Columbia, SC 30 October 2014. Wireless Access: SSID: HHonors PW:Hilton16.
-
Upload
phyllis-garrison -
Category
Documents
-
view
217 -
download
2
Transcript of Columbia, SC 30 October 2014. Wireless Access: SSID: HHonors PW:Hilton16.
Columbia, SC30 October 2014
Wireless Access:
SSID: HHonorsPW:Hilton16
Welcome. Here today from ARIN…
• Susan Hamlin, Director,
Communications and Member Services
• Andy Newton, Chief Engineer
• John Sweeting, Advisory Council
Chair
• Jon Worley, Principal Technical
Analyst
Today’s Agenda• Welcome and Getting Started• ARIN: Mission, Role, and Services• IPv4 Inventory, Depletion Projections, Countdown Plan• Securing Internet Infrastructure I: DNSSEC• IPv4 Waiting List and Transfers• LUNCH - 12:00 PM - 1:00 PM Breakout Rooms I & II• IPv6 Addresses • Automating Interactions with ARIN• Other Items of Interest • BREAK 2:20 – 2:30 PM• Securing Internet Infrastructure II: RPKI - Andy Newton • Current Number Resource Policy Discussions and How to
Participate• Q&A / Open Microphone Session• Optional Ask ARIN - Opportunity for a one-on-one conversation with ARIN staff
Let’s Get Started!
• Self introductions – Name– Organization
ARIN: Mission, Role and Services
Susan HamlinDirector, Communications
and Member Services
”ARIN, a nonprofit member-based organization, supports the operation of the Internet through
the management of Internet number resources throughout its service region;
coordinates the development of policies by the community for the management of Internet Protocol number resources; and advances the Internet through informational outreach."
ARIN’s Service Region
ARIN’s region includes many (20) Caribbean and North Atlantic islands, Canada and the United States and
outlying areas.
Regional Internet Registries
Who Provisions IP Addresses & ASNs?
ICANNIANA
• Top level technical coordination of the Internet (Names, Numbers, Root Servers)• Manage global unallocated IP address pool
• Allocate number resources to RIRs
RIR• Manage regional unallocated IP address pool
• Allocate number resources to ISPs/LIRs• Assign number resources to End-users
ISP/LIR
• Manage local IP address pool for use by customers and for infrastructure
• Allocate number resources to ISPs• Assign number resources to End-users
ARIN Structure:• Not-for-profit• Fee for services, not number resources• 100% community funded• Membership organization (private and public
sector, civil society)• Member-elected Board of Trustees• Community regulated…Internet number resource
policies developed by the Community• Open and transparent
ARIN Support Organization
ARIN Board of Trustees• Paul Andersen, Vice Chair and Treasurer• Vinton G. Cerf, Chair• John Curran, President and CEO• Timothy Denton, Secretary• Aaron Hughes• Bill Sandiford• Bill Woodcock
13
ARIN Advisory Council• Dan Alexander, Vice Chair • Cathy Aronson• Kevin Blumberg• Bill Darte• Owen DeLong• Andrew Dul• David Farmer• Scott Leibrand• Tina Morris• Milton Mueller• Heather Schiller• Robert Seastrom• John Springer• John Sweeting, Chair
14
Number Resources Organization Policy
Development• IP address allocation
& assignment• ASN assignment• Directory services
• Whois -RWS• WhoWas• IRR
• Reverse DNS• DNSSEC• Resource Certification
(RPKI)• Community Software
Repository
• Information dissemination
• Websites• Educational
materials• IPv6 Wiki
• Social media
• Meetings• Elections• Outreach
• IPv6• Internet
Governance
• Maintain email discussion lists
• Conduct public policy meetings and public policy consultations
• Publish policy documents
ARIN Services
Information on Joining in the Internet Governance Discussion
Visit ARIN’s webpage:Ways to Participate in Internet Governance
https://www.arin.net/participate/governance/participate.html
ARIN Community Input• 14 March 2014 the US government announced desire to
transition oversight of the Internet Assigned Numbers Authority (IANA) functions contract from the National Telecommunications and Information Administration (NTIA) to the global multistakeholder community.
