tampa, fl - american registry for internet numbers · • community software project repository 22...

Tampa, FL 18 February 2016

Welcome. Here today from ARIN…

•  Jan Blacka, Senior User Experience Specialist

•  Kevin Blumberg, ARIN Advisory Council

•  John Curran, President and CEO

•  Susan Hamlin, Director of Communications & Member Services

•  Frank Hill, Senior Software Engineer

•  Wendy Leedy, Member Engagement Coordinator

•  Debra Martin, Senior Project Manager

•  Jon Worley , Senior Director Global Registry Services

Agenda 10:00 AM Welcome and Getting Started 10:15 AM ARIN: Mission, Role and Services; John Curran 10:45 AM Security Overlays on Core Internet Protocols –

DNSSEC; Frank Hill 11:20 AM Life After IPv4 Depletion; Jon Worley Noon Networking Lunch

1:00 PM ARIN Services and Tools; Debra Martin

1:30 PM Policy Development Process; Kevin Blumberg

2:00 PM Security Overlays on Core Internet Protocols – Resource Certification (RPKI); Frank Hill

2:30 PM IPv6 Adoption; Debra Martin and Jon Worley

3:00 PM Q&A / Open Mic Session

Let’s Get Started! •  Self introductions

– Name – Organization – I would like to learn more about

“___________.”

ARIN and the RIR System: Mission, Role and Services

John Curran

President and CEO

What is an RIR?

A Regional Internet Registry (RIR) manages the allocation and registration of Internet number resources in a particular region of the world.

Number resources include IP addresses and autonomous system (AS) numbers.

Regional Internet Registries

Not-for-profit Membership Organization

Community Regulated

•  Fee for services, not number resources

•  100% community funded

•  Open

•  Broad-based - Private sector - Public sector - Civil society

•  Community developed policies

•  Member-elected executive board

•  Open and transparent

RIR Structure

IPAddressandAutonomousSystemNumberProvisioningProcess

The NRO exists to protect the unallocated number resource pool, to promote and protect the bottom-up policy development process, and to act as a focal point for Internet community input into the RIR system.

Number Resource Organization

ARIN, a nonprofit member-based organization, supports the operation of the Internet through the management of Internet number resources throughout its service region; coordinates the

development of policies by the community for the management of Internet Protocol number resources; and advances the Internet through

informational outreach.

ARIN’s Service Region

The ARIN Region includes many Caribbean and North Atlantic islands, Canada, the United States and outlying areas.

Who is the ARIN “community”?

Anyone with an interest in Internet number resource management in the ARIN region

The ARIN Community includes…

•  5,200+ members •  20,000+ customers •  79 professional staff •  7 member Board of Trustees

•  elected by the membership

•  15 member Advisory Council •  elected by the membership

•  3 person NRO Number Council •  elected by the ARIN Community

Organizational Chart

CMSD:11employeesENG:42employeesEXEC:6employeesFSD:6employeesHR:4employeesRSD:11employees(includesfuturedirector)Total:80employeesatARIN(includesfutureRSDdirector)

ARIN Board of Trustees •  Paul Andersen, Vice Chair •  Vinton G. Cerf, Chair •  John Curran, President and CEO •  Timothy Denton, Secretary •  Aaron Hughes •  Bill Sandiford, Treasurer •  Bill Woodcock

16

ARIN Advisory Council •  Dan Alexander, Chair •  Cathy Aronson •  Kevin Blumberg, Vice Chair •  Owen DeLong •  Andrew Dul •  David Farmer •  David Huberman •  Scott Leibrand •  Tina Morris •  Milton Mueller •  Amy Potter •  Leif Sawyer •  Robert Seastrom •  John Springer •  Chris Tacit

17

NRO Number Council •  15 member body

–  3 representatives from each RIR •  From ARIN:

–  Jason Schiller –  Louie Lee –  John Sweeting

•  Fulfills role of the ICANN Address Supporting Organization Address Council – Global policy and ICANN Board Seats

18

2016 Focus 1.  Continued IPv4 to IPv6 Transition Awareness 2.  Continued participation in Internet Governance

forums 3.  Continue to review and enhance ARIN Online,

including making significant user interface improvements per user feedback

4.  Participate in planning discussions for the transition of the stewardship of IANA to encourage responsible oversight of critical Internet resources

5.  Continue to focus on community suggested, customer facing, high impact software development efforts in a timely manner

6.  Improve customer service based on feedback and repeat customer satisfaction survey

19

ARIN Services and Products ARIN Manages: •  Number Resources

IP address allocations & assignments ASN assignment Transfers

•  Reverse DNS •  Directory services

Whois Routing Information (Internet Routing Registry [IRR]) WhoWas

20

ARIN Services and Products ARIN coordinates and administers: •  Policy Development

Community meetings Discussion Publication

•  Elections •  Information publication and dissemination

and public relations •  Community outreach •  Education and training

21

ARIN Services and Products ARIN develops technologies for managing Internet number resources:

•  ARIN Online •  DNSSEC •  Resource Certification (RPKI) •  Whois-RWS •  Reg-RWS •  Community Software Project Repository

22

Globalization of IANA Oversight

On 14 March 2014, the US Government announced plans to transition oversight of the IANA functions contract to the global multistakeholder community Current IANA functions contract expires 30 September 2016

NTIA* Conditions for Transition Proposal 1.  Support and enhance the multi-stakeholder

model 2.  Maintain the security, stability, and resiliency of

the “Internet DNS” 3.  Meet the needs and expectation of the global

customers and partners of the IANA services 4.  Maintain the openness of the Internet *National Telecommunications and Information Administration (NTIA) within the U.S. Department of Commerce

Steps in the IANA Stewardship Proposal

1. The three “customer groups” of IANA submitted proposals: •  Number Resources (RIR community) - 15 Jan 2015

https://www.nro.net/wp-content/uploads/ICG-RFP-Number-Resource-Proposal.pdf

•  Domain Names: 25 June 2015https://community.icann.org/x/aJ00Aw

•  Protocol Parameters : 6 January 2015 http://tools.ietf.org/html/draft-ietf-ianaplan-icg-response-09

Steps in the IANA Stewardship Proposal

2.  The IANA Stewardship Transition Coordination Group (ICG) combined the three proposals into a single IANA Stewardship Transition Proposal – Oct. 2015

https://www.ianacg.org/icg-files/documents/IANA-transition-proposal-v9.pdf

3. ICG to send proposal to NTIA via the ICANN Board. Another body, the Cross Community Working Group is working on accountability requirements (implementation, review of work, etc.).

