fairfield, nj 10 september 2015. wireless access ssid: password:
TRANSCRIPT
Fairfield, NJ10 September 2015
Wireless Access
• SSID: • Password:
Welcome. Here today from ARIN…
• Dan Alexander, ARIN Advisory Council
• Einar Bohlin, Senior Policy Analyst
• Eddie Diego, Senior Resource Analyst
• Andy Newton, Chief Engineer
• Avneet Wadhwani, Senior Software
Engineer
Morning Agenda
10:15 - 10:45 ARIN: Mission, Services and Community
Engagement; Einar Bohlin
10:45 -11:20 Security Overlays on Core Internet Protocols – DNSSEC; Andy Newton
11:20 - 12:00 Life After IPv4 Depletion: IPv4 Inventory, Waiting List and Transfers; Leslie Nobile
12:00 PM - 1:00 PM Lunch
Afternoon Agenda1:00 - 1:30 Security Overlays on Core Internet Protocols - Resource Certification (RPKI); Avneet Wadhwani
1:30- 2:00 Number Resource Policy Discussions and How to Participate; Dan Alexander
2:00 - 2:30 Automating Interactions with ARIN: Avneet Wadhwani
2:30- 3:00 Moving to IPv6 - Getting IPv6 from ARIN/Current Uptake;
Andy Newton and Eddie Diego
3:00- 3:15 Q&A / Open Mic Session; Einar Bohlin
Let’s Get Started!
• Self introductions – Name– Organization
ARIN and the RIR System: Mission, Role and Services
Einar Bohlin Policy Analyst, Communications and
Member Services
What is an RIR?
A Regional Internet Registry (RIR) is an organization that manages the allocation and registration of Internet number resources within a particular region of the world. Number resources include IP addresses and autonomous system (AS) numbers.
Regional Internet Registries
Not-for-profitMembership Organization
Community Regulated
• Fee for services, not number resources
• 100% community funded
• Open
• Broad-based - Private sector - Public sector - Civil society
• Community developed policies
• Member-elected executive board
• Open and transparent
RIR Structure
The NRO exists to protect the unallocated number resource pool, to promote and protect the bottom-up policy development process, and to act as a focal point for Internet community input intothe RIR system.
Number Resource Organization
ARIN, a nonprofit member-based organization, supports the operation of the Internet through the management of Internet number resources throughout its service region; coordinates the development of policies by the community for the management of Internet Protocol number resources; and advances the Internet through
informational outreach.
ARIN’s Service Region
The ARIN Region includes many Caribbean and North Atlantic islands, Canada, the United States and outlying areas.
IP Address and Autonomous System Number Provisioning Process
Who is the ARIN community?
Anyone with an interest in Internet number resource management in the ARIN region
The ARIN Community includes…• 20,000+ customers • 5,000+ members • 60+ professional staff • 7 member Board of Trustees
• elected by the membership
• 15 member Advisory Council• elected by the membership
• 3 person Number Resource Organization Number Council
• elected by the ARIN Community
ARIN Board of Trustees• Paul Andersen, Vice Chair and Treasurer• Vinton G. Cerf, Chair• John Curran, President and CEO• Timothy Denton, Secretary• Aaron Hughes• Bill Sandiford• Bill Woodcock
17
ARIN Advisory Council• Dan Alexander, Chair • Cathy Aronson• Kevin Blumberg, Vice Chair• Owen DeLong• Andrew Dul• David Farmer• David Huberman• Scott Leibrand• Tina Morris• Milton Mueller• Leif Sawyer• Heather Schiller• Robert Seastrom• John Springer• Chris Tacit
18
ARIN Services and ProductsARIN Manages:
• IP address allocations & assignments• ASN assignment• Transfers• Reverse DNS• Directory service
Whois Routing Information (Internet Routing Registry) WhoWas
19
ARIN Services and ProductsARIN coordinates and administers:• Policy Development
Community meetingsDiscussionPublication
• Elections• Information publication and dissemination
and public relations • Community outreach • Education and training
20
ARIN Services and Products
ARIN develops technologies for managing Internet number resources:
• ARIN Online• Community Software Project Repository • DNSSEC• Resource Certification (RPKI)• Whois-RWS• Reg-RWS
21
Globalization of IANA Oversight
On 14 March 2014, the US Government announced plans to transition oversight of the IANA functions contract to the global multistakeholder community
Current IANA functions contract expires 30 September 2015
NTIA Conditions for Transition Proposal
1. Support and enhance the multi-stakeholder model
2. Maintain the security, stability, and resiliency of the “Internet DNS”
3. Meet the needs and expectation of the global customers and partners of the IANA services
4. Maintain the openness of the Internet
Current Status of IANA Stewardship Proposal
Number Resources (RIR community) – CRISP Team
https://www.nro.net/wp-content/uploads/ICG-RFP-Number-Resource-Proposal.pdf - submitted 15 Jan 2015
– Draft Service Level Agreement (SLA) for the IANA Numbering Services – Open for public comment 1 May 2015 – 14 June 2015
https://www.nro.net/news/call-for-comments-for-a-draft-sla-for-the-iana-numbering-services
IANA Stewardship Proposal – Victory Conditions