• Coordination Group formed to facilitate the transition process – input from the Number Resource Organization , Address Supporting Organization, ISOC, IETF, IAB
• All RIRs will engage their respective communities • ARIN 34 in Baltimore – on agenda and a ly consultation via
email on the issue• New mailing list created: [email protected]• Currently ARIN is seeking volunteers to join the Consolidated
RIR IANA Stewardship Proposal (CRISP) team
http://teamarin.net/education/internet-governance/iana-globalization/
Participate in ARINContribute your Opinions and Ideas:
• Public Policy Mailing List• IPv6 Wiki• Attend Public Policy and Members Meetings,
Public Public Policy Consultations – remote participation
• Outreach events• Submit a suggestion• Participate in community consultations• Write a guest blog – TeamARIN.net• Members – Vote in annual elections
ARIN Mailing Lists
http://www.arin.net/participate/mailing_lists/index.html
ARIN Announce: [email protected]
ARIN Discussion: [email protected] (members only)
ARIN Public Policy: [email protected]
ARIN Consultation: [email protected]
ARIN Issued: [email protected]
ARIN Technical Discussions: [email protected]
Suggestions: [email protected]
Q&A
ARIN’s IPv4 Inventory, Depletion Projections, and Countdown Plan
Jon WorleyPrincipal Technical Analyst
Updated daily @ 8PM ET
IPv4 inventory published on
ARIN’s website: www.arin.net
ARIN’s IPv4 InventoryAs of 27 Oct 2014, ARIN has 0.61 /8 equivalents of
IPv4 addresses remaining
Prefix Length Breakdown
IPv4 Annual Burn Rate
1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 20130
0.5
1
1.5
2
2.5
3
3.5
/8 Equivalents Issued
ARIN’s IPv4 Free Pool
2/2/1
1
3/8/1
1
4/11/1
1
5/15/1
1
6/18/1
1
7/22/1
1
8/25/1
1
9/28/1
1
11/1/1
1
12/5/1
1
1/8/1
2
2/11/1
2
3/16/1
2
4/19/1
2
5/23/1
2
6/26/1
2
7/30/1
2
9/2/1
2
10/6/1
2
11/9/1
2
12/13/1
2
1/16/1
3
2/19/1
3
3/25/1
3
4/28/1
3
6/1/1
3
7/5/1
3
8/8/1
3
9/11/1
3
10/15/1
3
11/18/1
3
12/22/1
3
1/25/1
4
2/28/1
4
4/3/1
4
5/7/1
4
6/10/1
4
7/14/1
4
8/17/1
4
9/20/1
4
10/24/1
40
1
2
3
4
5
6
/8 Equivalents in ARIN Free Pool
Linear Depletion Projection
2/2/1
1
3/16/1
1
4/27/1
1
6/8/1
1
7/20/1
1
8/31/1
1
10/12/1
1
11/23/1
1
1/4/1
2
2/15/1
2
3/28/1
2
5/9/1
2
6/20/1
2
8/1/1
2
9/12/1
2
10/24/1
2
12/5/1
2
1/16/1
3
2/27/1
3
4/10/1
3
5/22/1
3
7/3/1
3
8/14/1
3
9/25/1
3
11/6/1
3
12/18/1
3
1/29/1
4
3/12/1
4
4/23/1
4
6/4/1
4
7/16/1
4
8/27/1
4
10/8/1
4
11/19/1
4
12/31/1
4
2/11/1
5
3/25/1
50
1
2
3
4
5
6
/8 Equivalents in ARIN Free Pool
Depletion Notes• Could come at any time
– ARIN has issued 0.41 /8 equivalents in ~2 weeks before
• Policy requirement to only fill requests with one block will prevent large ISPS from depleting all of the small blocks
IPv4 Countdown Plan
IPv4 Countdown Plan – Phase 4
• Started at 1 /8 equivalent left • All IPv4 requests team-reviewed and
processed on a first in, first out basis• Org has 60 days from approval to
complete payment and RSA• IPv4 hold period drops to 2 months
New IPv4 Policy – “Reduce All Minimum
Allocation/Assignment Units to /24”
• Will be implemented on 17 Sept 2014• /24 minimum allocation/assignment• No longer a multi-homed
requirement
Minimum Requirements for IPv4 - ISPs
• ISPs qualify for a /24 by having one /24 reassigned and efficiently used
• Allocations > /24 based on demonstrated utilization history and renumbering (if applicable)
• Allocation size not based on predicted customer base (see Slow Start policy NRPM 4.2.1.4)
• 3 month supply per policy
IPv4 ISP Data Typically Requested
• Static: Mapping of static IPs/subnets to customer names and street addresses
• Dynamic: List of all dynamic pools with prefix/range assigned, area served (location), peak util %
• Internal Infrastructure: Mapping of internal subnets with description and # IPs used
Example
Other IPv4 ISP Data Requested
• Typically ask for:– Customer justification data
• If necessary, may ask for:– Customer contact information and proof
of customer payments– Proof of equipment lease/purchase
Minimum Requirements for IPv4 – End Users
• /24 minimum assignment size• Show 25% immediate utilization rate
(within 30 days) and 50% projected one-year utilization rate
• If requesting additional assignment, must show that each previous assignment is 80% utilized
IPv4 End User Data Requested
• Subnet mapping for previous ARIN assignments– Each subnet with description and # IPs
currently used
• Planned subnet mapping for requested block– Each subnet with description, # IPs used
within 30 days, # IPs used within one year
Example
The Bottom Line
• ARIN has v4 space today, but can’t guarantee future availability
• Plan appropriately to ensure continued growth of your network– Waiting List – Specified Recipient Transfers– IPv6
Q&A
Securing Internet Infrastructure: Using DNSSEC
with ARIN OnlineAndy NewtonChief Engineer
Why DNSSEC? What is it?
