Annual Report 2004 Stichting NLnet Labs
Independent lab for Internet infrastructure development
Office: Kruislaan 419, 1098 VA Amsterdam, The Netherlands
e-mail: info@nlnetlabs.nl
web: http://www.nlnetlabs.nl
KvK: Chamber of Commerce Amsterdam, nr 34126276
1. Introduction
NLnet Labs was founded in 1999 by Stichting NLnet to develop, implement, evaluate and promote new protocols and applications for the Internet.
The NLnet Labs offices are located in the Amsterdam Science Park (ASP), where traditionally most Internet development in The Netherlands has taken place. The ASP is still very important for the Internet, as it is the location of the Amsterdam Internet Exchange (AMS-IX), in whose vicinity many Internet companies can be found.
2. Activities of Stichting NLnet Labs in 2004
The goal of NLnet Labs is to contribute knowledge to the Internet. This can be achieved by software development, and also by educating people to develop software elsewhere. NLnet Labs' staff therefore not only focuses on software development defined in projects, but also on collaboration with other organisations. The budget of NLnet Labs is based on long term (15 years) investment for development with a staff of five to six people.
Staff, projects and collaboration are the topics addressed in this section.
2.1 Staff
NLnet Labs employed seven people in 2004: Miek Gieben, Erik Rozendaal, Ronald van der Pol, Martin Pels (from February until July), Jelte Jansen (from March 1), Jaap Akkerhuis (from August 1), and Ted Lindgreen (director) to work on the projects described in the next section.
2.2 The main projects
NLnet Labs focussed in 2004 on DNSSEC, NSD, and the TestLab.
2.2.1 DNSSEC
The DNSSEC project started in 2000 with a study of the scaling issues involved in deploying DNSSEC for large domains. This study proved that DNSSEC scaled better (i.e. less loss of performance) than previously feared by many. This resulted in a renewed interest in DNSSEC.
In 2001 the focus was on deployment at TLDs, and a testbed where DNSSEC was implemented in a secure shadow tree of .nl, called .nl.nl, was set up. This work revealed a new scaling issue, namely with respect to the administration of keys at registries. A new record type "DS" (Delegation Signer) was proposed to solve this issue.
Also in 2001, another change to RFC 2535 was proposed: OptIn. This proposal fundamentally changes the way DNSSEC will be used, as it introduces partial security within a zone. This proposal did not meet consensus in the IETF dnsext working group until mid 2003. At the 57th IETF (Vienna, July 13-18) it became clear that OptIn would become either informational or experimental. It was also clear that there was consensus to standardize the DS proposal and some other minor issues in a new RFC with working title RFC2535bis. The new (proposed) standard was ready in 2004, but it took until Q1 2005 before it was finally published as RFC 4033, 4034 and 4035.
In 2004, NLnet Labs worked mainly on DNSSEC deployment, which is work without much visibility. Part of the work was promoting DNSSEC deployment by actively participating in various fora like IETF, RIPE, ISOC-international, and the DNSSEC deployment group. Most of this work is done by Jaap Akkerhuis. The other part was to build security-aware tools: a demo-resolver (Martin Pels), a DNSSEC debugging tool (Miek Gieben and Jelte Jansen), and a library with various DNSSEC tools (ldns).
The .nl experiment was closed on 28 December 2003, after we concluded that there are no more showstoppers in the proposal for RFC2535bis. After this, it appeared that SIDN had lost interest in further testing DNSSEC deployment. Hopefully this will change in the future.
2.2.2 NSD
NSD is nameserver software aimed at usage on large and/or important authoritative nameservers, such as the root-nameservers and TLDs. The idea to write this software came up at the RIPE 40 meeting in October 2001 in Prague, Czech Republic.
It was observed that all rootservers and most TLDs were converging to use exactly the same software: the latest version of the BIND-8 software. This is because the development of BIND-8 has stopped, and both its successor, BIND-9, and all other alternatives are not, or at least not yet, suitable for these nameservers. It was generally felt that all rootservers using the same software was an unacceptable risk.
During 2002, and until April 2003, Alexis Yushin wrote most of the code of the initial versions. From May 2003, Erik Rozendaal took over the development. A rewrite of large portions of the code was needed to implement DNSSEC in a clean way. This rewrite was completed in 2003. In 2004 the new version was released with DNSSEC disabled by default, but it can easily be switched on. This default is to be changed as soon as DNSSECbis is published as (proposed) standard (Q1 2005). NSD runs on two root nameservers, a few percent of all TLD servers, and various other nameservers.