• A proposal submitted to NTIA by July 2015 which meets NTIA’s conditions and provides for transition of IANA stewardship to the global Internet community
• Community support of the ICG proposal, based on belief that the mechanisms provided for oversight and accountability are appropriate
IANA Stewardship – Potential Implications• Successful transition of IANA Stewardship from the USG to the Internet community would be an important validation of the Internet’s multi-stakeholder governance model • Inability to transition could raise concerns about the validity of the multi-stakeholder process and fuel discussion of the perceived need for intergovernmental mechanisms for Internet Governance
Join in Internet Governance Discussions
Visit ARIN’s webpage:Ways to Participate in Internet Governance
https://www.arin.net/participate/governance/participate.html
Get 6 – Websites on IPv6
http://teamarin.net/infographic/
How to Participate in ARIN
• Attend Public Policy and Members Meetings & Public Policy Consultations– Remote participation available
• Apply for Meeting Fellowship• Discuss policies on Public Policy
Mailing List (ppml)• Come to outreach events• Subscribe to an ARIN mailing list
More Ways to Participate
• Give your opinion on community consultations
• Submit a suggestion• Contribute to the IPv6 wiki• Write a guest blog for TeamARIN.net• Connect with us on social media• Members – Vote in annual elections
ARIN Mailing Lists
http://www.arin.net/participate/mailing_lists/index.html
ARIN Announce: [email protected]
ARIN Discussion: [email protected] (members only)
ARIN Public Policy: [email protected]
ARIN Consultation: [email protected]
ARIN Issued: [email protected]
ARIN Technical Discussions: [email protected]
Suggestions: [email protected]
ARIN on Social Media
www.TeamARIN.net
www.facebook.com/TeamARIN
@TeamARIN
www.gplus.to/TeamARIN
www.linkedin.com/company/ARIN
www.youtube.com/TeamARIN
#ARIN35
Apply now for ARIN 37 April 2016 in Jamaicahttps://www.arin.net/participate/meetings/fellowship.html
NEW: Includes attendance at NANOG
Q&A
Security Overlays on Core Internet Protocols – DNSSEC
Avneet WadhwaniSoftware Engineer
Core Internet Protocols
• Two critical resources that are unsecured– Domain Name Servers– Routing
• Hard to tell if compromised– From the user point of view– From the ISP/Enterprise
• Focus on government funding
DNS
How DNS Works
Resolver
Question: www.arin.net A
www.arin.net A ?
Cachingforwarder(recursive)
root-serverwww.arin.net A ?
Ask net server @ X.gtld-servers.net (+ glue)
gtld-serverwww.arin.net A ?
Ask arin server @ ns1.arin.net (+ glue)
arin-server
www.arin.net A ?
192.168.5.10
192.168.5.10
Add to cache
Why DNSSEC? What is it?
• Standard DNS (forward or reverse) responses are not secure– Easy to spoof– Notable malicious attacks
• DNSSEC attaches signatures– Validates responses– Can not spoof
Reverse DNS at ARIN
• ARIN issues blocks without any working DNS–Registrant must establish delegations after registration
–Then employ DNSSEC if desired
• Just as susceptible as forward DNS if you do not use DNSSEC
Reverse DNS at ARIN
• Authority to manage reverse zones follows allocations–“Shared Authority” model–Multiple sub-allocation recipient entities may have authority over a particular zone
Changes completed to make DNSSEC work at ARIN
• Permit by-delegation management• Sign in-addr.arpa. and ip6.arpa.
delegations that ARIN manages• Create entry method for DS Records
– ARIN Online– RESTful interface– Not available via templates
Changes completed to make DNSSEC work at ARIN
• Only key holders may create and submit Delegation Signer (DS) records
• DNSSEC users need to have signed a registration services agreement with ARIN to use these services
Reverse DNS in ARIN Online
First identify the network that you want to put Reverse DNS nameservers on…
Reverse DNS in ARIN Online
…then enter the Reverse DNS nameservers…
DNSSEC in ARIN Online…then apply DS record to apply to the delegation
Reverse DNS: Querying ARIN’s WhoisQuery for the zone directly:whois> 81.147.204.in-addr.arpa
Name: 81.147.204.in-addr.arpa.Updated: 2006-05-15NameServer: AUTHNS2.DNVR.QWEST.NETNameServer: AUTHNS3.STTL.QWEST.NETNameServer: AUTHNS1.MPLS.QWEST.NET
Ref: http://whois.arin.net/rest/rdns/81.147.204.in-addr.arpa.
DNSSEC in Zone Files; File written on Mon Feb 24 17:00:53 2014; dnssec_signzone version 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.60.74.in-addr.arpa. 86400 IN NS NS3.COVAD.COM. 86400 IN NS NS4.COVAD.COM. 10800 NSEC 1.74.in-addr.arpa. NS RRSIG NSEC 10800 RRSIG NSEC 5 4 10800 20140306210053 ( 20140224210053 57974 74.in-addr.arpa. oNk3GVaCWj2j8+EAr0PncqnZeQjm8h4w51nS D2VUi7YtR9FvYLF/j4KO+8qYZ3TAixb9c05c 8EVIhtY1grXEdOm30zJpZyaoaODpbHt8FdWY vwup9Tq4oVbxVyuSNXriZ2Mq55IIMgDR3nAT BLP5UClxUWkgvS/6poF+W/1H4QY= )1.74.in-addr.arpa. 86400 IN NS NS3.COVAD.COM. 86400 IN NS NS4.COVAD.COM. 10800 NSEC 10.74.in-addr.arpa. NS RRSIG NSEC 10800 RRSIG NSEC 5 4 10800 20140306210053 ( 20140224210053 57974 74.in-addr.arpa. DKYGzSDtIypDVcer5e+XuwoDW4auKy6G/OCV VTcfQGk+3iyy2CEKOZuMZXFaaDvXnaxey9R1 mjams519Ghxp2qOnnkOw6iB6mR5cNkYlkL0h lu+IC4Buh6DqM4HbJCZcMXKEtWE0a6dMf+tH sa+5OV7ezX5LCuDvQVp6p0LftAE= )
