Columbia, SC30 October 2014

Wireless Access:

SSID: HHonorsPW:Hilton16

Welcome. Here today from ARIN…

• Susan Hamlin, Director,

Communications and Member Services

• Andy Newton, Chief Engineer

• John Sweeting, Advisory Council

Chair

• Jon Worley, Principal Technical

Analyst

Today’s Agenda• Welcome and Getting Started• ARIN: Mission, Role, and Services• IPv4 Inventory, Depletion Projections, Countdown Plan• Securing Internet Infrastructure I: DNSSEC• IPv4 Waiting List and Transfers• LUNCH - 12:00 PM  -  1:00 PM Breakout Rooms I & II• IPv6 Addresses • Automating Interactions with ARIN• Other Items of Interest • BREAK 2:20 – 2:30 PM• Securing Internet Infrastructure II: RPKI - Andy Newton • Current Number Resource Policy Discussions and How to

Participate• Q&A / Open Microphone Session• Optional Ask ARIN - Opportunity for a one-on-one conversation with ARIN staff

Let’s Get Started!

• Self introductions – Name– Organization

ARIN: Mission, Role and Services

Susan HamlinDirector, Communications

and Member Services

”ARIN, a nonprofit member-based organization, supports the operation of the Internet through

the management of Internet number resources throughout its service region;

coordinates the development of policies by the community for the management of Internet Protocol number resources; and advances the Internet through informational outreach."

ARIN’s Service Region

ARIN’s region includes many (20) Caribbean and North Atlantic islands, Canada and the United States and

outlying areas.

Regional Internet Registries

Who Provisions IP Addresses & ASNs?

ICANNIANA

• Top level technical coordination of the Internet (Names, Numbers, Root Servers)• Manage global unallocated IP address pool

• Allocate number resources to RIRs

RIR• Manage regional unallocated IP address pool

• Allocate number resources to ISPs/LIRs• Assign number resources to End-users

ISP/LIR

• Manage local IP address pool for use by customers and for infrastructure

• Allocate number resources to ISPs• Assign number resources to End-users

ARIN Structure:• Not-for-profit• Fee for services, not number resources• 100% community funded• Membership organization (private and public

sector, civil society)• Member-elected Board of Trustees• Community regulated…Internet number resource

policies developed by the Community• Open and transparent

ARIN Support Organization

ARIN Board of Trustees• Paul Andersen, Vice Chair and Treasurer• Vinton G. Cerf, Chair• John Curran, President and CEO• Timothy Denton, Secretary• Aaron Hughes• Bill Sandiford• Bill Woodcock

13

ARIN Advisory Council• Dan Alexander, Vice Chair • Cathy Aronson• Kevin Blumberg• Bill Darte• Owen DeLong• Andrew Dul• David Farmer• Scott Leibrand• Tina Morris• Milton Mueller• Heather Schiller• Robert Seastrom• John Springer• John Sweeting, Chair

14

Number Resources Organization Policy

Development• IP address allocation

& assignment• ASN assignment• Directory services

• Whois -RWS• WhoWas• IRR

• Reverse DNS• DNSSEC• Resource Certification

(RPKI)• Community Software

Repository

• Information dissemination

• Websites• Educational

materials• IPv6 Wiki

• Social media

• Meetings• Elections• Outreach

• IPv6• Internet

Governance

• Maintain email discussion lists

• Conduct public policy meetings and public policy consultations

• Publish policy documents

ARIN Services

Information on Joining in the Internet Governance Discussion

Visit ARIN’s webpage:Ways to Participate in Internet Governance

https://www.arin.net/participate/governance/participate.html

ARIN Community Input• 14 March 2014 the US government announced desire to

transition oversight of the Internet Assigned Numbers Authority (IANA) functions contract from the National Telecommunications and Information Administration (NTIA) to the global multistakeholder community.

• Coordination Group formed to facilitate the transition process – input from the Number Resource Organization , Address Supporting Organization, ISOC, IETF, IAB

• All RIRs will engage their respective communities • ARIN 34 in Baltimore – on agenda and a ly consultation via

email on the issue• New mailing list created: iana-transition@arin.net• Currently ARIN is seeking volunteers to join the Consolidated

RIR IANA Stewardship Proposal (CRISP) team

http://teamarin.net/education/internet-governance/iana-globalization/

Participate in ARINContribute your Opinions and Ideas:

• Public Policy Mailing List• IPv6 Wiki• Attend Public Policy and Members Meetings,

Public Public Policy Consultations – remote participation

• Outreach events• Submit a suggestion• Participate in community consultations• Write a guest blog – TeamARIN.net• Members – Vote in annual elections

ARIN Mailing Lists

http://www.arin.net/participate/mailing_lists/index.html

ARIN Announce: arin-announce@arin.net

ARIN Discussion: arin-discuss@arin.net (members only)

