logo Stichting NLnet Labs

Stichting NLnet Labs Annual Report 2002
Office: Kruislaan 419
1098 VA Amsterdam
The Netherlands
e-mail: info@nlnetlabs.nl
web: http://www.nlnetlabs.nl
KvK: Chamber of Commerce Amsterdam, nr 34126276

Annual Report 2002 Stichting NLnet Labs

1. Introduction

NLnet Labs was founded in 1999 by Stichting NLnet to develop, implement, evaluate and promote new protocols and applications for the Internet.

The NLnet Labs offices are located in the Amsterdam Science Park (ASP) where traditionally most Internet development in The Netherlands has taken place. The ASP is still very important for the Internet, as it is the location of the Amsterdam Internet Exchange (AMS-IX), in which vicinity many Internet companies can be found.

2. Activities of Stichting NLnet Labs in 2002

The goal of NLnet Labs is to contribute knowledge to the Internet. This can be achieved by software development, but also by educating people to develop software elsewhere. NLnet Labs' staff therefore not only focuses on software development defined in projects, but also on collaboration with other organisations. The budget of NLnet labs is based on long term (15 years) investment for development with a staff of five to six people.

The main challenge for 2002 was to increase the number of developers. An additional goal was to increase and improve collaboration with other organisations. By hiring two more developers, setting up a formal (paid for) relation with SIDN, and having NSD running on one of the rootservers (k.root-servers.net) and on a large and important secondary server (ns.eu.net) both goals were accomplished.

Staff, projects and collaboration are the topics addressed in this section.

2.1 Staff

The 5 developers within NLnet Labs in 2002: Alexis Yushin, Miek Gieben, Erik Rozendaal (started in February), Ronald van der Pol (started in June), and Ted Lindgreen (director) worked on the projects described in the next section.

2.2 Projects

NLnet Labs focussed in 2002 on four projects: DNSSEC, IPv6, NSD, and the Query Analyser.

2.2.1 DNSSEC

The DNSSEC project started in 2000 with a study of the scaling issues involved in deploying DNSSEC for large domains. This study proved that DNSSEC scaled better (i.e. less loss of performance) than previously feared by many. This resulted in a renewed interest in DNSSEC.

In 2001 the focus was on deployment at TLDs, and a testbed where DNSSEC was implemented in a secure shadow tree of .nl, called .nl.nl, was set up. This work revealed a new scaling issue, namely with respect to the administration of keys at registries.

In 2001 also another change to RFC 2535 was proposed: OptIn. This proposal fundamentally changes the way DNSSEC will be used, as it introduces partial security within a zone. This proposal did not meet consensus in the IETF dnsext working group in 2001, and also not in 2002. Because of this, NLnet Labs had frozen parts of the work on DNSSEC; in particular the planned release of a BCP (a Best Current Practice document) has to wait until the OptIn issue is resolved, as practice will be very different with or without OptIn.

In 2002, NLnet Labs worked on two issues for DNSSEC: A shadow .nl registry

The former experiment in collaboration with SIDN, the .nl.nl experiment was completed and closed halfway 2002. A new experiment was set up, again in collaboration with SIDN, this time to run a fully secure shadow registry for .nl. This registry is to run completely synchronously with the real .nl registry, with the only difference that it is fully secured and contains DS records for the secured delegations. There are three nameservers, one at SIDN, one at NLnet Labs, and one at the Swedish registry. The .se registry is doing a similar experiment for which NLnet Labs also runs a secondary. One of the .nl shadow nameservers has recursion enabled. When this server is used as forwarder, the resolver has a secured view on the .nl tree.

In order to achive the necessary cooperation with SIDN, which is vital to keep both versions of the registry in sync, SIDN has hired one NLnet developer (Miek Gieben) as a consultant for one day per week. This started in September 2002 and runs until September 2003. A secure aware resolver

Although it is still unclear whether OptIn will be standardized or not, we are continuing on trying to write a secure aware resolver. This is more complicated than expected, and this work is still revealing new and unforseen complications.

2.2.2 IPv6

With the employment of van der Pol NLnet Labs could bring its involvement in IPv6 up to speed again. A successful IPv6 Awareness Day for ISPs was organised together with Nikhef, CWI, XS4ALL, BIT and AMS-IX. As a result the number of ISPs exchanging IPv6 traffic over the AMS-IX, doubled.

