Fairfield, NJ...On 14 March 2014, the US Government announced plans to transition oversight of the...

Fairfield, NJ 10 September 2015

Wireless Access

•  SSID: •  Password:

Welcome. Here today from ARIN… •  Dan Alexander, ARIN Advisory Council

•  Einar Bohlin, Senior Policy Analyst

•  Eddie Diego, Senior Resource Analyst

•  Andy Newton, Chief Engineer

•  Avneet Wadhwani, Senior Software Engineer

Morning Agenda 10:15 - 10:45 ARIN: Mission, Services and Community

Engagement; Einar Bohlin 10:45 -11:20 Security Overlays on Core Internet Protocols –

DNSSEC; Andy Newton 11:20 - 12:00 Life After IPv4 Depletion: IPv4 Inventory, Waiting

List and Transfers; Leslie Nobile

12:00 PM - 1:00 PM Lunch

Afternoon Agenda 1:00 - 1:30 Security Overlays on Core Internet Protocols - Resource

Certification (RPKI); Avneet Wadhwani 1:30- 2:00 Number Resource Policy Discussions and How to

Participate; Dan Alexander

2:00 - 2:30 Automating Interactions with ARIN: Avneet Wadhwani

2:30- 3:00 Moving to IPv6 - Getting IPv6 from ARIN/Current Uptake;

Andy Newton and Eddie Diego

3:00- 3:15 Q&A / Open Mic Session; Einar Bohlin

Let’s Get Started! •  Self introductions

– Name – Organization

ARIN and the RIR System: Mission, Role and Services

Einar Bohlin

Policy Analyst, Communications and Member Services

What is an RIR?

A Regional Internet Registry (RIR) is an organization that manages the allocation and registration of Internet number resources within a particular region of the world. Number resources include IP addresses and autonomous system (AS) numbers.

Regional Internet Registries

Not-for-profit Membership Organization

Community Regulated

•  Fee for services, not number resources

•  100% community funded

•  Open

•  Broad-based - Private sector - Public sector - Civil society

•  Community developed policies

•  Member-elected executive board

•  Open and transparent

RIR Structure

The NRO exists to protect the unallocated number resource pool, to promote and protect the bottom-up policy development process, and to act as a focal point for Internet community input into the RIR system.

Number Resource Organization

ARIN, a nonprofit member-based organization, supports the operation of the Internet through the management of Internet number resources throughout its service region; coordinates the

development of policies by the community for the management of Internet Protocol number resources; and advances the Internet through

informational outreach.

ARIN’s Service Region

The ARIN Region includes many Caribbean and North Atlantic islands, Canada, the United States and outlying areas.

IP Address and Autonomous System Number Provisioning Process

Who is the ARIN community?

Anyone with an interest in Internet number resource management in the ARIN region

The ARIN Community includes…

•  20,000+ customers •  5,000+ members •  60+ professional staff •  7 member Board of Trustees

•  elected by the membership

•  15 member Advisory Council •  elected by the membership

•  3 person Number Resource Organization Number Council

•  elected by the ARIN Community

ARIN Board of Trustees •  Paul Andersen, Vice Chair and Treasurer •  Vinton G. Cerf, Chair •  John Curran, President and CEO •  Timothy Denton, Secretary •  Aaron Hughes •  Bill Sandiford •  Bill Woodcock

17

ARIN Advisory Council •  Dan Alexander, Chair •  Cathy Aronson •  Kevin Blumberg, Vice Chair •  Owen DeLong •  Andrew Dul •  David Farmer •  David Huberman •  Scott Leibrand •  Tina Morris •  Milton Mueller •  Leif Sawyer •  Heather Schiller •  Robert Seastrom •  John Springer •  Chris Tacit

18

ARIN Services and Products

ARIN Manages: •  IP address allocations & assignments •  ASN assignment •  Transfers •  Reverse DNS •  Directory service

Whois Routing Information (Internet Routing Registry) WhoWas

19

ARIN Services and Products ARIN coordinates and administers: •  Policy Development

Community meetings Discussion Publication

•  Elections •  Information publication and dissemination

and public relations •  Community outreach •  Education and training

20

ARIN Services and Products ARIN develops technologies for managing Internet number resources:

•  ARIN Online •  Community Software Project Repository •  DNSSEC •  Resource Certification (RPKI) •  Whois-RWS •  Reg-RWS

21

Globalization of IANA Oversight

On 14 March 2014, the US Government announced plans to transition oversight of the IANA functions contract to the global multistakeholder community Current IANA functions contract expires 30 September 2015

NTIA Conditions for Transition Proposal 1.  Support and enhance the multi-

stakeholder model 2.  Maintain the security, stability, and

resiliency of the “Internet DNS” 3.  Meet the needs and expectation of the

global customers and partners of the IANA services

4.  Maintain the openness of the Internet

Current Status of IANA Stewardship Proposal

ü Number Resources (RIR community) –  CRISP Team

https://www.nro.net/wp-content/uploads/ICG-RFP-Number-Resource-Proposal.pdf - submitted 15 Jan 2015

–  Draft Service Level Agreement (SLA) for the IANA Numbering Services – Open for public comment 1 May 2015 – 14 June 2015

https://www.nro.net/news/call-for-comments-for-a-draft-sla-for-the-iana-numbering-services

IANA Stewardship Proposal – Victory Conditions •  A proposal submitted to NTIA by July 2015 which meets NTIA’s conditions and provides for transition of IANA stewardship to the global Internet community •  Community support of the ICG proposal, based on belief that the mechanisms provided for oversight and accountability are appropriate

IANA Stewardship – Potential Implications •  Successful transition of IANA Stewardship from the USG to the Internet community would be an important validation of the Internet’s multi-stakeholder governance model •  Inability to transition could raise concerns about the validity of the multi-stakeholder process and fuel discussion of the perceived need for intergovernmental mechanisms for Internet Governance