• Standard DNS (forward or reverse) responses are not secure– Easy to spoof– Notable malicious attacks
• DNSSEC attaches signatures– Validates responses– Can not spoof
Reverse DNS at ARIN
• ARIN issues blocks without any working DNS–Registrant must establish delegations after registration
–Then employ DNSSEC if desired
• Just as susceptible as forward DNS if you do not use DNSSEC
Reverse DNS at ARIN
• Authority to manage reverse zones follows allocations–“Shared Authority” model–Multiple sub-allocation recipient entities may have authority over a particular zone
Changes completed to make DNSSEC work at ARIN
• Permit by-delegation management• Sign in-addr.arpa. and ip6.arpa.
delegations that ARIN manages• Create entry method for DS Records
– ARIN Online– RESTful interface– Not available via templates
Changes completed to make DNSSEC work at ARIN
• Only key holders may create and submit Delegation Signer (DS) records
Reverse DNS in ARIN Online
First identify the network that you want to put Reverse DNS nameservers on…
Reverse DNS in ARIN Online
…then enter the Reverse DNS nameservers…
DNSSEC in ARIN Online…then apply DS record to apply to the delegation
Reverse DNS: Querying ARIN’s WhoisQuery for the zone directly:whois> 81.147.204.in-addr.arpa
Name: 81.147.204.in-addr.arpa.Updated: 2006-05-15NameServer: AUTHNS2.DNVR.QWEST.NETNameServer: AUTHNS3.STTL.QWEST.NETNameServer: AUTHNS1.MPLS.QWEST.NET
Ref: http://whois.arin.net/rest/rdns/81.147.204.in-addr.arpa.
DNSSEC in Zone Files; File written on Mon Feb 24 17:00:53 2014; dnssec_signzone version 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.60.74.in-addr.arpa. 86400 IN NS NS3.COVAD.COM. 86400 IN NS NS4.COVAD.COM. 10800 NSEC 1.74.in-addr.arpa. NS RRSIG NSEC 10800 RRSIG NSEC 5 4 10800 20140306210053 ( 20140224210053 57974 74.in-addr.arpa. oNk3GVaCWj2j8+EAr0PncqnZeQjm8h4w51nS D2VUi7YtR9FvYLF/j4KO+8qYZ3TAixb9c05c 8EVIhtY1grXEdOm30zJpZyaoaODpbHt8FdWY vwup9Tq4oVbxVyuSNXriZ2Mq55IIMgDR3nAT BLP5UClxUWkgvS/6poF+W/1H4QY= )1.74.in-addr.arpa. 86400 IN NS NS3.COVAD.COM. 86400 IN NS NS4.COVAD.COM. 10800 NSEC 10.74.in-addr.arpa. NS RRSIG NSEC 10800 RRSIG NSEC 5 4 10800 20140306210053 ( 20140224210053 57974 74.in-addr.arpa. DKYGzSDtIypDVcer5e+XuwoDW4auKy6G/OCV VTcfQGk+3iyy2CEKOZuMZXFaaDvXnaxey9R1 mjams519Ghxp2qOnnkOw6iB6mR5cNkYlkL0h lu+IC4Buh6DqM4HbJCZcMXKEtWE0a6dMf+tH sa+5OV7ezX5LCuDvQVp6p0LftAE= )
DNSSEC in Zone Files0.121.74.in-addr.arpa. 86400 IN NS DNS1.ACTUSA.NET. 86400 IN NS DNS2.ACTUSA.NET. 86400 IN NS DNS3.ACTUSA.NET. 86400 DS 46693 5 1 ( AEEDA98EE493DFF5F3F33208ECB0FA4186BD 8056 ) 86400 DS 46693 5 2 ( 66E6D421894AFE2AF0B350BD8F4C54D2EBA5 DA72A615FE64BE8EF600C6534CEF ) 86400 RRSIG DS 5 5 86400 20140306210053 ( 20140224210053 57974 74.in-addr.arpa. n+aPxBHuf+sbzQN4LmHzlOi0C/hkaSVO3q1y 6J0KjqNPzYqtxLgZjU+IL9qhtIOocgNQib9l gFRmZ9inf2bER435GMsa/nnjpVVWW/MBRKxf Pcc72w2iOAMu2G0prtVT08ENxtu/pBfnsOZK nhCY8UOBOYLOLE5Whtk3XOuX9+U= ) 10800 NSEC 1.121.74.in-addr.arpa. NS DS RRSIG NSEC 10800 RRSIG NSEC 5 5 10800 20140306210053 ( 20140224210053 57974 74.in-addr.arpa. YvRowkdVDfv+PW42ySNUwW8S8jRyV6EKKRxe…
Use REG-RWS for Bulk Changes• If you have a lot of changes,
copy&paste over the Web will be tedious.– Use REG-RWS.– Or ARINcli (which is a REG-RWS client)
• Reads zone files• http://projects.arin.net/arinr/rdns.1.html
DNSSEC Validating Resolvers
• www.internetsociety.org/deploy360/dnssec/• www.isc.org/downloads/bind/dnssec/
Reverse DNS Management and DNSSEC in ARIN Online• Available on ARIN’s websitehttp://www.arin.net/knowledge/dnssec/
Q&A
Jon WorleyPrincipal Technical Analyst
ARIN’s IPv4 Waiting List and the IPv4 Transfer
Market
IPv4 Waiting List
How It Works• If ARIN can’t fill a justified request,
option to specify smallest acceptable size
• If no block available between approved and smallest acceptable size, option to go on the waiting list
• May receive only one allocation every three months
• Only one request on the list at a time
Filling Waiting List Requests
• Oldest request filled first– Example
• /19 is oldest request• /16 returned to ARIN • ARIN breaks up the /16 and issues the /19
• Subject to re-verification • Removed from list once a block is
issued
IPv4 Churn • IPv4 addresses go back into ARIN’s free pool 4
