address. The moment you switch on your laptop, you get a silent IP address. But also on the lower level which hopefully none of you have to worry about. When you're at home and switch on your WiFi router and your partner brings in a new device and switches it on, the router will automatically allocate an IP address to that device.

An important thing here is IP addresses can be static and dynamic. Static IP addresses are typically used for devices that are always online. A great example is one of these servers that Nina showed you earlier, if Facebook has a hosting farm and it contains hundreds of thousands of data servers with all that wonderful information on, obviously always needs to be on. Every time somebody does a search in Facebook or wants to read a post, it needs to be available. So these devices typically have static IP addresses.

Dynamic IP addresses were used at the time when IPv6 was still not fully deployed. It still isn't. It's a long way to go but it's getting there. But there was a shortage in IPv4 numbers so they were recycled. The moment you switched off your phone, somebody else got your IPv4 addresses assigned by the operator. So it was just a much more economic way of dealing with these addresses.

Why is this technical knowledge important? Because a static address will mean that you can always identify the owner of that address.

A dynamic address, you would need to time stamp to know who was the person using that particular address at that particular time? So this is an important thing. For those of you who were following it, there was a very interesting opinion from the advocate general to the European Court of Justice who three, four months ago decided that dynamic IP addresses should also be considered to be personal data because they can be combined with other publicly available information sets today or in the future. Yes.

>> This is on? Sorry. Question because this is one of the things that especially for law enforcement I think is very serious when there is a problem, something happens and they can trace whatever happens, whether it's a crime, terrorism, jihadism something like that to an IP address. How can you then decide which person was behind that IP address so you could then arrest them or figure out who it was?

>> PETER VAN ROSTE: That's very interesting discussion. There are a couple of policy debates that are crucial there. On the one hand, you have the data retention debate. ISPs and telecom providers, they are obliged to keep specific sets of data, which is, amongst others, the access logs. And the access logs are IP address, time stamp, user. So through those access logs, you would be able to identify who used the specific IP address at the certain time. Data retention.

Then there is much, there is increasing pressure on removing data or at least keeping datasets for as short as possible. Only for the fulfillment of the contractual terms. There is security purposes, too. But there's a constant debate in Europe going on as you are very well aware between those that believe that there is a need to keep those datasets longer and those that believe that it should be kept shorter. The same discussion is now raging in the U.S. after somebody got convicted over phone records -- and this brings it to the next level, but it's an interesting thing. Where they were able to trace somebody's route of robberies based on his cell phone records. And this matches cell phone ID, IP address and then distance between a couple of towers. So it adds a different layer.

The Belgian government is just asking to increase the retention period to 10 years. And that will obviously receive quite a lot of forceful feedback, I think, from some of the European institutions.

>> So basically there is no technical barrier to identifying which physical person was behind which IP address, but then if I'm a criminal, I want to make sure that I mask my path. So how do I do that?

[Laughter]

>> PETER VAN ROSTE: We'll show you at the end.

Anyway, remember, and that might have been before you came in, but as Nina mentioned, some corners are cut in this very basic training. There is one problem that is called network address translation, NAT, that on a carrier level, when traffic gets carried between different carriers, they sometimes use the same IP address, at least from an external point of view, for different users. The reason why they did that is, again, using as few as possible. So everybody gets the right type of contact. But also on a billing level, they are able to identify those users internally but it would show externally as one IP address. So for a law enforcement agency coming up time and time with an IP address: there is no master criminal. It is probably on the carrier level. It is referred to as carrier-grade NAT.

>> I think you need to also mention that every network interface part has a hardwired address which is also uniquely identifiable to the device.

>> PETER VAN ROSTE: That is a MAC address. We're not going into that right now because it's not always used as one communication. So we're trying to specify on the device. That's a very interesting point.

IPv4 addresses, as Nina mentioned to you, I'm sure when you had a problem with your router and somebody was yelling that you're working on something related to the Internet, then these were the numbers you were typing in. Your job will get much harder when your router will start using IPv6 addresses. But it is more stable. It is more secure. And/or plenty. We were running out of IPv4.

So IPv4 is still compatible with all equipment and this is sometimes a problem with IPv6. Older routers, smallest hubs in your home sometimes have trouble because the firmware has not been updated automatically or you didn't for the last 10 years to do that. Sometimes you get into the trouble that is the lack of compatibility.

I have been told by people who can know this much better than I -- I'm a lawyer, by the way, I probably should have started with that. But then half of you probably would have left the room.

[Laughter]

If you compare the number of IPv4 addresses to a golf ball, the proper visualisation of the number of IPv6 addresses is the sun. So that's the ratio. And like with IPv4 addresses 20 years ago, today our technicians will confirm that we will never, ever run out.

[Laughter]

>> That's what they said.

>> PETER VAN ROSTE: How comfortable is that?

So now to the more practical things. We've taken the journey from our office down to the street and a different city across the ocean. We know these devices have IP addresses. They have an address that identifies them. How do these addresses communicate? How do you get from address 192.168.1.1 to a web server which has its own unique address? Apologies for the kind of Windows-focused view.

>> Before you move on, I just wanted to ask [Inaudible] IPv6 working at the same time?