IANA Stewardship – Potential Implications •  Successful transition of IANA Stewardship from the USG to the Internet community would be an important validation of the Internet’s multi-stakeholder governance model •  Inability to transition could raise concerns about the validity of the multi-stakeholder process and fuel discussion of the perceived need for intergovernmental mechanisms for Internet Governance

Get 6 – Websites on IPv6

http://teamarin.net/infographic/

IPv6Wiki

How to Participate in ARIN

•  Attend Public Policy and Members Meetings & Public Policy Consultations – Remote participation available

•  Apply for Meeting Fellowship •  Discuss policies on Public Policy Mailing

List (ppml) •  Come to outreach events •  Subscribe to an ARIN mailing list

More Ways to Participate

•  Give your opinion on community consultations

•  Submit a suggestion •  Contribute to the IPv6 wiki •  Write a guest blog for TeamARIN.net •  Connect with us on social media •  Members – Vote in annual elections

h;ps://www.arin.net/parAcipate/meeAngs/fellowship.html

SecurityOverlaysonCoreInternetProtocols–DNSSEC

Frank Hill Sr Software Engineer

Core Internet Protocols

•  Two critical resources that are unsecured – Domain Name Servers – Routing

•  Hard to tell if compromised – From the user point of view – From the ISP/Enterprise

How DNS Works

Resolver

Question: www.arin.net A

www.arin.netA?

Cachingforwarder(recursive)

root-serverwww.arin.netA?

[email protected](+glue)

gtld-serverwww.arin.netA?

[email protected](+glue)

arin-server

www.arin.netA?

192.168.5.10

192.168.5.10

Add to cache

What Is DNSSEC? Why Use It?

•  Standard DNS (forward or reverse) responses are not secure – Easy to spoof – Notable malicious attacks

•  DNSSEC attaches signatures – Validates responses – Can not spoof

Reverse DNS at ARIN

• ARIN issues blocks without any working DNS – Registrant must establish

delegations after registration – Then employ DNSSEC if desired

•  Just as susceptible as forward DNS if you do not use DNSSEC

Reverse DNS at ARIN

• Authority to manage reverse zones follows allocations – “Shared Authority” model – Multiple sub-allocation recipient

entities may have authority over a particular zone

Setting up DNSSEC at ARIN

•  Must have a RSA/LRSA signed – We need to know who you are

•  Create entry method for DS Records – ARIN Online – RESTful interface – Not available via templates

•  Only key holders may create and submit Delegation Signer (DS) records

Reverse DNS in ARIN Online First identify the network that you want to put Reverse DNS nameservers on…

Reverse DNS in ARIN Online …then enter the Reverse DNS nameservers…

DNSSEC in ARIN Online …then apply DS record to apply to the delegation

Reverse DNS: Querying ARIN’s Whois

Query for the zone directly: whois> 81.147.204.in-addr.arpa Name: 81.147.204.in-addr.arpa. Updated: 2006-05-15 NameServer: AUTHNS2.DNVR.QWEST.NET NameServer: AUTHNS3.STTL.QWEST.NET NameServer: AUTHNS1.MPLS.QWEST.NET Ref: http://whois.arin.net/rest/rdns/81.147.204.in-addr.arpa.

DNSSEC in Zone Files ; File written on Mon Feb 24 17:00:53 2014 ; dnssec_signzone version 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6 0.74.in-addr.arpa. 86400 IN NS NS3.COVAD.COM. 86400 IN NS NS4.COVAD.COM. 10800 NSEC 1.74.in-addr.arpa. NS RRSIG NSEC 10800 RRSIG NSEC 5 4 10800 20140306210053 ( 20140224210053 57974 74.in-addr.arpa. oNk3GVaCWj2j8+EAr0PncqnZeQjm8h4w51nS D2VUi7YtR9FvYLF/j4KO+8qYZ3TAixb9c05c 8EVIhtY1grXEdOm30zJpZyaoaODpbHt8FdWY vwup9Tq4oVbxVyuSNXriZ2Mq55IIMgDR3nAT BLP5UClxUWkgvS/6poF+W/1H4QY= ) 1.74.in-addr.arpa. 86400 IN NS NS3.COVAD.COM. 86400 IN NS NS4.COVAD.COM. 10800 NSEC 10.74.in-addr.arpa. NS RRSIG NSEC 10800 RRSIG NSEC 5 4 10800 20140306210053 ( 20140224210053 57974 74.in-addr.arpa. DKYGzSDtIypDVcer5e+XuwoDW4auKy6G/OCV VTcfQGk+3iyy2CEKOZuMZXFaaDvXnaxey9R1 mjams519Ghxp2qOnnkOw6iB6mR5cNkYlkL0h lu+IC4Buh6DqM4HbJCZcMXKEtWE0a6dMf+tH sa+5OV7ezX5LCuDvQVp6p0LftAE= )

DNSSEC in Zone Files 0.121.74.in-addr.arpa. 86400 IN NS DNS1.ACTUSA.NET. 86400 IN NS DNS2.ACTUSA.NET. 86400 IN NS DNS3.ACTUSA.NET. 86400 DS 46693 5 1 ( AEEDA98EE493DFF5F3F33208ECB0FA4186BD 8056 ) 86400 DS 46693 5 2 ( 66E6D421894AFE2AF0B350BD8F4C54D2EBA5 DA72A615FE64BE8EF600C6534CEF ) 86400 RRSIG DS 5 5 86400 20140306210053 ( 20140224210053 57974 74.in-addr.arpa. n+aPxBHuf+sbzQN4LmHzlOi0C/hkaSVO3q1y 6J0KjqNPzYqtxLgZjU+IL9qhtIOocgNQib9l gFRmZ9inf2bER435GMsa/nnjpVVWW/MBRKxf Pcc72w2iOAMu2G0prtVT08ENxtu/pBfnsOZK nhCY8UOBOYLOLE5Whtk3XOuX9+U= ) 10800 NSEC 1.121.74.in-addr.arpa. NS DS RRSIG NSEC 10800 RRSIG NSEC 5 5 10800 20140306210053 ( 20140224210053 57974 74.in-addr.arpa. YvRowkdVDfv+PW42ySNUwW8S8jRyV6EKKRxe …

