                                        SIRCE Pilot Project Proposal
                                          Karrenberg, Orange, Ridley

                ____________________________________________________




                      Security Incident Response Coordination

                                     in Europe

                               Pilot Project Proposal


                                 Daniel Karrenberg
                                    Carol Orange
                                    Paul Ridley
                                 Document: ripe-150
                              Date: November 5th 1996



    Scope

                In this document, we propose to execute a pilot pro-
                ject for Security Incident Response Coordination in
                Europe (SIRCE) at the RIPE NCC. We present relevant
                information about the RIPE NCC, including the rea-
                sons why the NCC offers a uniquely suitable setting
                for the SIRCE project.


    1.  Background

                The need for security incident coordination in
                Europe has been undisputed for quite some time.
                Still, no initiative to start such a service has
                gathered sufficient momentum to come to fruition.
                After thorough preparatory work by its CERT task
                force, TERENA has recently issued a closed call for
                proposals for a pilot service dubbed SIRCE (Security
                Incident Response Coordination in Europe).

                The RIPE NCC was one of the recipients of this call.
                At its annual meeting, the RIPE NCC contributors
                committee requested that the NCC consider the call
                for proposals with respect to its usefulness for the
                European ISPs, and if deemed beneficial, that the
                NCC respond to such a call. It was also agreed that
                this activity should be funded separately from NCC
                core activities. Having considered both the call for
                proposals, and the final report on "CERTs in Europe"
                prepared by the TERENA Task Force
                (ftp://ftp.ripe.net/ripe/misc/cert-eu.ps), we pro-
                pose that the SIRCE pilot project be performed at
                the RIPE NCC.

                ____________________________________________________
                ripe-150.txt                                  Page 1

    2.  The RIPE NCC

                Before delving into the project itself, we first
                give a brief sketch of the RIPE NCC, the context
                within which this project would be performed.

                The mission of the RIPE NCC is to coordinate Inter-
                net operations in Europe and surrounding areas.  In
                this section, we give an overview of the activities,
                customers, organisation and funding of the RIPE NCC.
                Those familiar with the NCC may want to skip ahead
                to the next section.


    2.1.  Principles for RIPE NCC Activities

                The RIPE NCC performs activities for the benefit of
                the Internet service providers (ISPs) in Europe and
                the surrounding areas, primarily activities that the
                ISPs need as a group, although they may be competing
                with each other in other areas.

                The RIPE NCC observes strict neutrality and impar-
                tiality with respect to individual service
                providers. In particular, activities which are
                clearly in the domain of the ISPs themselves are not
                performed at the NCC.

                Activities are defined, performed, discussed and
                evaluated in an open manner.  Results of activities
                such as software tools are made available to the
                public. All budgets and actual income and expendi-
                ture reports are published.  Individual data is kept
                in confidence as required. For example, the amount
                of address space allocated and assigned to an ISP is
                published as are database entries of the individual
                assignments including relevant contact details. Sen-
                sitive information submitted to support an individ-
                ual assignment request, on the other hand, is kept
                in strict confidence.

                Whereas performing a specific activity may result in
                services being provided to one or more ISPs, the
                result must benefit the European ISPs as a whole.
                Address space registration services, for example,
                are provided to ISPs individually, but the activity
                as such benefits all ISPs by distributing address
                space according to common standards and by maintain-
                ing a neutral and accessible registry.





    2.2.  Activity Areas

                RIPE NCC activities can be grouped into four cate-
                gories. We briefly describe each category below to
                give an indication of the context within which we
                suggest the SIRCE project be performed.


    Registration Activities

                These activities are related to the NCC's role as
                the Regional Internet Registry (IR) for Europe and
                surrounding areas.  It includes the evaluation and
                handling of requests for allocation and assignment
                of IP address space, the management of reverse
                domains associated with this address space, and
                auditing and quality control to ensure fair and
                expedient processing of requests.  Also included in
                this area are training activities for Local Internet
                Registries, production of documentation related to
                Internet registration policies and procedures, and
                activities which ensure the proper set up of new
                local IRs.