Van der Pol has produced a special IPv6 SOHO router image, based on NetBSD. This image can be put on floppy or flashcard to be loaded onto small i386 hardware. A collaboration with SURFnet has been set up to make small Soekris boxes available as IPv6 SOHO routers for IPv6 experiments.

Long term (4 years) analysis of the 6bone routing table was done using the daily 6bone reports of MERIT. Several plots were generated that show the (mostly exponential) growth of IPv6.

Work started in collaboration with RIPE NCC to port the RIS software to IPv6.

Lastly, work has been done on several Internet Drafts for the v6ops working group in the IETF.

2.2.3 NSD

NSD is nameserver software aimed at usage on large and/or important authoritative nameservers, such as the root-nameservers and TLDs. The idea to write this software came up at the RIPE 40 meeting in October 2001 in Prague, Czech Republic.

It was observed that all rootservers and most TLDs were converging to use exactly the same software: the latest version of the BIND-8 software. This because the development of BIND-8 has stopped, and both its successor, BIND-9, and all other alternatives are not, or at least not yet, suitable for these nameservers. It was generally felt that all rootservers using the same software was an unacceptable risk.

NSD version 1.0.2 has been released and was installed on ns.EU.net and k.root-servers.net. The next version, 1.1.0, will be a clean rewrite in ANSI-C, and subsequent versions will support DNSSEC.

2.2.4 Query Analyser

During the preparation for the work on NSD, NLnet Labs studied traces of queries and replies to the K-rootserver. From these traces we learned that many queries were repeating, non-functional queries. For instance the same host asking for the same RR, which could not be resolved due to some configuration error down the tree. Instead of returning an error to the requesting application, some (broken) resolvers enter a loop, asking the same question over and over, starting at a root-server.

The original plan was to write three software parts: a tool to analyse the stream of queries in real-time, and outputting "suspect" queries; a hook in NSD to give those queries a special treatment, like dropping or delaying the request; and thirdly an intermediate format with tools, to be updated from the analyser and to steer the hook in NSD.

Because NSD turned out to be much faster than expected, and fast enough to just answer bad, looping queries, the NSD hook is not implemented. The Query Analyser itself is completed and released under BSD licence. It can be used as a tool to inspect nameserver traffic, which is very useful on its own.

2.2.5 Donkey

The Donkey project aims at setting up a KEY infrastructure apart from DNSSEC. Many projects are waiting on DNSSEC to provide public keys but sofar DNSSEC is stalling. On the other hand, the pressure to implement DNSSEC just to provide a KEY infrastructure seems to work counterproductive on the progress of DNSSEC. This project is the first result of the collaboration with the IIDS Research Group at the VU.

2.2.6 A-A-P

A-A-P is a project by Bram Molenaar. A-A-P makes it easy to locate, download, build and install software. It also supports browsing source code, developing programs, managing different versions and distribution of software and documentation. This means that A-A-P is useful both for users and for developers. Bram Molenaar, although formally an NLnet Labs employee, reports directly to the Board of Stichting NLnet. For more information on A-A-P see http://www.a-a-p.org/

2.2.7 Atom-Based Routing

The Atom-Based Routing project is carried out at CAIDA in San Diego, under direction of k claffy, and in cooperation with RIPE NCC and NLnet Labs. NLnet Labs sponsers RIPE NCC to employ Patrick Verkaik for this work. This project tries to find an answer to the ever increasing number of BGP route-prefixes. For more information see http://www.caida.org/projects/routing/atoms/

2.2.8 IODEF

The IODEF (Incident Object Description and Exchange Format) project started in 2000 in the TERENA IODEF WG (overseen by TF-CSIRT) which delivered RFC 3067 on the IODEF Requirements and an internal draft on the IODEF Datamodel and the XML Dtd. This TERENA project ended in January 2002.

The work on IODEF transferred to the IETF INCH (Incident Handling) Working Group established at IETF54 after two successful BOFs at IETF52 and IETF53. One I-D on IODEF Datamodel and XML Dtd had been submitted as individual submission before IETF53 and will be re-submitted as INCH WG I-D before the next IETF55. Authors of the main I-D on IODEF Datamodel and XML Dtd are Yuri Demchenko (formerly TERENA), Roman Danyliw (CERT/CC) and Jan Meijer (SURFnet, CERT-NL). The presentation of Yuri Demchenko at the 55th IETF (November 17-21, 2002; Atlanta, Georgia, USA) was made possible by NLnet Labs.