Join in Internet Governance Discussions

Visit ARIN’s webpage: Ways to Participate in Internet Governance

https://www.arin.net/participate/governance/participate.html

Get 6 – Websites on IPv6

http://teamarin.net/infographic/

How to Participate in ARIN

•  Attend Public Policy and Members Meetings & Public Policy Consultations – Remote participation available

•  Apply for Meeting Fellowship •  Discuss policies on Public Policy Mailing

List (ppml) •  Come to outreach events •  Subscribe to an ARIN mailing list

More Ways to Participate

•  Give your opinion on community consultations

•  Submit a suggestion •  Contribute to the IPv6 wiki •  Write a guest blog for TeamARIN.net •  Connect with us on social media •  Members – Vote in annual elections

ARIN Mailing Lists

ARIN Mailing Lists ARIN Consulta8on -‐ arin-‐[email protected] Open to the general public. Used in conjunc8on with the ARIN Consulta8on and Sugges8on Process (ACSP) to gather comments, this list is only open when there is a call for comments ARIN Issued -‐ arin-‐[email protected] Read-‐only list open to the general public. Used by ARIN staff to provide a daily report of IPv4 and IPv6 addresses returned and IPv4 and IPv6 addresses issued directly by ARIN or address blocks returned to ARIN's free pool. ARIN Technical Discussions -‐ arin-‐tech-‐[email protected] Open to the general public. Provided for those interested in providing technical feedback to ARIN on experiences in the use or evalua8on of current ARIN services and features in development.

http://www.arin.net/participate/mailing_lists/index.html

ARIN Announce: [email protected] ARIN Discussion: [email protected] (members only) ARIN Public Policy: [email protected] ARIN Consultation: [email protected] ARIN Issued: [email protected] ARIN Technical Discussions: [email protected] Suggestions: [email protected]

ARIN on Social Media www.TeamARIN.net

www.facebook.com/TeamARIN

@TeamARIN

www.gplus.to/TeamARIN

www.linkedin.com/company/ARIN

www.youtube.com/TeamARIN

#ARIN35

Apply now for ARIN 37 April 2016 in Jamaica h8ps://www.arin.net/par>cipate/mee>ngs/fellowship.html

NEW: Includes a8endance at NANOG

Q&A

Security Overlays on Core Internet Protocols – DNSSEC

Avneet Wadhwani Software Engineer

Core Internet Protocols

•  Two critical resources that are unsecured – Domain Name Servers – Routing

•  Hard to tell if compromised – From the user point of view – From the ISP/Enterprise

•  Focus on government funding

DNS

How DNS Works

Resolver

Question: www.arin.net A

www.arin.net A ?

Caching forwarder (recursive)

root-‐server www.arin.net A ?

Ask net server @ X.gtld-‐servers.net (+ glue)

gtld-‐server www.arin.net A ?

Ask arin server @ ns1.arin.net (+ glue)

arin-‐server

www.arin.net A ?

192.168.5.10

192.168.5.10

Add to cache

Why DNSSEC? What is it?

•  Standard DNS (forward or reverse) responses are not secure – Easy to spoof – Notable malicious attacks

•  DNSSEC attaches signatures – Validates responses – Can not spoof

Reverse DNS at ARIN

• ARIN issues blocks without any working DNS – Registrant must establish

delegations after registration – Then employ DNSSEC if desired

•  Just as susceptible as forward DNS if you do not use DNSSEC

Reverse DNS at ARIN

• Authority to manage reverse zones follows allocations – “Shared Authority” model – Multiple sub-allocation recipient

entities may have authority over a particular zone

Changes completed to make DNSSEC work at ARIN

•  Permit by-delegation management •  Sign in-addr.arpa. and ip6.arpa.

delegations that ARIN manages •  Create entry method for DS Records

– ARIN Online – RESTful interface – Not available via templates

Changes completed to make DNSSEC work at ARIN

•  Only key holders may create and submit Delegation Signer (DS) records

•  DNSSEC users need to have signed a registration services agreement with ARIN to use these services

Reverse DNS in ARIN Online First identify the network that you want to put Reverse DNS nameservers on…

Reverse DNS in ARIN Online …then enter the Reverse DNS nameservers…

DNSSEC in ARIN Online …then apply DS record to apply to the delegation

Reverse DNS: Querying ARIN’s Whois

Query for the zone directly: whois> 81.147.204.in-addr.arpa Name: 81.147.204.in-addr.arpa. Updated: 2006-05-15 NameServer: AUTHNS2.DNVR.QWEST.NET NameServer: AUTHNS3.STTL.QWEST.NET NameServer: AUTHNS1.MPLS.QWEST.NET Ref: http://whois.arin.net/rest/rdns/81.147.204.in-addr.arpa.

DNSSEC in Zone Files ; File written on Mon Feb 24 17:00:53 2014 ; dnssec_signzone version 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6 0.74.in-addr.arpa. 86400 IN NS NS3.COVAD.COM. 86400 IN NS NS4.COVAD.COM. 10800 NSEC 1.74.in-addr.arpa. NS RRSIG NSEC 10800 RRSIG NSEC 5 4 10800 20140306210053 ( 20140224210053 57974 74.in-addr.arpa. oNk3GVaCWj2j8+EAr0PncqnZeQjm8h4w51nS D2VUi7YtR9FvYLF/j4KO+8qYZ3TAixb9c05c 8EVIhtY1grXEdOm30zJpZyaoaODpbHt8FdWY vwup9Tq4oVbxVyuSNXriZ2Mq55IIMgDR3nAT BLP5UClxUWkgvS/6poF+W/1H4QY= ) 1.74.in-addr.arpa. 86400 IN NS NS3.COVAD.COM. 86400 IN NS NS4.COVAD.COM. 10800 NSEC 10.74.in-addr.arpa. NS RRSIG NSEC 10800 RRSIG NSEC 5 4 10800 20140306210053 ( 20140224210053 57974 74.in-addr.arpa. DKYGzSDtIypDVcer5e+XuwoDW4auKy6G/OCV VTcfQGk+3iyy2CEKOZuMZXFaaDvXnaxey9R1 mjams519Ghxp2qOnnkOw6iB6mR5cNkYlkL0h lu+IC4Buh6DqM4HbJCZcMXKEtWE0a6dMf+tH sa+5OV7ezX5LCuDvQVp6p0LftAE= )