ARIN Public Policy: arin-ppml@arin.net

ARIN Consultation: arin-consult@arin.net

ARIN Issued: arin-issued@arin.net

ARIN Technical Discussions: arin-tech-discuss@arin.net

Suggestions: arin-suggestions@arin.net

Q&A

ARIN’s IPv4 Inventory, Depletion Projections, and Countdown Plan

Jon WorleyPrincipal Technical Analyst

Updated daily @ 8PM ET

IPv4 inventory published on

ARIN’s website: www.arin.net

ARIN’s IPv4 InventoryAs of 27 Oct 2014, ARIN has 0.61 /8 equivalents of

IPv4 addresses remaining

Prefix Length Breakdown

IPv4 Annual Burn Rate

1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 20130

0.5

1

1.5

2

2.5

3

3.5

/8 Equivalents Issued

ARIN’s IPv4 Free Pool

2/2/1

1

3/8/1

1

4/11/1

1

5/15/1

1

6/18/1

1

7/22/1

1

8/25/1

1

9/28/1

1

11/1/1

1

12/5/1

1

1/8/1

2

2/11/1

2

3/16/1

2

4/19/1

2

5/23/1

2

6/26/1

2

7/30/1

2

9/2/1

2

10/6/1

2

11/9/1

2

12/13/1

2

1/16/1

3

2/19/1

3

3/25/1

3

4/28/1

3

6/1/1

3

7/5/1

3

8/8/1

3

9/11/1

3

10/15/1

3

11/18/1

3

12/22/1

3

1/25/1

4

2/28/1

4

4/3/1

4

5/7/1

4

6/10/1

4

7/14/1

4

8/17/1

4

9/20/1

4

10/24/1

40

1

2

3

4

5

6

/8 Equivalents in ARIN Free Pool

Linear Depletion Projection

2/2/1

1

3/16/1

1

4/27/1

1

6/8/1

1

7/20/1

1

8/31/1

1

10/12/1

1

11/23/1

1

1/4/1

2

2/15/1

2

3/28/1

2

5/9/1

2

6/20/1

2

8/1/1

2

9/12/1

2

10/24/1

2

12/5/1

2

1/16/1

3

2/27/1

3

4/10/1

3

5/22/1

3

7/3/1

3

8/14/1

3

9/25/1

3

11/6/1

3

12/18/1

3

1/29/1

4

3/12/1

4

4/23/1

4

6/4/1

4

7/16/1

4

8/27/1

4

10/8/1

4

11/19/1

4

12/31/1

4

2/11/1

5

3/25/1

50

1

2

3

4

5

6

/8 Equivalents in ARIN Free Pool

Depletion Notes• Could come at any time

– ARIN has issued 0.41 /8 equivalents in ~2 weeks before

• Policy requirement to only fill requests with one block will prevent large ISPS from depleting all of the small blocks

IPv4 Countdown Plan

IPv4 Countdown Plan – Phase 4

• Started at 1 /8 equivalent left • All IPv4 requests team-reviewed and

processed on a first in, first out basis• Org has 60 days from approval to

complete payment and RSA• IPv4 hold period drops to 2 months

New IPv4 Policy – “Reduce All Minimum

Allocation/Assignment Units to /24”

• Will be implemented on 17 Sept 2014• /24 minimum allocation/assignment• No longer a multi-homed

requirement

Minimum Requirements for IPv4 - ISPs

• ISPs qualify for a /24 by having one /24 reassigned and efficiently used

• Allocations > /24 based on demonstrated utilization history and renumbering (if applicable)

• Allocation size not based on predicted customer base (see Slow Start policy NRPM 4.2.1.4)

• 3 month supply per policy

IPv4 ISP Data Typically Requested

• Static: Mapping of static IPs/subnets to customer names and street addresses

• Dynamic: List of all dynamic pools with prefix/range assigned, area served (location), peak util %

• Internal Infrastructure: Mapping of internal subnets with description and # IPs used

Example

Other IPv4 ISP Data Requested

• Typically ask for:– Customer justification data

• If necessary, may ask for:– Customer contact information and proof

of customer payments– Proof of equipment lease/purchase

Minimum Requirements for IPv4 – End Users

• /24 minimum assignment size• Show 25% immediate utilization rate

(within 30 days) and 50% projected one-year utilization rate

• If requesting additional assignment, must show that each previous assignment is 80% utilized

IPv4 End User Data Requested

• Subnet mapping for previous ARIN assignments– Each subnet with description and # IPs

currently used

• Planned subnet mapping for requested block– Each subnet with description, # IPs used

within 30 days, # IPs used within one year

Example

The Bottom Line

• ARIN has v4 space today, but can’t guarantee future availability

• Plan appropriately to ensure continued growth of your network– Waiting List – Specified Recipient Transfers– IPv6

Q&A

Securing Internet Infrastructure: Using DNSSEC

with ARIN OnlineAndy NewtonChief Engineer

Why DNSSEC? What is it?