                Services performed in this area are only accessible
                to formally established local IRs which contribute
                to the funding of the NCC.


    Coordination Activities

                The activities grouped in this area are quite
                diverse.  Their common purpose is to support the
                coherent operation of the Internet in the European
                area.  An important activity is the provision of
                access to the RIPE database in which information
                about address space and routing policies together
                with the appropriate contact points is registered.
                Developing and publishing the RIPE database software
                is also part of this area, as is the provision of
                information services for ISPs and the general public
                via the Internet.  Operational coordination such as
                efforts to reduce the number of globally visible
                routing prefixes also falls into this category, as
                does the production and publication of software
                tools for such efforts.

                In order to be effective, the services performed in
                this area must be accessible to the general
                Internet public.  These services are made available
                via the web (see http://www.ripe.net), and ftp (see
                ftp://ftp.ripe.net), together with a range of infor-
                mation useful to the European Internet community as
                a whole. Moreover, progress is reported to the
                appropriate RIPE working group at RIPE meetings at
                which point feedback is gained on the priorities,
                problems and needs of the European ISPs. The RIPE
                meetings, organised by the NCC 3 times per year (see
                ftp://www.ripe.net/ripe/Next-Meeting), are open to
                anyone interested in Internet developments in
                Europe.

                The contributors to the funding of the NCC receive
                precedence over all others when special support is
                needed.


    Administration Activities

                This area covers all regular reports published by
                the NCC, administrative support for RIPE as well as
                general administrative overheads which cannot be
                clearly attributed to a specific activity.  As such,
                it includes production of the Quarterly Reports and
                the resources needed for charging, billing and the
                general financial administration.


    New Activities

                This area represents those activities that are
                either entirely unforeseen or cannot be fully speci-
                fied at the time of this writing.  The existence of
                this area gives the NCC the flexibility to react
                quickly to the rapidly changing needs in today's
                Internet.  Activities in this area are often sug-
                gested by the appropriate RIPE working group.

                If the activities turn out to need long term support
                they may become a regular NCC activity funded by all
                contributors later.  If the activities are short
                term but substantial, or continued support by all
                contributors is not appropriate, they may be contin-
                ued as special projects for which funding is sought
                separately among interested parties.  These new
                activities are executed under the guidance of the
                RIPE working groups.  It is assumed that representa-
                tives of the contributors participate actively in
                these working groups.

                The PRIDE project and the creation of the routing
                registry are good examples of such activities, as is
                the startup of IPv6 coordination.




    2.3.  Organisation

                The RIPE NCC is located in Amsterdam, The Nether-
                lands.  It has been operating since April 1992 and
                currently has more than 450 customers and a staff of
                15.  By the end of 1997 it is expected to serve more
                than 900 customers with a staff of 32. The operating
                expenses for 1997 are budgeted at kECU 1984.

                The NCC is currently operated as a service of the
                TERENA Association but is managed quite indepen-
                dently. It has recently been agreed to bring the NCC
                activities under a separate legal entity controlled
                by its customers.


    2.4.  Funding

                The RIPE NCC is fully funded by its customers, the
                European ISPs.  It has a tradition of starting new
                activities and pilot projects funded by interested
                parties, and extending them to meet the needs of the
                European ISP community as required.


    2.5.  Further Information

                More information can be obtained from the RIPE NCC
                web site at http://www.ripe.net/.  The RIPE NCC rou-
                tinely publishes information about its activities in
                the RIPE document series.  The documents are num-
                bered and document ripe-nnn can be found alterna-
                tively at

                http://www.ripe.net/docs/noframes/ripe-nnn.html
                or
                ftp://ftp.ripe.net/ripe/docs/ripe-nnn.ps (PostScript)
                or
                ftp://ftp.ripe.net/ripe/docs/ripe-nnn.txt (Ascii)

                An index of all RIPE documents is maintained in

                ftp://ftp.ripe.net/ripe/docs/ripe-index



                For details about the activities, customer base and
                expenditure, please refer to RIPE NCC Activities
                & Expenditure 1997 (ripe-144).  For details of
                charging see RIPE NCC Charging Scheme 1997
                (ripe-146).  Recent activities are described in the
                quarterly reports published in the same series.