DNSSEC Validating Resolvers

•  www.internetsociety.org/deploy360/dnssec/ •  www.isc.org/downloads/bind/dnssec/

Reverse DNS Management and DNSSEC in ARIN Online •  Available on ARIN’s website http://www.arin.net/knowledge/dnssec/

DNSSEC Statistics

ARIN 36

Number of Orgs with DNSSEC 123

Total Number of Delegations 583,442

DNSSEC Secured Zones 586

Percentage Secured 0.1 %

Life After IPv4 Depletion •  Life After IPv4 Depletion

•  Jon Worley –Analyst

JonWorleyTechnicalServicesManager

Overview

•  IPv4 depletion recap •  Post-depletion observations •  Post-depletion IPv4 options

–  IPv4 Waiting List –  IPv4 Transfers – Dedicated IPv4 block to facilitate IPv6

deployment

53

IPv4 Address Space in ARIN Free Pool /8s

IPv4 Depletion Recap

•  June 2015: IPv4 requests reach peak volume –  414 total requests –  A mad rush for the last IPv4 blocks

•  July 1st, 2015: First unmet IPv4 request –  An org qualified for a block size that was no longer available –  Within a few weeks, only single /24s remained in the free pool

•  September 24th, 2015: Full IPv4 depletion –  No IPv4 blocks available other than those reserved for specific

policies –  Significant drop in monthly # of IPv4 requests

2015 IPv4 Requests

-------=waiXnglistiniXated-------=IPv4depleXon

0

50

100

150

200

250

300

350

400

450

Jan-15 Feb-15 Mar-15 Apr-15 May-15 Jun-15 Jul-15 Aug-15 Sep-15 Oct-15 Nov-15 Dec-15

Reserved IPv4 Space

•  /10 reserved to facilitate IPv6 deployment

•  2 /16s reserved for critical Internet infrastructure –  Public exchange points

–  Core DNS service providers (excluding new gTLDs)

–  Regional Internet Registries

–  IANA

Post-IPv4 Depletion Observations

•  IPv4 demand remains strong

•  Lots of questions/confusion from customers –  Not all aware we’ve reach full IPv4 depletion –  Education needed on post-depletion options

•  Keeping registration info current is essential –  Increase in # of blocks targeted for hijacking –  Blocks with bad org/contact info, especially legacy

ones, are the biggest target

58

Post-IPv4 Depletion Options

•  IPv4 Waiting List

•  IPv4 Transfer Market

•  Dedicated IPv4 block to facilitate IPv6 deployment

•  Adopt IPv6

IPv4 Waiting List •  Policy enacted first time ARIN did not have a

contiguous block of addresses of sufficient size to fulfill a qualified request –  Must qualify under current ARIN policy and request to be

added to the list –  Maximum approved size determined by ARIN –  Minimum acceptable size specified by requester –  One request per org on the list at a time –  Limit of one allocation or assignment every 3 months

•  Waiting List published on ARIN’s web site

–  Approximately /12 needed to fill all pending requests https://www.arin.net/resources/request/waiting_list.html

Requests Added to IPv4 Waiting List


0

10

20

30

40

50

60

70

80

90

Jun-15 Jul-15 Aug-15 Sep-15 Oct-15 Nov-15 Dec-15

Sources of IPv4 for the Waiting List

•  Returned to ARIN or revoked for non-payment –  In both cases, lengthy review required to

confirm space is eligible for reissue

•  Redistributed by IANA per global policy for “post exhaustion IPv4 allocation mechanisms by IANA”

»  /11 (issued 5/14), /12 (issued 9/14), /13 (issued 3/15), and /14 (issued 9/15) by IANA to each RIR

How Long Might You Wait? •  297 tickets added since wait list started •  27 wait list requests filled

–  13 filled with IANA /14 equivalent issued in 9/2015 –  13 filled with blocks previously held for organizations

deciding whether to go on the waiting –  1 filled with space that had been revoked

•  19 filled via 8.3 transfer and removed from list (as required per policy)

•  Demand is far greater than availability

63

Transfers of IPv4 Addresses 3 ARIN Transfer Policies Available:

–  Mergers and Acquisitions (NRPM 8.2) •  Traditional transfer based on change in business

structure, including company reorganizations, supported by legal documentation

–  Transfers to Specified Recipients (NRPM 8.3) •  IPv4 market transfer based on financial transaction,

supported by justified need (within region)

–  Inter-RIR transfers to Specified Recipients (NRPM 8.4) •  IPv4 market transfer based on financial transaction,

supported by justified need (outside region)

Transfers to Specified Recipients (NRPM 8.3)

•  Allows orgs with unused IPv4 resources to transfer them to orgs in need of IPv4 resources

•  Source – Must be current registrant, no disputes – Not have received addresses from ARIN for

12 months prior •  Recipient

– Must demonstrate need for 24-month supply under current ARIN policy

Specified Recipient Transfers


0

5

10

15

20

25

30

35

40

45


Inter-RIR Transfers (NRPM 8.4) •  RIR must have reciprocal, compatible

needs-based policies –  Currently APNIC and RIPE NCC

•  Transfers from ARIN –  Source cannot have received IPv4 from ARIN

12 months prior to transfer –  Must be current registrant, no disputes –  Recipient meets destination RIR policies

•  Transfers to ARIN –  Must demonstrate need for 24-month supply

under current ARIN policy

Inter-RIR Transfers


0

1

2

3

4

5

6

7

8


Documentation Required for IPv4 Source

•  Verification current registrant is active and in good standing within the ARIN region –  If there was a merger or acquisition, an M&A transfer may

be required before you can release your IPv4 addresses

•  Notarized officer acknowledgement

•  Additional items may be needed

IPv4 Recipient Documentation –  Utilization data for ARIN-issued IPv4 space

–  Data to support 24 month projected need •  Historical IPv4 utilization rate •  New services/markets to be deployed •  Customer growth projections