• Standard DNS (forward or reverse) responses are not secure– Easy to spoof– Notable malicious attacks

• DNSSEC attaches signatures– Validates responses– Can not spoof

Reverse DNS at ARIN

• ARIN issues blocks without any working DNS–Registrant must establish delegations after registration

–Then employ DNSSEC if desired

• Just as susceptible as forward DNS if you do not use DNSSEC

Reverse DNS at ARIN

• Authority to manage reverse zones follows allocations–“Shared Authority” model–Multiple sub-allocation recipient entities may have authority over a particular zone

Changes completed to make DNSSEC work at ARIN

• Permit by-delegation management• Sign in-addr.arpa. and ip6.arpa.

delegations that ARIN manages• Create entry method for DS Records

– ARIN Online– RESTful interface– Not available via templates

Changes completed to make DNSSEC work at ARIN

• Only key holders may create and submit Delegation Signer (DS) records

Reverse DNS in ARIN Online

First identify the network that you want to put Reverse DNS nameservers on…

Reverse DNS in ARIN Online

…then enter the Reverse DNS nameservers…

DNSSEC in ARIN Online…then apply DS record to apply to the delegation

Reverse DNS: Querying ARIN’s WhoisQuery for the zone directly:whois> 81.147.204.in-addr.arpa

Name: 81.147.204.in-addr.arpa.Updated: 2006-05-15NameServer: AUTHNS2.DNVR.QWEST.NETNameServer: AUTHNS3.STTL.QWEST.NETNameServer: AUTHNS1.MPLS.QWEST.NET

Ref: http://whois.arin.net/rest/rdns/81.147.204.in-addr.arpa.

DNSSEC in Zone Files; File written on Mon Feb 24 17:00:53 2014; dnssec_signzone version 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.60.74.in-addr.arpa. 86400 IN NS NS3.COVAD.COM. 86400 IN NS NS4.COVAD.COM. 10800 NSEC 1.74.in-addr.arpa. NS RRSIG NSEC 10800 RRSIG NSEC 5 4 10800 20140306210053 ( 20140224210053 57974 74.in-addr.arpa. oNk3GVaCWj2j8+EAr0PncqnZeQjm8h4w51nS D2VUi7YtR9FvYLF/j4KO+8qYZ3TAixb9c05c 8EVIhtY1grXEdOm30zJpZyaoaODpbHt8FdWY vwup9Tq4oVbxVyuSNXriZ2Mq55IIMgDR3nAT BLP5UClxUWkgvS/6poF+W/1H4QY= )1.74.in-addr.arpa. 86400 IN NS NS3.COVAD.COM. 86400 IN NS NS4.COVAD.COM. 10800 NSEC 10.74.in-addr.arpa. NS RRSIG NSEC 10800 RRSIG NSEC 5 4 10800 20140306210053 ( 20140224210053 57974 74.in-addr.arpa. DKYGzSDtIypDVcer5e+XuwoDW4auKy6G/OCV VTcfQGk+3iyy2CEKOZuMZXFaaDvXnaxey9R1 mjams519Ghxp2qOnnkOw6iB6mR5cNkYlkL0h lu+IC4Buh6DqM4HbJCZcMXKEtWE0a6dMf+tH sa+5OV7ezX5LCuDvQVp6p0LftAE= )

DNSSEC in Zone Files0.121.74.in-addr.arpa. 86400 IN NS DNS1.ACTUSA.NET. 86400 IN NS DNS2.ACTUSA.NET. 86400 IN NS DNS3.ACTUSA.NET. 86400 DS 46693 5 1 ( AEEDA98EE493DFF5F3F33208ECB0FA4186BD 8056 ) 86400 DS 46693 5 2 ( 66E6D421894AFE2AF0B350BD8F4C54D2EBA5 DA72A615FE64BE8EF600C6534CEF ) 86400 RRSIG DS 5 5 86400 20140306210053 ( 20140224210053 57974 74.in-addr.arpa. n+aPxBHuf+sbzQN4LmHzlOi0C/hkaSVO3q1y 6J0KjqNPzYqtxLgZjU+IL9qhtIOocgNQib9l gFRmZ9inf2bER435GMsa/nnjpVVWW/MBRKxf Pcc72w2iOAMu2G0prtVT08ENxtu/pBfnsOZK nhCY8UOBOYLOLE5Whtk3XOuX9+U= ) 10800 NSEC 1.121.74.in-addr.arpa. NS DS RRSIG NSEC 10800 RRSIG NSEC 5 5 10800 20140306210053 ( 20140224210053 57974 74.in-addr.arpa. YvRowkdVDfv+PW42ySNUwW8S8jRyV6EKKRxe…

Use REG-RWS for Bulk Changes• If you have a lot of changes,

copy&paste over the Web will be tedious.– Use REG-RWS.– Or ARINcli (which is a REG-RWS client)

• Reads zone files• http://projects.arin.net/arinr/rdns.1.html

DNSSEC Validating Resolvers

• www.internetsociety.org/deploy360/dnssec/• www.isc.org/downloads/bind/dnssec/

Reverse DNS Management and DNSSEC in ARIN Online• Available on ARIN’s websitehttp://www.arin.net/knowledge/dnssec/