>> PETER VAN ROSTE: Yes.

>> How does that actually work? What impact does that have on your connection? And why?

>> PETER VAN ROSTE: None whatsoever if properly configured. Your system will use the addressing that is most efficient or least latency. If you would connect your laptop to a network where there is a further down problem with an IPv6 compatibility, then it might switch back to IPv4. So normally you don't see any of it. In one of the exercises that we're going to take in a minute, some of you might have different results because of the preference of IPv6 or IPv4. But for the technical requirements or suggestions on how you would change the preference or influence, I would have to refer you to a more technically educated person. We know plenty. If you give me your contact details, I'll get you in touch.

This is Windows 9; it's pretty easy to figure out your machine. I don't expect you to read that. But you can go to the properties of the device in former Windows or you look into network connection details. That's the easiest way, I think, these days to find it. So you find your IPv4 or IPv6 devices. Same for your mobile phone.

So then we want to connect to something. And the thing I'm most connecting to is the CENTR website. So how do we figure out what the IP address of the website is? Where can we find it? Well, there is a simple command. So in Mac I think it's called Terminal. The interface in which you can feed in commands. In Windows it's a command prompt. If you type in, you get this 80s style interface which some of you might find exciting. And you type in nslookup www.CENTR.org, so that command will basically check the Internet, the name servers, and we'll get to that part, don't worry, and respond with an address. We have two because we have been well trained by our members to make sure we have both an IPv6 and an IPv4 address.

So for those that have their laptops switched on and are in terminal or the command prompt, what is the IP address of the EDRI, European Digital Rights, website? Give you 15 seconds if anybody finds it. There's a prize. Anyone?
Anyone working it? We were told to make this interactive so this was one of the attempts.

So you do the name server lookup through the command prompt and you get an answer saying that the address of this website is 37.et cetera.

Now very important part, which will help you later on in the training. What happens when you type in this address into your browser? So forget about the domain name. No www.edri.org. But if you type that number into your browser, you'll get to the website.

Remember the part when we were discussing blocking about 20 minutes from now.

So we have two things now. Remember I have the IP address from my machine through the Windows interface and I have the IP address of the web site which we found through the name server lookup.

So how do these two talk? How do they communicate? Any idea what this is? It's a prize. It's not a ball. I think we will have to bring our prizes back home at the end.

This is the Internet. From a million miles high point of view. It's the connection of all the networks. It's properly mapped. The colors are the regions. So you see regions are not necessarily grouped together because somebody from British Telecom could connect easier to a location in Canada or South America than to central Europe. So this is what the Internet looks like.

You see interesting things like there is very specific concentrated bubbles. There are areas here, and you can't see that, but the slides will be available later on. But if you look at this area, it's almost closed off from anything else. So why would somebody want to connect to the Internet but not really? Why wouldn't you want to be somewhere here and have a thousand connections in all directions? Because these guys might be in military network. And they typically are not too keen on having too many gates and doors to the rest of the world. Or a large academic research institute that is using millions of IP addresses to lay a sandbox. And they have no need to have all of those communicate to the outside world. So it is an interesting picture. And very specific things tell a story.

Let's zoom in here. I already spoiled that one. This is a stand-alone network. In some areas, you see multiple connections. You see blurred networks that are almost interwoven or they are not really stand-alone. So what's the importance of those nodes?

When Nina told you the story, we basically assumed that the whole telecom layer from the elevator shaft cables to the street to the railway/road lines belonged to one entity, which is of course not the case. You have hundreds of thousands of communication providers. You have a couple of thousand large ones. You have a few dozen giant ones in Europe, which is telecom, Deutsche Telekom and all the small ones. They need to connect those networks and the more connections those networks have, the stronger this becomes.

So, your network becomes more resilient based on the number of connections that you have to other networks. So resilience is one. It's stronger. You have more options. If something goes wrong, you can go find another way to your destination.

Secondly, it's also cheaper. When I started working in the Internet industry, I started working for a young Belgian ISP. It was called in-net unit. Half of our traffic that went through another Belgian network went from Belgium to the UK, to the U.S. where it got connected to a network from another alternative operator, one of our competitors, was sent back to the UK to Belgium to be delivered on the incumbent's network telecom. When I sent an email at that time to my neighbor, the guy physically living next door to the house, the email traveled for, wow, roughly 12,000 miles? These days it's much better. Because we have more connections, connections are more local. And these connections, when they're formally structured and they're multi-peered, so more than two people connecting to networks, are called Internet exchanges. And the more you have of those, the better. It's the reason why the digital economy in Europe and North America is much more developed than in Developing Countries.

And it's getting better, but it hasn't been too long that most of the African traffic went to the U.S. and back, that most of the traffic in the Pacific Ocean went to the U.S. or to Australia and back rather than being held locally.

So stronger networks are cheaper. You don't have to buy as a carrier traffic that flows across the Atlantic.

This is what it looks like, an Internet exchange point. It's a German one. I think this is a picture from their Frankfurt location.