DNSSEC in Zone Files 0.121.74.in-addr.arpa. 86400 IN NS DNS1.ACTUSA.NET. 86400 IN NS DNS2.ACTUSA.NET. 86400 IN NS DNS3.ACTUSA.NET. 86400 DS 46693 5 1 ( AEEDA98EE493DFF5F3F33208ECB0FA4186BD 8056 ) 86400 DS 46693 5 2 ( 66E6D421894AFE2AF0B350BD8F4C54D2EBA5 DA72A615FE64BE8EF600C6534CEF ) 86400 RRSIG DS 5 5 86400 20140306210053 ( 20140224210053 57974 74.in-addr.arpa. n+aPxBHuf+sbzQN4LmHzlOi0C/hkaSVO3q1y 6J0KjqNPzYqtxLgZjU+IL9qhtIOocgNQib9l gFRmZ9inf2bER435GMsa/nnjpVVWW/MBRKxf Pcc72w2iOAMu2G0prtVT08ENxtu/pBfnsOZK nhCY8UOBOYLOLE5Whtk3XOuX9+U= ) 10800 NSEC 1.121.74.in-addr.arpa. NS DS RRSIG NSEC 10800 RRSIG NSEC 5 5 10800 20140306210053 ( 20140224210053 57974 74.in-addr.arpa. YvRowkdVDfv+PW42ySNUwW8S8jRyV6EKKRxe …

DNSSEC Validating Resolvers

•  www.internetsociety.org/deploy360/dnssec/ •  www.isc.org/downloads/bind/dnssec/

Reverse DNS Management and DNSSEC in ARIN Online •  Available on ARIN’s website http://www.arin.net/knowledge/dnssec/

Q&A

Life After IPv4 Depletion Eddie Diego, Senior Resource Analyst

Overview

•  ARIN’s IPv4 inventory •  Trends and Observations •  Ways to obtain IP addresses post IPv4

depletion –  IPv4 – Transfers –  IPv6

55 55

Check ARIN’s Available IPv4 Inventory

ARIN’s IPv4 inventory published on ARIN’s website: www.arin.net Updated daily at @ 12 am ET

56

Available IPv4 Inventory

•  Today, only /24s remain to fill general IPv4 requests (104 as of 8/28) –  Per policy, ARIN issues only contiguous prefixes

(cannot issue multiple /24s to satisfy a request)

•  Excludes space being held or reserved under policy

.00159

57

*ARIN has issued ~1 /8 equivalent per year over the past several years

57

Other IPv4 Inventory

•  Quarantined space (60 day hold) –  ~19 /16 equivalents held in “quarantine” to clear filters

(returned and revoked space)

•  Reserved space (indefinite hold) –  64 /16s (1 /10) for NRPM 4.10 “Dedicated IPv4 block to

facilitate IPv6 Deployment”

–  ~218 /24s remaining in the original /16 for NRPM 4.4 “Micro-allocation”. 2nd /16 recently added under new policy

–  ~8 /16 equivalents needing further research (reclaimed space that needs further chain of custody research)

58

Trends and Observations •  Surprisingly smooth transition to depletion

–  Very few complaints or escalations –  Community seems to have general

understanding of the situation •  ARIN put depletion plan and communications into

place well in advance of the actual event

–  Most criticism directed at policy not allowing issuance of multiple prefixes

•  More organizations opting to be placed on ARIN’s Wait List for Unmet Resources; 50+ organizations on the list 59 59

Post-IPv4 Depletion Options

•  More efficient use of existing IPv4 resources

•  IPv4 Wait List

•  Specified Recipient and Inter-RIR Transfers

•  Adopt IPv6

60 60

IPv4 Wait List •  If ARIN can’t fill your qualified request, you

have the option to specify the smallest block size you’ll accept

•  If available, your request will be filled and you’ll be unable to request additional addresses for 3 months

•  If no block available between approved and smallest acceptable, you can be added to the IPv4 Wait List 61 61

How the IPv4 Wait List Works

•  Oldest request filled first (based on approval date) –  E.g. - if ARIN gets a /16 back and the oldest

request is for a /24, we issue a /24 to that org

•  One approved request per organization on the list at a time

•  Limit of one allocation or assignment every 3 months

https://www.arin.net/resources/request/waiting_list.html

62

63

How Long Might You Wait? •  IPv4 space can become available

periodically –  Return = voluntary –  Revoke = for cause (usually non-payment)

•  3.54 /8 equivalents returned/revoked since 2005

–  IANA issued – per global policy for “post exhaustion IPv4 allocation mechanisms by IANA”

»  /11 (issued 5/14), /12 (issued 9/14) and /13 (issued 3/15) by IANA to each RIR

•  Demand will be far greater than availability 64 64

Transfers of IPv4 Addresses

•  Mergers and Acquisitions (NRPM 8.2)

•  Transfers to Specified Recipients (NRPM 8.3)

•  Inter-RIR transfers (NRPM 8.4)

65 65

Transfers to Specified Recipients (NRPM 8.3) •  Allows orgs with unused IPv4 resources to

transfer them to orgs in need of IPv4 resources •  Source

–  Must be current registrant, no disputes –  Not have received addresses from ARIN for 12

months prior –  Ineligible for further addresses from ARIN for 12

months after •  Recipient

–  Must demonstrate need for 24-month supply under current ARIN policy

66 66

Inter-RIR Transfers (NRPM 8.4)

•  RIR must have reciprocal, compatible needs-based policies –  Currently APNIC, soon to be RIPE NCC