2.2.3 IPv6
Ronald van der Pol is co-author of RFC 3750 (Unmanaged Networks IPv6 Transition Scenarios) and RFC 3904 (Evaluation of IPv6 Transition Mechanisms for Unmanaged Networks), which were published in 2004 by the IETF v6ops working group.
Little progress was made on other IPv6 projects.
2.3 TestLab
In 2003 we installed the RIPE-NCC "DISTEL" testlab at NLnet Labs. This testlab was designed by Daniel Karrenberg. The current TestLab consists of three Athlon systems and one Alpha system. They are connected both on a private network and on the Labs-LAN.
It was planned to have a repository of traces from various root- and TLD-nameservers, and to conduct tests on a regular basis so as to obtain and publish progress of the use of IPv6, EDNS0, DNSSEC, and other developments. To obtain and maintain the repository of traces, co-operation was sought with RIPE, SIDN, and ISC. However, despite multiple efforts, we have not yet succeeded in receiving traces on a regular basis.
2.4 Collaboration with other organisations
NLnet Labs has been co-operating with SIDN and CENTR on DNSSEC since the very start of the project in early 2000. However, after the (successful) completion of implementing DNSSEC on a shadow registry for .nl, it seems that SIDN has lost interest in both development and further co-operation with NLnet Labs.
NLnet Labs still works together with RIPE-NCC on the Testlab, the DNSSEC and the NSD projects.
Ted Lindgreen chairs the TechSec RIPE working group and Jaap Akkerhuis is one of the chairs of the RIPE DNS working group.
On invitation of ISOC and RIPE, Jaap Akkerhuis has participated in offering a training for managers and administrators of the new and fast-growing ccTLDs. The course took place in Thailand, but the effort has led to setting up ISOC trainings on a regular basis.
In 2002 NLnet Labs started collaboration with NLnet's IIDS Research Group at the VU. This collaboration did not work out as hoped and expected, and was put on hold mid-2004. We hope to revive this collaboration in 2005 again.
Furthermore NLnet Labs actively participates in the following IETF working groups:
- dnsext - DNS Extensions
- ipv6 - IP Version 6 Working Group
- v6ops - IPv6 Operations
- zeroconf - Zero Configuration Networking
- dnsop - Domain Name System Operations
- rtgarea - routing area
and in the following RIPE working groups:
- DNS - Domain Name System questions and issues.
- IPv6 - IP version 6 related issues and questions.
- Routing - Issues dealing with routing architecture for the European Internet.
- TechSec - Discuss the technical aspects of Internet security technology.
2.5 Plans for 2005
2.5.1 DNSSEC
In 2005 NLnet Labs will continue to focus on getting DNSSEC implemented. As the (new) standard has now been published, most of the work will be producing and testing the resolver and the signing procedures, including administration and debugging tools. These tools will be built around the ldns library.
Miek Gieben and Jelte Jansen will be doing most of this work, so no extra manpower is needed.
2.5.2 NSD
NSD has matured, so little new development is needed. There will be some development on tools outside the NSD-core, like AXFR and IXFR support, but most of the work will be maintenance.
2.5.3 TestLab
Setting up a traces repository and doing tests on a regular basis is still aimed for. However, this depends on the availability of traces.
2.5.4 HIP
The Host Identity Protocol architecture introduces a new layer between the "Transport" and "Internetworking" layer. HIP provides a method of separating the end-point identifier and locator roles of IP addresses. It introduces a new Host Identity (HI) name space, based on public keys, that function as the end-points of sockets. When a host moves from one network to another e.g. as a multi-homing node, or a mobile node, sockets will remain bound to the HI but the binding between the HI and the transport layer will need to be dynamically updated. The HIP architecture provides methods to do this securely.
The idea to work on HIP is from Olaf Kolkman, who will start working for NLnet Labs in September 2005. It is planned that Olaf takes over the management of Labs in January 2006. Olaf proposes that NLnet Labs does a pilot study to:
- Acquire expertise by running HIP-based services on several machines.
- Establish initial contacts with the main players in the field, such as individuals in the IETF HIP-WG.
- Identify which architecture components need development and design a prototype for one of these components.
2.6 Software testing for other NLnet projects
On request of the NLnet foundation, NLnet Labs will test released and pre-released software from other NLnet projects, provided that NLnet Labs has the necessary skills and knowledge in house. It is expected that the necessary manpower can be scheduled on an ad-hoc basis.