ways– Return = voluntary– Revoke = for cause (usually nonpayment)– Reclaimed = fraud or business dissolution– IANA issued – per global policy for “post
exhaustion IPv4 allocation mechanisms by IANA”
• 3.54 /8s recovered since 2005– /8 equivalent returned to IANA in 2012
• /11(May 2014) & /12 (Sept 2014) issued by IANA
Global Policy for Post Exhaustion IPv4 Allocation Mechanisms by the
IANA• RIRS may return IPv4 space of any
prefix size to IANA• IANA will issue this returned space in
equal allocation sizes to the 5 RIRs twice per year
• Policy activated when first RIR reaches /9 in its IPv4 inventory (Lacnic in May 2014)
Burn Rate vs. Churn Rate
2005 2006 2007 2008 2009 2010 2011 2012 20130
50000
100000
150000
200000
250000
300000
# /24s issued# /24s received back
Reality Check
• At the rate at which IPv4 addresses were recovered in 2013, it would take 51 years to fill all of 2013’s approved requests
IPv4 Transfer Market
Types of Transfers
• Mergers and Acquisitions (8.2)• Transfers to Specified Recipients
(8.3)• Inter-RIR transfers (8.4)
Transfers to Specified Recipients
• 12 month waiting period (anti-flip provision)
• Recipient must qualify to receive resources under current ARIN policy
• Recipient may receive up to a 24 month supply
Specified Recipient Transfer Notes
• 82 transfers completed (53,124 /24s)*
• Transactions typically arranged through IPv4 brokers
*As of Jul 31, 2014
Inter-RIR Transfers From ARIN
• RIR must have reciprocal, compatible needs-based policies
• Currently: APNIC – Under discussion in the RIPE NCC, LACNIC, &
AFRINIC regions
• Org releasing resources must not have received IPv4 from ARIN within the past 12 months
• Recipient must meet other RIR’s Inter-RIR transfer policy requirements
Inter-RIR Transfers To ARIN
• RIR must have reciprocal, compatible needs-based policies– Currently: APNIC
• Recipient must qualify to receive resources under current policy
• Recipient may request up to a 24 month supply
Inter-RIR Transfer Notes
• 34 transfers completed (5,040 /24s total)*
• ARIN & APNIC for now• Expectation is primarily ARIN to
APNIC given the early exhaustion of IPv4 in the APNIC region
*As of Jul 31, 2014
Specified Transfer Listing Service(STLS)
• 3 ways to participate– Listers: have available IPv4 addresses– Needers: looking for more IPv4 addresses– Facilitators: available to help listers and
needers find each other
• Major Uses– Matchmaking– Obtain preapproval for a transaction
arranged outside STLS
Misconceptions About Specified Recipient Transfers
• IPv4 transactions will never be allowed– Fact: Transfer of unused IPv4 started June
2009
• It’s a ploy to take my unused addresses back– Fact: ARIN does not require the return of
address space
• ARIN recognizes all IPv4 transactions– Fact: Must meet policy requirements
Tips and Tricks• Make sure you are applying under the
correct transfer policy• Involve ARIN as early as possible
– Make sure a contemplated specified transfer meets ARIN requirements before finalizing
• Make sure that all registration information is current and accurate
• Use ARIN’s STLS to pre-qualify• Provide detailed information to support 24
month need
IPv4 Transfer Market
Reality Check
• Reports say current asking prices are around $10/IPv4 address
• Prices will likely rise once ARIN’s depletes its IPv4 pool (supply and demand)
• Supply not guaranteed; need willing participants
• Temporary measure; does not preclude need to transition to IPv6
Q&A
Lunch Break
Take your valuables as the room will not be locked.
This Afternoon’s Agenda• IPv6 Addresses • Automating Interactions with ARIN• Other Items of Interest • BREAK 2:20 – 2:30 PM• Securing Internet Infrastructure II: RPKI -
Andy Newton • Current Number Resource Policy
Discussions and How to Participate• Q&A / Open Microphone Session• Optional Ask ARIN - Opportunity for a one-on-
one conversation with ARIN staff
Jon WorleyPrincipal Technical Analyst
Registration Services Department
Obtaining IPv6 Address Space
Why Adopt IPv6?
• Global IPv4 pool is depleted• ARIN’s IPv4 free pool will be gone soon• IPv4 Waiting list is uncertain and sure to
be loooooooooooong• IPv4 Transfer Market = $$$$$• How will you continue to grow your
network?• What other options do you have?