Imagine a room where all the ISPs and telecoms have their own coverage roughly, some share because it's cheaper and they pay together for security and air conditioning and electricity. And that in the middle of the room they physically pull their cables from one cabinet to the other. And that's how they're connecting to the network. They are adding security layers to it. And these Internet Exchange Points, you have them in every European country and in most European countries you have more than one. A tiny country like Belgium has four in the meantime. So they are extremely useful. They are the crossroads of the Internet.

And since they've done a really successful job in working smoothly, nobody has heard from them, which is the way that they probably want it.

This, one of the important things is that is currently going on is the NES-- it's an interesting discussion on what parts of that are considered to be critical infrastructure? How can the different actors in the Internet improve if possible what they've already been doing? What are the risks? And what are the advantages of communicating on threats and vulnerabilities?

So plenty of interesting questions, but I think it's interesting to put a policy placeholder there.

Now, the next step. So we know how to identify these addresses. We have seen how those networks connect to each other on the Internet exchanges. But the fun part is that you can actually see how that traffic goes.

So you can use -- and we're going to skip this exercise also in there for timing reasons -- but you can use a simple command. traceroute with a destination. And you will see in your command prompt or your terminal how the traffic travels across the world. So if you would, for instance, do this for NIC.MX, which is Network Information Center in Mexico, you could see mainly IPv6, yeah, all the way. But you see fancy places. You see how it travels to Amsterdam, to Boston, to Houston. And you really see it jump across the world.

I've made a somewhat clear example, much less exciting because it goes from Belgium to Belgium. But it tells a story, the visualization. These addresses did a traceroute on the website from my desk at the office. Our website is in Ghent, which is about 45 minutes away from the office in Brussels.

First thing it does, it jumps across the local network. Remember about those corners that were cut? In your network, behind your firewall, behind your router you will -- you might be assigned the same IP addresses as at home. So when I said IP addresses are unique, I should actually specify that IP addresses that are facing the Internet are unique. Anything behind their own internal router you can do with what you want. But they're assigned automatically.

So my laptop, probably the WiFi, this could be a firewall. We move on to the hub of -- in our office. The modem of Belgacom, goes to the street, the square, close to our office. And these are all physical things that are standing there. But you see how it travels.

Here is an interesting one. BNIX, Belgium Internet exchange, where Belgacom meets Internet and then it ends up in the third cabin of the Internet. Exchange traffic in the Belgium Internet exchange.

Then it goes along probably across one of these railroads between Brussels and Ghent, getting closer over Telenet networks to our host of our website, which is a Telenet customer. They're called (?) and they run for the company called open minds. Do that exercise with more exciting stuff. The Singapore Times or the Straits Times, the newspaper in Singapore, from here and you'll see your traffic jump across the world.

Importantly, if you do the exercise a minute later or your neighbor is doing the same exercise, you might find different results here. And that is because -- I won't go into the technicalities of this -- but because traffic will always find the most efficient, quickest route. If there is somewhere a traffic jam it might go somewhere else. Instead of from here to here, the jump is from here to somewhere else.

Infrastructure, physical layer, IP addresses, they connect Internet exchanges. You see now how the traffic, when you send a request across the Internet, jumps from one of these hubs to the next. So now let's make it a bit more user friendly. Let's add the Domain Name System. So why do we need it? How does it work? What is the root? And what are the implications on Top Level Domain policies?

You all know this by now. IPv6 addresses, IPv4 addresses, you didn't want to remember those when you want to send an email or want to visit the website because importantly, well, most of these are the most popular domains or at least until a year or two ago in some of the European Member States. But also email servers have their IP address. It's not just for web traffic. It is for any traffic, whether it is file downloads or FTP if somebody still knows that. Or email.

This is an interesting one since, as you, I'm sure, are all aware, five years ago, the DNS infrastructure became possible to register non-ASCII domain names, which didn't make a lot of sense. Since about more than half of the world population cannot use the DNS without having to rely on alternative keyboards or alternative mechanisms to put input. So it's not just a relic. It's 26 onion scripts, oh, we have an expert in the room. I have lost track of how many scripts are now available as IDN characters but I think it's pretty limitless. Any script is now available. And I know for the ccTLD world you have about 25 country codes, top level domains, so the equivalent to .RS or .GR for the Greeks. You have about 25 equivalents in non-ASCII characters.

>> Somebody turn this on? There is a restriction in the sense that of course we only delegate new domain names into the root zone if there's no risk of confusion. And there are risks. I mean I'm not an expert obviously, but certain characters in hundred Chinese are identical to Japanese. So if you delegate those, there can be confusion. There's examples, there's technical experts working on this: if you type in Arabic the name of the website of your bank and you do that in Pakistan and you type in exactly the same name in the United Arab Emirates, you will end up at a different location. So as long as there's that kind of confusion, we have to make sure we fix that.

I was just at Southeastern, with (?) this was very little confusability. The problem there with these Internationalized Domain Names, we call them IDNs, is people don't know about them. And of course it would be great if we could get more introduction because not only are there a billion Chinese and a billion Indians, although there are hundreds of languages in India, so not just Hindi is going to cut it. But it would be great to have more people online in their own language because you don't have this constant flipping back and forth between your keyboard. If you want to contact your Armenian, you have to type it in Latin, then the menu pops up in Armenian. The better we do this, but we have to spread the news. They are available. It is great to get people connected to the Internet in their own language. But we have to resolve any technical difficulties because you don't want any confusion.