–  Signed officer attestation certifying data is accurate

Useful Transfer Information

•  ARIN cannot provide detailed information about your source/recipient partner’s status –  Can provide general status (e.g. “we’re waiting on them to

provide additional info”) –  If you need details on what’s required, ask your source/

recipient partner

•  If you’re on the IPv4 waiting list, you’ll be removed if/when you receive IPv4 addresses via transfer

IPv4 Transfer Stats

•  Transfers to Specified Recipients (8.3) –  452 prefixes transferred, ranging from /24s to /10 –  23 ASNs

•  Inter-RIR Transfers (8.4) –  201 prefixes transferred, ranging from /24s to /13s

•  188 ARIN to APNIC •  10 ARIN to RIPE NCC •  3 APNIC to ARIN

https://www.arin.net/knowledge/statistics/transfers.html

72

Pre-Approval for Recipients

•  Optional free service to confirm your 24 month projected need for IPv4 addresses –  Same documentation requirements as transfers

•  Used to receive IPv4 addresses via specified or Inter-RIR transfers up to the pre-approved amount –  Eliminates the need to re-justify need on each transfer –  Good for 24 months from the pre-approval date

Specified Transfer Listing Service (STLS)

•  Optional fee-based service to facilitate specified recipient and inter-RIR transfers –  Sources have IPv4 addresses verified as available –  Recipients have a verified need for IPv4 addresses –  Facilitators arrange transfers between parties

•  Approved participants can view detailed information for all other participants

•  Public summary available on ARIN’s website –  Available block sizes –  # of needers and approved block sizes –  List of facilitators with contact information

Tips for Faster Transfer Processing

•  Ensure all registration information is current –  If not, we can help you get it up to date

•  Request pre-approval –  Ensures you can bid confidently –  Turns transfers into a point-click-ship exercise

•  Provide detailed information to support 24- month need when submitting transfer/pre-approval

Reserved IPv4 Block for IPv6 Deployment Requirements

•  Used to facilitate IPv6 deployment (dual stacking, IPv4->IPv6 translation, etc)

•  Need cannot be met from your existing ARIN IPv4 space

•  Have an IPv6 block registered •  One /24 per organization every six months

Help! What Should I Do? •  Small networks can get a /24 once per six

months for IPv6 transition –  Cost likely to be lower than the transfer market –  Reserved block likely to last several years –  Can also have a request on the waiting list

•  Larger networks can get pre-approved for 24 month need and seek IPv4 on the transfer market –  Waiting list probably not a realistic option unless you can

delay your IPv4 needs indefinitely

•  All networks should begin IPv6 adoption

Waiting List vs. Transfer Market

IPv4,1,255

TransferMarket,260

Requests

WaiXngList,1,071

TransferMarket,83,154

/24sObtained

Since7/1/2015

LUNCH

Take your valuables as the room will not be locked.

ARINTechnicalServices

Debra Martin Senior Project Manager

Major Services •  ARIN Online •  Mail •  Directory Services

– Whois – Whois-RWS – RDAP

•  DNS •  IRR •  RPKI •  OT&E

ARIN Online •  Web Interface

–  Creating an account –  Linking to existing Points of Contacts (POCs) –  Creating/linking to Organizations –  Managing Reverse DNS –  Managing Resource Requests –  Specified Transfer Listing Service –  Ask ARIN –  Message Center –  RPKI –  Reporting –  Billing and Payments –  Voting

ARIN Online Usage •  104,312 accounts activated since

inception through Q3 of 2015

84

2008 2009 2010 2011 2012 2013 2014

2015*

Number of Accounts Activated

5000 10000 15000 20000

* Through Q3 of 2015

Active Usage of ARIN Online

85

0

10000

20000

30000

40000

50000

0 1 2 - 5 6 - 10 11 - 15 >16

Logins

# o

f Use

rs

Times logged in

•  Logins from inception through Q3 of 2015 •  One user logged in 1,205,887 times!

Linking? •  Way of managing resources put into

place before ARIN Online was unveiled

•  A good set of videos at – https://www.youtube.com/user/teamarin – Teaches you how to:

•  Create an account via “Manage your Records” video

•  Relationships with POCs “Point of Contact Records” video

Ask ARIN and Message Center •  Ask ARIN

A way to ask ARIN staff a question on the web

•  Message Center – Tracks ticketed requests – Ticketed requests are things like resource

requests and correspondence, RPKI notifications, reports

Reports •  Associations Report

– POCs linked to your ARIN Online account, including roles served by these POCs for any associated Org IDs (Admin, Tech, Abuse, etc.)

– Org IDs associated with your ARIN Online account

– Network records (NETs) and Autonomous System Number records (ASNs) associated with your linked POCs, directly or via an associated Org ID

Reports (Cont) •  User Reassignment Report

–  Reassignments associated with your ARIN Online account via associated Org IDs

–  ”Holes" in all Network records (NETs) associated with your ARIN Online account, where no reassignment or reallocation has been made

•  Whowas –  History of a resource

•  Bulk Whois –  Directory services information placed in files

•  Reports are ticketed and delivered into your Message Center

Billing

•  Can View and pay current and past-due invoices

REST Services

•  Provisioning – Reassignment Information – Points of Contacts – Organizations

•  Requesting Reports

What is REST? •  Representational State Transfer

•  As applied to web services – defines a pattern of usage with HTTP to create,

read, update, and delete (CRUD) data –  “Resources” are addressable in URLs

•  Very popular protocol model – Amazon S3, Yahoo & Google services, …

The BIG Advantage of REST •  Easily understood

– Any modern programmer can incorporate it – Can look like web pages

•  Re-uses HTTP in a simple manner – Many, many clients – Other HTTP advantages

•  This is why it is very, very popular with Google, Amazon, Yahoo, Twitter, Facebook, YouTube, Flickr, …

What does it look like? Who can use it? Wherethedatais.