                Security Incident Coordination at the RIPE NCC ?!
                (ripe-149) is a position statement which describes
                why the RIPE NCC should execute this pilot project.


    3.  The SIRCE Pilot Project at the RIPE NCC

                In this section we describe the details of the SIRCE
                project as we propose to execute it at the RIPE NCC.
                In particular, we discuss operational policies, ser-
                vices to be provided, the project plan, the finan-
                cial plan, and open issues.

    3.1.  SIRCE Policies

                The policies established for the pilot project will
                determine the long term success of SIRCE in enabling
                the European Internet community to handle security
                incidents in an effective and timely manner. Should
                the project be performed at the RIPE NCC, the
                detailed policies will be determined by the customers.
                However, we propose the following as a basis from
                which to start.


                o    Customers of the SIRCE pilot project are IRTs,
                     the majority of which are expected to be based
                     in European ISPs.


                o    The SIRCE pilot project will be customer ori-
                     ented.  Paying customers will receive priority
                     service.  Non-paying customers will receive
                     service on a time-available basis if there is
                     no work outstanding for paying customers.


                o    The SIRCE pilot project will be developed into
                     a fully operational service as early as feasi-
                     ble. This will establish clarity in the Euro-
                     pean Internet community regarding what can be
                     expected from SIRCE, which in turn will encour-
                     age participation in the incident coordination
                     efforts from the start.


                o    In the pilot phase, we aim to get a significant
                     number of ISPs as paying customers.  This will
                     stimulate security mindedness among the Euro-
                     pean ISPs and ease the handling of incidents
                     affecting European Internet users.  It will
                     also make the transition from the pilot into a
                     regular service easier.


                o    If conflicts of interest between ISPs and other
                     organisations such as software/hardware ven-
                     dors, governments, news media and law
                     enforcement agencies arise, the interests of
                     the ISPs shall be of primary concern.


                o    Customer IRTs will be treated in a strictly
                     neutral and impartial fashion.


                o    Activities which are clearly in the domain of
                     the customers will not be performed by SIRCE.


                o    All SIRCE project activities will be defined,
                     performed, discussed and evaluated in an open
                     manner.


                o    Software tools, statistics and other results of
                     SIRCE activities will be made publicly avail-
                     able.


                o    All budgets, income and expenditure will be
                     published.


                o    Individual data, especially particulars about
                     incidents handled, will be kept in strict
                     confidence.


                These policies are consistent with general RIPE NCC
                policies which have been established in cooperation
                with the European ISPs, and have proven effective in
                that context.


    3.2.  SIRCE Services

                The services of the pilot project will be those
                described for Basic Incident Coordination (BIC) in
                Section 2.2.1 of the CERTs in Europe Report produced
                by the TERENA Task Force.  This includes the ser-
                vices described for Incident Support in Section
                2.1.1 of that document.

                Many of the incident support activities will be pro-
                vided as extensions of current RIPE NCC activities.
                For example, the information services currently pro-
                vided by the NCC will be extended to include SIRCE.
                Regular meetings of SIRCE contributors can easily be
                held in conjunction with RIPE meetings, held three
                times per year. We believe holding meetings three
                times rather than once per year will facilitate
                customer involvement and feedback which is crucial to
                the success of the pilot project. The RIPE meetings
                also provide an excellent opportunity to promote the
                need for IRTs in Europe, and to pull the ISP commu-
                nity into the effort.

                To assist the startup of new IRTs, we plan to extend
                our current course program to include a course on
                setting up and operating an IRT. This would be a one
                day course, organised much like the Local IR courses
                currently held throughout Europe. This may be com-
                plemented by courses on Internet Security in a later
                phase to help IRTs stay current on developments. All
                course material will be made publicly available to
                enable IRTs to educate their customers as well.

                The relative priorities and requirements of the dif-
                ferent support services will be set according to
                customer demand.  Input from customers will be
                gained by holding meetings open to all contributing
                IRTs, and by establishing an advisory group consist-
                ing of customers and invited experts.

