|Stichting NLnet Labs||Annual Report 2004|
1098 VA Amsterdam
|Chamber of Commerce||Amsterdam, nr 34126276|
NLnet Labs was founded in 1999 by Stichting NLnet to develop, implement, evaluate and promote new protocols and applications for the Internet.
The NLnet Labs offices are located in the Amsterdam Science Park (ASP) where traditionally most Internet development in The Netherlands has taken place. The ASP is still very important for the Internet, as it is the location of the Amsterdam Internet Exchange (AMS-IX), in which vicinity many Internet companies can be found.
The goal of NLnet Labs is to contribute knowledge to the Internet. This can be achieved by software development, and also by educating people to develop software elsewhere. NLnet Labs' staff therefore not only focuses on software development defined in projects, but also on collaboration with other organisations. The budget of NLnet Labs is based on long term (15 years) investment for development with a staff of five to six people.
Staff, projects and collaboration are the topics addressed in this section.
NLnet Labs employed seven people in 2004: Miek Gieben, Erik Rozendaal, Ronald van der Pol, Martin Pels (from February until July), Jelte Jansen (from March 1), Jaap Akkerhuis (from August 1), and Ted Lindgreen (director) to work on the projects described in the next section.
NLnet Labs focussed in 2004 on DNSSEC, NSD, and the TestLab.
The DNSSEC project started in 2000 with a study of the scaling issues involved in deploying DNSSEC for large domains. This study proved that DNSSEC scaled better (i.e. less loss of performance) than previously feared by many. This resulted in a renewed interest in DNSSEC.
In 2001 the focus was on deployment at TLDs, and a testbed where DNSSEC was implemented in a secure shadow tree of .nl, called .nl.nl, was set up. This work revealed a new scaling issue, namely with respect to the administration of keys at registries. A new record type "DS" (Delegation Signer) was proposed to solve this issue.
In 2001 also another change to RFC 2535 was proposed: OptIn. This proposal fundamentally changes the way DNSSEC will be used, as it introduces partial security within a zone. This proposal did not meet consensus in the IETF dnsext working group until mid 2003. At the 57th IETF (Vienna, July 13-18,) it became clear that OptIn would become either informational or experimental. It also was clear that there was consensus to standardize the DS proposal and some other minor issues in a new RFC with working title RFC2535bis. The new (proposed) standard was ready in 2004, but it took until Q1 2005 until it was finally published as RFC 4033, 4034 and 4035.
In 2004, NLnet Labs worked mainly on DNSSEC deployment, which is work without much visibility. Part of the work was promoting DNSSEC deployment by actively participating in various fora like IETF, RIPE, ISOC-international, and the DNSSEC deployment group. Most of this work is done by Jaap Akkerhuis. The other part was to build secure aware tools: a demo-resolver (Martin Pels), a DNSSEC debugging tool (Miek Gieben and Jelte Jansen), and a library with various DNSSEC tools (ldns).
The .nl experiment was closed on 28 December 2003, after we concluded that there are no more showstoppers in the proposal for RFC2535bis. After this, it appeared that SIDN had lost interest in further testing DNSSEC deployment. Hopefully this will change in the future.
NSD is nameserver software aimed at usage on large and/or important authoritative nameservers, such as the root-nameservers and TLDs. The idea to write this software came up at the RIPE 40 meeting in October 2001 in Prague, Czech Republic.
It was observed that all rootservers and most TLDs were converging to use exactly the same software: the latest version of the BIND-8 software. This because the development of BIND-8 has stopped, and both its successor, BIND-9, and all other alternatives are not, or at least not yet, suitable for these nameservers. It was generally felt that all rootservers using the same software was an unacceptable risk.
During 2002, and until April 2003, Alexis Yushin wrote most of the code of the initial versions. From May 2003, Erik Rozendaal took over the development. A rewrite of large portions of the code was needed to implement DNSSEC in a clean way. This rewrite was completed in 2003. In 2004 the new version was released with DNSSEC disabled by default, but it can easily switched on. This default is to be changed as soon as DNSSECbis is published as (proposed) standard (Q1 2005). NSD runs on two rootnameservers, a few percent of all TLD servers, and various other nameservers.