•  Transfers from ARIN –  Source cannot have received IPv4 from ARIN 12

months prior to transfer or receive IPv4 for 12 months after transfer

–  Must be current registrant, no disputes –  Recipient meets destination RIR policies

•  Transfers to ARIN –  Must demonstrate need for 24-month supply under

current ARIN policy

67 67

Pre-approval for Specified Recipient Transfers •  Pre-approval offered through ARIN

online – Based on 24 month need (per policy) – Valid for 2 years (no need for re-

verification)

•  Must meet current ARIN policy •  Can use multiple transfers to fill need

without being subject to re-verification 68 68

Specified Transfer Listing Service (STLS) •  Optional service intended to facilitate specified

recipient and inter-RIR transfers •  All participants have access to each others

contact information –  Listers: have available IPv4 addresses

•  Resources must be covered under RSA/LRSA

–  Needers: looking for IPv4 addresses •  Must be pre-approved under ARIN policy to be listed

–  Facilitators: available to help listers and needers find each other

•  Public summary provided –  Lists number of available and needed IPv4 address blocks

69 69

Tips for Faster Transfer Processing

•  Make sure that all registration information is current and accurate

•  Request pre-approval for your 24 month need in advance of the transfer

•  Provide detailed information to support 24 month need

•  Apply under the correct transfer policy

70 70

Requesting IPv6 - ISPs •  Have a previous v4 allocation from

ARIN or predecessor registry OR •  Intend to multi-home OR •  Provide a technical justification

which details at least 50 assignments made within 5 years

71 71

Data ARIN Will Typically Ask For - ISPs

•  If requesting more than a /32, a spreadsheet/text file with – # of serving sites (PoPs, datacenters) – # of customers served by largest serving

site – Block size to be assigned to each

customer (/48 typical)

72 72

Requesting IPv6 – End Users •  Have a v4 direct assignment from ARIN or

predecessor registry OR •  Intend to multi-home OR •  Show how you will use 2000 IPv6 addresses or

200 IPv6 subnets within a year OR •  Technical justification as to why provider-

assigned IPs are unsuitable

73 73

Data ARIN Will Typically Ask For – End users •  If requesting more than a /48, a

spreadsheet/text file with – List of sites in your network

•  Site = distinct geographic location •  Street address for each

– Campus may count as multiple sites •  Technical justification showing how they’re

configured like geographically separate sites

74 74

Summary •  ARIN will deplete its available IPv4 pool

sometime this year •  No perfect solution

–  CGN = potential problems –  Waiting list = uncertainty –  Transfers = subject to market prices –  IPv6 = transition effort

•  Begin planning now

75 75

76

Security Overlays on Core Internet Protocols –RPKI


Core Internet Protocols

•  Two critical resources that are unsecured – Domain Name Servers – Routing

•  Hard to tell if compromised – From the user point of view – From the ISP/Enterprise

•  Focus on government funding

Routing

Routing Architecture •  The Internet uses a two level routing hierarchy:

–  Interior Routing Protocols, used by each network to determine how to reach all destinations that line within the network

–  Interior Routing protocols maintain the current topology of the network

Routing Architecture •  The Internet uses a two level routing hierarchy:

–  Exterior Routing Protocol, used to link each component network together into a single whole

–  Exterior protocols assume that each network is fully interconnected internally

Exterior Routing: BGP •  BGP is a large set of bilateral (1:1)

routing sessions – A tells B all the destinations (prefixes) that

A is capable of reaching – B tells A all the destinations that B is

capable of reaching

A B

10.0.0.0/24 10.1.0.0/16 10.2.0.0/18

192.2.200.0/24

What is RPKI? •  Resource Public Key Infrastructure

•  Attaches digital certificates to network resources – AS Numbers

–  IP Addresses

•  Allows ISPs to associate the two – Route Origin Authorizations (ROAs) – Can follow the address allocation chain

to the top

What does RPKI accomplish? •  Allows routers or other processes

to validate route origins •  Simplifies validation authority

information – Trust Anchor Locator

•  Distributes trusted information – Through repositories

AFRINIC RIPE NCC APNIC ARIN LACNIC

LIR1 ISP2

ISP ISP ISP ISP4 ISP ISP ISP

Issued Certificates

Resource Allocation Hierarchy

Route Origination Authority “ISP4 permits AS65000 to originate a route for the prefix 192.2.200.0/24” Attachment: <isp4-ee-cert> Signed, ISP4 <isp4-ee-key-priv>

ICANN

Resource Cert Validation


LIR1 ISP2

ISP ISP ISP ISP4 ISP ISP ISP



1. Did the matching private key sign this text?

ICANN

Issued Certificates



LIR1 ISP2

ISP ISP


ISP ISP4

2. Is this certificate valid?

ISP ISP ISP

Issued Certificates


ICANN



LIR1 ISP2

ISP ISP


ISP ISP4 ISP ISP ISP

Issued Certificates


ICANN

3. Is there a valid certificate path from a Trust Anchor to this certificate?


What does RPKI Create?

•  It creates a repository – RFC 3779 (RPKI) Certificates – ROAs – CRLs – Manifest records

Repository View ./ba/03a5be-ddf6-4340-a1f9-1ad3f2c39ee6/1:!total 40!-rw-r--r-- 1 143 143 1543 Jun 26 2009 ICcaIRKhGHJ-TgUZv8GRKqkidR4.roa!-rw-r--r-- 1 143 143 1403 Jun 26 2009 cKxLCU94umS-qD4DOOkAK0M2US0.cer!-rw-r--r-- 1 143 143 485 Jun 26 2009 dSmerM6uJGLWMMQTl2esy4xyUAA.crl!-rw-r--r-- 1 143 143 1882 Jun 26 2009 dSmerM6uJGLWMMQTl2esy4xyUAA.mnf!-rw-r--r-- 1 143 143 1542 Jun 26 2009 nB0gDFtWffKk4VWgln-12pdFtE8.roa!