2.3 Collaboration with other organisations

NLnet Labs has been co-operating with SIDN and CENtr on DNSSEC since the very start of the project in early 2000. This co-operation will continue in 2002-2003, and likely as long as it takes to implement DNSSEC at TLDs.

NLnet Labs works together with RIPE NCC on the DNSSEC and the NSD projects, and also on Donkey. Ted Lindgreen chairs a RIPE working group (the TechSec group).

The IPv6 SOHO router has lead to collaboration with SURFnet.

The Atom-Based Routing project is a collaboration with CAIDA.

In 2002 NLnet Labs started collaboration with NLnet's IIDS Research Group at the VU. The focus of this collaboration is currently on scalability issues for directory services (which includes the Donkey results) and security/trust in large scale systems.

Furthermore NLnet Labs actively participates in various IETF working groups.

2.4 Plans for 2003

2.4.1 A new direction

Now that the staff of NLnet Labs is complete and we have set up collaboration with other institutes, our new challenge is to refocus our development efforts. We are trying to do this in close cooperation with the IIDS group at the VU. The Donkey project is the first project in this collaboration. We hope and expect that this leads to other new projects.

2.4.2 The current projects

We have still hope that DNSSEC standardization problems will be resolved. In the mean time we will continue assisting CENtr members (like SIDN and DENIC) in implementing DNSSEC in the country code toplevel domains (ccTLDs). As soon as the standards converge again, we plan to increase our work on the secure aware resolver and related issues.

IPv6 is an ongoing effort in 2003.

NSD needs DNSSEC support, and also the release engineering needs to be improved.

Both the A-A-P and the Atom-Based Routing projects will be finalized in 2003.

2.5 More information

More information on past, current and planned projects can be found at: http://www.nlnetlabs.nl/

3. Organisation

Stichting NLnet Labs was founded on December 28, 1999 by Stichting NLnet. Its Board consists of three members and has remained unchanged in 2002:

Teus Hagenchairman
Frances Braziersecretary
Wytze van der Raaytreasurer

Seven Board meetings took place in the year 2002:

January 29, 2002Amsterdam
March 8, 2002Amerongen
April 25, 2002Amsterdam
July 3, 2002Amsterdam
September 3, 2002Amsterdam
October 10, 2002Amerongen
December 4, 2002Amsterdam

Ted Lindgreen is the managing director of Stichting NLnet Labs. He continues to be responsible for the daily management of all activities of the Open Source network software development laboratory, including development of strategies and plans for new activities.

Four staff members worked for NLnet Labs in 2002:

In addition, Bram Moolenaar was and is employed for the duration of the A-A-P project (March 1, 2002 to September 30, 2003).

NLnet Labs sponsors RIPE NCC to employ Patrick Verkaik. Patrick works at CAIDA in San Diego on the Atom-Based Routing project, which started in September 2002 and is planned to be finalised in October 2003.

NLnet Labs sponsered the participation of Yuri Demchenko at the 55th IETF conference in Atlanta, where he presented his work on IODEF.

NLnet Labs rents office space in the Matrix I building in the Amsterdam Science Park in Amsterdam, very close to one of the most important internet interconnection centres in Europe.

4. Finances

Stichting NLnet Labs primarily finances its projects and activities from grants obtained from its parent organisation Stichting NLnet. In addition, income may be obtained by providing Open Source internet based consultancy and/or programming services to third parties. A contract for the support of DNSSEC at SIDN, the Dutch top-level domain registry, was a source of additional income in the latter category.

4.1 Fiscal status

Stichting NLnet Labs has been set up as a non-profit organisation, with general benefit objectives. Its request to be classified as an entity with general benefit objectives within the meaning of the Successiewet 1956 (article 24 sub 4) has been granted by the Dutch tax office (department Registratie en Successie) on February 2, 2000. Due to this status, Stichting NLnet Labs can receive grants from Stichting NLnet (with the same general benefit objective classification) without considerable tax consequences.

Because Stichting NLnet Labs may provide consultancy and/or development services based on its Open Source and internet expertise, to commercial third parties, it has also applied for registration as a Value Added Tax-registered entity. This registration has been provisionally provided by the tax inspection on March 15, 2000.