                The key service of the pilot will be incident coor-
                dination.  Therefore we describe in more detail how
                we propose to implement it at the RIPE NCC.


    The Basic Incident Coordination Service

                In the remainder of this section, we provide details
                on the Incident Coordination service as we propose
                to implement it at the RIPE NCC. While detailed BIC
                policies and procedures will need to be established,
                we envisage BIC to encompass the following service
                elements:


                o    When SIRCE is first notified of an incident, it
                     will be logged, and a ticket will be opened to
                     track further messages and information which
                     pertain to it. A ticket number will be
                     assigned, which will be made available to the
                     appropriate parties when referring to the inci-
                     dent. This facilitates further communication
                     and event tracking for the incident.


                o    We will then work to identify the IRTs, ISP
                     NOCs, and others who should be involved in han-
                     dling the incident. They will be notified of
                     the incident, its current status, and of the
                     other parties involved.


                o    As progress is made, we will work together with
                     the IRTs to track who is working on which
                     aspect of the handling of the incident and com-
                     municate this to all parties involved.


                o    We will close the incident when those involved
                     agree that it is either resolved or that there
                     is no more work in progress.


                o    We will then log a summary of the incident and
                     post it to all involved if appropriate.


                o    Incidents, both while open and after being closed,
                     will be logged in such a way that a recurrence
                     will be identified.  Should an incident be
                     identified as being very similar to a previous
                     one, the relevant incident information will be
                     provided to the parties involved.


    4.  SIRCE Pilot Project Plan

                We plan to have an initial incident coordination
                capability as soon as possible and much sooner than
                envisaged in the TERENA task force report. We expect
                requests for incident coordination to be submitted
                as soon as SIRCE is announced.  We prefer to deal
                with the initial requests on a best-effort basis
                rather than explain that we are not yet in that pro-
                ject phase.  Not doing so will result in a signifi-
                cant loss of credibility and confusion will arise as
                to what kind of services will actually be provided
                by SIRCE.

                For the same reasons, regular incident coordination
                (normal rather than best-effort service) will be
                provided as early as possible.  To achieve this, we
                plan to ramp up staffing to three FTE as soon as
                practical but before three months have elapsed
                rather than to wait for the time suggested in the
                call for proposals.


    4.1.  Project Phases

                We have divided the pilot project into three logical
                phases.  In this section, we indicate the key activ-
                ities involved in each phase.


    Set Up Phase

                Before the initial incident coordination capability
                can be offered, a number of activities will have to
                be performed to set things up.  This phase is
                expected to take roughly two months, and definitely
                not more than three.

                The work items to be performed in this phase
                include:

                o    Establish local working environment. A suitable
                     computer infrastructure which addresses the
                     project's needs (security, connectivity, work
                     flow software, etc), along with the physical
                     requirements (again including security) will be
                     set up.

                o    Establish contact with customers, peers and
                     relevant groups.  A customer base will be
                     established, and personal trusted contacts
                     built up to be used in incident coordination.
                     Moreover, contacts with experts and established
                     CERTs will be actively pursued.

                o    Establish contact with project management. The
                     project planning, budgets, and reporting will
                     be worked through together with the project
                     management.

                o    Hold the first meeting of customers and estab-
                     lish advisory group. Advice will be sought on
                     the priorities and needs in the user community.

                o    Establish policies and procedures for BIC ser-
                     vices in particular, and for SIRCE services in
                     general.

                o    Hire additional staff. Before the BIC can
                     become operational, experts will be required to
                     coordinate reported incidents.

                o    Develop and document the initial BIC capabili-
                     ties.


    Initial Coordination Capability

                During this phase of the project, we will start
                basic operations on a best effort basis. As we do
                so, we will review and refine our procedures in
                preparation for the regular capability services.
                Sometime during this stage SIRCE may be announced to
                a larger audience.  Project efforts will include:

                o    Start BIC on best-effort basis. We will provide
                     the services defined in Section 3.2 to the
                     extent our resources permit.

                o    Customer contacts will be strengthened and
                     personalised, helped by the contacts made in
                     providing the initial coordination capabilities.

                o    The procedures will be reviewed and refined
                     based on the practical experience gained in
                     providing the initial services.

                o    Other general services defined in the CERTs in
                     Europe report will be extended based on cus-
                     tomer needs and priorities.

                o    Develop the normal coordination capability.