A Repository Directory containing an RFC3779 Certificate, two ROAs, a CRL, and a manifest

Repository Use •  Pull down these files using a manifest-

validating mechanism •  Validate the ROAs contained in the

repository •  Communicate with the router marking

routes “valid”, “invalid”, “unknown” •  Up to ISP to use local policy on how to

route

Possible Data Flow for Operations

•  RPKI Web interface -> Repository

•  Repository aggregator -> Validator

•  Validated entries -> Route Checking

•  Route checking results -> local routing decisions (based on local policy)

How you can use ARIN’s RPKI System? •  Hosted •  Hosted using ARIN’s RESTful service •  Delegated using Up/Down Protocol

Hosted RPKI •  Pros

–  Easier to use – ARIN managed

•  Cons – No current support for downstream

customers to manage their own space (yet) –  Tedious through the IU if you have a large

network – We hold your private key

Hosted RPKI with RESTful Interace

•  Pros – Easier to use – ARIN managed – Programmatic interface for large networks

•  Cons – No current support for downstream

customers to manage their own space (yet)

– We hold your private key

Delegated RPKI with Up/Down

•  Pros – You safeguard your own private key – Follows the IETF up/down protocol

•  Cons – Extremely hard to setup – Need to operate your own RPKI

environment – More later

Hosted RPKI in ARIN Online




Hosted RPKI in ARIN Online SAMPLE-‐ORG

Hosted RPKI in ARIN Online SAMPLE-‐ORG


Your ROA request is automatically processed and the ROA is placed in ARIN’s repository, accompanied by its certificate and a manifest. Users of the repository can now validate the ROA using RPKI validators.

Delegated with Up/Down




•  You have to do all the ROA creation •  Need to setup a CA •  Have a highly available repository •  Create a CPS

Q&A

Fairfield, NJ 10 September 2015

ARIN’s Policy Development Process

Current Number Resource Policy Discussions and How to Participate

Dan Alexander ARIN Advisory Council

Number Resource Policy Manual ARIN’s Policy Document

–  Version 2015.3 (29 July 2015) –  39th version

Change Logs HTML/PDF/txt

http://www.arin.net/policy/nrpm.html

Policy Development Process (PDP)

Process Flowchart Proposal Template

http://www.arin.net/policy/pdp.html

PDP Goals •  "open, transparent, and inclusive

manner that allows anyone to participate in the process."

•  "clear, technically sound and useful policies"

•  "Policies, not Processes, Fees, or Services”

Basic Steps 1.  Proposal from community member 2.  AC works with author ensure it is clear and in scope 3.  AC promotes proposal to Draft Policy for community

discussion/feedback (PPML and possibly PPC/PPM) 4.  AC recommends fully developed Draft Policy (fair, sound

and supported by community) for adoption 5.  Recommended Draft Policy must be presented at a

face-to-face meeting (PPC/PPM) 6.  If AC still recommends adoption, then Last Call, review

of last call, and send to Board 7.  Board reviews 8.  Staff implements

Current Draft Policies/Proposals

116

1.  Implemented recently ARIN-‐2014-‐17: Change U8liza8on Requirements from last-‐alloca8on to total-‐aggregate ARIN-‐2014-‐6: Remove Opera8onal Reverse DNS Text ARIN-‐2014-‐21: Modifica>on to CI Pool Size per Sec>on 4.4

2.  Under discussion ARIN-‐2015-‐1: Modifica8on to Criteria for IPv6 Ini8al End-‐User Assignments ARIN-‐2015-‐2: Modify 8.4 (Inter-‐RIR Transfers to Specified Recipients) ARIN-‐2015-‐3: Remove 30 day u8liza8on requirement in end-‐user IPv4 policy ARIN-‐2015-‐4: Modify 8.2 sec8on to befer reflect how ARIN handles reorganiza8ons ARIN-‐2015-‐5: Out of region use ARIN-‐2015-‐6: Transfers and Mul8-‐na8onal Networks ARIN-‐2015-‐7: Simplified requirements for demonstrated need for IPv4 transfers ARIN-‐2015-‐8: Reassignment records for IPv4 End-‐Users

ARIN-2014-21: Modification to CI Pool Size per Section 4.4 •  Increase the pool reserved for Critical Infrastructure

(primarily Exchange Points) from a /16 to a /15 •  Discussion started on the policy list in October 2014 •  Presented at NANOG 63 in February 2015 •  Advanced to Recommended state in March •  Presented at ARIN 35 in April •  Last call was 27 April thru 11 May 2015 (continued on next slide)

ARIN-2014-21 continued

•  AC reviewed last call, advanced proposal to the Board in May

•  Board review in June –  Ensured PDP had been followed –  Ensured compliance with law and ARIN’s mission –  Adopted 2014-21

•  Implemented by staff in July •  474 /24s available in this pool of address space

How Can You Get Involved?

There are two ways to voice your opinion:

– Public Policy Mailing List

– Public Policy Consultations/Meetings •  In person or remotely

•  ARIN meetings and Public Policy Consultations at NANOG

Takeaways

Three things 1. ARIN doesn't make up the policy, ARIN implements

community created/maintained policy.

2. Policy process exists, if you are unhappy with a policy, there is a way for you to try to change it.

3. If you want to participate, you know where you can voice your opinion (email, in person and remote).

References Policy Development Process

http://www.arin.net/policy/pdp.html

Draft Policies and Proposals http://www.arin.net/policy/proposals/index.html

Number Resource Policy Manual http://www.arin.net/policy/nrpm.html

Q&A

Automating Your Interactions with ARIN


Why Automate?