Based on its non-profit status, Stichting NLnet Labs does not expect to become subject to company tax (vennootschapsbelasting in Dutch).

Since Stichting NLnet Labs employs staff, it has been registered for Social Security insurances with UWV GAK, in the sector commercial services II (BV 25).

4.2 Administration

Since January 1, 2000, the books are kept by the treasurer. At the beginning of 2002 the administration has been converted to the Exact Compact 2000 accounting software package.

The salary administration has been contracted out to the Salarisadviesgroep Rayon Centrum of PricewaterhouseCoopers in Utrecht. This group also prepares the salary tax forms. Due to capacity problems at PricewaterhouseCoopers Utrecht, PricewaterhouseCoopers requested Stichting NLnet Labs to make a switch on July 1, 2002 to the Financial Management Solutions group of PricewaterhouseCoopers in Amsterdam.

PricewaterhouseCoopers Accountants has been charged with compiling and auditing Stichting NLnet Labs's Annual Accounts 2002. The accountancy report is a separate document with this Annual Report.

4.3 Income in 2002

At the end of 2001, a budget was drawn up for the expected staffing level and activities of NLnet Labs during the year 2002, with a total of € 316.000. Based on this a grant was requested from Stichting NLnet for € 316.000 during 2002. Stichting NLnet has allocated these funds for 2002, to be received by NLnet Labs on a growing quarterly basis, i.e. € 62.000 in the first quarter, € 74.000 in the second quarter, and € 90.000 in each of the last two quarters.

In March 2002 NLnet Labs agreed to run Stichting NLnet's A-A-P development project with the understanding that all additional staff and other costs attributable to A-A-P would be covered by an additional grant from Stichting NLnet. A total of € 52.247 was received in 2002 for this purpose.

In September 2002, NLnet Labs requested an additional grant from Stichting NLnet for its Atom-Based Routing project, to be performed in cooperation with RIPE NCC in Amsterdam and CAIDA in San Diego, between October 2002 and November 2003. A grant for a total of € 15.533 was received in 2002 to cover the additional costs attributable to Atom-Based Routing in 2002.

The net result of that is that Stichting NLnet Labs received a total of € 383.780 from Stichting NLnet during 2002.

Also, long-standing expectations about income from possible consulting activities in the DNS / DNSSEC area, did materialize in 2002 in the form of a one-year consulting contract with SIDN, which extends until October 2003.

The only other source of income during 2002 was interest derived from a savings account used to deposit funds temporarily. This amounted to € 1.400.

Summarizing the 2002 income:

  2002 2001
  actual actual

Donations general 316.000 153.000
Donations for A-A-P project 52.247 -
Donations for Atom-Based Routing project 15.533 -
Consultancy income 10.496 -
Interest income 1.400 2.184

Total 395.676 155.184

4.4 Expenditure in 2002

The major expenditure categories of NLnet Labs in 2002 are summarised below:

  2002 2001
  actual actual

Staff 300.283 144.873
Atom-Based Routing project 15.533 -
IODEF project 1.452 -
Housing 17.213 16.390
Depreciation 6.331 7.260
Other costs 36.520 24.153

Total 377.332 192.676

Thus total income in 2002 was slightly larger than expenditure; the positive result of € 18.344 has been used to strengthen the financial reserve somewhat. As a result, the financial reserve at the start of 2003 is € 28.259.

4.5 Budget for 2003

The provisional budget for 2003 as approved by the Board in its meeting on January 22, 2003, is as follows:

2003 2002
  budget actual

Staff 293.400 300.283
Housing 18.012 17.213
Depreciation 7.320 6.331
Other costs 38.100 36.520

Total 356.832 360.347

Please note that the costs for the A-A-P and Atom-Based Routing projects have not been included in these budget estimates, since they are covered by two separate grants continuing from 2002 into 2003. Also, possible costs for extra manpower needed for a new project named Donkey have not been included yet in this budget.

Since NLnet Labs expects to receive some income from its consulting contract with SIDN, the projected deficit for 2003 comes down to € 325.000. A request for four quarterly grants of € 81.250, thus for a total of € 325.000 in 2003, has been submitted to Stichting NLnet. Stichting NLnet has approved these grants on January 31, 2003.