DNSSEC in Zone Files0.121.74.in-addr.arpa. 86400 IN NS DNS1.ACTUSA.NET. 86400 IN NS DNS2.ACTUSA.NET. 86400 IN NS DNS3.ACTUSA.NET. 86400 DS 46693 5 1 ( AEEDA98EE493DFF5F3F33208ECB0FA4186BD 8056 ) 86400 DS 46693 5 2 ( 66E6D421894AFE2AF0B350BD8F4C54D2EBA5 DA72A615FE64BE8EF600C6534CEF ) 86400 RRSIG DS 5 5 86400 20140306210053 ( 20140224210053 57974 74.in-addr.arpa. n+aPxBHuf+sbzQN4LmHzlOi0C/hkaSVO3q1y 6J0KjqNPzYqtxLgZjU+IL9qhtIOocgNQib9l gFRmZ9inf2bER435GMsa/nnjpVVWW/MBRKxf Pcc72w2iOAMu2G0prtVT08ENxtu/pBfnsOZK nhCY8UOBOYLOLE5Whtk3XOuX9+U= ) 10800 NSEC 1.121.74.in-addr.arpa. NS DS RRSIG NSEC 10800 RRSIG NSEC 5 5 10800 20140306210053 ( 20140224210053 57974 74.in-addr.arpa. YvRowkdVDfv+PW42ySNUwW8S8jRyV6EKKRxe…
DNSSEC Validating Resolvers
• www.internetsociety.org/deploy360/dnssec/• www.isc.org/downloads/bind/dnssec/
Reverse DNS Management and DNSSEC in ARIN Online• Available on ARIN’s websitehttp://www.arin.net/knowledge/dnssec/
Q&A
Life After IPv4 DepletionEddie Diego, Senior Resource Analyst
Overview
• ARIN’s IPv4 inventory• Trends and Observations• Ways to obtain IP addresses post
IPv4 depletion– IPv4– Transfers– IPv6
55 55
Check ARIN’s Available IPv4 Inventory
ARIN’s IPv4 inventorypublished on ARIN’s website: www.arin.net
Updated daily at @ 12 am ET
56
Available IPv4 Inventory
• Today, only /24s remain to fill general IPv4 requests (104 as of 8/28)– Per policy, ARIN issues only contiguous prefixes
(cannot issue multiple /24s to satisfy a request)
• Excludes space being held or reserved under policy
.00159
57
*ARIN has issued ~1 /8 equivalent per year over the past several years
57
Other IPv4 Inventory
• Quarantined space (60 day hold)– ~19 /16 equivalents held in “quarantine” to clear
filters
(returned and revoked space)
• Reserved space (indefinite hold)– 64 /16s (1 /10) for NRPM 4.10 “Dedicated IPv4 block to
facilitate IPv6 Deployment”
– ~218 /24s remaining in the original /16 for NRPM 4.4 “Micro-allocation”. 2nd /16 recently added under new policy
– ~8 /16 equivalents needing further research (reclaimed space that needs further chain of custody research)
58
Trends and Observations• Surprisingly smooth transition to depletion
– Very few complaints or escalations– Community seems to have general
understanding of the situation• ARIN put depletion plan and communications into
place well in advance of the actual event
– Most criticism directed at policy not allowing issuance of multiple prefixes
• More organizations opting to be placed on ARIN’s Wait List for Unmet Resources; 50+ organizations on the list
59 59
Post-IPv4 Depletion Options• More efficient use of existing IPv4
resources
• IPv4 Wait List
• Specified Recipient and Inter-RIR Transfers
• Adopt IPv6
60 60
IPv4 Wait List• If ARIN can’t fill your qualified request, you
have the option to specify the smallest block size you’ll accept
• If available, your request will be filled and you’ll be unable to request additional addresses for 3 months
• If no block available between approved and smallest acceptable, you can be added to the IPv4 Wait List
61 61
How the IPv4 Wait List Works• Oldest request filled first (based on
approval date)– E.g. - if ARIN gets a /16 back and the oldest
request is for a /24, we issue a /24 to that org
• One approved request per organization on the list at a time
• Limit of one allocation or assignment every 3 months
https://www.arin.net/resources/request/waiting_list.html
62
63
How Long Might You Wait?• IPv4 space can become available
periodically– Return = voluntary– Revoke = for cause (usually non-payment)
• 3.54 /8 equivalents returned/revoked since 2005
– IANA issued – per global policy for “post exhaustion IPv4 allocation mechanisms by IANA”
» /11 (issued 5/14), /12 (issued 9/14) and /13 (issued 3/15) by IANA to each RIR
• Demand will be far greater than availability
64 64
Transfers of IPv4 Addresses
• Mergers and Acquisitions (NRPM 8.2)
• Transfers to Specified Recipients (NRPM 8.3)
• Inter-RIR transfers (NRPM 8.4)
65 65
Transfers to Specified Recipients (NRPM 8.3)
• Allows orgs with unused IPv4 resources to transfer them to orgs in need of IPv4 resources
• Source– Must be current registrant, no disputes– Not have received addresses from ARIN for 12 months
prior– Ineligible for further addresses from ARIN for 12
months after
• Recipient – Must demonstrate need for 24-month supply under
current ARIN policy
66 66
Inter-RIR Transfers (NRPM 8.4)
• RIR must have reciprocal, compatible needs-based policies– Currently APNIC, soon to be RIPE NCC
• Transfers from ARIN– Source cannot have received IPv4 from ARIN 12
months prior to transfer or receive IPv4 for 12 months after transfer
– Must be current registrant, no disputes– Recipient meets destination RIR policies
• Transfers to ARIN– Must demonstrate need for 24-month supply
under current ARIN policy67 67
Pre-approval for Specified Recipient Transfers • Pre-approval offered through ARIN
online– Based on 24 month need (per policy)– Valid for 2 years (no need for re-
verification)
•Must meet current ARIN policy• Can use multiple transfers to fill need
without being subject to re-verification