>> PETER VAN ROSTE: On the address translation I think things are working well and functioning well and the registration is possible. There are still some issues on the software level. Or on a logic level. So you can have your -- you're the proud owner or registrant, we call them, of the domain. You want to do your airline ticket. The airline company will not accept your ASCII character email address as valid to register your airline ticket to. So there's still a couple issues on that level. I think last year in particular there was quite a lot of attention on that issue at the global and regional IGFs. I have been told to hurry up a little.

So why do we need the DNS? Well, first of all it's much more convenient to remember those addresses and email addresses. Much better than IP addresses. It allows flexibility on the technical level; this is really important.

Imagine that you have a server with an IP address and everybody is using that IP address to communicate. If something happens to that server, as it burns down, trust me that happens more than you would think, they heat up and become incredibly hot. If everybody communicates to that IP address, you would have trouble rerouting to a different IP address, assigning an IP address and then telling everybody "guys stop using the old one, we have a new one".

If you are a newspaper with 3 million subscribers, that's not really scalable. As you communicate the domain name of your website, everybody knows the website. They don't worry about the underlying IP address. If you need to change the IP address, you can do so without anybody noticing anything. So the Domain Name System provides you with an additional layer of stability in making sure that people can communicate or reach your content.

And then there is, to a minor degree, there's also a security reason. You can use the DNS to divert traffic. Malicious traffic. Everybody has heard about denial of service attacks. When they are addressed at IP addresses, obviously DNS doesn't help anything. But sometimes in their combined text when the domain name is used as well as an attack vector the DNS can be used to divert that traffic to a black hole.

A really fun one that unfortunately I don't have much time to cover is Internet of Things. Fascinating stuff is happening on a members level where European ccTLDs, and this is an example from dot UK, is using the DNS to do fun stuff. Here they've built a prediction tool that will help car drivers to avoid flooding. So they are using white space, the TV wavelengths that are no longer used, that are free to use for purposes in the UK. They use it with an antenna, I have not seen this in a long time. Connected to a modem. Connected to a sensor that they hide in this plastic box and they just stick it on the bottom of bridges. The only thing it does is measure the distance to the water. If the distance becomes shorter, then they know that further down there might be flooding. And it results in an open data project. And somebody with that data has built this. So you know where you can expect traffic jams.

The reason why the DNS comes into play here is that rather than giving your devices an IP address, you can give them a name. You can give them the name of the bridge. And so people can more easily understand what they're seeing.

And the same thing for security purposes. If the water becomes too high and one of your sensors is flooded, you can immediately replace it and you don't need to change the name because you can change the IP address.

Is it possible to play this movie? There's a little movie.

>> On other devices use IP addresses to identify each other on the Internet. As we can't always remember complicated numbers, we use words, instead. The Domain Name System brings the two together to get you to your destination. This is how it works. All around us we see domain names. For example, the website of your favorite band. The site is stored somewhere on the Internet.

Let me explain how your PC finds it within milliseconds. The journey starts with typing in the website address. In words, of course, as you wouldn't have remembered IP 88.141.253.8. Your device will read the address backwards. It starts at the end with the root domain. In our case .EU.

Information on the root domains is stored in 13 different root servers located round the world. In reality, there are numerous more copies of these machines in different locations to make sure that whatever happens, the system will keep on working.

A root server contains the information on the name servers for the different zones. In our case, it tells us where we can find the information on addresses ending with dot EU. Again for reasons of security, there are a number of these dot EU name servers located round the world so that if one is too busy or stops working, for example, due to an earthquake, the information would still be reachable elsewhere.

The dot EU name server knows where the information for the more than 3 million EU addresses will be found. And Candelus Flaming Flamingo's IP. It will tell us that unique IP address.

The IP address for the Flaming Flamingo's website is now identified and sent to your computer. Now the download of the content can start.

But, remember, this whole process that makes it possible to connect your computer to the place where the website is stored happens in just a few milliseconds before it connects to the Internet and starts downloading the information. In reality, a lot of information is stored along the road in these so-called cache memories so that the information can be retrieved faster rather than having to return to the root every time.

This movie is brought to you by CENTR, the organisation of European country code top level domains.

>> PETER VAN ROSTE: All right. So this short movie, there's a lot of information packed in there. But remember one thing, it's hierarchical. So we added the DNS as a convenience to human users, but it makes it a bit more complex for the system itself because now rather than the simple IP address, which it knows where to find, it serves domain name which it still has to look up. And so the movie basically explains how that lookup happens.

And you start on the right. Has anybody heard about the hidden dot? Let's see. One nod. Watch out. So the hidden dot is the dot that you never type. When you go to a web site you would actually have to type www.centr.org dot. There is a final dot at the end. But our system knows that we are lazy and so it adds it automatically. And that final dot tells your browser to start looking at the top level, which is called the root. And the root will have information about where to find, in our example, .org.