Q&A

Jon WorleyPrincipal Technical Analyst

ARIN’s IPv4 Waiting List and the IPv4 Transfer

Market

IPv4 Waiting List

How It Works• If ARIN can’t fill a justified request,

option to specify smallest acceptable size

• If no block available between approved and smallest acceptable size, option to go on the waiting list

• May receive only one allocation every three months

• Only one request on the list at a time

Filling Waiting List Requests

• Oldest request filled first– Example

• /19 is oldest request• /16 returned to ARIN • ARIN breaks up the /16 and issues the /19

• Subject to re-verification • Removed from list once a block is

issued

IPv4 Churn • IPv4 addresses go back into ARIN’s free pool 4

ways– Return = voluntary– Revoke = for cause (usually nonpayment)– Reclaimed = fraud or business dissolution– IANA issued – per global policy for “post

exhaustion IPv4 allocation mechanisms by IANA”

• 3.54 /8s recovered since 2005– /8 equivalent returned to IANA in 2012

• /11(May 2014) & /12 (Sept 2014) issued by IANA

Global Policy for Post Exhaustion IPv4 Allocation Mechanisms by the

IANA• RIRS may return IPv4 space of any

prefix size to IANA• IANA will issue this returned space in

equal allocation sizes to the 5 RIRs twice per year

• Policy activated when first RIR reaches /9 in its IPv4 inventory (Lacnic in May 2014)

Burn Rate vs. Churn Rate

2005 2006 2007 2008 2009 2010 2011 2012 20130

50000

100000

150000

200000

250000

300000

# /24s issued# /24s received back

Reality Check

• At the rate at which IPv4 addresses were recovered in 2013, it would take 51 years to fill all of 2013’s approved requests

IPv4 Transfer Market

Types of Transfers

• Mergers and Acquisitions (8.2)• Transfers to Specified Recipients

(8.3)• Inter-RIR transfers (8.4)

Transfers to Specified Recipients

• 12 month waiting period (anti-flip provision)

• Recipient must qualify to receive resources under current ARIN policy

• Recipient may receive up to a 24 month supply

Specified Recipient Transfer Notes

• 82 transfers completed (53,124 /24s)*

• Transactions typically arranged through IPv4 brokers

*As of Jul 31, 2014

Inter-RIR Transfers From ARIN

• RIR must have reciprocal, compatible needs-based policies

• Currently: APNIC – Under discussion in the RIPE NCC, LACNIC, &

AFRINIC regions

• Org releasing resources must not have received IPv4 from ARIN within the past 12 months

• Recipient must meet other RIR’s Inter-RIR transfer policy requirements

Inter-RIR Transfers To ARIN

• RIR must have reciprocal, compatible needs-based policies– Currently: APNIC

• Recipient must qualify to receive resources under current policy

• Recipient may request up to a 24 month supply

Inter-RIR Transfer Notes

• 34 transfers completed (5,040 /24s total)*

• ARIN & APNIC for now• Expectation is primarily ARIN to

APNIC given the early exhaustion of IPv4 in the APNIC region

*As of Jul 31, 2014

Specified Transfer Listing Service(STLS)

• 3 ways to participate– Listers: have available IPv4 addresses– Needers: looking for more IPv4 addresses– Facilitators: available to help listers and

needers find each other

• Major Uses– Matchmaking– Obtain preapproval for a transaction

arranged outside STLS

Misconceptions About Specified Recipient Transfers

• IPv4 transactions will never be allowed– Fact: Transfer of unused IPv4 started June

2009

• It’s a ploy to take my unused addresses back– Fact: ARIN does not require the return of

address space

• ARIN recognizes all IPv4 transactions– Fact: Must meet policy requirements

Tips and Tricks• Make sure you are applying under the

correct transfer policy• Involve ARIN as early as possible

– Make sure a contemplated specified transfer meets ARIN requirements before finalizing

• Make sure that all registration information is current and accurate

• Use ARIN’s STLS to pre-qualify• Provide detailed information to support 24

month need

IPv4 Transfer Market

Reality Check

• Reports say current asking prices are around $10/IPv4 address

• Prices will likely rise once ARIN’s depletes its IPv4 pool (supply and demand)

• Supply not guaranteed; need willing participants

• Temporary measure; does not preclude need to transition to IPv6

Q&A

Lunch Break

Take your valuables as the room will not be locked.

This Afternoon’s Agenda• IPv6 Addresses • Automating Interactions with ARIN• Other Items of Interest • BREAK 2:20 – 2:30 PM• Securing Internet Infrastructure II: RPKI -

Andy Newton • Current Number Resource Policy

Discussions and How to Participate• Q&A / Open Microphone Session• Optional Ask ARIN - Opportunity for a one-on-

one conversation with ARIN staff

Jon WorleyPrincipal Technical Analyst

Registration Services Department

Obtaining IPv6 Address Space

Why Adopt IPv6?

• Global IPv4 pool is depleted• ARIN’s IPv4 free pool will be gone soon• IPv4 Waiting list is uncertain and sure to

be loooooooooooong• IPv4 Transfer Market = $$$$$• How will you continue to grow your

network?• What other options do you have?

