Seattle, WA, 20 January 2016

DESCRIPTION

Agenda
- 10:00 – 10:15 Welcome and Getting Started
- 10:15 – 10:45 ARIN: Mission, Role and Services; Einar Bohlin
- 10:45 – 11:20 Security Overlays on Core Internet Protocols – DNSSEC; Mark Kosters
- 11:20 – 12:00 Life After IPv4 Depletion; Leslie Nobile
- Noon – 1:00 Lunch
- 1:00 – 1:30 ARIN Services and Tools; Mark Kosters
- 1:30 – 2:00 Policy Development Process; Tina Morris
- 2:00 – 2:30 Security Overlays on Core Internet Protocols – Resource Certification (RPKI); Mark Kosters
- 2:30 – 3:00 IPv6 Adoption; Leslie Nobile and Mark Kosters
- 3:00 – 3:30 Q&A / Open Mic Session

TRANSCRIPT

Seattle, WA, 20 January 2016

Welcome. Here today from ARIN:
- Einar Bohlin, Senior Policy Analyst
- Mark Kosters, Chief Technology Officer
- Tina Morris, ARIN Advisory Council
- Leslie Nobile, Senior Director, Global Registry Services

Let's Get Started!
- Self introductions: name, organization
- "I would like to learn more about ___________."

ARIN and the RIR System: Mission, Role and Services
Einar Bohlin, Senior Policy Analyst

What is an RIR?
A Regional Internet Registry (RIR) manages the allocation and registration of Internet number resources in a particular region of the world. Number resources include IP addresses and autonomous system (AS) numbers.

Regional Internet Registries
- Not-for-profit membership organization
- Community regulated
- Fee for services, not for number resources
- 100% community funded
- Open and broad-based: private sector, public sector, civil society
- Community-developed policies
- Member-elected executive board
- Open and transparent

RIR Structure

IP Address and Autonomous System Number Provisioning Process

Number Resource Organization (NRO)
The NRO exists to protect the unallocated number resource pool, to promote and protect the bottom-up policy development process, and to act as a focal point for Internet community input into the RIR system.

ARIN, a nonprofit member-based organization, supports the operation of the Internet through the management of Internet number resources throughout its service region; coordinates the development of policies by the community for the management of Internet Protocol number resources; and advances the Internet through informational outreach.

ARIN's Service Region
The ARIN region includes many Caribbean and North Atlantic islands, Canada, the United States and outlying areas.

Who is the ARIN community?
Anyone with an interest in Internet number resource management in the ARIN region. The ARIN community includes:
- 5,200+ members
- 20,000+ customers
- 79 professional staff
- 7-member Board of Trustees, elected by the membership
- 15-member Advisory Council, elected by the membership
- 3-person NRO Number Council, elected by the ARIN community

Organizational Chart
- CMSD: 11 employees
- ENG: 42 employees
- EXEC: 6 employees
- FSD: 6 employees
- HR: 4 employees
- RSD: 11 employees (includes future director)
- Total: 80 employees at ARIN (includes future RSD director)

ARIN Board of Trustees
- Paul Andersen
- Vinton G. Cerf
- John Curran, President and CEO
- Timothy Denton
- Aaron Hughes
- Bill Sandiford
- Bill Woodcock

ARIN Advisory Council
- Dan Alexander, Chair
- Cathy Aronson
- Kevin Blumberg, Vice Chair
- Owen DeLong
- Andrew Dul
- David Farmer
- David Huberman
- Scott Leibrand
- Tina Morris
- Milton Mueller
- Amy Potter
- Leif Sawyer
- Robert Seastrom
- John Springer
- Chris Tacit

NRO Number Council
- 15-member body, 3 representatives from each RIR
- From ARIN: Jason Schiller, Louie Lee, John Sweeting
- Fulfills the role of the ICANN Address Supporting Organization Address Council
- Global policy and ICANN Board seats

2016 Focus
1. Continued IPv4 to IPv6 transition awareness, targeting ISPs and content providers
2. Continued participation in Internet governance forums, to maintain the community-based multi-stakeholder policy development model
3. Continue to review and enhance ARIN Online, including making significant user interface improvements per user feedback
4. Participate in planning discussions for the transition of the stewardship of IANA, to encourage responsible oversight of critical Internet resources
5. Continue to focus on community-suggested, customer-facing, high-impact software development efforts in a timely manner
6. Improve customer service based on feedback and repeat the customer satisfaction survey

ARIN Services and Products
ARIN manages:
- Number resources: IP address allocations and assignments, ASN assignment, transfers, reverse DNS
- Directory services: Whois, routing information (Internet Routing Registry [IRR]), WhoWas

ARIN coordinates and administers:
- Policy development: community meetings, discussion, publication
- Elections
- Information publication and dissemination, and public relations
- Community outreach
- Education and training

ARIN develops technologies for managing Internet number resources:
- ARIN Online
- DNSSEC
- Resource Certification (RPKI)
- Whois-RWS
- Reg-RWS
- Community Software Project Repository

Globalization of IANA Oversight
- On 14 March 2014, the US Government announced plans to transition oversight of the IANA functions contract to the global multistakeholder community
- The current IANA functions contract expires 30 September 2016

NTIA* Conditions for the Transition Proposal
1. Support and enhance the multi-stakeholder model
2. Maintain the security, stability, and resiliency of the Internet DNS
3. Meet the needs and expectations of the global customers and partners of the IANA services
4. Maintain the openness of the Internet
* National Telecommunications and Information Administration (NTIA) within the U.S. Department of Commerce

Steps in the IANA Stewardship Proposal
1. The three customer groups of IANA submitted proposals:
   - Number Resources (RIR community), 15 Jan 2015: https://www.nro.net/wp-content/uploads/ICG-RFP-Number-Resource-Proposal.pdf
   - Domain Names, 25 June 2015: https://community.icann.org/x/aJ00Aw
   - Protocol Parameters, 6 January (response-09)
2. The IANA Stewardship Transition Coordination Group (ICG) combined the three proposals into a single IANA Stewardship Transition Proposal (Oct): https://www.ianacg.org/icg-files/documents/IANA-transition-proposal-v9.pdf
3. ICG to send the proposal to NTIA via the ICANN Board. Another body, the Cross Community Working Group, is working on accountability requirements (implementation, review of work, etc.).
IANA Stewardship: Potential Implications
- Successful transition of IANA stewardship from the USG to the Internet community would be an important validation of the Internet's multi-stakeholder governance model
- Inability to transition could raise concerns about the validity of the multi-stakeholder process and fuel discussion of the perceived need for intergovernmental mechanisms for Internet governance

Get 6
- Websites on IPv6
- IPv6 Wiki

How to Participate in ARIN
- Attend Public Policy and Members Meetings and Public Policy Consultations (remote participation available)
- Apply for a Meeting Fellowship
- Discuss policies on the Public Policy Mailing List (ppml)
- Come to outreach events
- Subscribe to an ARIN mailing list

More Ways to Participate
- Give your opinion on community consultations
- Submit a suggestion
- Contribute to the IPv6 wiki
- Write a guest blog for TeamARIN.net
- Connect with us on social media
- Members: vote in annual elections

Apply now for ARIN 37, April 2016 in Jamaica: https://www.arin.net/participate/meetings/fellowship.html
NEW: includes attendance at CaribNOG

Q&A

Take Aways
- Apply for IPv6 addresses and get started
- Subscribe to an ARIN mailing list
- Participate in ARIN 37 in person or remotely
- Apply for a future meeting fellowship
- Think about implementing DNSSEC and Resource Certification
- Member organizations: please update your Voting Contact linked to an ARIN Web User account
- Reach out through the various channels with questions or suggestions

ARIN Mailing Lists
- ARIN Consultation: open to the general public. Used in conjunction with the ARIN Consultation and Suggestion Process (ACSP) to gather comments; this list is only open when there is a call for comments.
- ARIN Issued: read-only list open to the general public. Used by ARIN staff to provide a daily report of IPv4 and IPv6 addresses returned and IPv4 and IPv6 addresses issued directly by ARIN, or address blocks returned to ARIN's free pool.
- ARIN Technical Discussions: open to the general public. Provided for those interested in giving ARIN technical feedback on experiences in the use or evaluation of current ARIN services and features in development.

Lists and their addresses (as slide bullets): ARIN Announce; ARIN Discussion (members); ARIN Public Policy; ARIN Consultation; ARIN Issued; ARIN Technical Discussions; Suggestions

ARIN on Social Media

Security Overlays on Core Internet Protocols – DNSSEC
Mark Kosters, CTO

Core Internet Protocols
- Two critical resources that are unsecured: domain name servers and routing
- Hard to tell if compromised, from the user point of view and from the ISP/enterprise point of view
- Focus on government funding

DNS

How DNS Works
- The resolver sends its question ("A ?") to the caching forwarder (recursive)
- The forwarder asks a root server; the answer is a referral: "Ask net", X.gtld-servers.net (+ glue)
- The forwarder asks the gtld server; the answer is a referral: "Ask arin", ns1.arin.net (+ glue)
- The forwarder asks the arin server and receives the A record
- The forwarder adds the answer to its cache and returns it to the resolver

Why DNSSEC? What is it?
- Standard DNS (forward or reverse) responses are not secure: easy to spoof, and there have been notable malicious attacks
- DNSSEC attaches signatures to the data, so responses can be validated and cannot be spoofed

Reverse DNS at ARIN
- ARIN issues blocks without any working DNS
- The registrant must establish delegations after registration, then employ DNSSEC if desired
- Reverse DNS is just as susceptible as forward DNS if you do not use DNSSEC

Reverse DNS at ARIN
- Authority to manage reverse zones follows allocations
- Shared authority model: multiple sub-allocation recipient entities may have authority over a particular zone

Changes Completed to Make DNSSEC Work at ARIN
- Must have an RSA/LRSA signed: we need to know who you are
- Created an entry method for DS records: ARIN Online and the RESTful interface (not available via templates)
- Only key holders may create and submit Delegation Signer (DS) records

Reverse DNS in ARIN Online
- First identify the network that you want to put reverse DNS nameservers on
- Then enter the reverse DNS nameservers
- DNSSEC in ARIN Online: then apply the DS record to the delegation

Reverse DNS: Querying ARIN's Whois
Query for the zone directly:

    whois> in-addr.arpa
    Name:       in-addr.arpa.
    Updated:
    NameServer: AUTHNS2.DNVR.QWEST.NET
    NameServer: AUTHNS3.STTL.QWEST.NET
    NameServer: AUTHNS1.MPLS.QWEST.NET
    Ref:

DNSSEC in Zone Files
[Slides showed excerpts of a signed in-addr.arpa zone written by dnssec_signzone: two delegations (NS3.COVAD.COM / NS4.COVAD.COM, one of them 1.74.in-addr.arpa) with their NS records, NSEC records and the RRSIG over each NSEC, and a third delegation (DNS1/DNS2/DNS3.ACTUSA.NET) carrying two DS records, the RRSIG over the DS set, and its NSEC and RRSIG. Signature and digest data omitted.]

DNSSEC Validating Resolvers

Reverse DNS Management and DNSSEC in ARIN Online
Available on ARIN's website

DNSSEC Statistics (ARIN 36)
- Number of orgs with DNSSEC: 123
- Total number of delegations: 583,442
- DNSSEC-secured zones: 586
- Percentage secured: 0.1%

Q&A

Life After IPv4 Depletion
Jon Worley, Analyst
Leslie Nobile, Senior Director, Global Registry Knowledge

Overview
- IPv4 depletion recap
- Post-depletion observations
- Post-depletion IPv4 options: IPv4 Waiting List; IPv4 transfers; dedicated IPv4 block to facilitate IPv6 deployment

ARIN IPv4 Depletion Recap
- ARIN reached full IPv4 depletion on 9/24/2015
- Only single /24s had been available for approximately 3 months before full depletion
- Full depletion refers to the available pool of IPv4 addresses; it does not include any space being held or reserved for specific policies

IPv4 Address Space in ARIN Free Pool (/8s)
[Chart]

IPv4 Space Held/Reserved
- Held space (minimum 60 days): space returned to ARIN or revoked for non-payment; held for at least 60 days; research required to verify ARIN can reissue it
- Space reserved per policy: a /10 to facilitate IPv6 deployment; 2 /16s for exchange points/critical infrastructure

Post-IPv4 Depletion Observations
- The need for IPv4 is still great
- More people seeking IPv4 space in the transfer market
- Increase in specified and inter-RIR transfers
- Seeing more attempted hijackings (mostly legacy space)
- Important to keep resource and POC records up to date to prevent attempted hijackings
- Starting to get more requests for /24s from the /10 block reserved for IPv6 deployment
- Hearing lots of questions and confusion around transfers, the waiting list, pre-approvals and STLS

Post-IPv4 Depletion Options
- IPv4 Waiting List (for unmet requests)
- IPv4 transfer market
- Dedicated IPv4 block to facilitate IPv6 deployment
- Adopt IPv6

IPv4 Waiting List
- Policy enacted the first time ARIN did not have a contiguous block of addresses of sufficient size to fulfill a qualified request
- Must request to be added to the list and qualify under current ARIN policy
- Maximum approved size determined by ARIN; minimum acceptable size specified by the requester
- One request per org on the list at a time
- Limit of one allocation or assignment every 3 months
- Waiting list published on ARIN's web site: https://www.arin.net/resources/request/waiting_list.html
- Approximately a /12 is needed to fill all pending requests

Does IPv4 Space Become Available?
- IPv4 space can become available periodically: return = voluntary; revoke = for cause (usually non-payment)
- 3.54 /8 equivalents returned/revoked since 2005
- IANA issues space per the global policy for post-exhaustion IPv4 allocation mechanisms by IANA: a /11 (issued 5/14), /12 (issued 9/14), /13 (issued 3/15), and /14 (issued 9/15) to each RIR
- Demand will be far greater than availability

How Long Might You Wait?
- 297 tickets added since the wait list started
- 27 wait list requests filled:
  - 13 filled with the IANA /14 equivalent issued in 9/2015
  - 13 filled with blocks previously held for organizations that did not respond within their allotted timeframe or that opted to stay on the waiting list rather than accept a smaller block
  - 1 filled with space that had been revoked
- 19 filled via 8.3 transfer and removed from the list (as required per policy)
- Again, demand is far greater than availability

[Charts: 2015 IPv4 Requests; Requests Added to IPv4 Wait List. Markers indicate when the waiting list was initiated and when IPv4 depletion occurred.]

Transfers of IPv4 Addresses
Three ARIN transfer policies are available:
- Mergers and Acquisitions (NRPM 8.2): traditional transfer based on a change in business structure, including company reorganizations, supported by legal documentation
- Transfers to Specified Recipients (NRPM 8.3): IPv4 market transfer based on a financial transaction, supported by justified need (within region)
- Inter-RIR Transfers to Specified Recipients (NRPM 8.4): IPv4 market transfer based on a financial transaction, supported by justified need (outside region)

Transfers to Specified Recipients (NRPM 8.3)
Allows orgs with unused IPv4 resources to transfer them to orgs in need of IPv4 resources.
- Source: must be the current registrant, with no disputes; must not have received addresses from ARIN in the 12 months prior
- Recipient: must demonstrate need for a 24-month supply under current ARIN policy

[Chart: Specified Recipient Transfers, with markers for waiting list initiated and IPv4 depletion]

Inter-RIR Transfers (NRPM 8.4)
- The other RIR must have reciprocal, compatible needs-based policies; currently APNIC and RIPE NCC
- Transfers from ARIN: the source cannot have received IPv4 from ARIN in the 12 months prior to the transfer; must be the current registrant, with no disputes; the recipient meets the destination RIR's policies
- Transfers to ARIN: must demonstrate need for a 24-month supply under current ARIN policy

[Chart: Inter-RIR Transfers, with markers for waiting list initiated and IPv4 depletion]

FAQs: Specified and Inter-RIR Transfers

What will ARIN ask for if I want to transfer my space to another organization (source)?
- Chain-of-custody questions to ensure you are the current registrant
- If your organization went through a merger or acquisition, an M&A transfer may be required first
- The organization must be an active, registered business
- Must provide a notarized officer acknowledgement

What will ARIN ask for if I have found a block to transfer to my organization (recipient)?
- Must demonstrate justified need by showing historical use of IPv4 addresses, providing documentation to support projections, etc.
- Must provide an officer attestation

Will submitting an 8.3 or 8.4 transfer remove my organization from the waiting list?
- If your organization receives any size block of IPv4 address space from an 8.3 or 8.4 transfer, your organization will be removed from the waiting list (per policy)

Who can ARIN share information with and give status updates to about a transfer?
- ARIN can give a general status on your partner's transfer (for example, if you're the source, the general status of the linked recipient ticket)
- ARIN cannot give you specifics, due to its non-disclosure commitment to its customers
- If you need detailed information on the status of the transfer, you need to contact the other party directly

IPv4 Transfer Stats
- Transfers to Specified Recipients (8.3): 452 prefixes transferred, ranging from /24s to a /10; 23 ASNs
- Inter-RIR Transfers (8.4): 201 prefixes transferred, ranging from /24s to /13s; 188 ARIN to APNIC, 10 ARIN to RIPE NCC, 3 APNIC to ARIN
- https://www.arin.net/knowledge/statistics/transfers.html

Officer Attestation
- Officer attestation was enacted in May 2007 at the direction of ARIN's Board of Trustees, in anticipation of IPv4 depletion
- An additional step added to the request process to ensure the legitimacy of the request
- Requested by staff just prior to ticket approval
- Staff send the appropriate document to the requester for completion by an officer of the company
- Once the signed document is received, approval is issued

Officer Attestation vs Officer Acknowledgement
- Officer Attestation is used to verify the legitimacy and accuracy of the information submitted in a resource request or transfer
- Officer Acknowledgement is used to ensure that an authorized representative of the company (source) is releasing the IPv4 resources in a transfer (or in preparation for a transfer). It must be notarized.
Officer Attestation and Officer Acknowledgement Requirements
- IPv4 requests: officer attestation
- 8.3 transfers: 8.3 source: notarized officer acknowledgement; 8.3 recipient: officer attestation
- 8.4 transfers: 8.4 source going out of region: notarized officer acknowledgement; 8.4 recipient coming into region: officer attestation
- STLS: listers: notarized officer acknowledgement; needers: officer attestation
- Pre-approvals: officer attestation

Specified Transfer Listing Service (STLS)
Optional service to facilitate specified recipient and inter-RIR transfers.
- Listers: have available IPv4 addresses; must be the authorized resource holder
- Needers/seekers: looking for IPv4 addresses; must be approved under ARIN policy (2-year justified need)
- Facilitators: available to help listers and needers find each other
- Public information available on the ARIN website:
  - Number of available and needed IPv4 address blocks: https://www.arin.net/resources/transfer_listing/listings.txt
  - List of registered facilitators (IPv4 brokers): https://www.arin.net/resources/transfer_listing/facilitator_list.html

Pre-approval for Specified Recipient Transfers
- Optional service, done through ARIN Online
- Only used for 8.3 and 8.4 transfers
- Pre-approval is not necessary if you have already been added as a needer to the STLS
- You don't need pre-approval to request an 8.3 or 8.4 transfer, but it could be helpful
- Based on 24-month need and valid for 2 years: you won't need to re-justify within that timeframe
- Once you are pre-approved, you must still submit the 8.3 or 8.4 transfer request in a new ARIN Online ticket
- You can use multiple 8.3 or 8.4 transfers to fill the pre-approved amount

Tips for Faster Transfer Processing
- Make sure all registration information is current and accurate before requesting an 8.3 or 8.4 transfer
- Work with ARIN staff to get your records up to date in advance of your transfer request
- Request pre-approval for your 24-month need in advance of the transfer, so that you are ready to go once you find your IPv4 space
- Provide detailed information to support the 24-month need, to minimize back-and-forth questions

Reserved IPv4 Block for IPv6 Deployment
- A /10 reserved under policy in April 2009
- 12 /24s issued to date
- Must be used to facilitate IPv6 deployment; examples include IPv4 addresses for key dual-stack DNS servers, and NAT-PT or NAT464 translators
- You must already have your IPv6 allocation or assignment in order to receive a /24 from this block
- One per organization every six months, /24 maximum size
- Should be enough to last several years
- Good interim option if IPv4 needs are small

In Closing
- Smaller organizations should request an IPv6 block and get a /24 from the reserved /10 every six months to help with their deployment
- Any organization that needs IPv4 address space should begin contacting organizations with available space, or facilitators who can help find available IPv4 address space, sooner rather than later
- Use the waiting list as an option, but remember it could be years before your request is filled
- If you need IPv4 addresses immediately, use another option

ARIN Technical Services & Tools
Mark Kosters, CTO

Major Services
- ARIN Online
- Mail
- Directory services: Whois, Whois-RWS, RDAP
- Domain Name System (DNS)
- Internet Routing Registry (IRR)
- Resource Public Key Infrastructure (RPKI)
- Operational Test & Evaluation (OT&E)

ARIN Online Web Interface
- Creating an account
- Linking to existing Points of Contact (POCs)
- Creating/linking to Organizations
- Managing reverse DNS
- Managing resource requests
- Specified Transfer Listing Service
- Ask ARIN
- Message Center
- RPKI
- Reporting
- Billing and payments
- Voting

ARIN Online Usage
- 104,312 accounts activated since inception through Q3 of 2015
[Chart: Number of Accounts Activated, through Q3 of 2015]

Active Usage of ARIN Online
[Chart: number of users by times logged in, logins from inception through Q3 of 2015]
- One user logged in 1,205,887 times!

Linking?
- A way of managing resources that was put in place before ARIN Online was unveiled
- A good set of videos at https://www.youtube.com/user/teamarin
- The videos teach you about: creating an account ("Manage your Records" video); relationships with POCs ("Point of Contact Records" video)

Ask ARIN and Message Center
- Ask ARIN: a way to ask ARIN staff a question via the web
- Message Center: tracks ticketed requests. Ticketed requests are things like resource requests and correspondence, RPKI notifications, and reports

Reports
- Associations Report:
  - POCs linked to your ARIN Online account, including the roles served by these POCs for any associated Org IDs (Admin, Tech, Abuse, etc.)
  - Org IDs associated with your ARIN Online account
  - Network records (NETs) and Autonomous System Number (ASN) records associated with your linked POCs, directly or via an associated Org ID

Reports (cont.)
- User Reassignment Report: reassignments associated with your ARIN Online account via associated Org IDs
- "Holes" in all Network (NET) records associated with your ARIN Online account, where no reassignment or reallocation has been made
- WhoWas: history of a resource
- Bulk Whois: directory services information placed in files
- Reports are ticketed and delivered to your Message Center

Billing
- Can see which invoices are current and past due

REST Services
- Provisioning
- Reassignment information
- Points of Contact
- Organizations
- Requesting reports

What is REST?
- Representational State Transfer, as applied to web services
- Defines a pattern of usage with HTTP to create, read, update, and delete (CRUD) data
- Resources are addressable in URLs
- Very popular protocol model: Amazon S3, Yahoo and Google services, etc.

The BIG Advantage of REST
- Easily understood; any modern programmer can incorporate it
- Can look like web pages
- Re-uses HTTP in a simple manner: many, many clients, plus the other HTTP advantages
- This is why it is very, very popular with Google, Amazon, Yahoo, Twitter, Facebook, YouTube, Flickr, etc.

What does it look like?
[Slide annotated an example Whois-RWS URL: who can use it; where the data is; what type of data it is; the ID of the data]
- It is a standard URL. Anyone can use it. Go ahead, put it into your browser.

Where can more information on REST be found?
- RESTful Web Services, O'Reilly Media, Leonard Richardson and Sam Ruby

RESTful Services
- Whois-RWS
- RDAP
- RPKI provisioning
- Reporting

Mail/Templates
- Before ARIN Online, the only way of communicating with ARIN
- Now used only for: reassignment information; inter-RIR transfers; questions
- Lots of spam

[Chart: Reg-RWS Transactions (cumulative)]

Directory Services
- Whois: resource information as per RFC 812
- Whois-RWS: RESTful implementation of Whois
- RDAP: resource information as per the RDAP RFCs

[Chart: Whois Queries Per Second]

DNS
- Provides reverse DNS delegation management for IPv4 and IPv6
- This includes DNSSEC
- More detail later

IRR
- Provides coarse routing information for routing filters
- Processed through templates sent via mail
- Has a Whois interface using RPSL (RFC 2622)
- ARIN will be upgrading this service starting Q3 of 2016
- Documented at https://www.arin.net/resources/routing/

OT&E (Operational Test & Evaluation)
- Lots of people test in production, which is not the best place to test: things do get stuck and may impact others
- Goodness of OT&E: a place to test code and a place to test process
- All services are now under ote.arin.net, with exceptions
- Need to register to participate: https://www.arin.net/resources/ote.html

RPKI
- We will talk about this in detail later

Feedback
- Users can notify us of Internet number resource fraud and Whois inaccuracy
- Can provide feedback on the application via the feedback button
- Suggestions through the ARIN Consultation and Suggestion Process (ACSP)

Tools
- Lots of APIs; you can build your own tools
- Some have shared their tools with others; a repository for these tools is available

Q&A

ARIN's Policy Development Process
Tina Morris, ARIN Advisory Council

Overview
- Basic steps
- Examples of past policy changes
- A current proposal
- How to get involved
Policy Development Process (PDP) Steps
1) Proposal: someone in the community thinks a policy can be improved and documents it
2) Draft Policy: discussion on the list and possibly at meeting(s). Is there really a problem? Is this a good solution?
3) Recommended Draft Policy: more discussion and presentation at meeting(s). Does the community support turning this into policy?
4) Last call
5) Board review
6) Staff implementation (NRPM)
If you submit a proposal, you can participate further, or let the ARIN process shepherd it through the steps.

Past Policy Changes: IPv6 Policy
- Circa 2001: the initial IPv6 policy was aligned with IPv4 policy at that time: conservation was important, small amounts were issued for short periods, distribution was hierarchical from upstreams, and there was no end-user policy at all
- Dozens of proposals to improve IPv6 policy followed. Changes included: minimum allocation size increased (/35 to /32), larger allocations from IANA, policy for end users, community networks (mesh networks), assignment sizes from ISPs to customers (/56s), larger amounts for ISPs with easier criteria, larger amounts for end users with easier criteria, bit-boundary assignments and allocations, etc.

Past Policy Changes: Transfers
- 1997 thru 2007: a policy for mergers and acquisitions existed; everything else was to go back to ARIN
- 2007 thru 2016: many proposals to improve transfers. Changes included: allow needs-based transfers of unused or underutilized address space between organizations via ARIN, increase the supply period from one year to two, allow ASN transfers, allow inter-RIR transfers, etc.
- Still seeing proposals to make transfers easier: some are trying to reduce the needs requirement, some want ARIN to simply record the transfers
Policy Currently Under Discussion ARIN : Out of Region Use Would allow an organization to receive Internet number resources from ARIN for use out of region as long as the applicant is currently using at least the equivalent of a /22 of IPv4 space, /44 of IPv6, or 1 ASN within the ARIN service region. Earlier Abandoned Proposals ARIN : Out of Region Use ARIN : Allocation of IPv4 and IPv6 Address Space to Out-of-region Requestors ARIN : IPv4 Number Resources for Use Within Region (continued on next slide) ARIN : Out of Region Use ARIN presented at ARIN 36 in Oct 2015 AC found draft to be fair, technically sound and supported Promoted to recommended state (late Oct 2015) Remaining steps Present as a Recommended Draft Policy at NANOG 66 and/or ARIN 37 Last Call and review of last call comments Board Review Implementation by Staff How Can You Get Involved? Two ways to learn and be heard 1.Public Policy Mailing List 2.Public Policy Consultations/Meetings ARIN meetings (April and October) ARIN Public Policy Consultations at NANOG (twice a year, usually February and June) Remote participation supported Takeaways 1)ARIN doesn't make up number policy, you do. 2)Well documented policy development process includes assistance from ARIN AC and staff throughout the process. 3)Stay informed. Join the policy list and/or attend meetings (in person or remotely). Q&A References Policy Development Process (PDP) Draft Policies and Proposals Number Resource Policy Manual (NRPM) PDP Goals 1)"open, transparent, and inclusive manner that allows anyone to participate in the process. 
2)"clear, technically sound and useful policies 3)policies, not processes, fees, or services Security Overlays on Core Internet Protocols RPKI Mark Kosters CTO Core Internet Protocols Two critical resources that are unsecured Domain Name Servers Routing Hard to tell if compromised From the user point of view From the ISP/Enterprise Focus on government funding Routing Routing Architecture The Internet uses a two-level routing hierarchy: Interior Routing Protocols, used by each network to determine how to reach all destinations that line within the network Interior Routing protocols maintain the current topology of the network Routing Architecture The Internet uses a two-level routing hierarchy: Exterior Routing Protocol, used to link each component network together into a single whole Exterior protocols assume that each network is fully interconnected internally Exterior Routing: BGP BGP is a large set of bilateral (1:1) routing sessions A tells B all the destinations (prefixes) that A is capable of reaching B tells A all the destinations that B is capable of reaching A A B B / / / /24 What is RPKI? R esource P ublic K ey I nfrastructure Attaches digital certificates to network resources Autonomous System Numbers (ASNs) IP Addresses Allows ISPs to associate the two Route Origin Authorizations (ROAs) Can follow the address allocation chain to the top What does RPKI accomplish? 
Allows routers or other processes to validate route origins
Simplifies validation authority information
Trust Anchor Locator
Distributes trusted information through repositories

Resource Certificate Validation
(Diagram: resource allocation hierarchy from ICANN through the RIRs (AFRINIC, RIPE NCC, APNIC, ARIN, LACNIC) down to LIR1, ISP2, ISP4 and other ISPs, with the certificates issued at each level)
Route Origination Authority: ISP4 permits AS65000 to originate a route for the prefix /24. Attachment: Signed, ISP4
1. Did the matching private key sign this text?
2. Is this certificate valid?
3. Is there a valid certificate path from a Trust Anchor to this certificate?

What does RPKI Create?
It creates a repository:
RFC 3779 (RPKI) Certificates
ROAs
CRLs
Manifest records

Repository View
./ba/03a5be-ddf a1f9-1ad3f2c39ee6/1:
total 40
-rw-r--r Jun ICcaIRKhGHJ-TgUZv8GRKqkidR4.roa
-rw-r--r Jun cKxLCU94umS-qD4DOOkAK0M2US0.cer
-rw-r--r Jun dSmerM6uJGLWMMQTl2esy4xyUAA.crl
-rw-r--r Jun dSmerM6uJGLWMMQTl2esy4xyUAA.mnf
-rw-r--r Jun nB0gDFtWffKk4VWgln-12pdFtE8.roa
A Repository Directory containing an RFC 3779 Certificate, two ROAs, a CRL, and a manifest

Repository Use
Pull down these files using a manifest-validating mechanism
Validate the ROAs contained in the repository
Communicate with the router, marking routes valid, invalid, unknown
Up to ISP to use local policy on how to route

Possible Data Flow for Operations
RPKI Web interface -> Repository
Repository aggregator -> Validator
Validated entries -> Route Checking
Route checking results -> local routing decisions (based on local policy)

How Can You Use ARIN's RPKI System?
Hosted
Hosted using ARIN's RESTful service
Delegated using Up/Down Protocol

Hosted RPKI
Pros: Easier to use; Managed by ARIN
Cons: No current support for downstream customers to manage their own space (yet); Tedious through the UI if you have a large network; We hold your private key

Hosted RPKI with RESTful Interface
Pros: Easier to use; Managed by ARIN; Programmatic interface for large networks
Cons: No current support for downstream customers to manage their own space (yet); We hold your private key

Delegated RPKI with Up/Down
Pros: You safeguard your own private key; Follows the IETF up/down protocol
Cons: Extremely hard to set up; Need to operate your own RPKI environment
More later

Hosted RPKI in ARIN Online
(Screenshots: Hosted RPKI in ARIN Online for SAMPLE-ORG)
Your ROA request is automatically processed and the ROA is placed in ARIN's repository, accompanied by its certificate and a manifest. Users of the repository can now validate the ROA using RPKI validators.
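Added example (not ARIN's code): a Python sketch of the validator side of the Resource Certificate Validation slides and the Repository Use step above. It walks a certificate chain to a trust anchor (question 3), checks validity windows (question 2) and RFC 3779 resource containment, keeps only ROAs whose certificate validates, and then marks announcements valid, invalid or unknown as a router would under RFC 6811 route origin validation. Certificate names, prefixes, ASNs and dates are constructed; the signature check of question 1 is assumed to be done by the CMS/X.509 layer and is modelled here by the issuer link.

```python
from datetime import date
from ipaddress import ip_network

TODAY = date(2016, 1, 20)   # validation time, constructed to match the talk date
TRUST_ANCHORS = {"TA"}      # hypothetical trust anchor (what a TAL would point at)

# Constructed RFC 3779 certificate chain: name -> issuer, IP resources, validity window.
# A real validator verifies each CMS/X.509 signature; the issuer link stands in for that.
CERTS = {
    "TA":    dict(issuer=None,  prefixes=["10.0.0.0/8"],    nb=date(2010, 1, 1), na=date(2030, 1, 1)),
    "RIR":   dict(issuer="TA",  prefixes=["10.20.0.0/16"],  nb=date(2012, 1, 1), na=date(2025, 1, 1)),
    "ISP4":  dict(issuer="RIR", prefixes=["10.20.30.0/24"], nb=date(2015, 1, 1), na=date(2020, 1, 1)),
    "ROGUE": dict(issuer="RIR", prefixes=["10.99.0.0/16"],  nb=date(2015, 1, 1), na=date(2020, 1, 1)),
}
# Constructed ROAs: (signing certificate, prefix, maxLength, authorized origin AS)
ROAS = [("ISP4", "10.20.30.0/24", 24, 65000), ("ROGUE", "10.99.0.0/16", 24, 65001)]

def covered(prefix, holder_prefixes):
    """True if prefix lies inside one of the holder's prefixes (same address family)."""
    net = ip_network(prefix)
    return any(net.version == h.version and net.subnet_of(h)
               for h in map(ip_network, holder_prefixes))

def cert_valid(name, seen=()):
    """Walk issuer links up to a trust anchor; every hop must be inside its validity
    window and hold only resources its issuer holds (RFC 3779 containment)."""
    c = CERTS.get(name)
    if c is None or name in seen or not (c["nb"] <= TODAY <= c["na"]):
        return False
    if name in TRUST_ANCHORS:
        return True
    parent = CERTS.get(c["issuer"])
    if parent is None or not all(covered(p, parent["prefixes"]) for p in c["prefixes"]):
        return False                          # ROGUE fails here: resources not held by issuer
    return cert_valid(c["issuer"], seen + (name,))

def validated_payloads():
    """ROAs whose certificate chains to a trust anchor: what a validator hands to routers."""
    return [(ip_network(p), maxlen, asn) for cert, p, maxlen, asn in ROAS if cert_valid(cert)]

def route_origin_state(prefix, origin_as, vrps):
    """RFC 6811 route origin validation: valid / invalid / unknown for one announcement."""
    net = ip_network(prefix)
    covering = [(maxlen, asn) for vp, maxlen, asn in vrps
                if vp.version == net.version and net.subnet_of(vp)]
    if not covering:
        return "unknown"                      # no ROA covers it: local policy decides
    if any(net.prefixlen <= maxlen and asn == origin_as for maxlen, asn in covering):
        return "valid"
    return "invalid"                          # wrong origin AS, or more specific than maxLength
```

The "unknown" and "invalid" results are only inputs to the router; as the slide says, what to do with them is local policy.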
Delegated with Up/Down
You have to do all the ROA creation
Need to set up a CA
Have a highly available repository
Create a CPS

RPKI Statistics
(Table: RPKI statistics from ARIN XXX through ARIN 36; rows: RPAs Signed, Certified Orgs, ROAs, Covered Resources, Up/Down Delegated)

Q&A

Moving to IPv6
Mark Kosters, Chief Technical Officer
Leslie Nobile, Senior Director, Global Registry Knowledge

The Amazing Success of the Internet
2.92 billion users!
4.5 online hours per day per user!
5.5% of GDP for G-20 countries
(Chart: just about anything about the Internet, plotted against time)

The Original IPv6 Plan
(Chart: IPv6 Deployment, IPv6 Transition / Dual Stack, IPv4 Pool Size and Size of the Internet, plotted against time)

The Revised IPv6 Plan
(Chart: IPv6 Deployment, IPv6 Transition / Dual Stack starting in 2004, IPv4 Pool Size and Size of the Internet, plotted against date)

Oops!
We were meant to have completed the transition to IPv6 BEFORE we completely exhausted the supply channels of IPv4 addresses!

Today's Plan
(Chart: IPv6 Deployment, IPv4 Pool Size, Size of the Internet and IPv6 Transition, with "Today" marked at 0.8%)

Transition...
The downside of an end-to-end architecture:
There is no backwards compatibility across protocol families
A V6-only host cannot communicate with a V4-only host
We have been forced to undertake a Dual Stack transition:
Provision the entire network with both IPv4 AND IPv6
In Dual Stack, hosts configure the hosts' applications to prefer IPv6 to IPv4
When the traffic volumes of IPv4 dwindle to insignificant levels, then it's possible to shut down support for IPv4

Dual Stack Transition...
We did not appreciate the operational problems with this dual stack plan while it was just a paper exercise:
The combination of an end host preference for IPv6 and a disconnected set of IPv6 islands created operational problems
Protocol failover from IPv6 to IPv4 takes between 19 and 108 seconds (depending on the operating system configuration)
This is unacceptably slow
Attempting to bridge the islands with IPv6-in-IPv4 tunnels created a new collection of IPv6 path MTU Discovery operational problems
There are too many deployed network paths containing firewall filters that block all forms of ICMP, including ICMP6 Packet Too Big
Attempts to use end-host IPv6 tunneling also present operational problems:
Widespread use of protocol 41 (IP-in-IP) firewall filters
Path MTU problems

Dual Stack Transition
Signal to the ISPs:
Deploy IPv6 and expose your users to operational problems with IPv6 connectivity
Or
Delay IPv6 deployment and wait for these operational issues to be solved by someone else
So we wait

And while we wait...
The Internet continues its growth. And without an abundant supply of IPv4 addresses to support this level of growth, the industry is increasingly reliant on NATs:
Edge NATs are now the de facto choice for residential broadband services at the CPE
ISP NATs are now the de facto choice for 3G and 4G mobile IP services

What is ARIN Hearing from the Community About IPv6?
Movement to IPv6 is slow, but progress being made
ISPs slowly rolling out IPv6
Steady increase in IPv6 traffic
Increase in IPv6 requests
Still high demand for IPv4
Many ISPs purchasing CGN boxes
More turning to the IPv4 market
Rent by month
Purchasing space outright (costs will increase)

Why is there little immediate need for IPv6?
Some of the claims are either not true or taken over by events:
IPv6 gives you better security
IPv6 gives you better routing
Some positive things:
IPv6 allows for end-to-end networking to occur again
IPv6 has more address bits
It is cheaper per address

2003: Sprint
T1 via Sprint
Linux Router with Sangoma T1 Card
OpenBSD firewall
Linux-based WWW, DNS, FTP servers
Segregated network, no dual stack (security concerns)
A lot of PMTU issues
A lot of routing issues
Service did improve over the years

2008: NTT / TiNet
IPv Mbit/s to NTT / TiNet
Cisco ASR 1000 Router
Brocade Load Balancers - IPv6 support was Beta
DNS, Whois, IRR, more later
Dual stack

Past Meeting Networks
IPv6 enabled since 2005
Tunnels to ARIN, others
Testbed for transition technology:
NAT-PT (Cisco, OSS)
CGN / NAT-lite
IVI
Training opportunity for staff & members

ARIN's Current Challenges for Networking
Dual-Stacked Internally
Challenges over time with our VPN (OpenVPN): one interface works with v6, one does not
Middleware Boxes
Claims do not support reality ("we support IPv6"): Yes, but... No 1-1 feature set
Limits ARIN's ability to support new services like https support for Whois-RWS

However, there is some good news

US IPv6 Deployment
> 25% of US customers connected to Google via IPv6 - up from 10% one year ago today & growing rapidly

The State of IPv6
Over 10% of the world uses Facebook over IPv6
(Chart: share of users reaching Facebook over IPv6, crossing 10%)

Why Move to IPv6 Now?
IPv4 depletion has occurred
Cost of IPv4 will only increase
Lots more addresses and more!
IPv6 performs better than IPv4
IPv6 is simpler operationally; not difficult to deploy
More efficient network management - allows for end-to-end networking to occur again
Designed with security in mind
IPv6 is your platform for innovation

Your IPv6 Checklist
Get your IPv6 address space
Set up IPv6 connectivity (native or tunneled)
Configure your operating systems, software, and network management tools
Upgrade your router, firewall, and other hardware
Get your IT staff training
Enable IPv6 on your website

Talk to Your ISP About IPv6 Services
You want access to the entire Internet!
ISPs must connect customers via IPv4 only, IPv4-IPv6, and IPv6 only
They must plan for IPv4-IPv6 transition services
Many transition technologies available
Research options and make architectural decisions

Dual-stack Your Network
IPv6 not backwards compatible with IPv4
Both will run simultaneously for years

Make Your Servers Reachable Over IPv6
Mail, Web, Applications
Operating systems, software, and network management tools

Audit Your Equipment and Software
Are your devices and applications IPv6 ready?

Encourage Vendors to Support IPv6
If not already, when will IPv6 support be part of their product cycle?
Get IPv6 Training for Staff
Free resources available

Enable IPv6 on Your Website

Steps To Get Your Website IPv6-Enabled
TeamARIN.net/get6

IPv6 over time
ARIN IPv6 Allocations and Assignments
(Chart: 2015 IPv6 Requests, with markers for "waiting list initiated" and "IPv4 depletion")

ARIN ISP Members with IPv4 and IPv6
5,268 total members as of 31 January

Global IPv6 Status
Percentage of Members with IPv6

Requesting IPv6 - ISPs
Have a previous v4 allocation from ARIN or predecessor registry, OR
Intend to multi-home, OR
Provide a technical justification which details at least 50 assignments made within 5 years

Data ARIN Will Typically Ask For - ISPs
If requesting more than a /32, a spreadsheet/text file with:
# of serving sites (PoPs, datacenters)
# of customers served by largest serving site
Block size to be assigned to each customer (/48 typical)

Requesting IPv6 - End Users
Have a v4 direct assignment from ARIN or predecessor registry, OR
Intend to multi-home, OR
Show how you will use 2000 IPv6 addresses or 200 IPv6 subnets within a year, OR
Technical justification as to why provider-assigned IPs are unsuitable

Data ARIN Will Typically Ask For - End Users
If requesting more than a /48, a spreadsheet/text file with:
List of sites in your network
Site = distinct geographic location
Street address for each
Campus may count as multiple sites
Technical justification showing how they're configured like geographically separate sites

2015 Best Practices Forum (BPF) on IPv6 Adoption
Creating an Enabling Environment for IPv6 Adoption
Part of the Internet Governance Forum (IGF), a multi-stakeholder forum for policy dialogue on issues of Internet governance
Project designed to document high level best practices for IPv6 adoption
Best practice examples collected via:
Public survey running mid-July thru mid-November (results available on the IGF website)
Mailing list discussion/correspondence

Final IPv6 BPF Document
Provides an overview of various capacity building programs that are available
Highlights numerous examples and best practices that can help businesses and governments with their IPv6 deployment projects
Large section of the document is dedicated to role and function of IPv6 task forces/forums
/creating-an-enabling-environment-for-the-development-of-local-content/581-igf2015-bpfipv6-finalpdf/file

Operational Guidance
Internet Governance Forum: Enabling Environment for IPv6 Adoption
Learn More: IPv6 Info Center