When you have that address, your system will then query the domain servers of dot org where to find CENTR. And it will query where to find our World Wide Web, www, site. So it's a hierarchical system. The information on the different levels is spread. It sounds complicated but has an enormous advantage, which means that not a single entity is in control of all the information. It makes it more secure and stable.

You might say who is in control of the root? It is a multistakeholder model called ICANN which I think most of you will probably be familiar with. So it is a hierarchical system and every layer holds information on the information below it. Yes?

>> I think the last two years something called dark web has come to be known.

>> PETER VAN ROSTE: Yes.

>> These sites are I think if I'm not mistaken, on the end is a dot onion or something like this. Are these owned by DNS or do you have to have the IP address in directory?

>> PETER VAN ROSTE: When we use the name servers which are typically built into your -- well the software is built into your system, in your browser, in your operating system. It is what your ISPs are using. But you can use alternatives. These will not be as efficient. They are very vulnerable to hijacking. So try at your own risk. There are alternative ways that you can type in addresses that are resolved in different ways that might end up in places like the dark net. But these do not use the regular Domain Name System. So there is no entity that holds the zone file for dot onion. That one is shared by a multitude of users. A peer-to-peer system that is probably already starting to move towards more blockchain-based systems where there is no central (?) but with all problems that follow from it, it also means there is no community-driven policy that says, "well we can accept that and we don't do this."

There is no conflict resolution mechanism. First-come, first-served. You happen to have registered Coca-Cola.onion then there is no way that -- I'm not making any judgment call whether it's a good or bad thing -- but I'm saying regular rules will not apply. In a DNS system the policies are based on typically local discussions on a national level between Internet users and businesses and government, too, on what is acceptable and not.

We'll go into some of these in a bit more detail but you understand the hierarchy of this. The root has information on the different Top Level Domains. There is EU and Estonian and .com. There is Brussels and 1800 additional gTLDs. Not all of them are very popular.

On the next level -- and I zoomed in on .EU here. Dot EU name servers will have information on it which is the manager of EU, EurActiv, one of the news sites, and, again, down one level to the domain server. It opened .EU will hold information about Europe.EU for the European courts, EC for the European Commission. (?) for when you're sending an email to one of the people working at the commission.

So, all this information is here. All this information is here. All this information is there.

Who does what? Who are the entities? IANA is the entity -- and remember they also do the handing out of large blocks of IPs. They do two things. Three things, but let's forget about the third one, it's not all that important. But the two main important things they do is hand out large blocks of IP addresses. And they manage the root zone. And I'm sure some of you are curious. The third thing they do is they hold a repository of standards. Very technical things that your laptop will check to use specific formats for time, for instance.

So on the Top Level Domain, it's the Top Level Domain registry. Every Top Level Domain has one and only one registry that manages that specific zone file. And for dot EU, it's registered on at event. It's a multistakeholder not-for-profit organization. I would say that in 80 to 90 percent of the cases they are spinoffs from universities. In the 19s, universities were asked, do you want to manage your country's zone file? And they said yes, fine, sure, why not? And that became a rhetorical question when they then suddenly started to get flooded with ten thousands of requests per day of people that wanted a domain name. And universities were not well equipped to deal with the admin and they didn't have the tech nor admin support. So they outsourced that. They're typically still partners in those ventures. The one I'm most familiar with is dot BE, where you have the Internet Service Providers, the users, the government and a large industry federation running this together. On a not-for-profit basis.

Then on the next level, for example, CENTR level. For us that's outsourced. That's the guy doing our hosting.

The least impressive picture in this whole presentation, this is what the root zone looks like. I'm sure I'm doing some of my colleagues not a favor. You obviously have nicer looking examples. But it's not that impressive because it does a very simple job. It should be done well, but it does a very simple job.

Root zone has a list of roughly 1800 top level domains. Whenever somebody asks where can I find this particular Top Level Domain, it responds with an IP address and that's it.

And 1800 lines in a database is nothing in today's age. So it's more about network loads than about being able to answer specific queries.

As I already mentioned, IANA manages the root zone. The root zone is a file. And it's derived from the root zone database. The root zone database contains more information than just the zone file. As I mentioned, the zone file tells you: This is a name and you can find it at this IP address. And in the database you add additional layers. Who runs it? So there is the name of a person who is a technical administrator, who is the administrative contact. Where can I call them? What is their address? If they have more than one name server, which they really should, then this is the list of their name servers. So that's all in the database. So the file is much shorter. Obviously there's not one single file in the world that everybody queries. They have distributed it and it's copied. So there are 13 identical copies.

For each copy -- and it sounds a bit like Lord of the Rings -- but for each copy there is one well-established organisation responsible for maintaining its security and integrity. And everybody trusts that organisation. So in Europe you have two organizations that have a copy. It's RIPE, the guys who hand out the IP addresses, and one of the major providers of security solutions and for the technical operators.

And then those 13 copies get many, many, many more copies because there is, remember the carrot story, there is an incentive to have a copy.