2.7 Workshops, presentations and publications
The following workshops, presentations and/or publications were given/produced by NLnet Labs in 2004:
- DNSSEC in NL (final report) by Miek Gieben
  http://www.nlnetlabs.nl/dnssec/dnssecnl/secreg-report.pdf
- RIPE 47, January 2004, Amsterdam (NL): DNSSEC in NL by Miek Gieben
  http://www.nlnetlabs.nl/dnssec/pres/ripe47/index.html
- RIPE 47, January 2004, Amsterdam (NL): Modifying NSD for DNSSEC: Design, Implementation, Performance by Erik Rozendaal
  http://www.ripe.net/ripe/meetings/ripe-47/presentations/ripe47-dn-dnssec-nsd.pdf
- RIPE 48, May 2004, Amsterdam (NL): NSD Status Update by Ted Lindgreen
  http://www.nlnetlabs.nl/presentations/RIPE-48/html-ted/
- RIPE 48, May 2004, Amsterdam (NL): Application - Resolver communication in DNSSEC by Miek Gieben
  http://www.nlnetlabs.nl/presentations/RIPE-48/html-miek/
- RIPE 48, May 2004, Amsterdam (NL): Secure resolver developments by Jelte Jansen
  http://www.nlnetlabs.nl/presentations/RIPE-48/html-jelte/
- Cisco Protocol Journal Volume 7, Number 2, June 2004: DNSSEC: The Protocol, Deployment, and a Bit of Development by Miek Gieben
  http://www.cisco.com/en/US/about/ac123/ac147/archived_issues/ipj_7-2/dnssec.html
- RIPE 49, September 2004, Manchester (UK): Wild Card Report (Redirection in the COM and NET Domains) by Steve Crocker and Jaap Akkerhuis
  http://www.ripe.net/ripe/meetings/ripe-49/presentations/ripe49-dns-wildcard.pdf
- ccTLD Workshop, October 2004, Bangkok (Thailand): DNS/ccTLD Technical Training Workshop by Jaap Akkerhuis et al.
  http://ws.edu.isoc.org/workshops/2004/ccTLD-bkk/
- draft-ietf-dnsop-resolver-application-interface-00.txt: DNSSEC Resolver Interface to Applications by Miek Gieben, G. Guette and O. Courtay
  http://www.nlnetlabs.nl/dnssec/draft-gieben-resolver.txt
- draft-ietf-dnsop-dnssec-operational-practices-04-pre-1.txt: DNSSEC Operational Practices by Olaf Kolkman and Miek Gieben
  http://www.nlnetlabs.nl/dnssec/draft-ietf-dnsop-dnssec-operational-practices-04.txt
- draft-gieben-bert-response-00.txt: Online Signing of Negative and Wildcard Responses by Miek Gieben
  http://bgp.potaroo.net/ietf/idref/draft-gieben-bert-response/
2.8 More information
More information on past, current and planned projects can be found at:
3. Organisation
Stichting NLnet Labs was founded on December 28, 1999 by Stichting NLnet. Its Board consists of three members and has remained unchanged in 2004:
name | function | end of term
---|---|---
Teus Hagen | chairman | December 28, 2005
Frances Brazier | secretary | December 28, 2005
Wytze van der Raay | treasurer | December 28, 2005
Six Board meetings took place in the year 2004:
date | place
---|---
January 14, 2004 | Amerongen
March 10, 2004 | Amsterdam
May 13, 2004 | Amsterdam
August 18, 2004 | Amsterdam
October 7, 2004 | Amsterdam
December 7, 2004 | Amsterdam
Ted Lindgreen is the managing director of Stichting NLnet Labs. He continues to be responsible for the daily management of all activities of the Open Source network software development laboratory, including development of strategies and plans for new activities.
Six staff members worked for NLnet Labs in 2004:
- Miek Gieben, from June 1, 2000 (still employed)
- Erik Rozendaal, from February 15, 2002 (still employed)
- Ronald van der Pol, from June 1, 2002 (until April 1, 2005)
- Martin Pels, from February 23, 2004 until July 9, 2004
- Jelte Jansen, from March 1, 2004 (still employed)
- Jaap Akkerhuis, from August 1, 2004 (still employed)
NLnet Labs rents office space in the Matrix I building in the Amsterdam Science Park in Amsterdam, very close to one of the most important internet interconnection centres in Europe.
4. Finances
Stichting NLnet Labs primarily finances its projects and activities from grants obtained from its parent organisation Stichting NLnet. In addition, income may be obtained by providing Open Source internet based consultancy and/or programming services to third parties. A contract for consultancy at SIDN, the Dutch top-level domain registry, was a source of additional income in 2004 in the latter category.