Qualifying for IPv6 - ISPs

• Have a previous v4 allocation from ARIN OR

• Intend to multi-home OR• Provide a technical justification which

details at least 50 assignments made within 5 years

IPv6 ISP Data Typically Requested

• If requesting more than a /32, a spreadsheet/text file with– # of serving sites (PoPs, datacenters)– # of customers served by largest

serving site– Block size to be assigned to each

customer (/48 typical)

Qualifying for IPv6 – End Users

• Have a v4 direct assignment OR• Intend to multi-home OR• Show how you will use 2000 IPv6

addresses or 200 IPv6 subnets within a year OR

• Technical justification as to why provider-assigned IPs are unsuitable

IPv6 End Users – Data Requested

• List of sites in your network– Site = distinct geographic location– Street address for each

• Campus may count as multiple sites– Technical justification showing how

they’re configured like geographically separate sites

ISP Members with IPv4 and IPv6

*4,818 total members

2010Q3 2011Q3 2012Q3 2013Q3 2014Q3

% IPv4 Only 0.75 0.66 0.62 0.59 0.58

% IPv4 and IPv6

0.25 0.34 0.38 0.41 0.42

5%15%25%35%45%55%65%75%85%95%

IPv4-only and IPv4+v6 ISPs

ARIN Resources

IPv6 Info Centerwww.arin.net/knowledge/ipv6_info_center.html

www.GetIPv6.info

www.TeamARIN.net

Operational Guidance

www.InternetSociety.org/Deploy360/

www.NANOG.org/archives/

www.hpc.mil/cms2/index.php/ipv6-knowledge-base-general-info

bcop.NANOG.org

Q&A

Automating Your Interactions with ARIN

Andy NewtonChief Engineer

Why Automate?

• Interact with ARIN faster• Not dependent on ARIN’s systems for

user interface issues• Build a customized system using

standards-based technologies• Improved accuracy• Integrate multiple services

Why Automate (continued)

• We have a rich set of interfaces• Focused on reliability and

completeness• Welcome to share your tools with the

community at projects.arin.net

REST – Service Summary

• ARIN’s RESTful Web Services (RWS)– Whois-RWS

• Provides public Whois data via REST

– Reg-RWS (or Registration-RWS)• Allows ARIN customers to register and

maintain data in a programmatic fashion

– Report Request/Retrieval Automation• Permits request and download of various

ARIN data (subject to AUP)

– RPKI using Reg-RWS

What is REST?• Representational State Transfer

• As applied to web services– defines a pattern of usage with HTTP to

create, read, update, and delete (CRUD) data

– “Resources” are addressable in URLs

• Very popular protocol model– Amazon S3, Yahoo & Google services, …

The BIG Advantage of REST• Easily understood

– Any modern programmer can incorporate it– Can look like web pages

• Re-uses HTTP in a simple manner– Many, many clients– Other HTTP advantages

• This is why it is very, very popular with Google, Amazon, Yahoo, Twitter, Facebook, YouTube, Flickr, …

What does it look like?Who can use it?

http://whois.arin.net/rest/poc/KOSTE-ARIN

Where the data is.

What type of data it is.

The ID of the data.

It is a standard URL. Anyone can use it.Go ahead, put it into your browser.

Where can more information on REST be found?

• RESTful Web Services– O’Reilly Media

– Leonard Richardson

– Sam Ruby

Whois-RWS• Publicly accessible, just like traditional

Whois• Searches and lookups on IP addresses,

AS numbers, POCs, Orgs, etc…• Very popular

– As of October 2014, constitutes 65% of our query load

• For more information:– http://www.arin.net/resources/whoisrws/index.html

Registration RWS (Reg-RWS)

• Programmatic way to interact with ARIN– Intended to be used for automation– Not meant to be used by humans

• Useful for ISPs that manage a large number of SWIP records

• Requires an investment of time to achieve those benefits

Reg-RWS

• Requires an API Key– You generate one in ARIN Online on the

“Web Account” page• Permits you to register and manage

your data (ORGs, POCs, NETs, ASes)– But only your data

• More information– http://www.arin.net/resources/restful-interfaces.htm

l

Anatomy of a RESTful request• Uses a URL (just like you would type into

your browser)• Uses a request type, known as a “method”,

of GET, PUT, POST or DELETE• Usually requires a payload

– Adheres to a published structure– Depends upon the type of data– Depends upon the method

• Method, Payload, and XML schema info is found at “RESTful Provisioning Downloads”

Example – Reassign Detailed• Your automated system issues a PUT

command to ARIN using the following URL:http://www.arin.net/rest/net/NET-10-129-0-0-1/reassign?apikey=API-1234-5678-9A

BC-DEFG

The payload contains the following data:

<net xmlns="http://www.arin.net/regrws/core/v1" > <version>4</version> <comment></comment> <registrationDate></registrationDate> <orgHandle>HW-1</orgHandle> <handle></handle> <netBlocks> <netBlock> <type>A</type> <description>Reassigned</description> <startAddress>10.129.0.0</startAddress> <endAddress>10.129.0.255</endAddress> <cidrLength>24</cidrLength> </netBlock> </netBlocks> <parentNetHandle>NET-10-129-0-0-1</parentNetHandle> <netName>HELLOWORLD</netName> <originASes></originASes> <pocLinks></pocLinks></net>