68 68
Specified Transfer Listing Service (STLS)• Optional service intended to facilitate specified
recipient and inter-RIR transfers• All participants have access to each others contact
information– Listers: have available IPv4 addresses
• Resources must be covered under RSA/LRSA
– Needers: looking for IPv4 addresses• Must be pre-approved under ARIN policy to be listed
– Facilitators: available to help listers and needers find each other
• Public summary provided– Lists number of available and needed IPv4 address blocks
69 69
Tips for Faster Transfer Processing
• Make sure that all registration information is current and accurate
• Request pre-approval for your 24 month need in advance of the transfer
• Provide detailed information to support 24 month need
• Apply under the correct transfer policy
70 70
Requesting IPv6 - ISPs
• Have a previous v4 allocation from ARIN or predecessor registry
OR• Intend to multi-home OR• Provide a technical justification
which details at least 50 assignments made within 5 years
71 71
Data ARIN Will Typically Ask For - ISPs
• If requesting more than a /32, a spreadsheet/text file with– # of serving sites (PoPs, datacenters)– # of customers served by largest
serving site– Block size to be assigned to each
customer (/48 typical)
72 72
Requesting IPv6 – End Users• Have a v4 direct assignment from ARIN or
predecessor registry OR• Intend to multi-home OR• Show how you will use 2000 IPv6 addresses
or 200 IPv6 subnets within a year OR• Technical justification as to why provider-
assigned IPs are unsuitable
73 73
Data ARIN Will Typically Ask For – End users• If requesting more than a /48, a
spreadsheet/text file with– List of sites in your network
• Site = distinct geographic location• Street address for each
– Campus may count as multiple sites• Technical justification showing how they’re
configured like geographically separate sites
74 74
Summary• ARIN will deplete its available
IPv4 pool sometime this year• No perfect solution
– CGN = potential problems– Waiting list = uncertainty– Transfers = subject to market prices– IPv6 = transition effort
• Begin planning now
75 75
76
Security Overlays on Core Internet Protocols –RPKI
Avneet WadhwaniSoftware Engineer
Core Internet Protocols
• Two critical resources that are unsecured – Domain Name Servers– Routing
• Hard to tell if compromised– From the user point of view– From the ISP/Enterprise
• Focus on government funding
Routing
Routing Architecture• The Internet uses a two level routing hierarchy:
– Interior Routing Protocols, used by each network to determine how to reach all destinations that line within the network
– Interior Routing protocols maintain the current topology of the network
Routing Architecture• The Internet uses a two level routing hierarchy:
– Exterior Routing Protocol, used to link each component network together into a single whole
– Exterior protocols assume that each network is fully interconnected internally
Exterior Routing: BGP• BGP is a large set of bilateral (1:1)
routing sessions– A tells B all the destinations (prefixes)
that A is capable of reaching– B tells A all the destinations that B is
capable of reaching
A B
10.0.0.0/2410.1.0.0/1610.2.0.0/18
192.2.200.0/24
What is RPKI?• Resource Public Key Infrastructure
• Attaches digital certificates to network resources– AS Numbers
– IP Addresses
• Allows ISPs to associate the two– Route Origin Authorizations (ROAs)– Can follow the address allocation chain
to the top
What does RPKI accomplish?
• Allows routers or other processes to validate route origins
• Simplifies validation authority information– Trust Anchor Locator
• Distributes trusted information– Through repositories
AFRINIC RIPE NCC APNIC ARIN LACNIC
LIR1 ISP2
ISP ISP ISP ISP4 ISP ISP ISP
Issued Certificates
Resource Allocation Hierarchy
Route Origination Authority“ISP4 permits AS65000 to originate a route for the prefix 192.2.200.0/24”
Attachment: <isp4-ee-cert>
Signed, ISP4 <isp4-ee-key-priv>
ICANN
Resource Cert Validation
AFRINIC RIPE NCC APNIC ARIN LACNIC
LIR1 ISP2
ISP ISP ISP ISP4 ISP ISP ISP
Resource Allocation Hierarchy
Route Origination Authority“ISP4 permits AS65000 to originate a route for the prefix 192.2.200.0/24”
Attachment: <isp4-ee-cert>
Signed, ISP4 <isp4-ee-key-priv>
1. Did the matching private key sign this text?
ICANN
Issued Certificates
Resource Cert Validation
AFRINIC RIPE NCC APNIC ARIN LACNIC
LIR1 ISP2
ISP ISP
Route Origination Authority“ISP4 permits AS65000 to originate a route for the prefix 192.2.200.0/24”
Attachment: <isp4-ee-cert>
Signed, ISP4 <isp4-ee-key-priv>
ISP ISP4
2. Is this certificate valid?
ISP ISP ISP
Issued Certificates
Resource Allocation Hierarchy
ICANN
Resource Cert Validation
AFRINIC RIPE NCC APNIC ARIN LACNIC
LIR1 ISP2
ISP ISP
Route Origination Authority“ISP4 permits AS65000 to originate a route for the prefix 192.2.200.0/24”
Attachment: <isp4-ee-cert>
Signed, ISP4 <isp4-ee-key-priv>
ISP ISP4 ISP ISP ISP
Issued Certificates
Resource Allocation Hierarchy
ICANN
3. Is there a valid certificate path from a Trust Anchor to this certificate?
Resource Cert Validation
What does RPKI Create?