                This phase will not last longer than three months.


    Regular Coordination Capability

                In the final phase of the pilot project, the BIC
                services will be fully operational, feedback will be
                sought from customers, and steps will be taken to
                move the service to an established, fully opera-
                tional service for Security Incident Response Coor-
                dination in Europe.  This stage will be reached 6
                months after the start of the project.  The nature
                of the activities in this phase will include:


                o    The BIC services will be fully operational.
                     This means that in addition to the services
                     specified for this phase in the CERTs in Europe
                     report, the incident coordination services
                     specified in Section 3.2 will be applied to all
                     incoming incidents.


                o    Additional meetings of customers will be held
                     to review the activities and to gain feedback
                     on the services provided.


                o    Based on the experience gained in the pilot
                     phase, and on the customer feedback, the
                     infrastructure and services will be extended to
                     establish the SIRCE services for the long term.


    4.2.  Implementation Details

                The remainder of this section will describe some
                details of how we plan to implement SIRCE addressing
                questions raised in the call for proposals.


    Personnel

                The project will be directed by Daniel Karrenberg,
                the general manager of the RIPE NCC.  He has consid-
                erable experience in setting up and running coordi-
                nation services as well as in network/computer sys-
                tem operations and security.  Once the decision to
                start the pilot is made we expect to hire a full
                time SIRCE manager very quickly.  Her first task
                will be to start the set-up phase activities and to
                hire additional staff.  We are in contact with suit-
                able and competent candidates already.  Given the
                sensitivity of the project, we may not hold an open
                hiring process for the initial staff.  We plan
                instead to approach selected individuals based on
                recommendations from existing IRTs and customers.
                In the initial stages and later on in case of emer-
                gencies SIRCE will be able to draw on existing RIPE
                NCC staff resources if necessary.


    Physical Location and Security

                The location of SIRCE will be the Amsterdam
                metropolitan area.  The nearest airport is Amsterdam
                Schiphol, a major European airport.  The RIPE NCC is
                planning to relocate within this area in the first
                half of 1997.  The current location is reachable by
                taxi from the airport in approximately 20 minutes.
                The requirements for the new location include good
                connectivity to public transport including to/from
                the airport.

                In both the current and the new location SIRCE staff
                will be located in separate offices with physical
                access control and a specific access policy.

                The current location has 24 hour security guards,
                but physical access to our office doors is not
                tightly controlled as we share the building with
                other organisations.  The new location
                will improve this.  If possible we will reserve a
                closed corridor or wing for SIRCE offices.


    Computer Infrastructure, Connectivity and Security

                The RIPE NCC is currently operating all the systems
                and software which will be needed by SIRCE.  We
                employ standard security measures such as different
                security strata for networks and machines, dial back
                for dial-up access, one time passwords and encrypted
                sessions for access from the outside, packet filter-
                ing on exterior routers and extensive logging of
                security relevant events.  This experience will
                ensure a quick start of the SIRCE infrastructure.

                SIRCE staff workstations and servers will be fully
                separated from the RIPE NCC infrastructure.  Physi-
                cally separate networks will be installed.  SIRCE
                and the NCC will only share the redundant exterior
                routers connecting both to the Internet.  If neces-
                sary SIRCE may use the information services of the
                RIPE NCC such as HTTP and FTP during the set-up
                phase.  Eventually however these services will be
                fully separated from the NCC too.


                We are connected to the Internet both at the Amster-
                dam Internet Exchange and with private connections.
                All connections are at 10Mbit/s.  It is RIPE NCC
                policy to peer with any customer who wishes to do so
                and provides the connection.  We are currently con-
                nected to the following autonomous systems:

                AS286  - EUnet Backbone AS
                AS1103 - SURFnet
                AS1104 - NIKHEF-H
                AS1128 - EuropaNET
                AS1200 - Amsterdam Internet Exchange (AMS-IX)
                AS1755 - EBONE
                AS1759 - Telecom Finland iNET
                AS1888 - CWI-Amsterdam
                AS1890 - NLnet
                AS2686 - IBM Global Network - EMEA
                AS3215 - RAIN Reseau d'Acces a l'INternet
                AS3317 - Universiteit van Amsterdam
                AS5390 - EuroNet - NL
                AS5417 - Demon Internet Ltd
                AS5418 - Internet Exchange Europe B.V.
                AS5484 - BT Netherlands Regional Service
                AS5496 - Wirehub! Internet
                AS5506 - The Digital City



                Mail communications security will be provided by PGP
                and/or PEM as required by the user community.  Voice
                communications security will be studied.  More
                detailed specification of the current plans is
                beyond the scope of this document.



    After Hours Availability

                We have an excellent infrastructure for, and ample
                experience with, working remotely either from
                home or when on travel.  This is an excellent basis
                for after hours availability.  We also have a pro-
                grammable voice response system and our operational
                staff carry personal pagers which are triggered
                automatically when operational problems occur.

                While we expect to provide a sufficient level of
                emergency access after hours, we strongly believe it
                would be counterproductive to suggest this being
                anything near 24x7 availability.  Given the staffing
                levels of the pilot we can only provide this on a
                best-effort basis.  We do not expect high demand for
                real 24x7 service since most customers currently do
                not have the full capability for this either.
                Should this demand and the preparedness to pay for
                it grow, we will be able to provide it given our
                present infrastructure.

                In the meantime after hours availability for cus-
                tomers will be organised in one of two ways: either
                using filtering through an answering service or
                through giving selected customers direct access to
                duty staff.  We expect to employ the latter method
                at first, putting the decision whether after hours
                access is needed with the customers.  As the cus-
                tomer base grows we expect to switch to an in-house
                filtering process.


    5.  Financial Plan

    Operating Costs

                The operating costs for the SIRCE project can be
                thought of in terms of three budget lines, namely
                those for personnel, infrastructure, and NCC sup-
                port. Salary and recruitment costs contribute to the
                personnel budget line. The budget line for infras-
                tructure accounts for computer, rent, furniture,
                office supplies, telephone, connectivity, consulting,
                travel and general costs.  NCC support
                involves supervisory manager support, accounting
                support, and administrative support costs. The bud-
                gets for 1997 and 1998 are shown below.



                     +-----------------------------+
                     | SIRCE Pilot Project Budget  |
                     +-----------------------------+
                     |                 1997   1998 |
                     |                 kECU   kECU |
                     +-----------------------------+
                     |Personnel         154    232 |
                     |Infrastructure    108    136 |
                     |NCC support        24     15 |
                     +-----------------------------+
                     |TOTAL             286    383 |
                     +-----------------------------+


                Although we have included the budgeted costs for
                1998, we would like to stress that these are very
                much hypothetical since it is too early to know how
                the project will develop in 1998.


    6.  Open Issues


    Project Management

                We believe that TERENA should be involved in manag-
                ing the pilot project because its CERT task force
                has outstanding expertise and they have spent sig-
                nificant resources to define SIRCE services in a way
                that is useful for ISPs.  They also have significant
                support from existing IRTs.


    Customer Involvement

                Input from customers will be gained by establishing
                an advisory group, and by holding meetings open to
                all contributing IRTs. The advisory group should
                consist of representatives from paying customers and
                invited experts.  Depending on the community of pay-
                ing customers this should be associated with an
                existing organisation such as FIRST and/or RIPE.


    Funding

                We believe funding of the pilot project should not
                be left entirely to TERENA. Rather, SIRCE should be
                primarily funded by the ISPs from the outset. This
                is to establish that there is a clear interest in
                these services in the ISP community.  Secondary
                reasons are to establish influence by the target
                community in the project's earliest phases and to
                facilitate transition to a normal service.

                We also believe that the level of resources for the
                pilot envisioned by TERENA is lower than what will
                be needed to guarantee a successful service for the
                size of community we expect.