•  Interact with ARIN faster •  Not dependent on ARIN’s systems for

user interface issues •  Build a customized system using

standards-based technologies •  Improved accuracy •  Integrate multiple services

Why Automate (continued)

•  We have a rich set of interfaces •  Focused on reliability and

completeness •  Welcome to share your tools with the

community at projects.arin.net

REST – Service Summary

•  ARIN’s RESTful Web Services (RWS) – Whois-RWS

•  Provides public Whois data via REST

– Reg-RWS (or Registration-RWS) •  Allows ARIN customers to register and maintain

data in a programmatic fashion

– Report Request/Retrieval Automation •  Permits request and download of various ARIN

data (subject to AUP)

– RPKI using Reg-RWS

What is REST? •  Representational State Transfer

•  As applied to web services – defines a pattern of usage with HTTP to create,

read, update, and delete (CRUD) data –  “Resources” are addressable in URLs

•  Very popular protocol model – Amazon S3, Yahoo & Google services, …

The BIG Advantage of REST •  Easily understood

– Any modern programmer can incorporate it – Can look like web pages

•  Re-uses HTTP in a simple manner – Many, many clients – Other HTTP advantages

•  This is why it is very, very popular with Google, Amazon, Yahoo, Twitter, Facebook, YouTube, Flickr, …

What does it look like? Who can use it? Where the data is.

What type of data it is.

The ID of the data.

It is a standard URL. Anyone can use it. Go ahead, put it into your browser.

Where can more information on REST be found?

•  RESTful Web Services – O’Reilly Media

–  Leonard Richardson

–  Sam Ruby

Whois-RWS •  Publicly accessible, just like traditional

Whois •  Searches and lookups on IP addresses, AS

numbers, POCs, Orgs, etc… •  Very popular

– As of October 2014, constitutes 65% of our query load

•  For more information: –  http://www.arin.net/resources/whoisrws/index.html

Whois Queries Per Second

0

500

1000

1500

2000

2500

3000

3500

4000

2001-‐07

2001-‐11

2002-‐03

2002-‐07

2002-‐11

2003-‐03

2003-‐07

2003-‐11

2004-‐03

2004-‐07

2004-‐11

2005-‐03

2005-‐07

2005-‐11

2006-‐03

2006-‐07

2006-‐11

2007-‐03

2007-‐07

2007-‐11

2008-‐03

2008-‐07

2008-‐11

2009-‐03

2009-‐07

2009-‐11

2010-‐03

2010-‐07

2010-‐11

2011-‐03

2011-‐07

2011-‐11

2012-‐03

2012-‐07

2012-‐11

2013-‐03

2013-‐07

2013-‐11

2014-‐03

2014-‐07

2014-‐11

2015-‐03

RESTful

Port 43

RDAP

•  RDAP is a Whois alternative for querying resource registration data from Domain Name Registries (DNRs) and Regional Internet Registries (RIRs).

•  IETF published the RDAP series of RFCs in Q1 of 2015. – ARIN has rolled out RDAP – Will be supported by all 5 RIRs and domain

registries.

RDAP vs Whois-RWS

•  Both are RESTful sevices •  Standardized format used between all

RIRs for RDAP •  RDAP responses offer direct referrals to

other RIRs, whereas Whois defines no queries or responses, and interaction with DNRs and RIRs can vary significantly

ARIN RDAP

•  ARIN’s RDAP service (w/ bootstrap) – https://rdap.arin.net/bootstrap/

•  ARIN’s RDAP service (w/o bootstrap) – http://rdap.arin.net/registry/

•  Command Line client called NicInfo – https://github.com/arineng/nicinfo

RDAP IP Query wget https://rdap.arin.net/bootstrap/ip/100.42.0.0!!{! "rdapConformance" : [ "rdap_level_0" ],! "notices" : [ {! "title" : "Terms of Service",! "description" : [ "By using the ARIN RDAP/Whois service, you are agreeing to the RDAP/Whois Terms of Use" ],! "links" : [ {! "value" : "https://rdap.arin.net/registry/ip/100.42.0.0",! "rel" : "about",! "type" : "text/html",! "href" : "https://www.arin.net/whois_tou.html"! } ]! } ],! "handle" : "NET-100-42-0-0-2",! "startAddress" : "100.042.000.000",! "endAddress" : "100.042.000.255",! "ipVersion" : "v4",! "name" : "ISOTROPIC-NETWORKS",! "parentHandle" : "NET-100-42-0-0-1“,!...!!

Bootstrapped Response !

wget https://rdap.arin.net/bootstrap/ip/176.0.0.0!!--2015-08-21 16:02:16-- https://rdap.arin.net/bootstrap/ip/176.0.0.0!Resolving rdap.arin.net (rdap.arin.net)... 199.212.0.160, 2001:500:13::160!

Connecting to rdap.arin.net (rdap.arin.net)|199.212.0.160|:443... connected.!HTTP request sent, awaiting response... 302 Moved Temporarily!Location: https://rdap.db.ripe.net/ip/176.0.0.0 [following]!--2015-08-21 16:02:16-- https://rdap.db.ripe.net/ip/176.0.0.0!Resolving rdap.db.ripe.net (rdap.db.ripe.net)... 193.0.6.142, 2001:67c:2e8:22::c100:68e!Connecting to rdap.db.ripe.net (rdap.db.ripe.net)|193.0.6.142|:443... connected.!HTTP request sent, awaiting response... 200 OK!