• It creates a repository– RFC 3779 (RPKI) Certificates– ROAs– CRLs– Manifest records
Repository View./ba/03a5be-ddf6-4340-a1f9-1ad3f2c39ee6/1:total 40-rw-r--r-- 1 143 143 1543 Jun 26 2009 ICcaIRKhGHJ-TgUZv8GRKqkidR4.roa-rw-r--r-- 1 143 143 1403 Jun 26 2009 cKxLCU94umS-qD4DOOkAK0M2US0.cer-rw-r--r-- 1 143 143 485 Jun 26 2009 dSmerM6uJGLWMMQTl2esy4xyUAA.crl-rw-r--r-- 1 143 143 1882 Jun 26 2009 dSmerM6uJGLWMMQTl2esy4xyUAA.mnf-rw-r--r-- 1 143 143 1542 Jun 26 2009 nB0gDFtWffKk4VWgln-12pdFtE8.roa
A Repository Directory containing an RFC3779 Certificate, two ROAs, a CRL, and a manifest
Repository Use
• Pull down these files using a manifest-validating mechanism
• Validate the ROAs contained in the repository
• Communicate with the router marking routes “valid”, “invalid”, “unknown”
• Up to ISP to use local policy on how to route
Possible Data Flow for Operations
• RPKI Web interface -> Repository
• Repository aggregator -> Validator
• Validated entries -> Route Checking
• Route checking results -> local routing decisions (based on local policy)
How you can use ARIN’s RPKI System?• Hosted• Hosted using ARIN’s RESTful service• Delegated using Up/Down Protocol
Hosted RPKI
• Pros– Easier to use– ARIN managed
• Cons– No current support for downstream
customers to manage their own space (yet)
– Tedious through the IU if you have a large network
– We hold your private key
Hosted RPKI with RESTful Interace• Pros
– Easier to use– ARIN managed– Programmatic interface for large networks
• Cons– No current support for downstream
customers to manage their own space (yet)
– We hold your private key
Delegated RPKI with Up/Down• Pros
– You safeguard your own private key– Follows the IETF up/down protocol
• Cons– Extremely hard to setup– Need to operate your own RPKI
environment– More later
Hosted RPKI in ARIN Online
Hosted RPKI in ARIN Online
Hosted RPKI in ARIN Online
Hosted RPKI in ARIN Online
Hosted RPKI in ARIN OnlineSAMPLE-ORG
Hosted RPKI in ARIN OnlineSAMPLE-ORG
Hosted RPKI in ARIN Online
Your ROA request is automatically processed and the ROA is placed in ARIN’s repository, accompanied by its certificate and a manifest. Users of the repository can now validate the ROA using RPKI validators.
Delegated with Up/Down
Delegated with Up/Down
Delegated with Up/Down
Delegated with Up/Down
• You have to do all the ROA creation• Need to setup a CA• Have a highly available repository• Create a CPS
Q&A
Fairfield, NJ10 September 2015
ARIN’s Policy Development ProcessCurrent Number Resource Policy
Discussions and How to Participate
Dan AlexanderARIN Advisory Council
Number Resource Policy Manual
ARIN’s Policy Document – Version 2015.3 (29 July 2015)– 39th version
Change LogsHTML/PDF/txt
http://www.arin.net/policy/nrpm.html
Policy Development Process (PDP)
Process FlowchartProposal Template
http://www.arin.net/policy/pdp.html
PDP Goals
• "open, transparent, and inclusive manner that allows anyone to participate in the process."
• "clear, technically sound and useful policies"
• "Policies, not Processes, Fees, or Services”
Basic Steps1. Proposal from community member
2. AC works with author ensure it is clear and in scope
3. AC promotes proposal to Draft Policy for community discussion/feedback (PPML and possibly PPC/PPM)
4. AC recommends fully developed Draft Policy (fair, sound and supported by community) for adoption
5. Recommended Draft Policy must be presented at a face-to-face meeting (PPC/PPM)
6. If AC still recommends adoption, then Last Call, review of last call, and send to Board
7. Board reviews
8. Staff implements
Current Draft Policies/Proposals
116
1. Implemented recentlyARIN-2014-17: Change Utilization Requirements from last-allocation to total-aggregateARIN-2014-6: Remove Operational Reverse DNS TextARIN-2014-21: Modification to CI Pool Size per Section 4.4
2. Under discussionARIN-2015-1: Modification to Criteria for IPv6 Initial End-User AssignmentsARIN-2015-2: Modify 8.4 (Inter-RIR Transfers to Specified Recipients)ARIN-2015-3: Remove 30 day utilization requirement in end-user IPv4 policyARIN-2015-4: Modify 8.2 section to better reflect how ARIN handles reorganizationsARIN-2015-5: Out of region useARIN-2015-6: Transfers and Multi-national NetworksARIN-2015-7: Simplified requirements for demonstrated need for IPv4 transfersARIN-2015-8: Reassignment records for IPv4 End-Users
ARIN-2014-21: Modification to CI Pool Size per Section 4.4
• Increase the pool reserved for Critical Infrastructure (primarily Exchange Points) from a /16 to a /15
• Discussion started on the policy list in October 2014
• Presented at NANOG 63 in February 2015• Advanced to Recommended state in March• Presented at ARIN 35 in April• Last call was 27 April thru 11 May 2015(continued on next slide)
ARIN-2014-21 continued
• AC reviewed last call, advanced proposal to the Board in May
• Board review in June– Ensured PDP had been followed– Ensured compliance with law and ARIN’s mission– Adopted 2014-21
• Implemented by staff in July• 474 /24s available in this pool of address space
How Can You Get Involved?
There are two ways to voice your opinion:
– Public Policy Mailing List
– Public Policy Consultations/Meetings
• In person or remotely
• ARIN meetings and Public Policy Consultations at NANOG
Takeaways
Three things 1. ARIN doesn't make up the policy, ARIN
implements community created/maintained policy.