Qualifying for IPv6 - ISPs
• Have a previous v4 allocation from ARIN OR
• Intend to multi-home OR• Provide a technical justification which
details at least 50 assignments made within 5 years
IPv6 ISP Data Typically Requested
• If requesting more than a /32, a spreadsheet/text file with– # of serving sites (PoPs, datacenters)– # of customers served by largest
serving site– Block size to be assigned to each
customer (/48 typical)
Qualifying for IPv6 – End Users
• Have a v4 direct assignment OR• Intend to multi-home OR• Show how you will use 2000 IPv6
addresses or 200 IPv6 subnets within a year OR
• Technical justification as to why provider-assigned IPs are unsuitable
IPv6 End Users – Data Requested
• List of sites in your network– Site = distinct geographic location– Street address for each
• Campus may count as multiple sites– Technical justification showing how
they’re configured like geographically separate sites
ISP Members with IPv4 and IPv6
*4,818 total members
2010Q3 2011Q3 2012Q3 2013Q3 2014Q3
% IPv4 Only 0.75 0.66 0.62 0.59 0.58
% IPv4 and IPv6
0.25 0.34 0.38 0.41 0.42
5%15%25%35%45%55%65%75%85%95%
IPv4-only and IPv4+v6 ISPs
ARIN Resources
IPv6 Info Centerwww.arin.net/knowledge/ipv6_info_center.html
www.GetIPv6.info
www.TeamARIN.net
Operational Guidance
www.InternetSociety.org/Deploy360/
www.NANOG.org/archives/
www.hpc.mil/cms2/index.php/ipv6-knowledge-base-general-info
bcop.NANOG.org
Q&A
Automating Your Interactions with ARIN
Andy NewtonChief Engineer
Why Automate?
• Interact with ARIN faster• Not dependent on ARIN’s systems for
user interface issues• Build a customized system using
standards-based technologies• Improved accuracy• Integrate multiple services
Why Automate (continued)
• We have a rich set of interfaces• Focused on reliability and
completeness• Welcome to share your tools with the
community at projects.arin.net
REST – Service Summary
• ARIN’s RESTful Web Services (RWS)– Whois-RWS
• Provides public Whois data via REST
– Reg-RWS (or Registration-RWS)• Allows ARIN customers to register and
maintain data in a programmatic fashion
– Report Request/Retrieval Automation• Permits request and download of various
ARIN data (subject to AUP)
– RPKI using Reg-RWS
What is REST?• Representational State Transfer
• As applied to web services– defines a pattern of usage with HTTP to
create, read, update, and delete (CRUD) data
– “Resources” are addressable in URLs
• Very popular protocol model– Amazon S3, Yahoo & Google services, …
The BIG Advantage of REST• Easily understood
– Any modern programmer can incorporate it– Can look like web pages
• Re-uses HTTP in a simple manner– Many, many clients– Other HTTP advantages
• This is why it is very, very popular with Google, Amazon, Yahoo, Twitter, Facebook, YouTube, Flickr, …
What does it look like?Who can use it?
http://whois.arin.net/rest/poc/KOSTE-ARIN
Where the data is.
What type of data it is.
The ID of the data.
It is a standard URL. Anyone can use it.Go ahead, put it into your browser.
Where can more information on REST be found?
• RESTful Web Services– O’Reilly Media
– Leonard Richardson
– Sam Ruby
Whois-RWS• Publicly accessible, just like traditional
Whois• Searches and lookups on IP addresses,
AS numbers, POCs, Orgs, etc…• Very popular
– As of October 2014, constitutes 65% of our query load
• For more information:– http://www.arin.net/resources/whoisrws/index.html
Registration RWS (Reg-RWS)
• Programmatic way to interact with ARIN– Intended to be used for automation– Not meant to be used by humans
• Useful for ISPs that manage a large number of SWIP records
• Requires an investment of time to achieve those benefits
Reg-RWS
• Requires an API Key– You generate one in ARIN Online on the
“Web Account” page• Permits you to register and manage
your data (ORGs, POCs, NETs, ASes)– But only your data
• More information– http://www.arin.net/resources/restful-interfaces.htm
l
Anatomy of a RESTful request• Uses a URL (just like you would type into
your browser)• Uses a request type, known as a “method”,
of GET, PUT, POST or DELETE• Usually requires a payload
– Adheres to a published structure– Depends upon the type of data– Depends upon the method
• Method, Payload, and XML schema info is found at “RESTful Provisioning Downloads”
Example – Reassign Detailed• Your automated system issues a PUT
command to ARIN using the following URL:http://www.arin.net/rest/net/NET-10-129-0-0-1/reassign?apikey=API-1234-5678-9A
BC-DEFG
The payload contains the following data:
<net xmlns="http://www.arin.net/regrws/core/v1" > <version>4</version> <comment></comment> <registrationDate></registrationDate> <orgHandle>HW-1</orgHandle> <handle></handle> <netBlocks> <netBlock> <type>A</type> <description>Reassigned</description> <startAddress>10.129.0.0</startAddress> <endAddress>10.129.0.255</endAddress> <cidrLength>24</cidrLength> </netBlock> </netBlocks> <parentNetHandle>NET-10-129-0-0-1</parentNetHandle> <netName>HELLOWORLD</netName> <originASes></originASes> <pocLinks></pocLinks></net>