RDAP Statistics

•  RDAP Released June 20, 2015 – 51K queries

•  Entity queries: 173 •  Domain queries: 290 •  IP queries: 40818 •  Autnum queries: 9203

•  1 query/2 seconds

Registration RWS (Reg-RWS)

•  Programmatic way to interact with ARIN –  Intended to be used for automation – Not meant to be used by humans

•  Useful for ISPs that manage a large number of SWIP records

•  Requires an investment of time to achieve those benefits

Reg-RWS

•  Requires an API Key – You generate one in ARIN Online on the

“Web Account” page •  Permits you to register and manage

your data (ORGs, POCs, NETs, ASes) – But only your data

•  More information –  http://www.arin.net/resources/restful-interfaces.html

Anatomy of a RESTful request

•  Uses a URL (just like you would type into your browser)

•  Uses a request type, known as a “method”, of GET, PUT, POST or DELETE

•  Usually requires a payload – Adheres to a published structure – Depends upon the type of data – Depends upon the method

•  Method, Payload, and XML schema info is found at “RESTful Provisioning Downloads”

Example – Reassign Detailed •  Your automated system issues a PUT

command to ARIN using the following URL:

http://www.arin.net/rest/net/NET-10-129-0-0-1/reassign?apikey=API-1234-5678-9ABC-DEFG

The payload contains the following data:

<net xmlns="h8p://www.arin.net/regrws/core/v1" > <version>4</version> <comment></comment> <registra>onDate></registra>onDate> <orgHandle>HW-‐1</orgHandle> <handle></handle> <netBlocks> <netBlock> <type>A</type> <descrip>on>Reassigned</descrip>on> <startAddress>10.129.0.0</startAddress> <endAddress>10.129.0.255</endAddress> <cidrLength>24</cidrLength> </netBlock> </netBlocks> <parentNetHandle>NET-‐10-‐129-‐0-‐0-‐1</parentNetHandle> <netName>HELLOWORLD</netName> <originASes></originASes> <pocLinks></pocLinks> </net>

Example – Reassign Detailed ARIN’s web server returns the following

to your automated system: <net xmlns="h8p://www.arin.net/regrws/core/v1" > <version>4</version> <comment></comment> <registra>onDate>Tue Jan 25 16:17:18 EST 2011</registra>onDate> <orgHandle>HW-‐1</orgHandle> <handle>NET-‐10-‐129-‐0-‐0-‐2</handle> <netBlocks> <netBlock> <type>A</type> <descrip>on>Reassigned</descrip>on> <startAddress>10.129.0.0</startAddress> <endAddress>10.129.0.255</endAddress> <cidrLength>24</cidrLength> </netBlock> </netBlocks> <parentNetHandle>NET-‐10-‐129-‐0-‐0-‐1</parentNetHandle> <netName>netName>HELLOWORLD</netName> <originASes></originASes> <pocLinks></pocLinks> </net>

Reg-RWS Has More Than Templates

•  Only programmatic way to do IPv6 Reassign Simple

•  Only programmatic way to manage Reverse DNS

•  Only programmatic way to access your ARIN tickets

Reg-RWS Adoption

ARIN 29

ARIN 30

ARIN 31

ARIN 32

ARIN 33

ARIN 34

ARIN 35

Template 408,383 595,858 846,943 1,066,03 1,311,40 1,498,20 1,749,38

REST 40,374 320,197 841,105 3,524,12 4,296,73 4,715,23 5,034,71

0

1,000,000

2,000,000

3,000,000

4,000,000

5,000,000

6,000,000

Template

REST

Testing Your Reg-RWS Client

•  We offer an Operational Test & Evaluation environment for Reg-RWS

•  Your real data, but isolated – Helps you develop against a real system

without the worry that real data could get corrupted

•  For more information: –  http://www.arin.net/resources/ote.html

Obtaining RESTful Assistance •  http://www.arin.net/resources/restful-interfaces.html •  Pay attention to Method, Payload, and XML schema

documents under “RESTful Provisioning Downloads” •  Or use ARIN Online’s Ask ARIN feature •  Or use the arin-tech-discuss mailing list

–  Make sure to subscribe –  Someone on the list will help you ASAP –  Archives on the web site

•  Registration Services Help Desk telephone not a good fit –  Debugging these problems requires a detailed look at

the URL, method, and payload being used

Report Request/Retrieval

•  For customer-specific data, access is restricted by user – Permits you to request and retrieve reports – But only your data

•  For public services, you must first sign an AUP or TOU (Bulk Whois, Registered ASNs, WhoWas) –  ARIN staff may review your need to access this data

•  Requires an API Key

RPKI thru Reg-RWS

•  Delegated – very complex •  Hosted – easy but tedious if managing

a large network through the UI •  Solution: Interface to sign ROAs using

the RESTful API – Ease of Hosted – Programmatic way of managing a large

number of ROAs

Q&A

Fairfield, NJ 9/10/15

Moving to IPv6

Mark Kosters, Chief Technology Officer With some help from Geoff Huston

152

The Amazing Success of the Internet

•  2.92 billion users! •  4.5 online hours per day per user! •  5.5% of GDP for G-20 countries

Time

Just about anything about the Internet

153

Success-Disaster

154

The Original IPv6 Plan - 1995

IPv6 Deployment

Time

IPv6 Transition – Dual Stack

IPv4 Pool Size

Size of the Internet

155

The Revised IPv6 Plan - 2005

IPv6 Deployment

2004

IPv6 Transition – Dual Stack

IPv4 Pool Size


2006 2008 2010 2012 Date

156

Oops! We were meant to have completed the transition to IPv6 BEFORE we completely exhausted the supply channels of IPv4 addresses!

157

Today’s Plan

IPv6 Deployment

IPv4 Pool Size


IPv6 Transition

Today

Time

?

0.8%

158

Transition... The downside of an end-to-end architecture:

–  There is no backwards compatibility across protocol families

–  A V6-only host cannot communicate with a V4-only host

We have been forced to undertake a Dual Stack transition:

–  Provision the entire network with both IPv4 AND IPv6 –  In Dual Stack, hosts configure the hosts’ applications

to prefer IPv6 to IPv4 –  When the traffic volumes of IPv4 dwindle to

insignificant levels, then it’s possible to shut down support for IPv4

159

Dual Stack Transition ... We did not appreciate the operational problems with this dual stack plan while it was just a paper exercise:

•  The combination of an end host preference for IPv6 and a disconnected set of IPv6 “islands” created operational problems

–  Protocol “failover” from IPv6 to IPv4 takes between 19 and 108 seconds (depending on the operating system configuration)

–  This is unacceptably slow

•  Attempting to “bridge” the islands with IPv6-in-IPv4 tunnels created a new collection of IPv6 path MTU Discovery operational problems

–  There are too many deployed network paths containing firewall filters that block all forms of ICMP, including ICMP6 Packet Too Big

•  Attempts to use end-host IPv6 tunneling also presents operational problems

–  Widespread use of protocol 41 (IP-in-IP) firewall filters –  Path MTU problems

160

Dual Stack Transition

Signal to the ISPs:

–  Deploy IPv6 and expose your users to operational problems with IPv6 connectivity

Or

–  Delay IPv6 deployment and wait for these operational issues to be solved by someone else

So we wait...