2. Policy process exists, if you are unhappy with a policy, there is a way for you to try to change it.
3. If you want to participate, you know where you can voice your opinion (email, in person and remote).
References
Policy Development Processhttp://www.arin.net/policy/pdp.html
Draft Policies and Proposalshttp://www.arin.net/policy/proposals/index.html
Number Resource Policy Manualhttp://www.arin.net/policy/nrpm.html
Q&A
Automating Your Interactions with ARIN
Avneet WadhwaniSoftware Engineer
Why Automate?
• Interact with ARIN faster• Not dependent on ARIN’s systems for
user interface issues• Build a customized system using
standards-based technologies• Improved accuracy• Integrate multiple services
Why Automate (continued)
• We have a rich set of interfaces• Focused on reliability and
completeness• Welcome to share your tools with the
community at projects.arin.net
REST – Service Summary
• ARIN’s RESTful Web Services (RWS)– Whois-RWS
• Provides public Whois data via REST
– Reg-RWS (or Registration-RWS)• Allows ARIN customers to register and
maintain data in a programmatic fashion
– Report Request/Retrieval Automation• Permits request and download of various
ARIN data (subject to AUP)
– RPKI using Reg-RWS
What is REST?• Representational State Transfer
• As applied to web services– defines a pattern of usage with HTTP to
create, read, update, and delete (CRUD) data
– “Resources” are addressable in URLs
• Very popular protocol model– Amazon S3, Yahoo & Google services, …
The BIG Advantage of REST• Easily understood
– Any modern programmer can incorporate it– Can look like web pages
• Re-uses HTTP in a simple manner– Many, many clients– Other HTTP advantages
• This is why it is very, very popular with Google, Amazon, Yahoo, Twitter, Facebook, YouTube, Flickr, …
What does it look like?Who can use it?
http://whois.arin.net/rest/poc/KOSTE-ARIN
Where the data is.
What type of data it is.
The ID of the data.
It is a standard URL. Anyone can use it.Go ahead, put it into your browser.
Where can more information on REST be found?
• RESTful Web Services– O’Reilly Media
– Leonard Richardson
– Sam Ruby
Whois-RWS• Publicly accessible, just like traditional
Whois• Searches and lookups on IP addresses,
AS numbers, POCs, Orgs, etc…• Very popular
– As of October 2014, constitutes 65% of our query load
• For more information:– http://www.arin.net/resources/whoisrws/index.html
Whois Queries Per Second
2001-07 2002-06 2003-05 2004-04 2005-03 2006-02 2007-01 2007-12 2008-11 2009-10 2010-09 2011-08 2012-07 2013-06 2014-050
500
1000
1500
2000
2500
3000
3500
4000
RESTfulPort 43
RDAP
• RDAP is a Whois alternative for querying resource registration data from Domain Name Registries (DNRs) and Regional Internet Registries (RIRs).
• IETF published the RDAP series of RFCs in Q1 of 2015.– ARIN has rolled out RDAP– Will be supported by all 5 RIRs and domain
registries.
RDAP vs Whois-RWS
• Both are RESTful sevices• Standardized format used between
all RIRs for RDAP• RDAP responses offer direct referrals
to other RIRs, whereas Whois defines no queries or responses, and interaction with DNRs and RIRs can vary significantly
ARIN RDAP
• ARIN’s RDAP service (w/ bootstrap)– https://rdap.arin.net/bootstrap/
• ARIN’s RDAP service (w/o bootstrap)– http://rdap.arin.net/registry/
• Command Line client called NicInfo– https://github.com/arineng/nicinfo
RDAP IP Querywget https://rdap.arin.net/bootstrap/ip/100.42.0.0
{ "rdapConformance" : [ "rdap_level_0" ], "notices" : [ { "title" : "Terms of Service", "description" : [ "By using the ARIN RDAP/Whois service, you are agreeing to the RDAP/Whois Terms of Use" ], "links" : [ { "value" : "https://rdap.arin.net/registry/ip/100.42.0.0", "rel" : "about", "type" : "text/html", "href" : "https://www.arin.net/whois_tou.html" } ] } ], "handle" : "NET-100-42-0-0-2", "startAddress" : "100.042.000.000", "endAddress" : "100.042.000.255", "ipVersion" : "v4", "name" : "ISOTROPIC-NETWORKS", "parentHandle" : "NET-100-42-0-0-1“,...