Example – Reassign DetailedARIN’s web server returns the
following to your automated system:<net xmlns="http://www.arin.net/regrws/core/v1" > <version>4</version> <comment></comment> <registrationDate>Tue Jan 25 16:17:18 EST 2011</registrationDate> <orgHandle>HW-1</orgHandle> <handle>NET-10-129-0-0-2</handle> <netBlocks> <netBlock> <type>A</type> <description>Reassigned</description> <startAddress>10.129.0.0</startAddress> <endAddress>10.129.0.255</endAddress> <cidrLength>24</cidrLength> </netBlock> </netBlocks> <parentNetHandle>NET-10-129-0-0-1</parentNetHandle> <netName>netName>HELLOWORLD</netName> <originASes></originASes> <pocLinks></pocLinks></net>
Reg-RWS Has More Than Templates
• Only programmatic way to do IPv6 Reassign Simple
• Only programmatic way to manage Reverse DNS
• Only programmatic way to access your ARIN tickets
Reg-RWS adoption at ARIN
– In 2012…• 1.09 Million transactions processed
– 375K processed via Reg-RWS (34%)– 371K processed via Template (34%)– Remainder via ARIN Online
– In 2013…• 4.72 Million transactions processed
– 3.66M processed via Reg-RWS (78%)– 488K processed via Template (10%)– Remainder via ARIN online
Testing Your Reg-RWS Client• We offer an Operational Test &
Evaluation environment for Reg-RWS• Your real data, but isolated
– Helps you develop against a real system without the worry that real data could get corrupted
• For more information:– http://www.arin.net/resources/ote.html
Obtaining RESTful Assistance
• http://www.arin.net/resources/restful-interfaces.html• Pay attention to Method, Payload, and XML schema
documents under “RESTful Provisioning Downloads”• Or use ARIN Online’s Ask ARIN feature• Or use the arin-tech-discuss mailing list
– Make sure to subscribe– Someone on the list will help you ASAP– Archives on the web site
• Registration Services Help Desk telephone not a good fit– Debugging these problems requires a detailed look at
the URL, method, and payload being used
Report Request/Retrieval
• For customer-specific data, access is restricted by user– Permits you to request and retrieve
reports– But only your data
• For public services, you must first sign an AUP or TOU (Bulk Whois, Registered ASNs, WhoWas)– ARIN staff may review your need to access this data
• Requires an API Key
New Feature: RPKI thru Reg-RWS• Delegated – very complex• Hosted – easy but tedious if
managing a large network through the UI
• Solution: Interface to sign ROAs using the RESTful API– Ease of Hosted– Programmatic way of managing a large
number of ROAs
Whois-RWS and the Future
• Whois-RWS is ARIN’s RESTful interface to Whois.– RIPE also has a RESTful interface for
Whois but it is not compatible
• IETF will hopefully be ratifying RDAP by the end of this year.– Will be supported by all 5 RIRs and some
domain registries.
Q&A
Other Items of Interest
Securing Internet Infrastructure:
Route Origin Securityusing RPKI at ARINAndy Newton
Chief Engineer
What is RPKI?• Resource Public Key Infrastructure
• Attaches digital certificates to network resources– AS Numbers
– IP Addresses
• Allows ISPs to associate the two– Route Origin Authorizations (ROAs)– Can follow the address allocation chain
to the top
What does RPKI accomplish?
• Allows routers or other processes to validate route origins
• Simplifies validation authority information– Trust Anchor Locator
• Distributes trusted information– Through repositories
AFRINIC RIPE NCC APNIC ARIN LACNIC
LIR1 ISP2
ISP ISP ISP ISP4 ISP ISP ISP
Issued Certificates
Resource Allocation Hierarchy
Route Origination Authority“ISP4 permits AS65000 to originate a route for the prefix 192.2.200.0/24”
Attachment: <isp4-ee-cert>
Signed, ISP4 <isp4-ee-key-priv>
ICANN
Resource Cert Validation
AFRINIC RIPE NCC APNIC ARIN LACNIC
LIR1 ISP2
ISP ISP ISP ISP4 ISP ISP ISP
Resource Allocation Hierarchy
Route Origination Authority“ISP4 permits AS65000 to originate a route for the prefix 192.2.200.0/24”
Attachment: <isp4-ee-cert>
Signed, ISP4 <isp4-ee-key-priv>
1. Did the matching private key sign this text?
ICANN
Issued Certificates
Resource Cert Validation
AFRINIC RIPE NCC APNIC ARIN LACNIC
LIR1 ISP2
ISP ISP
Route Origination Authority“ISP4 permits AS65000 to originate a route for the prefix 192.2.200.0/24”
Attachment: <isp4-ee-cert>
Signed, ISP4 <isp4-ee-key-priv>
ISP ISP4
2. Is this certificate valid?
ISP ISP ISP
Issued Certificates
Resource Allocation Hierarchy
ICANN
Resource Cert Validation
AFRINIC RIPE NCC APNIC ARIN LACNIC
LIR1 ISP2
ISP ISP
Route Origination Authority“ISP4 permits AS65000 to originate a route for the prefix 192.2.200.0/24”
Attachment: <isp4-ee-cert>
Signed, ISP4 <isp4-ee-key-priv>
ISP ISP4 ISP ISP ISP
Issued Certificates
Resource Allocation Hierarchy
ICANN
3. Is there a valid certificate path from a Trust Anchor to this certificate?
Resource Cert Validation
What does RPKI Create?