Whattypeofdataitis.

TheIDofthedata.

ItisastandardURL.Anyonecanuseit.Goahead,putitintoyourbrowser.

Where can more information on REST be found?

•  RESTful Web Services – O’Reilly Media

–  Leonard Richardson

–  Sam Ruby

RESTful Services

•  Whois-RWS •  RDAP •  RPKI •  Provisioning •  Reporting

Mail/Templates

•  Before ARIN Online, only way of communicating with ARIN

•  Now only – Reassignment information –  Inter-RIR Transfers – Email Questions

•  Lots of Spam

Reg-RWS Transactions (cumulative)

98

408,383595,858

846,9431,066,037

1,311,4031,498,204

1,749,3832,006,440

40,374320,197

841,105

3,524,124

4,296,734

4,715,231

5,034,717

5,662,477

0

1,000,000

2,000,000

3,000,000

4,000,000

5,000,000

6,000,000

ARIN29 ARIN30 ARIN31 ARIN32 ARIN33 ARIN34 ARIN35 ARIN36

Template REST

Directory Services

•  Whois – Resource Information as per RFC812

•  Whois-RWS – RESTful Implementation of Whois

•  RDAP – Resource Information as per RFCs

7480-7484

Whois Queries Per Second

100

0

500

1000

1500

2000

2500

3000

3500

4000

2007-01

2007-04

2007-07

2007-10

2008-01

2008-04

2008-07

2008-10

2009-01

2009-04

2009-07

2009-10

2010-01

2010-04

2010-07

2010-10

2011-01

2011-04

2011-07

2011-10

2012-01

2012-04

2012-07

2012-10

2013-01

2013-04

2013-07

2013-10

2014-01

2014-04

2014-07

2014-10

2015-01

2015-04

2015-07

RESTful

Port43

DNS •  Provide Reverse DNS delegation

management for IPv4 and IPv6 •  This includes DNSSEC •  More Detail later

IRR •  Provides coarse routing information for

routing filters •  Processed through templates sent via

email •  Has a whois interface using RPSL (RFC

2622) •  ARIN will be upgrading this service

starting Q3 of 2016 •  Documented at

– https://www.arin.net/resources/routing/

OT&E (Operational Test & Evaluation) •  Lots of people test in production

–  Is not the best place to test –  Things do get stuck – may impact others –  Operational Test & Evaluation

•  Goodness of OT&E –  Place to test code –  Place to test process –  All services now under ote.arin.net except email –  Need to register to participate –  https://www.arin.net/resources/ote.html

RPKI

•  We will talk about this in detail later

Feedback

•  Users can notify us of Internet Number Resource Fraud and Whois Inaccuracy

•  Can provide feedback on the application via the feedback button

•  Suggestions through “ARIN Consultation and Suggestion Process” (ACSP)

Tools

•  Lots of API’s •  You can build your own tools •  Some have shared their tools with

others •  Repository for these tools is at http://

projects.arin.net

ARIN’s Policy Development Process

Kevin Blumberg Vice Chair, ARIN Advisory Council

Overview

Basic steps

Examples of past policy changes

A current proposal

How to get involved

Policy Development Process (PDP) Steps 1)  Proposal – Someone in the community thinks a policy can

be improved and documents 2)  Draft Policy- Discussion on the list and possibly at

meeting(s) - Is there really a problem? Is this a good solution?

3)  Recommended Draft Policy - More discussion and presentation at meeting(s). Does community support turning this into policy?

4)  Last call 5)  Board Review 6)  Staff Implementation (NRPM)

If you submit a proposal, you can participate further, or let the ARIN process “shepherd” it through the steps

Past Policy Changes: IPv6 Policy Circa 2001: Initial IPv6 policy aligned with IPv4 at that time,

conservation was important, small amounts issued for short periods, hierarchical distribution from upstreams, and, no end user policy at all

2003-2016 Dozens of proposals to improve IPv6 policy

Changes included: Minimum allocation size increased (/35 to /32), larger allocations from IANA, policy for end users, community networks (mesh networks), assignment sizes from ISPs to customers (/56s), larger amounts for ISPs and easier criteria, larger amounts for end users and easier criteria, bit boundary assignments and allocations, etc.

Past Policy Changes: Transfers 1997 thru 2007: Policy for Mergers and Acquisitions existed,

everything else should go back to ARIN

2007 thru 2016: Many proposals to improve transfers.

Changes included: Allow needs-based transfers of unused or underutilized address space between organizations via ARIN, increase supply period from one year to two, allow ASN transfers, allow Inter-RIR transfers, etc.

Still seeing proposals to make transfers easier, there are some who are trying to reduce the needs requirement, some want ARIN to simply record the transfers.

Policy Currently Under Discussion •  ARIN-2015-5: Out of Region Use

Would allow an organization to receive Internet number resources from ARIN for use out of region as long as the applicant is currently using at least the equivalent of a /22 of IPv4 space, /44 of IPv6, or 1 ASN within the ARIN service region.

•  Earlier Abandoned Proposals ARIN-2014-1: Out of Region Use ARIN-2013-6: Allocation of IPv4 and IPv6 Address Space to Out-of-region Requestors ARIN-2011-13: IPv4 Number Resources for Use Within Region

(continued on next slide)

2015-5 continued •  ARIN-2015-5 presented at ARIN 36 in Oct 2015 •  AC found draft to be fair, technically sound and

supported and promoted to recommended state (late Oct 2015)

•  Presented as Recommended Draft Policy at NANOG 66

•  Next steps –  Last call or present again at ARIN 37? –  After Last Call could be:

•  Review of last call comments •  Board Review •  Implementation by Staff

How Can You Get Involved? Two ways to learn and be heard

1.  Public Policy Mailing List

2.  Public Policy Consultations/Meetings

ARIN meetings (April and October)

ARIN Public Policy Consultations at NANOG (twice a year, usually February and June)

Remote participation supported

Takeaways 1)  ARIN doesn't make up number policy,

you do.

2)  Well documented policy development process includes assistance from ARIN AC and staff throughout the process.

3)  Stay informed. Join the policy list and/or attend meetings (in person or remotely).

References

Policy Development Process (PDP) http://www.arin.net/policy/pdp.html

Draft Policies and Proposals http://www.arin.net/policy/proposals/index.html

Number Resource Policy Manual (NRPM) http://www.arin.net/policy/nrpm.html

PDP Goals 1)  "open, transparent, and inclusive

manner that allows anyone to participate in the process.“

2)  "clear, technically sound and useful policies“

3)  “policies, not processes, fees, or services”

SecurityOverlaysonCoreInternetProtocols–RPKI

Frank Hill Sr Software Engineer

Core Internet Protocols

•  Two critical resources that are unsecured – Domain Name Servers – Routing

•  Hard to tell if compromised – From the user point of view – From the ISP/Enterprise

Routing

Routing Architecture •  The Internet uses a two level routing hierarchy:

–  Interior Routing Protocols, used by each network to determine how to reach all destinations that line within the network

–  Interior Routing protocols maintain the current topology of the network

Routing Architecture •  The Internet uses a two level routing hierarchy:

–  Exterior Routing Protocol, used to link each component network together into a single whole

–  Exterior protocols assume that each network is fully interconnected internally

Exterior Routing: BGP •  BGP is a large set of bilateral (1:1)

routing sessions – A tells B all the destinations (prefixes) that

A is capable of reaching – B tells A all the destinations that B is

capable of reaching

A B

10.0.0.0/2410.1.0.0/1610.2.0.0/18

192.2.200.0/24

What is RPKI? •  Resource Public Key Infrastructure

•  Attaches digital certificates to network resources – AS Numbers

–  IP Addresses

•  Allows ISPs to associate the two – Route Origin Authorizations (ROAs) – Can follow the address allocation chain

to the top

What does RPKI accomplish? •  Allows routers or other processes

to validate route origins •  Simplifies validation authority

information – Trust Anchor Locator

•  Distributes trusted information – Through repositories

Hierarchy of Resource Certificates

ICANN0.0.0.0/00::/0

ARIN128.0.0.0/8192.0.0.0/8

RegionalISP128.177.0.0/16

SomeSmallISP128.177.46.0/20

OtherSmallISP192.78.12.0/24

LACNIC AFRINIC RIPE APNIC

Route Origin Attestations ICANN

0.0.0.0/00::/0

ARIN128.0.0.0/8192.0.0.0/8





128.177.46.0/20AS53659

128.177.0.0/16AS17025 192.78.12.0/24

AS2000

Current Practices ICANN

0.0.0.0/00::/0

ARIN128.0.0.0/8192.0.0.0/8





128.177.0.0/16AS17025 192.78.12.0/24

AS2000128.177.46.0/20AS53659

What does RPKI Create?

•  It creates a repository – RFC 3779 (RPKI) Certificates – ROAs – CRLs – Manifest records

Relationships

CerXficatelistofIP&ASNResourcesAIA,URIoftheparentcertSIA,URIofthethemanifest

ManifestEECerXficate

URI/hashofCRLURIhashofallROAsURIofallchildcerts

CRLSerialnumbersofallrevokedcerts

ROA

ROAEEcerXficate

ASNlistofIPprefixes&maxlengths

Childcert

ChildCert

ParentKey

ParentCert

ParentManifest

Signs

Pointsto(hasURIfor)

CerXficateKey

AFRINIC RIPENCC APNIC ARIN LACNIC

LIR1 ISP2

ISP ISP ISP ISP4 ISP ISP ISP

Issued Certificates

Resource Allocation Hierarchy

Route Origination Authority “ISP4 permits AS65000 to originate a route for the prefix 192.2.200.0/24” Attachment: <isp4-ee-cert> Signed, ISP4 <isp4-ee-key-priv>

ICANN

Resource Cert Validation

AFRINIC RIPE NCC APNIC ARIN LACNIC

LIR1 ISP2

ISP ISP ISP ISP4 ISP ISP ISP



1. Did the matching private key sign this text?

ICANN

Issued Certificates



LIR1 ISP2

ISP ISP


ISP ISP4

2. Is this certificate valid?

ISP ISP ISP

Issued Certificates


ICANN



LIR1 ISP2

ISP ISP


ISP ISP4 ISP ISP ISP

Issued Certificates


ICANN

3. Is there a valid certificate path from a Trust Anchor to this certificate?


Repository View ./ba/03a5be-ddf6-4340-a1f9-1ad3f2c39ee6/1:!total 40!-rw-r--r-- 1 143 143 1543 Jun 26 2009 ICcaIRKhGHJ-TgUZv8GRKqkidR4.roa!-rw-r--r-- 1 143 143 1403 Jun 26 2009 cKxLCU94umS-qD4DOOkAK0M2US0.cer!-rw-r--r-- 1 143 143 485 Jun 26 2009 dSmerM6uJGLWMMQTl2esy4xyUAA.crl!-rw-r--r-- 1 143 143 1882 Jun 26 2009 dSmerM6uJGLWMMQTl2esy4xyUAA.mnf!-rw-r--r-- 1 143 143 1542 Jun 26 2009 nB0gDFtWffKk4VWgln-12pdFtE8.roa!

A Repository Directory containing an RFC3779 Certificate, two ROAs, a CRL, and a manifest

Repository Use •  Pull down these files using a manifest-

validating mechanism •  Validate the ROAs contained in the

repository •  Communicate with the router marking

routes “valid”, “invalid”, “unknown” •  Up to ISP to use local policy on how to

route

Possible Data Flow for Operations

•  RPKI Web interface -> Repository

•  Repository aggregator -> Validator

•  Validated entries -> Route Checking

•  Route checking results -> local routing decisions (based on local policy)

How you can use ARIN’s RPKI System? •  Hosted

– create ROAs through ARIN Online – create ROAs using ARIN’s RESTful service

•  Delegated using Up/Down Protocol

Hosted RPKI - ARIN Online •  Pros

– Easy to pick up and use – ARIN managed

•  Cons – No current support for downstream

customers to manage their own space – Tedious through the UI if you have a large

network – We hold your private key

Hosted RPKI - RESTful Interace

•  Pros – Programmatic interface for large networks – ARIN managed

•  Cons – No current support for downstream

customers to manage their own space – We hold your private key

Delegated RPKI with Up/Down

•  Pros – You safeguard your own private key – Follows the IETF up/down protocol

•  Cons – Extremely hard to setup – Need to operate your own RPKI

environment

Hosted RPKI in ARIN Online

Hosted RPKI in ARIN Online SAMPLE-ORG

Hosted RPKI in ARIN Online

Your ROA request is automatically processed and the ROA is placed in ARIN’s repository, accompanied by its certificate and a manifest. Users of the repository can now validate the ROA using RPKI validators.

DelegatedwithUp/Down

Delegated with Up/Down

•  You have to do all the ROA creation •  Need to setup a CA •  Have a highly available repository •  Create a CPS

RPKI Statistics ARIN XXX

ARIN XXXI

ARIN XXXII ARIN33 ARIN34 ARIN 35 ARIN 36

RPAs Signed 27 72 130 162 208 289 358

Certified Orgs 47 68 108 153 187 220

ROAs 19 60 106 162 239 308 338

Covered Resources 30 82 147 258 332 430 482

Up/Down Delegated 0 0 0 1 2

Moving to IPv6

DebMarXn,SeniorProjectManagerJonWorley,TechnicalServicesManager

The Amazing Success of the Internet

•  2.92 billion users! •  4.5 online hours per day per user! •  5.5% of GDP for G-20 countries

Time

Just about anything about the Internet

159

The Original IPv6 Plan - 1995

IPv6 Deployment

Time

IPv6 Transition – Dual Stack

IPv4 Pool Size

Size of the Internet

160

The Revised IPv6 Plan - 2005

IPv6 Deployment

2004

IPv6 Transition – Dual Stack

IPv4 Pool Size


2006 2008 2010 2012 Date

161

Oops! We were meant to have completed the transition to IPv6 BEFORE we completely exhausted the supply channels of IPv4 addresses!

162

Today’s Plan

IPv6 Deployment

IPv4 Pool Size


IPv6 Transition

Today

Time

?

0.8%

163

Transition... The downside of an end-to-end architecture:

–  There is no backwards compatibility across protocol families

–  A V6-only host cannot communicate with a V4-only host

We have been forced to undertake a Dual Stack transition:

–  Provision the entire network with both IPv4 AND IPv6 –  In Dual Stack, hosts configure the hosts’ applications

to prefer IPv6 to IPv4 –  When the traffic volumes of IPv4 dwindle to

insignificant levels, then it’s possible to shut down support for IPv4

164

Dual Stack Transition ... We did not appreciate the operational problems with this dual stack plan while it was just a paper exercise:

•  The combination of an end host preference for IPv6 and a disconnected set of IPv6 “islands” created operational problems

–  Protocol “failover” from IPv6 to IPv4 takes between 19 and 108 seconds (depending on the operating system configuration)

–  This is unacceptably slow

•  Attempting to “bridge” the islands with IPv6-in-IPv4 tunnels created a new collection of IPv6 path MTU Discovery operational problems

–  There are too many deployed network paths containing firewall filters that block all forms of ICMP, including ICMP6 Packet Too Big

•  Attempts to use end-host IPv6 tunneling also presents operational problems

–  Widespread use of protocol 41 (IP-in-IP) firewall filters –  Path MTU problems

165

Dual Stack Transition

Signal to the ISPs:

–  Deploy IPv6 and expose your users to operational problems with IPv6 connectivity

Or

–  Delay IPv6 deployment and wait for these operational issues to be solved by someone else

So we wait...

166

And while we wait... The Internet continues its growth. •  And without an abundant supply of IPv4

addresses to support this level of growth, the industry is increasingly reliant on NATs:

–  Edge NATs are now the de facto choice for residential broadband services at the CPE

–  ISP NATs are now the de facto choice for 3G and 4G mobile IP services

167

What is ARIN Hearing from the Community About IPv6?

•  Movement to IPv6 is slow, but progress being made –  ISPs slowly rolling out IPv6 –  Steady increase in IPv6 traffic –  Increase in IPv6 requests

•  Still high demand for IPv4 –  Many ISPs purchasing CGN boxes –  More turning to the IPv4 market

•  Rent by month •  Purchasing space outright (costs will increase)

168

Why is there little immediate need for IPv6?

•  Some of the claims are either not true or taken over by events –  IPv6 gives you better security –  IPv6 gives you better routing

•  Some positive things –  IPv6 allows for end-to-end networking to

occur again –  IPv6 has more address bits –  It is cheaper per address

169

2003: Sprint •  T1 via Sprint

•  Linux Router with Sangoma T1 Card

•  OpenBSD firewall

•  Linux-based WWW, DNS, FTP servers

•  Segregated network, no dual stack (security concerns)

•  A lot of PMTU issues

•  A lot of routing issues

•  Service did improve over the years

170

2008: NTT / TiNet IPv6 •  1000 Mbit/s to NTT / TiNet

•  Cisco ASR 1000 Router

•  Brocade Load Balancers - IPv6 support was Beta

•  DNS, Whois, IRR, more later

•  Dual stack

171

Past Meeting Networks •  IPv6 enabled since 2005

•  Tunnels to ARIN, others

•  Test bed for transition technology

•  NAT-PT (Cisco, OSS)

•  CGN / NAT-lite

•  IVI

•  Training opportunity

•  For staff & members

172

ARIN’s Current Challenges for Networking

•  Dual-Stacked Internally –  Challenges over time with our VPN (OpenVPN)

•  One interface works with v6 •  One does not

•  Middleware Boxes –  Claims do not support reality (“we support IPv6”) Yes, but… –  No 1-1 feature set –  Limits ARIN’s ability to support new services like https

support for Whois-RWS

173

However, there is some good news…

174

US IPv6 Deployment

•  > 25% of US customers connected to Google via IPv6 - up from 10% one year ago today & growing rapidly

175

TheStateofIPv6• Over10%oftheworldusesfacebookoverIPv6

Over10%2015

1%6/6/2012

176

Why Move to IPv6 Now? •  IPv4 depletion has occurred

–  Cost of IPv4 will only increase •  Lots more addresses and more!