If I'm an ISP and have a million users and all these users would every time have to query one of the copies, for instance an Amsterdam of the root, and pay for a lot of traffic back and forth from Brussels to Amsterdam or from Madrid to Amsterdam, if I have a copy of that zone file, which I can get a fresh copy every half hour or every hour, every time somebody queries, I can provide the response without having to go all the way. So it's more efficient. It's a carrot.

For example, four of those copies are hosted in Brussels. Very importantly, that root zone database was overseen by the U.S. government until last year, October 2016. The U.S. government handed out the oversight to a multistakeholder community that groups within ICANN. So it is the combination of the ccTLDs, the generic TLDs, the users, the governments, the technical operators, the security and stability committee. So there's a lot of people who now decide jointly on how to manage that zone file.

Before that, if any change was needed, the NTIA had physically, literally, to approve that by sending an okay confirmation.

A snippet from the zone file. See, it doesn't look that interesting. But it tells you where to find the zone, the name servers for EURid. They are doing a really good job. They have about 10. They have IPv4 and IPv6 and if you would trace those, they're spread all across the European Union. So well done.

The next record, the next name serving, the next name record in root zone file.

You have two types of top level domains: Country codes and generics. Quite self-explanatory. There are many more gTLDs these days.

ccTLDs are restricted. Only countries that have a code on the ISO 3166 alpha-2 list can get delegated a country code. Very important that this happens here because you would not want any other organisation but a UN agency to deal with or to decide on which is a country and which is not. So this is not a discussion that takes place in ICANN. If I'm separating a small community from the Belgium federal state, it's not ICANN that I should ask for permission to get my ccTLD. I should then convince the UN. If the UN puts it on the list then ICANN has a pretty easy job when managing the zone.

The most important difference, of course, is that these are managed locally. They serve local community. They serve that community based on its values and the way it expressed those values and local court decisions, too, which typically normally should reflect those local values, as well.

gTLDs, they run under a uniform contractual policy that is decided by that ICANN multistakeholder community. So it's not a matter of ICANN organisation, the 300 people that are working there that make these policies. But it's of a community that builds these policies. As a result, these policies are global.

And gTLDs, they pay a fee to ICANN, which is ICANN's main source of income.

Interesting discussions on the Cyrillic and Greek.eu. On gTLDs, we were thinking about discussions, we were thinking on (?) which triggered a really interesting discussion in ICANN. If I had champagne or champagne.whip he wine, does that mean that I'm officially can decide which wines can register on the third level? Is this a proof of concept for new geographic indicators system? So interesting policy discussion there.

So we're at the first level, right? That hidden dot that told us where to find EU. When you then go, you have the root zone told us where to find dot EU, with e to the next level, so the .EU at the end. So where do we find that information?

There is a WHOIS. Every registry runs a WHOIS. That has obviously privacy information implications. If something went wrong with a web site you knew who to contact. Hey your website is down. You couldn't probably write an email if their system is down but you could have called them because there is a phone. There is a fax, even.

So that was the initial purpose of the WHOIS. Now it's more used to I'm interested in buying your domain or there's something on your domain that I don't like and I want you to remove it. But there is a useful tool to facilitate that communication.

If you zoom in, you find these technical details.

It also contains -- remember the hierarchical system -- where to find the information of the system below. And so this is for (?) with all the name servers again IPv6 and IPv4 addresses. We're almost there.

We're going to -- I won't redo the movie but we come into some interesting cases here. So we're looking -- for example, .EU. This is inconvenient.

[Laughter]

Let's see if we can get it fixed. Otherwise, I'll try to talk you through the last couple of slides without the animation.

>> So (?)

>> PETER VAN ROSTE: I'd say around 40.

Yes, thank you. So the question, you type in a name. It first goes to your access provider and it asks for the IP address. The access provider has a machine that's called DNS resolver that does that part of the work. Its workload is spread so answering questions goes to the DNS resolver. The DNS resolver asks where dot EU is. It responds with an address. And it queries the .EU registry. For example, .EU responds with an address. Example.eu is queried, where to find the Web server as opposed to the email server. Responds with an address. And there we are. So we now know where to find information. And the traffic begins. So DNS is no longer relevant.

How does blocking work? There's a couple of ways of doing that. But all, as I hope you will be able to show, are inefficient.

So ask that question to your access provider and your access provider has been told by the government if anybody asks, don't respond. Ignore the question. Which is what happens when you get a 404 page. In most countries, I don't know about this one, in mine when you go to (?) you get a 404 response or you get diverted to the law enforcement website.

So, what else can happen? That is the access provider provides you with the wrong answer. And this is the re-direction that we get. So it provides you with an IP address that it knows is not the real one, but it sends you to a police-controlled server. And that one will then provide you with an answer saying you're trying to reach information that is illegal or based on a court order. So it will provide you with information and serving you a proper notice.

Why doesn't this -- there are a couple of other blocking techniques, but why doesn't this work? I think remember the exercise when I looked for the IP address and I typed that IP address into my browser, I just got to the content without the DNS? So this is obviously the main reason why the DNS is not the communication tool. It is a facilitator. It helps you memorize IP addresses. It helps you memorize an address without having to know the IP address.

So remove DNS from the whole system and it would become pretty annoying to use the Internet or sending emails, but it would still go. You would even shave off the 3 milliseconds that it takes to do the query. But it would probably take you longer to type that in.