• It creates a repository– RFC 3779 (RPKI) Certificates– ROAs– CRLs– Manifest records
Repository View./ba/03a5be-ddf6-4340-a1f9-1ad3f2c39ee6/1:total 40-rw-r--r-- 1 143 143 1543 Jun 26 2009 ICcaIRKhGHJ-TgUZv8GRKqkidR4.roa-rw-r--r-- 1 143 143 1403 Jun 26 2009 cKxLCU94umS-qD4DOOkAK0M2US0.cer-rw-r--r-- 1 143 143 485 Jun 26 2009 dSmerM6uJGLWMMQTl2esy4xyUAA.crl-rw-r--r-- 1 143 143 1882 Jun 26 2009 dSmerM6uJGLWMMQTl2esy4xyUAA.mnf-rw-r--r-- 1 143 143 1542 Jun 26 2009 nB0gDFtWffKk4VWgln-12pdFtE8.roa
A Repository Directory containing an RFC3779 Certificate, two ROAs, a CRL, and a manifest
Repository Use
• Pull down these files using a manifest-validating mechanism
• Validate the ROAs contained in the repository
• Communicate with the router marking routes “valid”, “invalid”, “unknown”
• Up to ISP to use local policy on how to route
Possible Flow
• RPKI Web interface -> Repository
• Repository aggregator -> Validator
• Validated entries -> Route Checking
• Route checking results -> local routing decisions (based on local policy)
How you can use ARIN’s RPKI System?• Hosted• Hosted using ARIN’s RESTful service• Delegated using Up/Down Protocol
Hosted RPKI
• Pros– Easier to use– ARIN managed
• Cons– No current support for downstream
customers to manage their own space (yet)
– Tedious through the UI if you have a large network
– We hold your private key
Hosted RPKI with RESTful Interace• Pros
– Easier to use– ARIN managed– Programatic interface for large networks
• Cons– No current support for downstream
customers to manage their own space (yet)
– We hold your private key
Delegated RPKI with Up/Down• Pros
– You keep your own private key– Follows the IETF up/down protocol
• Cons– Extremely hard to setup– Need to operate your own RPKI
environment
Hosted RPKI in ARIN Online
Hosted RPKI in ARIN Online
Hosted RPKI in ARIN Online
Hosted RPKI in ARIN Online
Hosted RPKI in ARIN OnlineSAMPLE-ORG
Hosted RPKI in ARIN OnlineSAMPLE-ORG
Hosted RPKI in ARIN Online
Your ROA request is automatically processed and the ROA is placed in ARIN’s repository, accompanied by its certificate and a manifest. Users of the repository can now validate the ROA using RPKI validators.
Delegated with Up/Down
Delegated with Up/Down
Delegated with Up/Down
Delegated with Up/Down
• You have to do all the ROA creation• Need to setup a CA• Have a highly available repository• Create a CPS
Updates within RPKI outside of ARIN• The four other RIRs are in production
with Hosted CA services• ARIN and APNIC have delegated
working for the public• Major routing vendor support being
tested• Announcement of public domain
routing code support
ARIN Status
• Hosted CA deployed 15 Sept 2012• Web Delegated CA deployed 16 Feb
2013 (now deprecated)• Delegated using “Up/Down” protocol
deployed 7 Sept 2013• RESTful interface deployed 1 Feb
2014
RPKI Usage
Oct 2012 Apr 2013 Oct 2013 Apr 2014
RPAs Signed 27 72 130 162
Certified Orgs 47 68 108
ROAs 19 60 106 162
Covered Resources 30 82 147 258
Web Delegated 0 0 0
Up/Down Delegated 0 0
Why is this important?