Example – Reassign DetailedARIN’s web server returns the

following to your automated system:<net xmlns="http://www.arin.net/regrws/core/v1" > <version>4</version> <comment></comment> <registrationDate>Tue Jan 25 16:17:18 EST 2011</registrationDate> <orgHandle>HW-1</orgHandle> <handle>NET-10-129-0-0-2</handle> <netBlocks> <netBlock> <type>A</type> <description>Reassigned</description> <startAddress>10.129.0.0</startAddress> <endAddress>10.129.0.255</endAddress> <cidrLength>24</cidrLength> </netBlock> </netBlocks> <parentNetHandle>NET-10-129-0-0-1</parentNetHandle> <netName>netName>HELLOWORLD</netName> <originASes></originASes> <pocLinks></pocLinks></net>

Reg-RWS Has More Than Templates

• Only programmatic way to do IPv6 Reassign Simple

• Only programmatic way to manage Reverse DNS

• Only programmatic way to access your ARIN tickets

Reg-RWS adoption at ARIN

– In 2012…• 1.09 Million transactions processed

– 375K processed via Reg-RWS (34%)– 371K processed via Template (34%)– Remainder via ARIN Online

– In 2013…• 4.72 Million transactions processed

– 3.66M processed via Reg-RWS (78%)– 488K processed via Template (10%)– Remainder via ARIN online

Testing Your Reg-RWS Client• We offer an Operational Test &

Evaluation environment for Reg-RWS• Your real data, but isolated

– Helps you develop against a real system without the worry that real data could get corrupted

• For more information:– http://www.arin.net/resources/ote.html

Obtaining RESTful Assistance

• http://www.arin.net/resources/restful-interfaces.html• Pay attention to Method, Payload, and XML schema

documents under “RESTful Provisioning Downloads”• Or use ARIN Online’s Ask ARIN feature• Or use the arin-tech-discuss mailing list

– Make sure to subscribe– Someone on the list will help you ASAP– Archives on the web site

• Registration Services Help Desk telephone not a good fit– Debugging these problems requires a detailed look at

the URL, method, and payload being used

Report Request/Retrieval

• For customer-specific data, access is restricted by user– Permits you to request and retrieve

reports– But only your data

• For public services, you must first sign an AUP or TOU (Bulk Whois, Registered ASNs, WhoWas)– ARIN staff may review your need to access this data

• Requires an API Key

New Feature: RPKI thru Reg-RWS• Delegated – very complex• Hosted – easy but tedious if

managing a large network through the UI

• Solution: Interface to sign ROAs using the RESTful API– Ease of Hosted– Programmatic way of managing a large

number of ROAs

Whois-RWS and the Future

• Whois-RWS is ARIN’s RESTful interface to Whois.– RIPE also has a RESTful interface for

Whois but it is not compatible

• IETF will hopefully be ratifying RDAP by the end of this year.– Will be supported by all 5 RIRs and some

domain registries.

Q&A

Other Items of Interest

Securing Internet Infrastructure:

Route Origin Securityusing RPKI at ARINAndy Newton

Chief Engineer

What is RPKI?• Resource Public Key Infrastructure

• Attaches digital certificates to network resources– AS Numbers

– IP Addresses

• Allows ISPs to associate the two– Route Origin Authorizations (ROAs)– Can follow the address allocation chain

to the top

What does RPKI accomplish?

• Allows routers or other processes to validate route origins

• Simplifies validation authority information– Trust Anchor Locator

• Distributes trusted information– Through repositories

AFRINIC RIPE NCC APNIC ARIN LACNIC

LIR1 ISP2

ISP ISP ISP ISP4 ISP ISP ISP

Issued Certificates

Resource Allocation Hierarchy

Route Origination Authority“ISP4 permits AS65000 to originate a route for the prefix 192.2.200.0/24”

Attachment: <isp4-ee-cert>

Signed, ISP4 <isp4-ee-key-priv>

ICANN

Resource Cert Validation

AFRINIC RIPE NCC APNIC ARIN LACNIC

LIR1 ISP2

ISP ISP ISP ISP4 ISP ISP ISP

Resource Allocation Hierarchy

Route Origination Authority“ISP4 permits AS65000 to originate a route for the prefix 192.2.200.0/24”

Attachment: <isp4-ee-cert>

Signed, ISP4 <isp4-ee-key-priv>

1. Did the matching private key sign this text?

ICANN

Issued Certificates

Resource Cert Validation

AFRINIC RIPE NCC APNIC ARIN LACNIC

LIR1 ISP2

ISP ISP

Route Origination Authority“ISP4 permits AS65000 to originate a route for the prefix 192.2.200.0/24”

Attachment: <isp4-ee-cert>

Signed, ISP4 <isp4-ee-key-priv>

ISP ISP4

2. Is this certificate valid?

ISP ISP ISP

Issued Certificates

Resource Allocation Hierarchy

ICANN

Resource Cert Validation

AFRINIC RIPE NCC APNIC ARIN LACNIC

LIR1 ISP2

ISP ISP

Route Origination Authority“ISP4 permits AS65000 to originate a route for the prefix 192.2.200.0/24”

Attachment: <isp4-ee-cert>

Signed, ISP4 <isp4-ee-key-priv>

ISP ISP4 ISP ISP ISP

Issued Certificates

Resource Allocation Hierarchy

ICANN

3. Is there a valid certificate path from a Trust Anchor to this certificate?

Resource Cert Validation

What does RPKI Create?