So the easy way of circumventing DNS blocking is by just simply changing the domain name. It will take you 3 minutes and cost you depending upon the domain around 5 Euros. So if www.example.eu is blocked, it just uses a different language. Use (?).eu. So you register different domain name. You link to it the IP address and because the system was built to be resilient, it works. And that's the whole reason why we have DNS. Remember the secure security partner.

So working on that doesn't make sense.

>> Can you explain again? Because one of the things that the law enforcement people say is a problem because people don't understand how the Internet actually works is that so there's a domain, which somehow violates the law. And then they take down the domain. But since the IP address is still there, you can basically, then, put a different domain name and still end up going to the same IP address.

>> Of course. And taking down the domain, we might get to that if we have some more time. But taking down the domain, because the domain infringes the law, makes as much sense as removing a street address because the street address infringes the law. It can't. It's an address.

It's what's happening in the house that might be illegal, but removing the address or tearing it out of a directory or wiping it out from Google Street View doesn't make the place go away or make the illegal activity stop. It is what it is. You make it hard to find an address but nothing more.

But indeed if you would respond with a false address, so keep on saying the example.eu doesn't exist. Then if the people running example.eu think it's really important that their content remains online because of freedom, it's important that society understands what they want to share with them, and they just take a different domain. They link to it the IP address.

Most often, to be resilient, these sites already have multiple domains for that. Anybody taking or blocking one of them.

So, yes? We already did that trick. So you'd type in the IP address into your browser rather than the domain name and you have direct access to that server rather than to jump around asking where to find it. You don't need the domain name resolver.

Many companies, larger ones, run their own DNS resolver. So they would not run the law, when the government, courts, law enforcement tell the access provider to make their domain name servers resolver lie. You don't need to use that one. Most people do. It's automatically in your browser. I think I even had a screen shot there. But you can change. You can use your own. Or you can use for instance Google's. Google is very simple to remember. It's 8.8.8.8.

Change your DNS resolver to Google's 8.8.8.8 one and none of the local law enforcement instructions to the ISPs will have any effect on you.

And by the way, we keep on telling that story to law enforcement agencies, too. We're not trying to circumvent or undermine the really good work they're trying to do. We just want to make sure that they understand that what they're doing does not always make sense from a technical perspective.

This is an example where you basically have not the DNS resolver but your own resolver answer those questions. And the result is the same.

Yes, here it is. Third-party DNS. They're plentiful. Some of them are more trustworthy than others. Remember, Google is not a charity. So they are very happy for you to use their name server resolver because every time you ask them a question, they know that this is the type of traffic that you want to start. They know that this domain is quite important because many users are asking for it. It probably adds to their algorithms and increasing the value of that domain and putting it higher in their ranks.

So they have a purpose for doing that, but it is a technical -- it is possible to easily change that and use alternative addresses.

I'm sure that if you would ask EDRI, they could provide you with third-party organizations that will not abuse the traffic logs that your queries generate.

So we will enter this. Same thing. Different provider. Oh yes, one more. Web proxies. You could use some websites to change the course of your traffic by going through that web site typing in the address that you really want to reach, something where somewhere else and then that website is going to fetch that information for you. So practically if on a local level there is a block, access block, you are not visually or visibly looking for that information. You're looking for that third-party web site proxy.example. They look like this. Again obviously they abuse your traffic. They find it very interesting to know what you're looking for, what you're doing. And that information is most likely being sold when it's a free one.

You can pay more established ones that -- you would pay for ones that are definitely more safe, but I would not use proxy servers, but it is one way that people avoid blocking, traffic blocking.

And it's proxy.example that is then going to ask for example.EU.

And you see that none of this querying traffic and back and forth goes over this line. So whatever is blocked here on a national level has no impact.

And then you just end up to the example of the EU website.

Different things already mentioned to the dark net. Typically accessible through alternative browsers like Tor. What Tor does is it's based on the proxy principle. So it is not you going to specific contents, fetch specific content but you ask the second person to do that for you. It's actually way more complicated than that. You ask probably a dozen or 20 people to do that for you. And one just asks a colleague the same question.

It goes a bit slower. But it is almost untraceable of who is looking for what content. Tor is the onion routing. And it does perfectly what it describes. It builds layers of shields around a person asking for specific content or the identity of a person that is communicating with somebody else because you keep on passing on the traffic until everybody has lost track on who the original question came from. You just know that when you get an answer from whoever you ask, you pass it back to the person asking the question to you. And that's basically it. Less popular or ready, these slides are less than a year old. So things go fast. But a peer-to-peer-based data sharing system that would allow you to store information to have it accessible without easy identification.

So, conclusion on the blocking, blocking is a technical term and it describes a procedure. We block. It does not describe an outcome because actually we try to block but we probably hardly ever succeed.

I think there's a big difference in preventing users from accessing something accidentally. The type of reaction that you get is I didn't really want to see that. And try to prevent users that want to access content. Typically hired bay users do not end up there by accident. So we can try whatever we want. There are plenty of mechanisms that are easy to circumvent or they're easy to I don't to circumvent roadblocks on the way.