–  IPv6 performs better than IPv4 –  IPv6 is simpler operationally; not difficult to deploy

•  More efficient network management - allows for end-to-end networking to occur again

•  Designed with security in mind •  IPv6 is your platform for innovation

177

Your IPv6 Checklist

•  Get your IPv6 address space •  Set up IPv6 connectivity (native or tunneled) •  Configure your operating systems, software,

and network management tools •  Upgrade your router, firewall, and other

hardware •  Get your IT staff training •  Enable IPv6 on your website

178

Talk to Your ISP About IPv6 Services

•  You want access to the entire Internet! –  ISPs must connect customers via IPv4

only, IPv4-IPv6, and IPv6 only – They must plan for IPv4-IPv6 transition

services •  Many transition technologies available •  Research options and make architectural

decisions 179

Dual-stack Your Network – IPv6 not backwards compatible with

IPv4 – Both will run simultaneously for years

180

Make Your Servers Reachable Over IPv6

– Mail, Web, Applications – Operating systems, software, and

network management tools

181

Audit Your Equipment and Software – AreyourdevicesandapplicaXonsIPv6ready?

182

Encourage Vendors to Support IPv6

– If not already, when will IPv6 support be part of their product cycle?

183

Get IPv6 Training for Staff – Freeresourcesavailable

184

Enable IPv6 on Your Website

185

Steps To Get Your Website IPv6-Enabled

TeamARIN.net/get6

186

IPv6 over time

ARIN IPv6 Allocations and Assignments 187

2015 IPv6 Requests

188


0

20

40

60

80

100

120


ARIN ISP Members with IPv4 and IPv6

5,268 total members as of 31 January 2016

189

Global IPv6 Status Percentage of Members with IPv6

190

Requesting IPv6 - ISPs •  Have a previous v4 allocation from

ARIN or predecessor registry OR •  Intend to multi-home OR •  Provide a technical justification

which details at least 50 assignments made within 5 years

191 191

Data ARIN Will Typically Ask For - ISPs

•  If requesting more than a /32, a spreadsheet/text file with – # of serving sites (PoPs, datacenters) – # of customers served by largest serving

site – Block size to be assigned to each

customer (/48 typical)

192 192

Requesting IPv6 – End Users •  Have a v4 direct assignment from ARIN or

predecessor registry OR •  Intend to multi-home OR •  Show how you will use 2000 IPv6 addresses or

200 IPv6 subnets within a year OR •  Technical justification as to why provider-

assigned IPs are unsuitable

193 193

Data ARIN Will Typically Ask For – End users •  If requesting more than a /48, a

spreadsheet/text file with – List of sites in your network

•  Site = distinct geographic location •  Street address for each

– Campus may count as multiple sites •  Technical justification showing how they’re

configured like geographically separate sites

194 37

2015 Best Practices Forum (BPF) on IPv6 Adoption

“Creating an Enabling Environment for IPv6 Adoption”

•  Part of the Internet Governance Forum (IGF), a multi-stakeholder forum for policy dialogue on issues of Internet governance

•  Project designed to document high level best practices for IPv6 adoption –  Best practice examples collected via:

•  Public survey running mid-July thru mid–November (results available on the IGF website)

•  Mailing list discussion •  E-mail correspondence

38

Final IPv6 BPF Document •  Provides an overview of various capacity building

programs that are available

•  Highlights numerous examples and best practices that can help businesses and governments with their IPv6 deployment projects

•  Large section of the document is dedicated to role and function of IPv6 task forces

http://www.intgovforum.org/cms/documents/best-practice-forums/creating-an-enabling-environment-for-the-development-of-local-content/581-igf2015-bpfipv6-finalpdf/file

196

Operational Guidance

www.NANOG.org/archives/ http://nabcop.org/index.php/Main_Page

197

http://www.internetsociety.org/deploy360/

http://www.intgovforum.org/cms/best-practice-forums/2015-bpf-outs

Internet Governance Forum – Enabling Environment for IPv6 Adoption

Learn More

IPv6 Info Center www.arin.net/knowledge/ipv6_info_center.html

www.GetIPv6.info

www.TeamARIN.net 41

Q&A/OpenMicSession

Take Aways •  Apply for IPv6 addresses and get started. •  Subscribe to an ARIN mailing list •  Participate in ARIN 37 – in person or remotely •  Apply for a future meeting fellowship •  Think about implementing DNSSEC/Resource

Certification •  Member organizations please update your

Voting Contact – linked to an ARIN Web User account

•  Reach out though various channels with questions or suggestions

ARIN Mailing Lists

ARINMailingListsARINConsultaXon-arin-consult@arin.netOpentothegeneralpublic.UsedinconjuncXonwiththeARINConsultaXonandSuggesXonProcess(ACSP)togathercomments,thislistisonlyopenwhenthereisacallforcommentsARINIssued-arin-issued@arin.netRead-onlylistopentothegeneralpublic.UsedbyARINstafftoprovideadailyreportofIPv4andIPv6addressesreturnedandIPv4andIPv6addressesissueddirectlybyARINoraddressblocksreturnedtoARIN'sfreepool.ARINTechnicalDiscussions-arin-tech-discuss@arin.netOpentothegeneralpublic.ProvidedforthoseinterestedinprovidingtechnicalfeedbacktoARINonexperiencesintheuseorevaluaXonofcurrentARINservicesandfeaturesindevelopment.

http://www.arin.net/participate/mailing_lists/index.html

ARIN Announce: [email protected] ARIN Discussion: [email protected] (members only) ARIN Public Policy: [email protected] ARIN Consultation: [email protected] ARIN Issued: [email protected] ARIN Technical Discussions: [email protected] Suggestions: [email protected]

ARIN on Social Media www.TeamARIN.net

www.facebook.com/TeamARIN

@TeamARIN

www.gplus.to/TeamARIN

www.linkedin.com/company/ARIN

www.youtube.com/TeamARIN

h;ps://www.arin.net/parAcipate/meeAngs/fellowship.html

tampa, fl - american registry for internet numbers · • community software project repository 22...

Documents