• It creates a repository– RFC 3779 (RPKI) Certificates– ROAs– CRLs– Manifest records

Repository View./ba/03a5be-ddf6-4340-a1f9-1ad3f2c39ee6/1:total 40-rw-r--r-- 1 143 143 1543 Jun 26 2009 ICcaIRKhGHJ-TgUZv8GRKqkidR4.roa-rw-r--r-- 1 143 143 1403 Jun 26 2009 cKxLCU94umS-qD4DOOkAK0M2US0.cer-rw-r--r-- 1 143 143 485 Jun 26 2009 dSmerM6uJGLWMMQTl2esy4xyUAA.crl-rw-r--r-- 1 143 143 1882 Jun 26 2009 dSmerM6uJGLWMMQTl2esy4xyUAA.mnf-rw-r--r-- 1 143 143 1542 Jun 26 2009 nB0gDFtWffKk4VWgln-12pdFtE8.roa

A Repository Directory containing an RFC3779 Certificate, two ROAs, a CRL, and a manifest

Repository Use

• Pull down these files using a manifest-validating mechanism

• Validate the ROAs contained in the repository

• Communicate with the router marking routes “valid”, “invalid”, “unknown”

• Up to ISP to use local policy on how to route

Possible Flow

• RPKI Web interface -> Repository

• Repository aggregator -> Validator

• Validated entries -> Route Checking

• Route checking results -> local routing decisions (based on local policy)

How you can use ARIN’s RPKI System?• Hosted• Hosted using ARIN’s RESTful service• Delegated using Up/Down Protocol

Hosted RPKI

• Pros– Easier to use– ARIN managed

• Cons– No current support for downstream

customers to manage their own space (yet)

– Tedious through the UI if you have a large network

– We hold your private key

Hosted RPKI with RESTful Interace• Pros

– Easier to use– ARIN managed– Programatic interface for large networks

• Cons– No current support for downstream

customers to manage their own space (yet)

– We hold your private key

Delegated RPKI with Up/Down• Pros

– You keep your own private key– Follows the IETF up/down protocol

• Cons– Extremely hard to setup– Need to operate your own RPKI

environment

Hosted RPKI in ARIN Online

Hosted RPKI in ARIN Online

Hosted RPKI in ARIN Online

Hosted RPKI in ARIN Online

Hosted RPKI in ARIN OnlineSAMPLE-ORG

Hosted RPKI in ARIN OnlineSAMPLE-ORG

Hosted RPKI in ARIN Online

Your ROA request is automatically processed and the ROA is placed in ARIN’s repository, accompanied by its certificate and a manifest. Users of the repository can now validate the ROA using RPKI validators.

Delegated with Up/Down

Delegated with Up/Down

Delegated with Up/Down

Delegated with Up/Down

• You have to do all the ROA creation• Need to setup a CA• Have a highly available repository• Create a CPS

Updates within RPKI outside of ARIN• The four other RIRs are in production

with Hosted CA services• ARIN and APNIC have delegated

working for the public• Major routing vendor support being

tested• Announcement of public domain

routing code support

ARIN Status

• Hosted CA deployed 15 Sept 2012• Web Delegated CA deployed 16 Feb

2013 (now deprecated)• Delegated using “Up/Down” protocol

deployed 7 Sept 2013• RESTful interface deployed 1 Feb

2014

RPKI Usage

Oct 2012 Apr 2013 Oct 2013 Apr 2014

RPAs Signed 27 72 130 162

Certified Orgs 47 68 108

ROAs 19 60 106 162

Covered Resources 30 82 147 258

Web Delegated 0 0 0

Up/Down Delegated 0 0

Why is this important?