So what we strongly believe -- and obviously the training was more about than just blocking but I think it's a good example to link to the technical understanding on how things work. But education is crucial. I mean, we keep on educating law enforcement agencies and our commission officials. We give this training to the commission, to the parliament and to other stakeholders in Brussels to inform the debate.

Remember this one, that Nina started you with. So now you understand what happened, right? The French government told French ISPs mobile operators on Monday morning, this is a list every Monday morning, by the way. On "a" Monday morning, I think only last year. They sent them a list of sites to block. It's a manual thing. So most of operators took the list and looked at it and said Google is on here, and Amazon and Twitter. It's not the right list. One of the operators didn't check whether it was the right list.

[Laughter]

And they blocked Google amongst quite a few others. Ovioche was one of the most popular. It was a test list that had accidentally slipped. But the result was that all traffic or most of the traffic was diverted to the French Ministry of Interior Affairs.

[Laughter]

So they accidentally committed digital suicide. I'm sure that it is a perfect illustration on how dangerous it is to mess with the technical layer. And if people want to do so, they should be properly informed and understand what the impact is and be well aware of the societal, economic and political risks once you start mingling with the system it might be possible to mistake as we see here.

Another one with no time for that unfortunately. WannaCry was stopped because they used the DNS as kind of a check, a safety check. If a researcher would have taken WannaCry and put it in a box and close it from the outside world then there wouldn't be any connection possible with the DNS. By registering a name, all the viruses that were out in the wild checked whether the name was still available. It wasn't. So they thought they were in a box and they shut themselves down. So it was an interesting flaw in the software where the researchers definitely outwitted the virus writers. It was a really nice thing. So there the DNS plays a role, too.

You see it quite often that there's a link to the DNS and how that today's training, although ridiculously short, helped a little with. So thank you. You wouldn't believe it but we probably spoke about everybody on this list at least on a technical level.

The guys with cable and the fiber, root servers, the one in Frankfurt we saw, Internet exchange point, hosting providers, the large cabins, the racks that showed you in the centres. Domain registries, ccTLDs, we're hosting all European ccTLDs. We discussed ICANN and all the constituents. Governments, users, security.

We discussed the naming community. We focused on the European one, RIPE. We have formerly known as IANA now PTI, Public Technical Identifiers, that hand out the names and the numbers and do a bit of protocoling, too.

These guys, we and it's shameful but we didn't really discuss but they are the setting the standards. They are the real heroes of this story. They are engineers trust believe it or not are doing this in the spare time. They take a holiday for that and at an IGF meeting they discuss for four or five days they discuss how to build the next standard to have your IP traffic flow smoothly across the world.

They're doing incredible work. There are a couple of organizations that work on that, so IETF is probably the main, Internet -- is the other one. So accessibility browser. There is no government deciding on that. There is W3C saying for visually impaired, this is how we're going to build the standards. If your website wants to be accessible to the visually impaired, follow these standards and it will work. It's a carrot again. If you don't, nobody cares. Well probably visually impaired care quite a lot.

If you don't get punished, you're missing on a potential opportunity. But these standards bodies, I strongly urge you to look into it and how it works. It provides fascinating examples of governance stories. In IETF, it's not that common anymore but to reach consensus or to confirm consensus there's a humming sound going round the room. A lot of (?) and if some people don't hum, then they don't agree. But if the humming is overwhelming, then it seems to be fair to conclude that there is a standard set.

There is more detailed and fine-tuned ways of coming to consensus on some of the more delicate discussions, by the way, but just as an example.

There's a great document, IETF-- read it if you want to understand how it works. So perfect primer on whenever IETF is next to you, try to, ISOC provides tickets. Is anybody from ISOC here? I think ISOC still provides access.

ISOC, the Internet Society, which is you. Internet Society. They provide sponsorship to IETF, IAB and other standards bodies and the ISOC chapters. So they're doing a great job. If you're wondering where ISOC gets its money from: .org. Every .org domain that gets sold, significant part of that fee goes to ISOC. If you're an ISOC member, you pay a fee.

Carrots. Never forget it. Standardization doesn't work. If 30 years ago the ITU, which is the international telecommunications unit would have said "guys, let's sit down and build the Internet" I'm pretty confirmed that we wouldn't have it. It is not something that is set to quick adoption with Internet needs. So without further simplification, things worked very quickly. We learned how you can trace your rates or travel the world. If you want the visit another place, go trace routing and you'll see places.

Why we need the DNS? It helps useful for users, build some security into it. It's an old view on the same thing. But it's a hierarchical system. Every layer controls its own information. So there is no central point. And that one point that rules all the top level domains is managed by multistakeholder organisation.

So some corners were cut. But everything that I've told you was confirmed as accurate by our technicians.

Malcolm provide sod links. If you meet him, say hi and thank him for the slides at the end. Thank you. I don't know if we still have time left.

[Applause.]

Do we have time for questions? No.

[Laughter]

All right. But we'll stay around. Feel free to drop by. Thank you so much.


This text is being provided in a realtime format. Communication Access Realtime Translation (CART) or captioning are provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings.