III.1 Registry Operator's Technical Capabilities (RFP Section D15.1)

JVTeam offers comprehensive technical capabilities in the areas of registry operation, software development, database management, and standards development. These abilities are founded on expansive experience in all areas related to technical service provision for a critical public resource. JVTeam is the best choice to design, deliver and maintain the next generation domain name registry.

A new top-level domain registry must be capable of improving the reliability and effectiveness of domain name registration, contributing responsibly to a competitive environment, and preserving the Internet's continuing stability. In addition, the registry must bring the technical know-how to specify and design a solution that ensures the continuing evolution of the domain name system.

There are many complexities within the DNS and registry environment that require a detailed understanding of the issues and their implications for the technical solution. For instance, a minor change in policy can have far-reaching implications for how a database needs to behave in order to ensure the integrity and efficiency of domain name registration and administration. Management of a TLD registry also brings with it an immense responsibility for the secure administration of personal and business contact information. It is essential for the success of the current program that the registry operator understands the entire operating environment and has the experience and ability to deliver a solution which benefits all relevant stakeholders. JVTeam has the technical capabilities to deliver that solution.

JVTeam Technical Capabilities

Shared, mission-critical registry infrastructure services are our sole corporate focus. We specialize in developing and operating unique support services for the Internet and communications industries, using innovative solutions operated to the highest standards and practices, as a trusted third party acting in an impeccably evenhanded fashion.

NeuStar serves as the North American Numbering Plan Administrator (NANPA). It operates the telephone numbering registry for the North American Numbering Plan as a public numbering resource. NeuStar is also the Local Number Portability Administrator (LNPA) for the US and Canada, operating the telephone number routing registry (called the NPAC SMS) for North America. The integrity and accuracy of this service are essential for virtually every call placed to North America. With the proliferation of communications service providers, competition, and convergence, NeuStar believes that the industry will benefit from shared, trusted infrastructure and clearinghouse services that facilitate the interoperability of service providers.

The Number Portability Administration Center Service Management System (NPAC SMS) hosts this routing registry, which is used to track network and call routing, SS7 signaling, and billing information for all telephone numbers in North America. Please see ftp://ftp.ietf.org/internet-drafts/draft-foster-e164-gstn-np-01.txt for a description of number portability in the GSTN, as well as the NPAC's specific role in North America. We provide, directly or indirectly, highly secure host-to-host administrative transaction interfaces to this registry for all 5,000 service providers in North America. These service providers' operational support systems (OSSs) depend on the highest availability from our service in order to manage and operate their networks.

Consequently, we operate this service to 29 monthly service level requirements (SLRs), including availability (99.99%), transaction response time, throughput, and help desk telephone call answer times, and pay financial penalties for missing any of these levels. Between our data centers, we provide real-time database replication and server failover/recovery functions, and fully redundant enterprise networking facilities. Our data centers are owned and operated by NeuStar, staffed 24x7 with our own network operations center personnel, and are physically secured via both card key and palm print readers.

NeuStar operates its services, including the NPAC SMS, on a unique world-class IP network and server infrastructure, housed in our own diverse, redundant data centers. We operate a highly secure, quad-redundant enterprise IP network, application servers, and support servers (e.g. DNS, NNTP, RADIUS/SecurID) providing dedicated access directly to over 300 communication service providers, and indirectly to all 5,000 in North America. Sized at approximately 900 Mbps of aggregate capacity, our IP network provides diverse BGP-4 routed links to external service provider operational support systems (OSSs) and network elements. In addition, we support over 1,000 dial-up or secured Internet users at our customers who access the web-based interfaces to our services. If a service provider's OSS fails, its staff may log directly into our web-based NPAC GUI to perform critical network management functions. All dial-up users (internal or external) must use a NeuStar-issued SecurID token for strong authentication.

Each data center has a completely redundant, hardened, switched VLAN backbone and a redundant set of network access servers and firewalls. All critical application and database servers are dual-homed to each of these site-based backbones, using a virtual IP address assigned to each host which is reachable through either NIC port on that host via either backbone. Each NIC port and backbone link is assigned its own four-address (/30) subnet, so that a NIC, link or port failure is detected quickly and the server remains fully reachable through the surviving path without disturbing established internal or external communication associations. Certain key services (such as the NPAC SMS application and database servers) are implemented on over 64 Lucent (Stratus) hardware fault-tolerant HP-UX servers.

The NeuStar network is structured into a series of security rings, providing firewall isolation of traffic from various sources and applications. All Internet-reachable systems are placed on one of a series of bastion subnets (bracketed by firewalls) so that the core network remains secure in the unlikely case of a server breach on a bastion subnet. All external data network links employ extensive BGP-4 route filtering to ensure that only the appropriate internal routes are advertised, and that routes to other service providers' networks are neither advertised nor reachable.
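The export and import filtering described above, shown as an added illustration that is not part of the JVTeam proposal and not NeuStar's actual router configuration: a Go model of prefix-list semantics (an IOS-style "permit X le N" entry followed by an implicit deny). The provider names, the RFC 5737 documentation prefixes standing in for real address space, and the length bounds are constructed assumptions.

```go
package main

import (
	"fmt"
	"net"
)

// Route is one entry in the routing table. Source is "internal" for prefixes
// the registry operator originates itself, otherwise the peer it was learned from.
type Route struct {
	Prefix string
	Source string
}

// PrefixRule permits prefixes inside Net whose length lies between Net's own
// length and MaxLen (the "le" clause of an IOS-style prefix-list entry).
type PrefixRule struct {
	Net    *net.IPNet
	MaxLen int
}

// mustCIDR parses a CIDR string or panics; acceptable for static policy.
func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// matches reports whether prefix p is covered by rule r.
func matches(r PrefixRule, p *net.IPNet) bool {
	plen, _ := p.Mask.Size()
	rlen, _ := r.Net.Mask.Size()
	return r.Net.Contains(p.IP) && plen >= rlen && plen <= r.MaxLen
}

// permitted applies a prefix-list: the first matching rule permits, no match denies.
func permitted(rules []PrefixRule, prefix string) bool {
	p := mustCIDR(prefix)
	for _, r := range rules {
		if matches(r, p) {
			return true
		}
	}
	return false
}

// FilterExports returns the routes that may be announced to an external peer.
// Anything learned from another peer is dropped before the prefix-list is even
// consulted, so the registry network never offers transit between providers;
// internal routes still have to match an explicit permit entry.
func FilterExports(export []PrefixRule, table []Route) []string {
	var out []string
	for _, rt := range table {
		if rt.Source == "internal" && permitted(export, rt.Prefix) {
			out = append(out, rt.Prefix)
		}
	}
	return out
}

// FilterImports returns the prefixes a peer announced that we will install.
// The per-peer list names only that provider's registered address space, so an
// announcement of our own blocks or of another provider's space is ignored.
func FilterImports(peerAllowed []PrefixRule, announced []string) []string {
	var out []string
	for _, p := range announced {
		if permitted(peerAllowed, p) {
			out = append(out, p)
		}
	}
	return out
}

func main() {
	// Constructed sample policy: 192.0.2.0/24 is "our" space, SP-A owns 203.0.113.0/24.
	export := []PrefixRule{{Net: mustCIDR("192.0.2.0/24"), MaxLen: 26}}
	table := []Route{
		{"192.0.2.0/24", "internal"},    // aggregate: permitted
		{"192.0.2.64/26", "internal"},   // /26 is within "le 26": permitted
		{"192.0.2.128/28", "internal"},  // too specific: denied
		{"198.51.100.0/24", "internal"}, // management block, not listed: denied
		{"203.0.113.0/24", "SP-A"},      // learned from a peer: never re-advertised
	}
	fmt.Println("announce to SP-B:", FilterExports(export, table))

	spA := []PrefixRule{{Net: mustCIDR("203.0.113.0/24"), MaxLen: 28}}
	fmt.Println("accept from SP-A:", FilterImports(spA, []string{
		"203.0.113.0/24", "203.0.113.16/28", "192.0.2.0/24", "198.51.100.0/25",
	}))
}
```

The two lists are deliberately independent: the export side is keyed on where a route came from, not only on what it is, so a misconfigured peer cannot use the registry network to reach a third provider even if it announces prefixes that happen to look internal.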

While extensively using standard, well-known protocols (e.g. BGP-4), we also employ certain relatively unusual protocols, such as CMIP over IP, which are common in OSS applications. The NPAC service employs this protocol to provide a distributed, bi-directional, object-oriented application framework for interacting with the registry. Strong authentication is employed for accepting CMIP associations from service provider OSSs, with an extensive administrative key management infrastructure to support it. Each service provider system is assigned a list of keys, each at least 660 bits in length. Each and every CMIP provisioning transaction is individually signed to provide the strongest authentication and non-repudiation, given the potential operational and financial impact one service provider could cause another. Given the millions of transactions we process every day, we employ extensive hardware-based crypto accelerators to ensure the highest performance levels without sacrificing security. Given the industry-critical nature of the NPAC service, standardizing access to it from service provider OSSs was essential. In 1996 we developed the CMIP interface standards for the NPAC and subsequently placed them in the public domain. They are now managed under the auspices of a specific industry standards body (the NANC LNPA WG), to which we provide ongoing secretarial support for maintenance of the standards.
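As an added example, and not the NPAC's own code or key format, the following Go program shows the per-transaction signing and verification the paragraph describes: every provider holds a list of assigned keys, each provisioning transaction carries its own signature, and the registry rejects anything it cannot verify. It uses Ed25519 from the Go standard library in place of the 660-bit keys mentioned above (the page does not name the algorithm), and it adds a per-provider sequence number to reject replays, which the page does not describe. Provider names, key lists and transaction bodies are constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Transaction stands in for one provisioning request; Sig covers all other fields.
type Transaction struct {
	SPID  string // service provider identifier
	KeyID uint32 // index into the provider's assigned key list
	Seq   uint64 // per-provider sequence number; must strictly increase
	Body  string // provisioning payload (constructed sample text below)
	Sig   []byte
}

// canonical serialises the signed fields with fixed-width length prefixes, so
// two different transactions can never encode to the same byte string.
func (t Transaction) canonical() []byte {
	var b bytes.Buffer
	for _, v := range []interface{}{uint32(len(t.SPID)), []byte(t.SPID), t.KeyID, t.Seq, uint32(len(t.Body)), []byte(t.Body)} {
		binary.Write(&b, binary.BigEndian, v) // cannot fail for these fixed-size types
	}
	return b.Bytes()
}

// Sign attaches the provider's signature over the canonical encoding.
func Sign(t *Transaction, priv ed25519.PrivateKey) { t.Sig = ed25519.Sign(priv, t.canonical()) }

var (
	ErrUnknownKey = errors.New("unknown provider or key id")
	ErrBadSig     = errors.New("signature does not verify")
	ErrReplay     = errors.New("sequence number already used")
)

// Registry keeps, per provider, its assigned public keys and the last accepted sequence number.
type Registry struct {
	keys    map[string][]ed25519.PublicKey
	lastSeq map[string]uint64
}

func NewRegistry() *Registry {
	return &Registry{keys: map[string][]ed25519.PublicKey{}, lastSeq: map[string]uint64{}}
}

func (r *Registry) AssignKeys(spid string, pubs ...ed25519.PublicKey) { r.keys[spid] = pubs }

// Accept verifies a transaction and, only if it verifies, consumes its sequence
// number: a forgery must not be able to advance a provider's counter and lock out its genuine traffic.
func (r *Registry) Accept(t Transaction) error {
	pubs, ok := r.keys[t.SPID]
	if !ok || int(t.KeyID) >= len(pubs) {
		return ErrUnknownKey
	}
	if !ed25519.Verify(pubs[t.KeyID], t.canonical(), t.Sig) {
		return ErrBadSig
	}
	if t.Seq <= r.lastSeq[t.SPID] {
		return ErrReplay
	}
	r.lastSeq[t.SPID] = t.Seq
	return nil
}

// RunScenario returns the registry's verdict on five constructed transactions.
func RunScenario() []error {
	pubA1, privA1, _ := ed25519.GenerateKey(rand.Reader)
	pubA2, _, _ := ed25519.GenerateKey(rand.Reader)
	pubB, privB, _ := ed25519.GenerateKey(rand.Reader)
	reg := NewRegistry()
	reg.AssignKeys("SP-A", pubA1, pubA2) // SP-A holds a list of two keys
	reg.AssignKeys("SP-B", pubB)
	var out []error
	t1 := Transaction{SPID: "SP-A", KeyID: 0, Seq: 1, Body: "activate 555-0100 for SP-A"}
	Sign(&t1, privA1)
	out = append(out, reg.Accept(t1)) // 1: genuine, accepted
	t2 := t1
	t2.Body = "activate 555-0100 for SP-B" // 2: body altered after signing
	out = append(out, reg.Accept(t2))
	out = append(out, reg.Accept(t1)) // 3: verbatim replay of 1
	t4 := Transaction{SPID: "SP-A", KeyID: 0, Seq: 2, Body: "release 555-0101"}
	Sign(&t4, privB) // 4: SP-B signs with its own key but claims to be SP-A
	out = append(out, reg.Accept(t4))
	t5 := Transaction{SPID: "SP-B", KeyID: 3, Seq: 1, Body: "release 555-0102"}
	Sign(&t5, privB) // 5: key id that was never assigned to SP-B
	out = append(out, reg.Accept(t5))
	return out
}

func main() {
	for i, err := range RunScenario() {
		verdict := "accepted"
		if err != nil {
			verdict = err.Error()
		}
		fmt.Printf("transaction %d: %s\n", i+1, verdict)
	}
}
```

Two details carry the security argument. The signature covers a length-prefixed canonical encoding, so a provider cannot later claim that a different split of the same bytes was what it signed; and for non-repudiation to mean anything the registry has to retain the signed bytes and signature of every accepted transaction, not just the resulting database state. The sequence check is an assumption added here; CMIP associations in practice may need a window rather than a strict counter if transactions can arrive out of order.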

These standards are highly relevant and appropriate for a DNS registry provider, given the criticality of ICANN's new TLD initiatives and the vital need to introduce them while maintaining the stability of the Internet. They exemplify our fluency with the technical, operational, security, and overall business standards to which industry-critical services of this kind must be provided in the interest of all industry stakeholders.

Melbourne IT has managed the Australian com.au registration service since 1996, and since June 1999 has operated as one of the first ICANN accredited TLD Registrars.  Due to this extensive experience, Melbourne IT has been in a unique position to observe many possible operational models, including thin and fat registries, different registrant authentication methods, and protocol design requirements and techniques for success in the market.

Our business model is to predominantly work through an extensive network of over 500 channel partners.  Because we have made a commitment not to compete with our partner network, we have not deployed functionality such as ISP access and Web hosting.

Melbourne IT's advanced TLD registration system uses a high performance and highly scalable 3-tier architecture.  The tiers include a web/protocol server tier, application server tier and back-end server tier (database, billing, credit card payments, registry server, etc).  The registration system has been developed in Java with a custom-built application server and associated infrastructure.  Security has been a priority throughout both the software architecture and network design.

The infrastructure has built-in redundancy with multiple servers in the web/protocol, application, and database tiers, and thus has been engineered for high fault tolerance. In addition, network devices such as routers, firewalls and load balancers have been deployed in a fully redundant configuration. Each tier is configured as a cluster, with failed servers automatically removed from the cluster. Sun SPARC/Solaris SMP machines have been used throughout the environment, with plenty of headroom for future growth. Melbourne IT also has four years' experience maintaining and generating zone files, and has developed a second-generation, scalable Whois server architecture.

Melbourne IT has service level agreements with channel partners guaranteeing over 99% availability, transaction response time and throughput targets, and help desk telephone call answer times. If these service levels are not met, there are financial penalties.

Because we operate through a channel partner network, we have experience providing a number of integration protocols, including HTTP POST, XML and email templates, using security mechanisms such as SSL and PGP. Melbourne IT's research group has developed two XML domain name registration protocols, and an XML-based domain name generation protocol has been deployed.

Melbourne IT brings considerable technical and domain expertise to JVTeam.

JVTeam has been founded on the strengths of the expansive technical experience of two of the world's leaders in the provision of registry services for critical public resources. The scope of this experience includes design and development of secure, real-time resource management systems, the implementation of high transaction, high availability database solutions, the design and management of transcontinental IP networks and the effective and timely delivery of technical solutions within highly regulated environments. All of this combined makes JVTeam the best choice in developing and delivering a responsible and stable solution for the next generation TLD registry.

The table below provides an overview of the defined technical capabilities for a TLD registry operator, together with a demonstration of how JVTeam's technical capabilities, backed up by real-world experience and success, meet or exceed those requirements.

Registry Operator's Technical Capability Requirement  |  JVTeam's Technical Capability

Release Management
    NeuStar: 7 major NPAC/SMS software releases over 4 years, incorporating over 300 change orders requested by the industry, costing over $70M.
    Melbourne IT: 5 major releases of a leading domain name registration system. Formalized and documented release management process, as required by the channel partner network.
    NeuStar: numerous other industry service systems (FCC LNP Cost Recovery/Billing, NANPA, CARE, Identibase).

Configuration Management
    NeuStar manages an infrastructure of 100+ large servers and 2,000 data circuits, including Lucent hardware fault-tolerant servers, numerous third-party middleware providers, and 7 major NPAC/SMS application software releases, across 4 sites.
    Melbourne IT manages an infrastructure of 30+ servers across three data centers and has a dedicated production support team with documented configuration management processes. The infrastructure supports separate development, internal test, external (partner) test, and production environments.

Change Management
    NeuStar: processed 300 industry change orders in 4 years, across 7 major software releases. Established an industry standards group as the focal point for coordinating NPAC enhancements (change orders).

Network Engineering
    NeuStar: deployed a completely redundant, IP-based, highly diverse and secure private WAN and LAN interconnecting 300 competing service providers with the NPAC SMS, covering 2,000 data circuits with a total of 900 Mbps capacity, each with BGP-4 routing for fast recovery and routing security, integrated with enterprise-wide frame relay and high-capacity inter-site ATM links.
    Melbourne IT designed, developed and manages a geographically dispersed and highly secure IP network spanning 2 continents and 3 data centers.

Applications Development
    NeuStar developed the NPAC SMS system and applications software, the associated industry number portability administration and interface standards, and testing services.