• Provides more credibility to identify resource holders

• Leads to better routing security

Q&A

ARIN’s Policy Development ProcessCurrent Number Resource Policy

Discussions and How to Participate

John SweetingChair, ARIN Advisory Council

Policy Development Process (PDP)

FlowchartProposal TemplateArchivePetitions

http://www.arin.net/policy/pdp.html

Policy Development PrinciplesOpen

– Developed in open forum• Public Policy Mailing List• Public Policy Meetings / Consultations

– Anyone can participate

Transparent– All aspects documented and available on

website• Policy process, meetings, and policies

Bottom-up – Policies developed by the community– Staff implements, but does not make policy

Who Plays a Role in the Policy Process?Community

– Submits proposals – Participates in discussions and petitions

Advisory Council (elected volunteers)– Facilitates the policy process– Develops policy that:

• enables fair and impartial resource administration• is technically sound• is supported by the Community

– Determines consensus based on community input

Roles…ARIN Board of Trustees (elected

volunteers)– Provides corporate fiduciary oversight– Ensures the policy process has been

followed– Adopts policies

ARIN Staff– Provides feedback to community

• Staff and legal assessments• Policy experience reports

– Implements adopted policies

Basic Steps1. Proposal from community member

2. AC works with author ensure it is clear and in scope

3. AC promotes proposal to Draft Policy for community discussion/feedback (PPML and possibly PPC/PPM)

4. AC recommends fully developed Draft Policy (fair, sound and supported by community) for adoption

5. Recommended Draft Policy must be presented at a face-to-face meeting (PPC/PPM)

6. If AC still recommends adoption, then Last Call, review of last call, and send to Board

7. Board reviews

8. Staff implements

Petitions

• Petitions available for:– Delay by the AC

• Proposal to Draft Policy (after 60 days)

• Draft to Recommended Draft (after 90)

• Last Call (after 60)

• Board (after 60)

– Abandonment

– Rejection (proposals out of scope)

• Petitions begin with 5 day duration, needing support from 10 people from 10 different organizations (later stages require more people)

• Despite low bar, attempted petitions are rare

Number Resource Policy Manual

ARIN’s Policy Document – Version 2014.4 (17 September 2014)– 35th version

Contains• Change Logs• HTML/PDF/txt

http://www.arin.net/policy/nrpm.html

Policies in the NRPM

• ARIN Principles

• IPv4 Address Space

• IPv6 Address Space

• Autonomous System Numbers (ASNs)

• Directory Services (Whois)

• Reverse DNS (in-addr)

• Transfers

• Experimental Assignments

• Resource Review Policy

Current Draft Policies/ProposalsRecommended Draft Policies

• ARIN-2014-9: Resolve Conflict Between RSA and 8.2 Utilization Requirements

Last call 15-29 October 2014

https://www.arin.net/policy/proposals/

Current Draft Policies/ProposalsDraft Policies1. ARIN-2014-1: Out of Region Use2. ARIN-2014-6: Remove 7.1 [Maintaining IN-ADDRs]3. ARIN-2014-14: Removing Needs Test from Small IPv4

Transfers4. ARIN-2014-17: Change Utilization Requirements from last-

allocation to total-aggregate5. ARIN-2014-19: New MDN Allocation Based on Past Utilization

Draft Policy

Recently abandoned:ARIN-2014-15: Allow Inter-RIR ASN TransfersARIN-2014-16: Section 4.10 Austerity Policy UpdateARIN-2014-18: Simplifying Minimum Allocations and AssignmentsARIN-2014-20: Transfer Policy Slow Start and Simplified Needs Verificationhttps://www.arin.net/policy/proposals/

Recently Adopted Policy

1. ARIN-2013-7: NRPM 4 (IPv4) Policy Cleanup

2. ARIN-2013-8: Subsequent Allocations for New Multiple Discrete Networks

3. ARIN-2014-5: Remove 7.2 Lame Delegations

4. ARIN-2014-12: Anti-hijack Policy5. ARIN-2014-13: Reduce All Minimum

Allocation/Assignment Units to /24https://www.arin.net/policy/proposals/

How Can You Get Involved?

There are two ways to voice your opinion:

– Public Policy Mailing List

– Public Policy Consultations/Meetings

• In person or remotely

• ARIN meetings and PPCs at NANOG

Public Policy Mailing List (PPML)

• Open to anyone• Easy to subscribe to • Contains: ideas, proposals, draft policies,

last calls, announcements of adoption and implementation, petitions, and more…

• Archived• RSS feed available

https://www.arin.net/participate/mailing_lists/index.html

ARIN Meetings• Two ARIN meetings a year

– Attend and participate in person or remotely• Check the ARIN Participate/Meetings site a few weeks

prior to meeting• Look at the Proposals/Draft Policies on Agenda (what and when?)• Get a copy of the Discussion Guide (summaries and text)• Attend/log in and state your opinion

– Additional Public Policy Consultations• Currently being held during NANOG meetings• Potential for additional ones in different venues in the future

Advisory Council Meetings

• Teleconference meetings held monthly(currently the third Thursday of the

month)• AC meeting results

– Watch PPML for AC’s decisions (once a month)– Read AC meeting minutes– Draft Policies – good or bad ideas, for or against?– Last Calls – For or against?

References

Policy Development Processhttp://www.arin.net/policy/pdp.html

Draft Policies and Proposalshttp://www.arin.net/policy/proposals/index.html

Number Resource Policy Manualhttp://www.arin.net/policy/nrpm.html

Q&A

Q&A / Open Mic Session

Apply now for ARIN 35April 2015 in San Francisco

Fill out & submitthe survey for your chance to win a $100 Amazon Gift Card!

Ask ARIN• ARIN staff available for your

questions one-on-one

Historical Timeline

167

Historical Timeline

168