                The NCC has a proven mechanism of running pilot pro-
                jects funded by interested parties, which can
                quickly be turned into regular services. Exactly
                when this would happen and whether the SIRCE service
                will be either a core service funded by all NCC con-
                tributors or an additional service funded only by a
                subset of contributors is to be decided later on.
                TERENA aims for a pilot taking "no longer than 2.5
                years". Our project plan is designed to provide
                an operational service by Q1/1998.

                As mentioned elsewhere in this document, the bene-
                fits for those that contribute to funding the pilot
                are:

                o    Preferred service and support. Non-contributors
                     will receive service on a time-permitting basis
                     when there are no requests from contributors;


                o    Direct channels such as private mailing list
                     for contributors to discuss directions and
                     influence the pilot project;


                o    Public credit for their contribution.


                Ideally, all customers currently served by the RIPE
                NCC would take part in funding the SIRCE pilot. If
                this were the case in 1997, then the cost per cus-
                tomer would be ECU 365.  This clearly demonstrates
                that it is very realistic to turn SIRCE into a regu-
                lar service quite quickly.


                Since we are considering a new pilot service, we
                cannot assume that all NCC customers will take part
                in funding this effort.  Assuming equal contribu-
                tions, the cost for those that do support this ser-
                vice will be higher than ECU 365.  Assuming 40% of
                the local IRs serviced by the RIPE NCC participate
                in funding this project, then the average contribu-
                tion per contributor will be roughly ECU 1000.
                Actually it can be lower depending on how much fund-
                ing TERENA will be able to raise.


                Given the numbers above we will request all current
                NCC customers to commit to funding this project with a
                minimum of ECU 500 for 1997.  During the coming
                weeks we will regularly publish the level of commit-
                ments received.  Once we have received sufficient
                commitments and TERENA agrees to implement this pro-
                posal we will discuss details with them.  If we do
                not receive sufficient commitments by November 27th
                we will withdraw this proposal.  Should the project
                start, the contributions committed will be invoiced
                in the first quarter of 1997.  Should the project be
                oversubscribed, the amounts invoiced will be reduced
                pro rata.


                In the unlikely case that there will not be signifi-
                cant funding commitments from the ISP community, we
                will have to conclude that interest is not
                sufficient and withdraw this proposal.


    7.  Why SIRCE at the RIPE NCC?

                We believe the NCC is uniquely suited to succeed in
                making the SIRCE project meet its goals.  In this
                final section, we outline the primary reasons we
                believe the SIRCE pilot project will prove an effec-
                tive approach to the coordination of security inci-
                dents in Europe if based at the RIPE NCC.

                The RIPE NCC, being a Network Coordination Center,
                has extensive experience in the kinds of tasks to be
                performed in the SIRCE project and in performing
                them successfully at the scale which will soon be
                required.  For example, we already organise three
                international meetings per year attended by members
                of the European Internet community. We also provide
                extensive information services (WWW, FTP, and mail
                server), the primary users of which are the ISPs in
                Europe. Moreover, we have a solid track record of
                piloting services and turning them into stable and
                reliable operational services.

                As necessary to perform its current services, the
                NCC satisfies all the connectivity and infrastruc-
                ture requirements necessary for the SIRCE project.
                Because many of the tools in place to facilitate IP
                registration can be extended to provide SIRCE ser-
                vices, it is feasible to provide basic incident
                coordination early in the pilot project.

                We also have an international group of highly moti-
                vated and competent people including those experi-
                enced in systems/network operations and security.

                Most importantly, the NCC is already a focal point
                for the European Internet community. The customer
                base of the NCC consists of most European ISPs.
                Because the ISPs are the key Internet user contact
                points, they must be involved if security incidents
                are to be handled effectively in the European
                region.  The RIPE NCC is in a unique position to
                facilitate ISP involvement, having already estab-
                lished a trusted working relationship with members
                of most ISPs and being fully accepted as a neutral
                and impartial body in the European Internet
                community.

                We know how to do large scale coordination.  We know
                how to set up pilot projects and turn them into suc-
                cessful services.