Bootstrapped Response
wget https://rdap.arin.net/bootstrap/ip/176.0.0.0
--2015-08-21 16:02:16-- https://rdap.arin.net/bootstrap/ip/176.0.0.0Resolving rdap.arin.net (rdap.arin.net)... 199.212.0.160, 2001:500:13::160Connecting to rdap.arin.net (rdap.arin.net)|199.212.0.160|:443... connected.HTTP request sent, awaiting response... 302 Moved TemporarilyLocation: https://rdap.db.ripe.net/ip/176.0.0.0 [following]--2015-08-21 16:02:16-- https://rdap.db.ripe.net/ip/176.0.0.0Resolving rdap.db.ripe.net (rdap.db.ripe.net)... 193.0.6.142, 2001:67c:2e8:22::c100:68eConnecting to rdap.db.ripe.net (rdap.db.ripe.net)|193.0.6.142|:443... connected.HTTP request sent, awaiting response... 200 OK
RDAP Statistics
• RDAP Released June 20, 2015– 51K queries
• Entity queries: 173 • Domain queries: 290 • IP queries: 40818 • Autnum queries: 9203
• 1 query/2 seconds
Registration RWS (Reg-RWS)
• Programmatic way to interact with ARIN– Intended to be used for automation– Not meant to be used by humans
• Useful for ISPs that manage a large number of SWIP records
• Requires an investment of time to achieve those benefits
Reg-RWS
• Requires an API Key– You generate one in ARIN Online on the
“Web Account” page• Permits you to register and manage
your data (ORGs, POCs, NETs, ASes)– But only your data
• More information– http://www.arin.net/resources/restful-interfaces.htm
l
Anatomy of a RESTful request• Uses a URL (just like you would type into
your browser)• Uses a request type, known as a “method”,
of GET, PUT, POST or DELETE• Usually requires a payload
– Adheres to a published structure– Depends upon the type of data– Depends upon the method
• Method, Payload, and XML schema info is found at “RESTful Provisioning Downloads”
Example – Reassign Detailed• Your automated system issues a PUT
command to ARIN using the following URL:http://www.arin.net/rest/net/NET-10-129-0-0-1/reassign?apikey=API-1234-5678-9A
BC-DEFG
The payload contains the following data:
<net xmlns="http://www.arin.net/regrws/core/v1" > <version>4</version> <comment></comment> <registrationDate></registrationDate> <orgHandle>HW-1</orgHandle> <handle></handle> <netBlocks> <netBlock> <type>A</type> <description>Reassigned</description> <startAddress>10.129.0.0</startAddress> <endAddress>10.129.0.255</endAddress> <cidrLength>24</cidrLength> </netBlock> </netBlocks> <parentNetHandle>NET-10-129-0-0-1</parentNetHandle> <netName>HELLOWORLD</netName> <originASes></originASes> <pocLinks></pocLinks></net>
Example – Reassign DetailedARIN’s web server returns the
following to your automated system:<net xmlns="http://www.arin.net/regrws/core/v1" > <version>4</version> <comment></comment> <registrationDate>Tue Jan 25 16:17:18 EST 2011</registrationDate> <orgHandle>HW-1</orgHandle> <handle>NET-10-129-0-0-2</handle> <netBlocks> <netBlock> <type>A</type> <description>Reassigned</description> <startAddress>10.129.0.0</startAddress> <endAddress>10.129.0.255</endAddress> <cidrLength>24</cidrLength> </netBlock> </netBlocks> <parentNetHandle>NET-10-129-0-0-1</parentNetHandle> <netName>netName>HELLOWORLD</netName> <originASes></originASes> <pocLinks></pocLinks></net>
Reg-RWS Has More Than Templates
• Only programmatic way to do IPv6 Reassign Simple
• Only programmatic way to manage Reverse DNS
• Only programmatic way to access your ARIN tickets
Reg-RWS Adoption
ARIN 29
ARIN 30
ARIN 31
ARIN 32
ARIN 33
ARIN 34
ARIN 35
Tem-plate
408383 595858 846943 1066037
1311403
1498204
1749383
REST 40374 320197 841105 3524124
4296734
4715231
5034717
500,000
1,500,000
2,500,000
3,500,000
4,500,000
5,500,000
TemplateREST
Testing Your Reg-RWS Client• We offer an Operational Test &
Evaluation environment for Reg-RWS• Your real data, but isolated
– Helps you develop against a real system without the worry that real data could get corrupted
• For more information:– http://www.arin.net/resources/ote.html
Obtaining RESTful Assistance
• http://www.arin.net/resources/restful-interfaces.html• Pay attention to Method, Payload, and XML schema
documents under “RESTful Provisioning Downloads”• Or use ARIN Online’s Ask ARIN feature• Or use the arin-tech-discuss mailing list
– Make sure to subscribe– Someone on the list will help you ASAP– Archives on the web site
• Registration Services Help Desk telephone not a good fit– Debugging these problems requires a detailed look at
the URL, method, and payload being used
Report Request/Retrieval
• For customer-specific data, access is restricted by user– Permits you to request and retrieve
reports– But only your data
• For public services, you must first sign an AUP or TOU (Bulk Whois, Registered ASNs, WhoWas)– ARIN staff may review your need to access this data
• Requires an API Key
RPKI thru Reg-RWS
• Delegated – very complex• Hosted – easy but tedious if
managing a large network through the UI
• Solution: Interface to sign ROAs using the RESTful API– Ease of Hosted– Programmatic way of managing a large
number of ROAs
Q&A
Fairfield, NJ9/10/15
Moving to IPv6
Mark Kosters, Chief Technology OfficerWith some help from Geoff Huston
152
The Amazing Success of the Internet• 2.92 billion users!• 4.5 online hours per day per user!• 5.5% of GDP for G-20 countries
Time
Just about anything about the Internet
153
Success-Disaster
154
The Original IPv6 Plan - 1995
IPv6 Deployment
Time
IPv6 Transition – Dual Stack
IPv4 Pool Size
Size of the Internet
155
The Revised IPv6 Plan - 2005
IPv6 Deployment
2004
IPv6 Transition – Dual Stack
IPv4 Pool Size
Size of the Internet
2006 2008 2010 2012Date
156
Oops!We were meant to have completed the transition to IPv6 BEFORE we completely exhausted the supply channels of IPv4 addresses!
157
Today’s Plan
IPv6 Deployment
IPv4 PoolSize
Size of the Internet
IPv6 Transition
Today
Time
?
0.8%
158
Transition...The downside of an end-to-end architecture:
– There is no backwards compatibility across protocol families
– A V6-only host cannot communicate with a V4-only host
We have been forced to undertake a Dual Stack transition:
– Provision the entire network with both IPv4 AND IPv6– In Dual Stack, hosts configure the hosts’ applications to
prefer IPv6 to IPv4– When the traffic volumes of IPv4 dwindle to insignificant
levels, then it’s possible to shut down support for IPv4
159
Dual Stack Transition ...We did not appreciate the operational problems with this dual stack plan while it was just a paper exercise:
• The combination of an end host preference for IPv6 and a disconnected set of IPv6 “islands” created operational problems
– Protocol “failover” from IPv6 to IPv4 takes between 19 and 108 seconds (depending on the operating system configuration)
– This is unacceptably slow
• Attempting to “bridge” the islands with IPv6-in-IPv4 tunnels created a new collection of IPv6 path MTU Discovery operational problems
– There are too many deployed network paths containing firewall filters that block all forms of ICMP, including ICMP6 Packet Too Big
• Attempts to use end-host IPv6 tunneling also presents operational problems
– Widespread use of protocol 41 (IP-in-IP) firewall filters– Path MTU problems
160
Dual Stack Transition
Signal to the ISPs:
– Deploy IPv6 and expose your users to operational problems with IPv6 connectivity
Or
– Delay IPv6 deployment and wait for these operational issues to be solved by someone else
So we wait...