Ronald van der Pol is co-author of RFC 3750 (Unmanaged Networks IPv6 Transition Scenarios) and RFC 3904 (Evaluation of IPv6 Transition Mechanisms for Unmanaged Networks), which were published in 2004 by the IETF v6ops working group.
Little progress was made on other IPv6 projects.
In 2003 we installed the RIPE-NCC "DISTEL" testlab at NLnet Labs. This testlab was designed by Daniel Karrenberg. The current TestLab consists of 3 Athlon and one alpha system. They are connected both on a private network and on the Labs-LAN.
It was planned to have repository of traces from various root- and TLD-nameservers, and to conduct test on a regular basis as to obtain and publish progress of the use of IPv6, EDNS0, DNSSEC, and other developments. To obtain and maintain the repository of traces, cöoperation was sought with RIPE, SIDN, and ISC. However, despite multiple efforts, we have not yet succeeded in receiving traces on a regular basis.
NLnet Labs has been co-operating with SIDN and CENTR on DNSSEC since the very start of the project in early 2000. However, after the (successful) completion of implementing DNSSEC on a shadow registry for .nl, it seems that SIDN has lost interest in both development and further co-operation with NLnet Labs.
NLnet Labs still works together with RIPE-NCC on the Testlab, the DNSSEC and the NSD projects.
Ted Lindgreen chairs the TechSec RIPE working group and Jaap Akkerhuis is one of the chairs of the RIPE DNS working group.
On invitation of ISOC and RIPE, Jaap Akkerhuis has participated in offering a training for managers and administrators of the new, and fastgrowing ccTLDs. The course took place in Thailand, but the effort has lead to setting up ISOC-trainings on a regular basis.
In 2002 NLnet Labs started collaboration with NLnet's IIDS Research Group at the VU. This collaboration did not work out as hoped and expected, and was put on hold mid-2004. We hope to revive this collaboration in 2005 again.
Furthermore NLnet Labs actively participates in the following IETF working groups:
In 2005 NLnet Labs will continue to focus on getting DNSSEC implemented. As the (new) standard has now been published, most of the work will be producing and testing resolver and the signing procedures, including administration and debugging tools. These tools will be built around the ldns library.
Miek Gieben and Jelte Jansen will be doing most of this work, so no extra manpower is needed.
NSD has matured, so little new development is needed. There will be some development on tools outside the NSD-core, like AXFR and IXFR support, but most of the work will be maintenance.
Setting up a traces repository and doing tests on a regular basis is still aimed for. However, this depends on the availability of traces.
The Host Identity Protocol architecture introduces a new layer between the "Transport" and "Internetworking" layer. HIP provides a method of separating the end-point identifier and locator roles of IP addresses. It introduces a new Host Identity (HI) name space, based on public keys, that function as the end-points of sockets. When a host moves from one network to another e.g. as a multi-homing node, or a mobile node, sockets will remain bound to the HI but the binding between the HI and the transport layer will need to be dynamically updated. The HIP architecture provides methods to do this securely.
The idea to work on HIP is from Olaf Kolkman, who will start working for NLnet Labs in September 2005. It is planned that Olaf takes over the management of Labs in January 2006. Olaf proposes that NLnet Labs does a pilot study to:
On request of the the NLnet foundation, NLnet Labs will test released and pre-released software from other NLnet projects, provided, that NLnet Labs has the necessary skills and knowledge in house. It is expected that the necessary manpower can be scheduled on an ad-hoc basis.
The following workshops, presentations and/or publications were given/produced by NLnet Labs in 2004:
More information on past, current and planned projects can be found at:
Stichting NLnet Labs was founded on December 28, 1999 by Stichting NLnet. Its Board consists of three members and has remained unchanged in 2004:
||name||function||end of term|
||Teus Hagen||chairman||December 28, 2005|
||Frances Brazier||secretary||December 28, 2005|
||Wytze van der Raay||treasurer||December 28, 2005|
Six Board meetings took place in the year 2004:
||January 14, 2004||Amerongen|
||March 10, 2004||Amsterdam|
||May 13, 2004||Amsterdam|
||August 18, 2004||Amsterdam|
||October 7, 2004||Amsterdam|
||December 7, 2004||Amsterdam|
Ted Lindgreen is the managing director of Stichting NLnet Labs. He continues to be responsible for the daily management of all activities of the Open Source network software development laboratory, including development of strategies and plans for new activities.