4.1 Fiscal status
Stichting NLnet Labs has been set up as a non-profit organisation, with general benefit objectives. Its request to be classified as an entity with general benefit objectives within the meaning of the Successiewet 1956 (article 24 sub 4) has been granted by the Dutch tax office (department Registratie en Successie) on February 2, 2000. Due to this status, Stichting NLnet Labs can receive grants from Stichting NLnet (with the same general benefit objective classification) without considerable tax consequences.
Because Stichting NLnet Labs may provide consultancy and/or development services based on its Open Source and internet expertise, to commercial third parties, it has also applied for registration as a Value Added Tax-registered entity. This registration has been provisionally provided by the tax inspection on March 15, 2000.
Based on its non-profit status, Stichting NLnet Labs does not expect to become subject to company tax (vennootschapsbelasting in Dutch).
Since Stichting NLnet Labs employs staff, it has been registered for Social Security insurances with UWV GAK, in the sector commercial services II (BV 25).
4.2 Administration
The books of Stichting NLnet Labs are kept by the treasurer.
The salary administration has been contracted out to the Financial Management Solutions group of PricewaterhouseCoopers in Rotterdam. This group also prepares the salary tax forms.
PricewaterhouseCoopers Accountants has been charged with compiling and auditing Stichting NLnet Labs's Annual Accounts 2004. The accountancy report is a separate document with this Annual Report.
4.3 Income in 2004
At the start of 2004, a budget was drawn up for the expected staffing level and activities of NLnet Labs during the year 2004, with a total of €299.340. This budget excluded the cost for a possible expansion of the staff in the course of 2004 with one to two persons. Based on this budget and the expected consultancy income, a grant was requested from Stichting NLnet for €274.000 during 2004, with the option to request an additional grant if the desirable staff expansion could be effectuated. Stichting NLnet allocated these funds for 2004, to be received by NLnet Labs on a quarterly basis, €68.500 per quarter.
Based on the successful staff expansion realised by employing Jelte Jansen and Jaap Akkerhuis in the course of 2004, an additional grant of €66.000 was requested from Stichting NLnet in August 2004, and this was granted in September 2004.
The net result of that is that Stichting NLnet Labs received a total of €340.000 from Stichting NLnet during 2004.
Also, a new consultancy contract with SIDN over the period September through December 2004 brought in some additional income of €14.000, but this was less than budgeted.
The only other source of income during 2003 was interest derived from a savings account used to deposit funds temporarily. This amounted to €1.442.
Summarizing the 2004 income:
 | 2004 actual | 2003 actual
---|---|---
Donations general | 340.000 | 325.000
Donations for Fonkey | - | 35.000
Donations for A-A-P project | - | 49.409
Donations for Atom-Based Routing project | - | 50.051
Consultancy income | 14.000 | 41.648
Interest income | 1.442 | 1.555
Total | 355.442 | 502.664
4.4 Expenditure in 2004
The major expenditure categories of NLnet Labs in 2004 are summarised below:
 | 2004 actual | 2003 actual
---|---|---
Staff | 310.039 | 364.002
Atom-Based Routing project | - | 50.051
Housing | 22.799 | 20.616
Depreciation | 7.184 | 5.067
Other costs | 34.055 | 36.454
Total | 374.077 | 476.190
Thus total income in 2004 was somewhat less than expenditure; the negative result of €18.635 has been taken out of the financial reserve. As a result, the financial reserve at the start of 2005 is €36.099.
4.5 Budget for 2005
The provisional budget for 2005 as approved by the Board in its meeting on December 7, 2004, is as follows:
 | 2005 budget | 2004 actual
---|---|---
Staff | 412.800 | 310.039
Housing | 23.400 | 22.799
Depreciation | 6.840 | 7.184
Other costs | 36.960 | 34.055
Total | 480.000 | 374.077
The 2005 budget looks considerably bigger than the realisation for 2004, in particular the staff budget. There are two reasons for this:
- the size of the staff has been expanded over the year 2004 to the desired level, which NLnet Labs intends to maintain in 2005 (and beyond);
- NLnet Labs expects to appoint a new managing director in the second half of 2005, while its current managing director will remain employed for a transition period until the end of 2005.
Since NLnet Labs expects to receive some income from consulting activities, the projected deficit for 2005 comes down to €447.000. A request for four quarterly grants of €111.750, thus for a total of €447.000 in 2005, has been submitted to Stichting NLnet. Stichting NLnet has approved these grants on January 27, 2005.