161

And while we wait... The Internet continues its growth. •  And without an abundant supply of IPv4

addresses to support this level of growth, the industry is increasingly reliant on NATs:

–  Edge NATs are now the de facto choice for residential broadband services at the CPE

–  ISP NATs are now the de facto choice for 3G and 4G mobile IP services

162

What ARIN is hearing from the community

•  Movement to IPv6 is slow – Progress is being made –  ISPs carefully rolling out IPv6

•  Lots of ISPs purchasing CGN boxes •  There is a market for IP space

– Rent by month – Purchase outright

163

Why is there little immediate need for IPv6? •  Some of the claims are either not true

or taken over by events –  IPv6 gives you better security –  IPv6 gives you better routing

•  Some positive things –  IPv6 allows for end-to-end networking to

occur again –  IPv6 has more address bits –  It is cheaper per address

164

2003: Sprint •  T1 via Sprint

•  Linux Router with Sangoma T1 Card

•  OpenBSD firewall

•  Linux-based WWW, DNS, FTP servers

•  Segregated network, no dual stack (security concerns)

•  A lot of PMTU issues

•  A lot of routing issues

•  Service did improve over the years

165

2004: Worldcom •  T1 via Worldcom in Equinix

•  Cisco 2800 router


•  Linux-based ww6, DNS, FTP servers

•  Segregated network, no dual stack (security concerns)

•  A lot of PMTU Issues

•  A lot of routing issues

166

2006: Equi6IX •  100 Mbit/s Ethernet to

Equi6IX

•  Transit via OCCAID

•  Cisco 2800 router


•  WWW, DNS, FTP, SMTP

•  Segregated Network

•  Some dual stack

167

2008: NTT / TiNet IPv6 •  1000 Mbit/s to NTT / TiNet

•  Cisco ASR 1000 Router

•  Brocade Load Balancers - IPv6 support was Beta

•  DNS, Whois, IRR, more later

•  Dual stack

168

Past Meeting Networks •  IPv6 enabled since 2005

•  Tunnels to ARIN, others

•  Testbed for transition techology

•  NAT-PT (Cisco, OSS)

•  CGN / NAT-lite

•  IVI

•  Training opportunity

•  For staff & members

169

ARIN’s Current Challenges for Networking

•  Dual-Stacked Internally –  Challenges over time with our VPN (OpenVPN)

•  One interface works with v6 •  One does not

•  Middleware Boxes –  Claims do not support reality (“we support IPv6”) Yes, but… –  No 1-1 feature set –  Limits ARIN’s ability to support new services like https

support for Whois-RWS

170

So why do the move to IPv6? •  IPv4 will get more expensive •  Move to IPv6 will happen when cost is

too high for IPv4 •  Don’t want to be caught with gear

that will not support IPv6 before it is end-of-life

•  Need to have some experience on IPv6

171

Call to Action for IPv6 •  ISPs should do it now •  Universities should be teaching and making

IPv6 available •  Businesses should be asking for IPv6 support for

gear and services they purchase –  Want to be available to all on the Internet –  If only IPv4 – may miss some IPv6 clientele

•  Application developers need to integrate IPv6 support –  “Preparing Applications for IPv6” –  https://www.arin.net/knowledge/

preparing_apps_for_v6.pdf

172

Call to Action for IPv6

•  End user customers – May be behind CGN

•  Impacts speed and services •  Don’t want to lose in those real-time games!

(CoD gamers in particular)

– Ask for IPv6 support •  Faster •  Better application support •  Less support calls for IPv4

173

What is ARIN doing about it?

•  What we see with Transfers based on market reality

•  What we see with IPv6 Allocations

174

Trends and Observations

•  Comparing the past 12 months over the 12 months prior: –  9% increase in IPv4 requests (3641 > 3981) –  18% increase in transfer requests (500 > 648) –  2% increase in IPv6 requests (745 > 758)

•  Now that we have run out of IPv4 (or very close to it) –  Activity on the Wait List for redistributions from

IANA –  Anticipate a larger number of transfer requests

175

5,196 total members as of 31 July 2015

ISP Members with IPv4 and IPv6

176

IPv6 over time

ARIN IPv6 Allocations and Assignments *As of 30 June 2015

177

Get IPv6 from ARIN now!

Most organizations with IPv4 can IPv6 without increasing their annual ARIN fees

178

Learn More

IPv6 Info Center www.arin.net/knowledge/ipv6_info_center.html

www.GetIPv6.info

www.TeamARIN.net 179

Operational Guidance www.InternetSociety.org/ Deploy360/

www.NANOG.org/archives/

www.hpc.mil/cms2/index.php/ ipv6-knowledge-base-general-info

bcop.NANOG.org

180

Q&A / Open Mic Session

Take Aways •  Apply for IPv6 addresses and get started. •  Subscribe to at a mailing list •  Participate in ARIN 36 – in person or

remotely •  Apply for a future meeting fellowship •  Think about implementing DNSSEC/

Resource Certification •  Member organizations please vote •  Reach out though various channels with

questions or suggestions

Apply now for ARIN 37 in Jamaica hfps://www.arin.net/par8cipate/mee8ngs/fellowship.html

Fill out & submit the survey for your chance to win a ????? !

Date post:	27-Jun-2020
Category:	Documents
Upload:	others
View:	0 times
Download:	0 times

Fairfield, NJ...On 14 March 2014, the US Government announced plans to transition oversight of the...

Documents