• Provides more credibility to identify resource holders
• Leads to better routing security
Q&A
ARIN’s Policy Development ProcessCurrent Number Resource Policy
Discussions and How to Participate
John SweetingChair, ARIN Advisory Council
Policy Development Process (PDP)
FlowchartProposal TemplateArchivePetitions
http://www.arin.net/policy/pdp.html
Policy Development PrinciplesOpen
– Developed in open forum• Public Policy Mailing List• Public Policy Meetings / Consultations
– Anyone can participate
Transparent– All aspects documented and available on
website• Policy process, meetings, and policies
Bottom-up – Policies developed by the community– Staff implements, but does not make policy
Who Plays a Role in the Policy Process?Community
– Submits proposals – Participates in discussions and petitions
Advisory Council (elected volunteers)– Facilitates the policy process– Develops policy that:
• enables fair and impartial resource administration• is technically sound• is supported by the Community
– Determines consensus based on community input
Roles…ARIN Board of Trustees (elected
volunteers)– Provides corporate fiduciary oversight– Ensures the policy process has been
followed– Adopts policies
ARIN Staff– Provides feedback to community
• Staff and legal assessments• Policy experience reports
– Implements adopted policies
Basic Steps1. Proposal from community member
2. AC works with author ensure it is clear and in scope
3. AC promotes proposal to Draft Policy for community discussion/feedback (PPML and possibly PPC/PPM)
4. AC recommends fully developed Draft Policy (fair, sound and supported by community) for adoption
5. Recommended Draft Policy must be presented at a face-to-face meeting (PPC/PPM)
6. If AC still recommends adoption, then Last Call, review of last call, and send to Board
7. Board reviews
8. Staff implements
Petitions
• Petitions available for:– Delay by the AC
• Proposal to Draft Policy (after 60 days)
• Draft to Recommended Draft (after 90)
• Last Call (after 60)
• Board (after 60)
– Abandonment
– Rejection (proposals out of scope)
• Petitions begin with 5 day duration, needing support from 10 people from 10 different organizations (later stages require more people)
• Despite low bar, attempted petitions are rare
Number Resource Policy Manual
ARIN’s Policy Document – Version 2014.4 (17 September 2014)– 35th version
Contains• Change Logs• HTML/PDF/txt
http://www.arin.net/policy/nrpm.html
Policies in the NRPM
• ARIN Principles
• IPv4 Address Space
• IPv6 Address Space
• Autonomous System Numbers (ASNs)
• Directory Services (Whois)
• Reverse DNS (in-addr)
• Transfers
• Experimental Assignments
• Resource Review Policy
Current Draft Policies/ProposalsRecommended Draft Policies
• ARIN-2014-9: Resolve Conflict Between RSA and 8.2 Utilization Requirements
Last call 15-29 October 2014
https://www.arin.net/policy/proposals/
Current Draft Policies/ProposalsDraft Policies1. ARIN-2014-1: Out of Region Use2. ARIN-2014-6: Remove 7.1 [Maintaining IN-ADDRs]3. ARIN-2014-14: Removing Needs Test from Small IPv4
Transfers4. ARIN-2014-17: Change Utilization Requirements from last-
allocation to total-aggregate5. ARIN-2014-19: New MDN Allocation Based on Past Utilization
Draft Policy
Recently abandoned:ARIN-2014-15: Allow Inter-RIR ASN TransfersARIN-2014-16: Section 4.10 Austerity Policy UpdateARIN-2014-18: Simplifying Minimum Allocations and AssignmentsARIN-2014-20: Transfer Policy Slow Start and Simplified Needs Verificationhttps://www.arin.net/policy/proposals/
Recently Adopted Policy
1. ARIN-2013-7: NRPM 4 (IPv4) Policy Cleanup
2. ARIN-2013-8: Subsequent Allocations for New Multiple Discrete Networks
3. ARIN-2014-5: Remove 7.2 Lame Delegations
4. ARIN-2014-12: Anti-hijack Policy5. ARIN-2014-13: Reduce All Minimum
Allocation/Assignment Units to /24https://www.arin.net/policy/proposals/
How Can You Get Involved?
There are two ways to voice your opinion:
– Public Policy Mailing List
– Public Policy Consultations/Meetings
• In person or remotely
• ARIN meetings and PPCs at NANOG
Public Policy Mailing List (PPML)
• Open to anyone• Easy to subscribe to • Contains: ideas, proposals, draft policies,
last calls, announcements of adoption and implementation, petitions, and more…
• Archived• RSS feed available
https://www.arin.net/participate/mailing_lists/index.html
ARIN Meetings• Two ARIN meetings a year
– Attend and participate in person or remotely• Check the ARIN Participate/Meetings site a few weeks
prior to meeting• Look at the Proposals/Draft Policies on Agenda (what and when?)• Get a copy of the Discussion Guide (summaries and text)• Attend/log in and state your opinion
– Additional Public Policy Consultations• Currently being held during NANOG meetings• Potential for additional ones in different venues in the future
Advisory Council Meetings
• Teleconference meetings held monthly(currently the third Thursday of the
month)• AC meeting results
– Watch PPML for AC’s decisions (once a month)– Read AC meeting minutes– Draft Policies – good or bad ideas, for or against?– Last Calls – For or against?
References
Policy Development Processhttp://www.arin.net/policy/pdp.html
Draft Policies and Proposalshttp://www.arin.net/policy/proposals/index.html
Number Resource Policy Manualhttp://www.arin.net/policy/nrpm.html
Q&A
Q&A / Open Mic Session
Apply now for ARIN 35April 2015 in San Francisco
Fill out & submitthe survey for your chance to win a $100 Amazon Gift Card!
Ask ARIN• ARIN staff available for your
questions one-on-one
Historical Timeline
167
Historical Timeline
168