161
And while we wait...The Internet continues its growth.
• And without an abundant supply of IPv4 addresses to support this level of growth, the industry is increasingly reliant on NATs:
– Edge NATs are now the de facto choice for residential broadband services at the CPE
– ISP NATs are now the de facto choice for 3G and 4G mobile IP services
162
What ARIN is hearing from the community
• Movement to IPv6 is slow– Progress is being made– ISPs carefully rolling out IPv6
• Lots of ISPs purchasing CGN boxes
• There is a market for IP space– Rent by month– Purchase outright
163
Why is there little immediate need for IPv6?• Some of the claims are either not
true or taken over by events– IPv6 gives you better security – IPv6 gives you better routing
• Some positive things– IPv6 allows for end-to-end networking to
occur again– IPv6 has more address bits – It is cheaper per address
164
2003: Sprint• T1 via Sprint
• Linux Router with Sangoma T1 Card
• OpenBSD firewall
• Linux-based WWW, DNS, FTP servers
• Segregated network, no dual stack (security concerns)
• A lot of PMTU issues
• A lot of routing issues
• Service did improve over the years
165
2004: Worldcom• T1 via Worldcom in Equinix
• Cisco 2800 router
• OpenBSD firewall
• Linux-based ww6, DNS, FTP servers
• Segregated network, no dual stack (security concerns)
• A lot of PMTU Issues
• A lot of routing issues
166
2006: Equi6IX• 100 Mbit/s Ethernet to
Equi6IX
• Transit via OCCAID
• Cisco 2800 router
• OpenBSD firewall
• WWW, DNS, FTP, SMTP
• Segregated Network
• Some dual stack
167
2008: NTT / TiNet IPv6• 1000 Mbit/s to NTT / TiNet
• Cisco ASR 1000 Router
• Brocade Load Balancers- IPv6 support was Beta
• DNS, Whois, IRR, more later
• Dual stack
168
Past Meeting Networks• IPv6 enabled since 2005
• Tunnels to ARIN, others
• Testbed for transition techology
• NAT-PT (Cisco, OSS)
• CGN / NAT-lite
• IVI
• Training opportunity
• For staff & members
169
ARIN’s Current Challenges for Networking
• Dual-Stacked Internally– Challenges over time with our VPN (OpenVPN)
• One interface works with v6 • One does not
• Middleware Boxes– Claims do not support reality (“we support IPv6”) Yes,
but…– No 1-1 feature set– Limits ARIN’s ability to support new services like https
support for Whois-RWS
170
So why do the move to IPv6?• IPv4 will get more expensive• Move to IPv6 will happen when cost
is too high for IPv4• Don’t want to be caught with gear
that will not support IPv6 before it is end-of-life
• Need to have some experience on IPv6
171
Call to Action for IPv6• ISPs should do it now• Universities should be teaching and making
IPv6 available• Businesses should be asking for IPv6 support
for gear and services they purchase– Want to be available to all on the Internet– If only IPv4 – may miss some IPv6 clientele
• Application developers need to integrate IPv6 support– “Preparing Applications for IPv6”– https://www.arin.net/knowledge/
preparing_apps_for_v6.pdf 172
Call to Action for IPv6
• End user customers– May be behind CGN
• Impacts speed and services• Don’t want to lose in those real-time games!
(CoD gamers in particular)
– Ask for IPv6 support• Faster• Better application support• Less support calls for IPv4
173
What is ARIN doing about it?• What we see with Transfers based on
market reality• What we see with IPv6 Allocations
174
Trends and Observations• Comparing the past 12 months over
the 12 months prior:– 9% increase in IPv4 requests (3641 > 3981)– 18% increase in transfer requests (500 > 648)– 2% increase in IPv6 requests (745 > 758)
• Now that we have run out of IPv4 (or very close to it)– Activity on the Wait List for redistributions
from IANA– Anticipate a larger number of transfer requests
175
5,196 total members as of 31 July 2015
ISP Members with IPv4 and IPv6
176
IPv6 over time
ARIN IPv6 Allocations and Assignments*As of 30 June 2015
177
Get IPv6 from ARIN now!
Most organizations with IPv4 can IPv6 without increasing their annual ARIN fees
178
Learn More
IPv6 Info Centerwww.arin.net/knowledge/ipv6_info_center.html
www.GetIPv6.info
www.TeamARIN.net179
Operational Guidance
www.InternetSociety.org/Deploy360/
www.NANOG.org/archives/
www.hpc.mil/cms2/index.php/ipv6-knowledge-base-general-info
bcop.NANOG.org
180
Q&A / Open Mic Session
Take Aways• Apply for IPv6 addresses and get started.• Subscribe to at a mailing list• Participate in ARIN 36 – in person or
remotely• Apply for a future meeting fellowship• Think about implementing
DNSSEC/Resource Certification• Member organizations please vote• Reach out though various channels with
questions or suggestions
Apply now for ARIN 37 in Jamaicahttps://www.arin.net/participate/meetings/fellowship.html
Fill out & submitthe survey for your chance to win a ????? !