Six staff members worked for NLnet Labs in 2004:
NLnet Labs rents office space in the Matrix I building in the Amsterdam Science Park in Amsterdam, very close to one of the most important internet interconnection centres in Europe.
Stichting NLnet Labs primarily finances its projects and activities from grants obtained from its parent organisation Stichting NLnet. In addition, income may be obtained by providing Open Source internet based consultancy and/or programming services to third parties. A contract for consultancy at SIDN, the Dutch top-level domain registry, was a source of additional income in 2004 in the latter category.
Stichting NLnet Labs has been set up as a non-profit organisation,
with general benefit objectives. Its request to be classified
as an entity with general benefit objectives within the meaning
of the Successiewet 1956 (article 24 sub 4) has been granted by
the Dutch tax office (department Registratie en Successie)
on February 2, 2000. Due to this status, Stichting NLnet Labs
can receive grants from Stichting NLnet (with the same general
benefit objective classification) without considerable tax consequences.
Because Stichting NLnet Labs may provide consultancy and/or development
services based on its Open Source and internet expertise, to commercial
third parties, it has also applied for registration as a Value
Added Tax-registered entity. This registration has been provisionally
provided by the tax inspection on March 15, 2000.
Based on its non-profit status, Stichting NLnet Labs does not
expect to become subject to company tax (vennootschapsbelasting
Since Stichting NLnet Labs employs staff, it has been registered
for Social Security insurances with UWV GAK, in the sector commercial
services II (BV 25).
The books of Stichting NLnet Labs are kept by the treasurer.
The salary administration has been contracted out to the Financial
Management Solutions group of PricewaterhouseCoopers in Rotterdam.
This group also prepares the salary tax forms.
PricewaterhouseCoopers Accountants has been charged with compiling
and auditing Stichting NLnet Labs's Annual Accounts 2004. The
accountancy report is a separate document with this Annual Report.
At the start of 2004, a budget was drawn up for the expected
staffing level and activities of NLnet Labs during the year 2004,
with a total of EUR 299.340. This budget excluded the cost for
a possible expansion of the staff in the course of 2004 with one
to two persons. Based on this budget and the expected consultancy
income, a grant was requested from Stichting NLnet for EUR 274.000
during 2004, with the option to request an additional grant if
the desirable staff expansion could be effectuated. Stichting
NLnet allocated these funds for 2004, to be received by NLnet
Labs on a quarterly basis, EUR 68.500 per quarter.
Based on the successful staff expansion realised by employing
Jelte Jansen en Jaap Akkerhuis in the course of 2004, an additional
grant of EUR 66.000 was requested from Stichting NLnet in August
2004, and this was granted in September 2004.
The net result of that is that Stichting NLnet Labs received a
total of EUR 340.000 from Stichting NLnet during 2004.
Also, a new consultancy contract with SIDN over the period September
through December 2004, brought in some additional income of EUR
14.000, but this was less than budgeted.
The only other source of income during 2003 was interest derived
from a savings account used to deposit funds temporarily. This
amounted to EUR 1.442.
Summarizing the 2004 income:
|Donations for Fonkey||-||35.000|
|Donations for A-A-P project||-||49.409|
|Donations for Atom-Based Routing project||-||50.051|
The major expenditure categories of NLnet Labs in 2004 are
|Atom-Based Routing project||-||50.051|
Thus total income in 2004 was somewhat less than expenditure;
the negative result of EUR 18.635 has been taken out of the the
financial reserve. As a result, the financial reserve at the start
of 2005 is EUR 36.099.
The provisional budget for 2005 as approved by the Board in
its meeting on December 7, 2004, is as follows:
The 2005 budget looks considerably bigger than the realisation
for 2004, in particular the staff budget. There are two reasons
Since NLnet Labs expects to receive some income from consulting activities, the projected deficit for 2005 comes down to EUR 447.000. A request for four quarterly grants of EUR 111.750, thus for a total of EUR 447.000 in 2005, has been submitted to Stichting NLnet. Stichting NLnet has approved these grants on January 27, 2005.