nashville, tn - arin · nashville, tn 10 november 2016. welcome. ... system number provisioning...


Nashville, TN

10 November 2016

Welcome. Here today from ARIN…

• Jan Blacka, Senior User Experience Specialist

• Susan Hamlin, Director, Communications and Member Services

• Aaron Hughes, ARIN Board of Trustees

• Andy Newton, Chief Engineer

• Jon Worley, Technical Services Manager

Agenda

10:00 – 10:15 Welcome and Getting Started
10:15 - 10:45 ARIN: Mission, Role and Services
10:45 - 11:20 Security Overlays on Core Internet Protocols – DNSSEC
11:20 - 12:00 Life After IPv4 Depletion
Noon - 1:00 Lunch

Agenda

1:00 - 1:30 ARIN Services and Tools
1:30 - 2:00 Policy Development Process
2:00 - 2:30 Security Overlays on Core Internet Protocols – Resource Certification (RPKI)
2:30 - 3:00 IPv6 Adoption – Where are we Now?
3:00 - 3:15 Q&A / Open Mic Session & Ask ARIN
(3:30 to 4:00 PM User Feedback Session)

Let’s Get Started!

• Self introductions
– Name
– Organization
– I would like to learn more about “___________.”

ARIN and the RIR System: Mission, Role and Services

Aaron Hughes
Board of Trustees

What is an RIR?

A Regional Internet Registry (RIR) manages the allocation and registration of Internet number resources* in a particular region of the world.

*Internet number resources include IP addresses and autonomous system (AS) numbers.

Regional Internet Registries

RIR Structure

Not-for-profit
• Fee for services, not number resources
• 100% community funded

Membership Organization
• Open
• Broad-based
- Private sector
- Public sector
- Civil society

Community Regulated
• Community developed policies
• Member-elected executive board
• Open and transparent

IP Address and Autonomous System Number Provisioning Process

ARIN, a nonprofit member-based organization, supports the operation of the Internet through the management of Internet number resources throughout its service region; coordinates the development of policies by the community for the management of Internet Protocol number resources; and advances the Internet through informational outreach.

ARIN’s Service Region

The ARIN Region includes many Caribbean and North Atlantic islands, Canada, the United States and outlying areas.

The ARIN Community includes…

Anyone with an interest in Internet number resource management in the ARIN region

• 20,000+ customers
• 5,350+ members
• 80+ professional staff
• 7 member Board of Trustees
– elected by the membership
• 15 member Advisory Council
– elected by the membership
• Number Resource Organization Number Council
– 3 members from the ARIN Community

2016 Organizational Objectives

• Continue IPv4/IPv6 transition awareness campaign

• Participate in global Internet governance discussions to maintain the community-based multi-stakeholder policy development model

• Continue to enhance ARIN Online – user interface improvements

2016 Organizational Objectives

• Focus on smaller, community suggested, customer-facing, high-impact software development efforts
• Provide high level of Caribbean outreach
• Strengthen ARIN accountability to membership
• Improve customer service

ARIN’s strategic plan and objectives: https://www.arin.net/about_us/corp_docs/stratplan.pdf

ARIN Manages:

• IP address allocations & assignments
• ASN assignment
• Transfers
• Reverse DNS
• Record Maintenance
• Directory services – Whois…

ARIN develops technologies for managing Internet number resources:

• ARIN Online – customer web portal
• DNSSEC - security
• Resource Certification (RPKI)
• Community Software Project Repository
• Whois-RWS
• RDAP
• Reg-RWS

ARIN Offers Training and Education

• Educational Materials library (RIR/IPv6/Technical Information and Statistics) https://www.arin.net/knowledge
• Instructional Video Library
– http://youtube.com/teamarin
• In-person Training/Education
– ARIN on the Road, ARIN + NANOG on the Road, other fora upon request

Outreach and Community Engagement

1. Engage members and customers in Policy Development through Public Policy Meetings and Consultations

2. Work closely with NANOG, Internet Society, and other industry groups to ensure education, empowerment, engagement

3. Collaborate with Caribbean organizations to maximize inclusion:

• Caribbean Association of National Telecommunication Organizations (CANTO)
• Caribbean Telecommunications Union (CTU)
• Caribbean Network Operators Group (CaribNOG)
• Caribbean Internet Governance Forum

International Community Engagement

International Internet Governance Participation
• Fostering working relationships on a global scale
• Being a key resource for Internet governance debate participants
• Supporting cooperation and direct involvement alongside governments and international organizations

Get 6 – Websites on IPv6

http://teamarin.net/get6/ipv6-facts/
- Focusing on getting public websites IPv6-enabled
- https://getipv6.info -- wiki list of IPv6 web hosters and DNS providers

How to Participate

• Attend Public Policy and Members Meetings & Public Policy Consultations
– Remote participation available
• Apply for Meeting Fellowship
• Discuss policies on Public Policy Mailing List (ppml)
• Subscribe to an ARIN mailing list
• Attend outreach events

More Ways to Participate

• Voice your opinion in community consultations
• Submit a suggestion to improve or create new services
• Contribute to the IPv6 wiki
• Write a guest blog for TeamARIN.net
• Connect with us on social media
• Members
– Vote in annual elections

ARIN Mailing Lists

http://www.arin.net/participate/mailing_lists/index.html

ARIN Announce: arin-announce@arin.net

ARIN Discussion: arin-discuss@arin.net (members only)

ARIN Public Policy: arin-ppml@arin.net

ARIN Consultation: arin-consult@arin.net

ARIN Issued: arin-issued@arin.net

ARIN Technical Discussions: arin-tech-discuss@arin.net

Suggestions: arin-suggestions@arin.net

ARIN on Social Media

www.TeamARIN.net

www.facebook.com/TeamARIN

@TeamARIN

www.gplus.to/TeamARIN

www.linkedin.com/company/ARIN

www.youtube.com/TeamARIN

Q&A

Security Overlays on Core Internet Protocols – DNSSEC

Andy Newton
Chief Engineer

Core Internet Protocols

• Two critical resources that are unsecured
– Domain Name Servers
– Routing
• Hard to tell if compromised
– From the user point of view
– From the ISP/Enterprise

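DNS

How DNS Works

Question: www.arin.net A

1. Resolver → caching forwarder (recursive): www.arin.net A?
2. Caching forwarder → root-server: www.arin.net A?
   Answer: Ask net server @ X.gtld-servers.net (+ glue)
3. Caching forwarder → gtld-server: www.arin.net A?
   Answer: Ask arin server @ ns1.arin.net (+ glue)
4. Caching forwarder → arin-server: www.arin.net A?
   Answer: 192.168.5.10
5. Caching forwarder: add to cache, return 192.168.5.10 to the resolver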

Why DNSSEC? What is it?

• Standard DNS (forward or reverse) responses are not secure
– Easy to spoof
– Notable malicious attacks
• DNSSEC attaches signatures
– Validates responses
– Can not spoof

Reverse DNS at ARIN

• ARIN issues blocks without any working DNS
– Registrant must establish delegations after registration
– Then employ DNSSEC if desired
• Just as susceptible as forward DNS if you do not use DNSSEC

Reverse DNS at ARIN

• Authority to manage reverse zones follows allocations
– “Shared Authority” model
– Multiple sub-allocation recipient entities may have authority over a particular zone

Changes completed to make DNSSEC work at ARIN

• Permit by-delegation management
• Sign in-addr.arpa. and ip6.arpa. delegations that ARIN manages
• Create entry method for DS Records
– ARIN Online
– RESTful interface
– Not available via templates
• Key holders create and submit Delegation Signer (DS) records after securing their zones locally
• DNSSEC users should have signed a registration services agreement with ARIN to use these services

Reverse DNS in ARIN Online

First identify the network that you want to put Reverse DNS nameservers on…

…then enter the Reverse DNS nameservers…

DNSSEC in ARIN Online

…then apply DS record to apply to the delegation

Reverse DNS: Querying ARIN’s Whois

Query for the zone directly:

Whois> whois -h whois.arin.net 136.136.192.in-addr.arpa

Name: 252.149.192.in-addr.arpa.
Updated: 2014-08-20
NameServer: SEC1.APNIC.NET
NameServer: NS1.ARIN.NET
NameServer: NS2.LACNIC.NET
NameServer: SEC1.AUTHDNS.RIPE.NET
NameServer: NS2.ARIN.NET
KeyTag: 18508
Algorithm: 5
DigestType: 1
Digest: 84A741F15E878A088F3884EBE1F0E56EA8599295
KeyTag: 18508
Algorithm: 5
DigestType: 2
Digest: A9B8659C7795166863DE6FEC47808B58ED0CC6ADB0AA5E25B8F46FE87D3D7CBA
Ref: https://whois.arin.net/rest/rdns/252.149.192.in-addr.arpa.

DNSSEC in Zone Files

; File written on Mon Feb 24 17:00:53 2014
; dnssec_signzone version 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6
0.74.in-addr.arpa.      86400   IN NS   NS3.COVAD.COM.
                        86400   IN NS   NS4.COVAD.COM.
                        10800   NSEC    1.74.in-addr.arpa. NS RRSIG NSEC
                        10800   RRSIG   NSEC 5 4 10800 20140306210053 (
                                        20140224210053 57974 74.in-addr.arpa.
                                        oNk3GVaCWj2j8+EAr0PncqnZeQjm8h4w51nSD2VUi7YtR9FvYLF/j4KO+8qYZ3TAixb9c05c8EVIhtY1grXEdOm30zJpZyaoaODpbHt8FdWYvwup9Tq4oVbxVyuSNXriZ2Mq55IIMgDR3nATBLP5UClxUWkgvS/6poF+W/1H4QY= )
1.74.in-addr.arpa.      86400   IN NS   NS3.COVAD.COM.
                        86400   IN NS   NS4.COVAD.COM.
                        10800   NSEC    10.74.in-addr.arpa. NS RRSIG NSEC
                        10800   RRSIG   NSEC 5 4 10800 20140306210053 (
                                        20140224210053 57974 74.in-addr.arpa.
                                        DKYGzSDtIypDVcer5e+XuwoDW4auKy6G/OCVVTcfQGk+3iyy2CEKOZuMZXFaaDvXnaxey9R1mjams519Ghxp2qOnnkOw6iB6mR5cNkYlkL0hlu+IC4Buh6DqM4HbJCZcMXKEtWE0a6dMf+tHsa+5OV7ezX5LCuDvQVp6p0LftAE= )

DNSSEC in Zone Files

0.121.74.in-addr.arpa.  86400   IN NS   DNS1.ACTUSA.NET.
                        86400   IN NS   DNS2.ACTUSA.NET.
                        86400   IN NS   DNS3.ACTUSA.NET.
                        86400   DS      46693 5 1 (
                                        AEEDA98EE493DFF5F3F33208ECB0FA4186BD8056 )
                        86400   DS      46693 5 2 (
                                        66E6D421894AFE2AF0B350BD8F4C54D2EBA5DA72A615FE64BE8EF600C6534CEF )
                        86400   RRSIG   DS 5 5 86400 20140306210053 (
                                        20140224210053 57974 74.in-addr.arpa.
                                        n+aPxBHuf+sbzQN4LmHzlOi0C/hkaSVO3q1y6J0KjqNPzYqtxLgZjU+IL9qhtIOocgNQib9lgFRmZ9inf2bER435GMsa/nnjpVVWW/MBRKxfPcc72w2iOAMu2G0prtVT08ENxtu/pBfnsOZKnhCY8UOBOYLOLE5Whtk3XOuX9+U= )
                        10800   NSEC    1.121.74.in-addr.arpa. NS DS RRSIG NSEC
                        10800   RRSIG   NSEC 5 5 10800 20140306210053 (
                                        20140224210053 57974 74.in-addr.arpa.
                                        YvRowkdVDfv+PW42ySNUwW8S8jRyV6EKKRxe
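The DS records in the delegation above are digests of the child zone's DNSKEY, and a DS that does not match the published key makes the zone fail validation. The following added example (not from the ARIN slides) derives the key tag and the type 1 (SHA-1) and type 2 (SHA-256) digests per RFC 4034 and checks a DS line against a key before it is submitted; the DNSKEY bytes are constructed sample data, so the values it prints differ from those on the slide.

```python
import base64
import hashlib
import struct

# DS digest types used on the slide: 1 = SHA-1, 2 = SHA-256.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical (lower-case) DNS wire format."""
    stripped = name.rstrip(".").lower()
    if not stripped:
        return b"\x00"  # the root zone
    wire = b""
    for label in stripped.split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label in {name!r}")
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, key_b64: str) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B checksum (not applicable to algorithm 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner: str, rdata: bytes, digest_type: int) -> str:
    """Return 'keytag algorithm digesttype DIGEST' for the given DNSKEY."""
    if digest_type not in DIGESTS:
        raise ValueError(f"unsupported digest type {digest_type}")
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {rdata[3]} {digest_type} {digest}"


def ds_matches(owner: str, rdata: bytes, ds_text: str) -> bool:
    """True if a DS line in presentation format was derived from this DNSKEY."""
    tag, alg, dtype, digest = ds_text.split(None, 3)
    digest = "".join(digest.split()).upper()  # zone files may wrap the digest
    submitted = f"{int(tag)} {int(alg)} {int(dtype)} {digest}"
    return make_ds(owner, rdata, int(dtype)) == submitted


# Constructed sample key (not a real key): RSA layout with a 3-byte
# exponent 65537 followed by 128 filler bytes standing in for the modulus.
OWNER = "0.121.74.in-addr.arpa."
SAMPLE_KEY_B64 = base64.b64encode(
    b"\x03\x01\x00\x01" + bytes((7 * i + 3) % 256 for i in range(128))
).decode()
SAMPLE_RDATA = dnskey_rdata(257, 3, 5, SAMPLE_KEY_B64)  # KSK, algorithm 5

if __name__ == "__main__":
    for digest_type in (1, 2):
        ds = make_ds(OWNER, SAMPLE_RDATA, digest_type)
        print(f"{OWNER} 86400 IN DS {ds}")
        print("  matches key:", ds_matches(OWNER, SAMPLE_RDATA, ds))
```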


Setting up DNSSEC at ARIN

• Create entry method for DS Records
– ARIN Online
– RESTful interface
– Not available via templates
• Only key holders may create and submit Delegation Signer (DS) records


Reverse DNS: Querying ARIN’s Whois

Query for the zone directly:

whois> 81.147.204.in-addr.arpa

Name: 81.147.204.in-addr.arpa.
Updated: 2006-05-15
NameServer: AUTHNS2.DNVR.QWEST.NET
NameServer: AUTHNS3.STTL.QWEST.NET
NameServer: AUTHNS1.MPLS.QWEST.NET
Ref: http://whois.arin.net/rest/rdns/81.147.204.in-addr.arpa.


DNSSEC Validating Resolvers

• www.internetsociety.org/deploy360/dnssec/
• www.isc.org/downloads/bind/dnssec/

Reverse DNS Management and DNSSEC in ARIN Online

• Available on ARIN’s website http://www.arin.net/knowledge/dnssec/

DNSSEC Statistics

As of ARIN 38:

Number of Orgs with DNSSEC: 137
Total Number of Delegations: 603,296
DNSSEC Secured Zones: 632
Percentage Secured: 0.1 %

Q&A

Life After IPv4 Depletion

Jon Worley
Technical Services Manager

Overview

• IPv4 Request Activity
• Reserved IPv4 Space
• IPv4 Waiting List
• IPv4 Transfer Market
• Specified Transfer Listing Service

IPv4 Requests Since Depletion

[Chart: IPv4 requests since depletion; dashed line = IPv4 depletion]

IPv4 Waiting List

• Must qualify under current ARIN policy
– Maximum approved size determined by ARIN
– Minimum acceptable size specified by requester
– One request per org on the list at a time
• Waiting List published on ARIN’s web site https://www.arin.net/resources/request/waiting_list.html

IPv4 Waiting List Growth

[Chart: IPv4 waiting list growth by month, Jun-15 through Oct-16; dashed line = IPv4 depletion]

IPv4 Waiting List – The Reality

Of the 543 requests added:
• 42 have been filled
– Last request filled waited 393 days
• 107 dropped off
– Most got IPv4 via the transfer market
• 394 still waiting
– Oldest added 10 Jul 2015

IPv4 Critical Infrastructure Reserve

• 2 /16s reserved for:
– Public exchange points
– ICANN-sanctioned Core DNS operators
– RIRs
– IANA
• New gTLDs not eligible
• 11.52% used

Reserved IPv4 for IPv6 Deployment

• /10 reserved under policy in April 2009
– 60 /24s issued to date (99.6% remains available)
• Must be used to facilitate IPv6 deployment
– Examples include IPv4 addresses for key dual stack DNS servers, and NAT-PT or NAT464 translators
• Must already have an IPv6 block to qualify
• One per organization every six months, /24 maximum size

IPv4 Transfer Policies

– Mergers and Acquisitions (NRPM 8.2)
• Traditional transfer resulting from a merger, acquisition, or reorganization supported by legal documentation
– Transfers to Specified Recipients (NRPM 8.3)
• IPv4 transfer from one organization to another that it specifies, supported by justified need (within region)
– Inter-RIR transfers to Specified Recipients (NRPM 8.4)
• IPv4 market transfer from one organization to another that it specifies, supported by justified need (between regions)

Transfers To Specified Recipients

• Allows orgs with unused IPv4 resources to transfer them to orgs in need of IPv4 resources
• Source
– Must be current registrant, no disputes
– Not have received addresses from ARIN for 12 months prior
• Recipient
– Demonstrate need for 24-month supply under current ARIN policy

Specified Recipient Transfer Growth

[Chart: specified recipient transfers by month, Jul-15 through Oct-16; dashed line = IPv4 depletion]

Inter-RIR Transfers

• RIR must have reciprocal, compatible needs-based policies
– Currently APNIC and RIPE NCC
• Transfers from ARIN
– Source cannot have received IPv4 from ARIN 12 months prior to transfer
– Must be current registrant, no disputes
– Recipient meets destination RIR policies
• Transfers to ARIN
– Must demonstrate need for 24-month supply under current ARIN policy

Inter-RIR Transfers Completed

[Chart: inter-RIR transfers completed by month, Jul-15 through Oct-16; dashed line = IPv4 depletion]

No Drop In IPv4 Consumption

[Chart: Total /24s; series: Free Pool, Transfer Market]

Minimal Drop in IPv4 Workload

[Chart: by month, Jul-15 through Oct-16; series: IPv4 Requests, Need-Based Transfer Requests]

Transfer Pre-Approval

• Optional free service to confirm your 24 month projected IPv4 need

• Receive IPv4 addresses via multiple need-based transfers up to the pre-approved amount over the next 24 months

• $500 fee to complete each transfer

Specified Transfer Listing Service

• Optional fee-based service to facilitate specified recipient and inter-RIR transfers
– Sources have IPv4 addresses verified as available
– Recipients have a verified need for IPv4 addresses
– Facilitators arrange transfers between parties
• Approved participants can view detailed information for all other participants
• Public summary available on ARIN’s website
– Available block sizes
– # of source ORGs and approved block sizes
– List of facilitators with contact information

Takeaways

• IPv4 consumption still strong
• If you need IPv4:
– Get pre-approved & look at transfer market
– Get an IPv6 block & use reserved IPv6 block for IPv6 deployment policy
– Wait List an option if you can defer need
• IPv6 is the future

Q&A

Lunch Break

Take your valuables as the room will not be locked.

This Afternoon’s Agenda

1:00 - 1:30 ARIN Services and Tools
1:30 - 2:00 Policy Development Process
2:00 - 2:30 Security Overlays on Core Internet Protocols – Resource Certification (RPKI)
2:30 - 3:00 IPv6 Adoption – Where are we Now?
3:00 - 3:15 Q&A / Open Mic Session & Ask ARIN
(3:30 to 4:00 PM User Feedback Session)

ARIN Technical Services

Andy Newton
Chief Engineer

Major Services

• ARIN Online
• Email (including templates)
• Directory Services
– Whois
– Whois-RWS
– Registration Data Access Protocol (RDAP)
• Domain Name System (DNS)
– Reverse DNS
– DNS Security (DNSSEC)
• Internet Routing Registry (IRR)
• Resource Public Key Infrastructure (RPKI)
• Operational Test & Evaluation environment (OT&E)

Terms

• Resources
– IP Addresses (Networks)
– Autonomous System Numbers (ASNs)
• Organization
– The legal entity holding resources
– Shows up in Whois/RDAP
• Points of Contact
– Associated with Organizations
– Show up in Whois/RDAP
– Tech, Admin, NOC, Abuse
• SWIP
– “Shared Whois Project”
– Registration of reassigned or reallocated networks in the ARIN registry

ARIN Online (www.arin.net)

What Can I Do in ARIN Online?

• Resource management (IPs/ASNs)
– Requests and Transfers
– Technical services (Reverse DNS/RPKI)
• Record management (POCs/Org IDs)
• Downloadable reports
– Associations/reassignments/bulk Whois/WhoWas
• Billing & Payments
• Voting (Board, AC, NRO NC)

ARIN Online Usage

• 117929 accounts activated since inception through Q1 of 2016

[Chart: Number of Accounts Activated, by year, 2008 through 2016*]

* Through Q1 of 2016

Active Usage of ARIN Online

[Chart: Logins; x-axis: Times logged in (0, 1, 2 - 5, 6 - 10, 11 - 15, >16); y-axis: # of Users]

• Logins from inception through Q3 of 2016
• One user logged in 1,205,887 times!

Linking?

• Way of managing resources put into place before ARIN Online was unveiled
• A good set of videos at
– https://www.youtube.com/user/teamarin
– Teaches you how to:
• Create an ARIN Online account
• Create and manage POCs and Org IDs
• Request transfers

Ask ARIN and Message Center

• Ask ARIN
– A way to ask ARIN staff a question on the web
• Message Center
– Tracks ticketed requests
– Ticketed requests are things like resource requests and correspondence, RPKI notifications, reports

Reports

• Associations Report
– POCs linked to your ARIN Online account, including roles served by these POCs for any associated Organization (Admin, Tech, Abuse, etc.)
– Organization associated with your ARIN Online account
– Network records (NETs) and Autonomous System Number records (ASNs) associated with your linked POCs, directly or via an associated Organization

Reports (Cont)

• User Reassignment Report
– Reassignments/reallocations associated with your ARIN Online account via associated Organization
– "Holes" in all Network records (NETs) associated with your ARIN Online account, where no reassignment or reallocation has been made
• Whowas
– History of a resource
• Bulk Whois
– Directory services information placed in files
• Reports are ticketed and delivered into your Message Center

Billing

• Pay bills
• Calculate fees
• View current and past-due invoices

In the Works… a new design!

REST Services

• Reg-RWS
– SWiP
– Reports
– Manage DNS/RPKI
• Whois
– RDAP (the new Whois)
– Whois-RWS

What is REST?

• Representational State Transfer
• As applied to web services
– defines a pattern of usage with HTTP to create, read, update, and delete (CRUD) data
– “Resources” are addressable in URLs
• Very popular protocol model
– Amazon S3, Yahoo & Google services, …

The BIG Advantage of REST

• Easily understood
– Any modern programmer can incorporate it
– Can look like web pages
• Re-uses HTTP in a simple manner
– Many, many clients
– Other HTTP advantages
• This is why it is very, very popular with Google, Amazon, Yahoo, Twitter, Facebook, YouTube, Flickr, …

What does it look like? Who can use it?

http://whois.arin.net/rest/poc/KOSTE-ARIN

The parts of the URL, in order:
• Where the data is.
• What type of data it is.
• The ID of the data.

It is a standard URL. Anyone can use it. Go ahead, put it into your browser.

Where can more information on REST be found?

• RESTful Web Services
– O’Reilly Media
– Leonard Richardson
– Sam Ruby

Email/Templates

• Before ARIN Online, only way of communicating with ARIN
• Now only
– Reassignment information
– Inter-RIR Transfers
– Email Questions
• Lots of Spam

Reg-RWS Transactions (cumulative)

Meeting    Template     REST
ARIN29     408,383      40,374
ARIN30     595,858      320,197
ARIN31     846,943      841,105
ARIN32     1,066,037    3,524,124
ARIN33     1,311,403    4,296,734
ARIN34     1,498,204    4,715,231
ARIN35     1,749,383    5,034,717
ARIN36     2,006,440    5,662,477
ARIN37     2,225,894    5,987,836
ARIN38     2,435,265    6,153,205

Directory Services

• Whois
– Resource Information as per RFC812
• RDAP (the new Whois)
– Resource Information as per RFCs 7480-7484
• Whois-RWS
– RESTful Implementation of ARIN Whois
– XML-based, proprietary

Registration Data Access Protocol (RDAP)

• Long, fancy, official-sounding name for a simple idea:
– All the RIRs will now have a common query interface
– Also will be used by many domain registries

Bootstrapping (RFC 7484)

• IANA will publish a set of JSON files containing IP Address, Autonomous System Number, and Domain Name allocations with URLs to authoritative servers.
– Clients will be able to pre-determine where to initiate queries.

Bootstrapping In the Real World

[Diagram: Client, Bootstrap Server, ARIN, APNIC]
1. Client → Bootstrap Server: 45.65.1.1? Answer: Ask ARIN
2. Client → ARIN: 45.65.1.1? Answer: Ask APNIC
3. Client → APNIC: 45.65.1.1? Answer: JSON
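How a client can pre-determine where to send a query from a bootstrap file, as an added example that is not part of the original slides: it indexes a document in the RFC 7484 layout and picks the server by longest-prefix match. The bootstrap contents and the `registry-a` / `registry-b` server names are constructed sample values, not IANA's published data.

```python
import ipaddress
import json

# Constructed bootstrap document in the RFC 7484 layout. Each entry in
# "services" is [[prefixes...], [base URLs...]]. IANA publishes the real
# files under https://data.iana.org/rdap/ ; these entries are samples.
SAMPLE_BOOTSTRAP = json.loads("""
{
  "version": "1.0",
  "publication": "2016-11-10T00:00:00Z",
  "services": [
    [["45.0.0.0/8", "192.0.0.0/8"],
     ["http://rdap.registry-a.example/", "https://rdap.registry-a.example/"]],
    [["45.64.0.0/10"],
     ["https://rdap.registry-b.example/"]]
  ]
}
""")


def build_index(bootstrap):
    """Flatten the services array into (network, urls) pairs."""
    index = []
    for prefixes, urls in bootstrap["services"]:
        for prefix in prefixes:
            index.append((ipaddress.ip_network(prefix), list(urls)))
    # Longest prefixes first, so the first hit is the most specific entry.
    index.sort(key=lambda item: item[0].prefixlen, reverse=True)
    return index


def rdap_base_urls(index, address):
    """Base URLs of the most specific entry covering the address, or []."""
    addr = ipaddress.ip_address(address)
    for network, urls in index:
        if network.version == addr.version and addr in network:
            return urls
    return []


def rdap_query_url(index, address):
    """Full RDAP /ip/ query URL, preferring HTTPS; None if nothing matches."""
    urls = rdap_base_urls(index, address)
    if not urls:
        return None  # no bootstrap entry: the client has no starting point
    https = [u for u in urls if u.startswith("https://")]
    base = (https or urls)[0]
    if not base.endswith("/"):
        base += "/"
    return f"{base}ip/{ipaddress.ip_address(address)}"


INDEX = build_index(SAMPLE_BOOTSTRAP)

if __name__ == "__main__":
    for sample in ("45.65.1.1", "45.1.1.1", "203.0.113.9"):
        print(sample, "->", rdap_query_url(INDEX, sample))
```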

DNS

• Provide Reverse DNS delegation management for IPv4 and IPv6
• This includes DNSSEC
• More Detail later

IRR

• Provides coarse routing information for routing filters
• Processed through templates sent via email
• Has a Whois interface using RPSL (RFC 2622)
• Documented at
– https://www.arin.net/resources/routing/

OT&E (Operational Test & Evaluation)

• Lots of people test in production
– Is not the best place to test
– Things do get stuck – may impact others
– Operational Test & Evaluation
• Goodness of OT&E
– Place to test code
– Place to test process
– All services now under ote.arin.net except email
– Need to register to participate
– https://www.arin.net/resources/ote.html

RPKI

• We will talk about this in detail later

Feedback

• Users can notify us of Internet Number Resource Fraud and Whois Inaccuracy

• Can provide feedback on the application via the feedback button

• Suggestions through “ARIN Consultation and Suggestion Process” (ACSP)

Tools

• Lots of APIs
• You can build your own tools
• Some have shared their tools with others
• Repository for these tools
– https://github.com/arineng
– http://projects.arin.net

Q&A

ARIN’s Policy Development Process

Susan Hamlin
Director, Communications and Member Services

Overview

Principles and Basic steps

Major policy changes

A recent proposal

How to get involved

Policy Development Process Principles

Open
– Developed in open forum
• Public Policy Mailing List (PPML)
• Public Policy Meetings/Consultations (PPMs/PPCs)
– Anyone can participate

Transparent
– All aspects documented and available on website
• PDP, meeting information, and current/draft policy text

Bottom-up
– Policies developed by the community
– Staff implements, but does not make policy

Policy Development Process (PDP) Steps

1) Proposal – Someone in the community thinks a policy can be improved and documents it
2) Draft Policy - Discussion on the list and possibly at meeting(s) - Is there really a problem? Is this a good solution?
3) Recommended Draft Policy - More discussion and presentation at meeting(s). Does community support turning this into policy?
4) Last call
5) Board Review
6) Staff Implementation (NRPM)

If you submit a proposal, you can either leave it completely in the hands of the Advisory Council or keep participating along with the formal process

Past Policy Changes: IPv6 Policy

Circa 2001: Initial IPv6 policy aligned with IPv4 at that time, conservation was important, small amounts issued for short periods, hierarchical distribution from upstreams, and, no direct end user policy at all

2003-2016: Dozens of proposals to improve IPv6 policy

Changes included: Minimum allocation size increased (/35 to /32), larger allocations from IANA, policy for end users, community networks (mesh networks), assignment sizes from ISPs to customers (added /56s), larger amounts for ISPs and easier criteria, larger amounts for end users and easier criteria, bit boundary assignments and allocations, etc.

Past Policy Changes: Transfers

1997 thru 2007: Policy for Mergers and Acquisitions existed, everything else should go back to ARIN

2007 thru 2016: Many proposals to improve transfers.

Changes included: Allow needs-based transfers of unused or underutilized address space between organizations via ARIN, increase supply period from one year to two, allow ASN transfers, allow Inter-RIR transfers, etc.

Still seeing proposals to make transfers easier, there are some who are trying to reduce the needs requirement, some want ARIN to simply record the transfers.

Recently Under Discussion

• ARIN-2015-5: Out of Region Use

Would allow an organization to receive Internet number resources from ARIN for use out of region as long as the applicant is currently using at least the equivalent of a /22 of IPv4 space, /44 of IPv6, or 1 ASN within the ARIN service region.

• Earlier Abandoned Proposals
– ARIN-2014-1: Out of Region Use
– ARIN-2013-6: Allocation of IPv4 and IPv6 Address Space to Out-of-region Requestors
– ARIN-2011-13: IPv4 Number Resources for Use Within Region

(continued on next slide)

2015-5 continued

• ARIN-2015-5 presented at ARIN 36 in Oct 2015
• AC found draft to be fair, technically sound and supported and promoted to recommended state (late Oct 2015)
• Presented as Recommended Draft Policy at NANOG 66
• Last Call was 24 February thru 9 March 2016
• AC recommended Board adopt on 17 March
• Adopted as policy by the ARIN Board, 19 April
• Implemented by Staff 13 July 2016 (Section 9)

Policy discussions at ARIN 38

• Recommended Draft Policy ARIN-2015-2: Modify 8.4 (Inter-RIR Transfers to Specified Recipients)
• Recommended Draft Policy ARIN-2015-7: Simplified requirements for demonstrated need for IPv4 transfers
• Recommended Draft Policy ARIN-2016-1: Reserved Pool Transfer Policy
• Recommended Draft Policy ARIN-2016-2: Change timeframes for IPv4 requests to 24 months
• Recommended Draft Policy ARIN-2016-4: Transfers for new entrants
• Recommended Draft Policy ARIN-2016-5: Post-IPv4-Free-Pool-Depletion Transfer Policy
• Recommended Draft Policy ARIN-2016-6: Eliminate HD-Ratio from NRPM
• Draft Policy ARIN-2016-3: Alternative simplified criteria for justifying small IPv4 transfers

Proposals at Public Policy Meetings (Advisory Council workload)

[Chart: proposals per year, 2002 through 2016; series: Adopted, Abandoned, TBD]

How Can You Get Involved?

Two ways to learn and be heard

1. Public Policy Mailing List
2. Public Policy Consultations/Meetings
a. ARIN meetings (April and October)
b. ARIN Public Policy Consultations at NANOG (twice a year, usually February and June)

Remote participation supported

Takeaways

1) ARIN doesn't create number policy, you do.

2) Well documented policy development process includes assistance from ARIN AC and staff throughout the process.

3) Stay informed. Join the policy list and/or attend meetings (in person or remotely).

References

Policy Development Process (PDP)
http://www.arin.net/policy/pdp.html

Draft Policies and Proposals
http://www.arin.net/policy/proposals/index.html

Number Resource Policy Manual (NRPM)
http://www.arin.net/policy/nrpm.html

Q&A

Security Overlays on Core Internet Protocols – RPKI

Andy Newton
Chief Engineer

Core Internet Protocols

• Two critical resources that are unsecured
– Domain Name Servers
– Routing
• Hard to tell if compromised
– From the user point of view
– From the ISP/Enterprise

Routing

Routing Architecture

• The Internet uses a two level routing hierarchy:
– Interior Routing Protocols, used by each network to determine how to reach all destinations that lie within the network
– Interior Routing protocols maintain the current topology of the network
– Exterior Routing Protocol, used to link each component network together into a single whole
– Exterior protocols assume that each network is fully interconnected internally

Exterior Routing: BGP

• BGP is a large set of bilateral (1:1) routing sessions
– A tells B all the destinations (prefixes) that A is capable of reaching
– B tells A all the destinations that B is capable of reaching

[Diagram: routers A and B exchanging prefixes: 10.0.0.0/24, 10.1.0.0/16, 10.2.0.0/18; 192.2.200.0/24]

What is RPKI?

• Resource Public Key Infrastructure
• Attaches digital certificates to network resources
– AS Numbers
– IP Addresses
• Allows ISPs to associate the two
– Route Origin Authorizations (ROAs)
– Can follow the address allocation chain to the top

What does RPKI accomplish?

• Allows routers or other processes to validate route origins
• Simplifies validation authority information
– Trust Anchor Locator
• Distributes trusted information
– Through repositories

Hierarchy of Resource Certificates

[Diagram: certificate hierarchy]
ICANN: 0.0.0.0/0, 0::/0
ARIN: 128.0.0.0/8, 192.0.0.0/8 (shown alongside LACNIC, AFRINIC, RIPE NCC, APNIC)
Regional ISP: 128.177.0.0/16
Some Small ISP: 128.177.46.0/20
Other Small ISP: 192.78.12.0/24

Route Origin Attestations

[Diagram: the same hierarchy, with ROAs attached]
128.177.0.0/16 AS17025
128.177.46.0/20 AS53659
192.78.12.0/24 AS2000

Current Practices

[Diagram: the same hierarchy and ROAs]
128.177.0.0/16 AS17025
192.78.12.0/24 AS2000
128.177.46.0/20 AS53659

What does RPKI Create?

• It creates a repository
– RFC 3779 (RPKI) Certificates
– ROAs
– CRLs
– Manifest records

Relationships
[Diagram: relationships among repository objects; arrows are labelled “Signs” and “Points to (has URI for)”]
• Certificate: list of IP & ASN resources; AIA, URI of the parent cert; SIA, URI of the manifest
• Manifest: EE certificate; URI/hash of CRL; URI/hash of all ROAs; URI of all child certs
• CRL: serial numbers of all revoked certs
• ROA: EE certificate; ASN; list of IP prefixes & max lengths
• Other nodes: Child cert (two), Parent Key, Parent Cert, Parent Manifest, Certificate Key

Repository View
./ba/03a5be-ddf6-4340-a1f9-1ad3f2c39ee6/1:
total 40
-rw-r--r-- 1 143 143 1543 Jun 26 2009 ICcaIRKhGHJ-TgUZv8GRKqkidR4.roa
-rw-r--r-- 1 143 143 1403 Jun 26 2009 cKxLCU94umS-qD4DOOkAK0M2US0.cer
-rw-r--r-- 1 143 143 485 Jun 26 2009 dSmerM6uJGLWMMQTl2esy4xyUAA.crl
-rw-r--r-- 1 143 143 1882 Jun 26 2009 dSmerM6uJGLWMMQTl2esy4xyUAA.mnf
-rw-r--r-- 1 143 143 1542 Jun 26 2009 nB0gDFtWffKk4VWgln-12pdFtE8.roa

A Repository Directory containing an RFC3779 Certificate, two ROAs, a CRL, and a manifest

Repository Use
• Pull down these files using a manifest-validating mechanism
• Validate the ROAs contained in the repository
• Communicate with the router marking routes “valid”, “invalid”, “unknown”
• Up to ISP to use local policy on how to route

Possible Data Flow for Operations

• RPKI Web interface -> Repository
• Repository aggregator -> Validator
• Validated entries -> Route Checking
• Route checking results -> local routing decisions (based on local policy)
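
Added example, not part of the ARIN slides: the route-checking step from the two slides above, classifying a BGP announcement as valid, invalid or unknown against validated ROA data in the manner of RFC 6811. The prefixes and AS numbers come from the ROA slides; the max lengths, the sample announcements and the local-policy actions are assumptions.

```python
import ipaddress

# Validated ROA payloads (prefix, max length, origin AS). The prefixes and AS
# numbers are the ones shown on the slides; the max lengths are assumed.
VRPS = [
    ("128.177.0.0/16", 20, 17025),
    ("192.78.12.0/24", 24, 2000),
]


def validate_origin(route_prefix, origin_as, vrps=VRPS):
    """Classify a BGP announcement as "valid", "invalid" or "unknown"."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for prefix, max_len, asn in vrps:
        roa_net = ipaddress.ip_network(prefix)
        # A ROA covers the route if it is the same address family and the
        # route's prefix is equal to or more specific than the ROA prefix.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # Matching needs both the authorized origin AS and a prefix length
        # no longer than the ROA's max length.
        if asn == origin_as and route.prefixlen <= max_len:
            return "valid"
    # Covered by a ROA but nothing matched: wrong origin or too specific.
    return "invalid" if covered else "unknown"


def apply_local_policy(state):
    """Hypothetical local policy: reject invalids, prefer valids."""
    return {"valid": "accept, local-pref 200",
            "unknown": "accept, local-pref 100",
            "invalid": "reject"}[state]


if __name__ == "__main__":
    # Constructed announcements for illustration.
    for prefix, asn in [("128.177.0.0/16", 17025),   # exact match
                        ("128.177.46.0/24", 17025),  # longer than max length
                        ("192.78.12.0/24", 64500),   # wrong origin AS
                        ("10.1.0.0/16", 64501)]:     # no covering ROA
        state = validate_origin(prefix, asn)
        print(f"{prefix} AS{asn}: {state} -> {apply_local_policy(state)}")
```

A more specific announcement from the authorized AS is still invalid when it exceeds the ROA's max length, which is why the max length is checked separately from the origin AS.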

How can you use ARIN’s RPKI System?
• Hosted
– create ROAs through ARIN Online
– create ROAs using ARIN’s RESTful service
• Delegated using Up/Down Protocol

Hosted RPKI - ARIN Online
• Pros
– Easy to pick up and use
– ARIN managed
• Cons
– No current support for downstream customers to manage their own space
– Tedious through the UI if you have a large network
– We hold your private key

Hosted RPKI - RESTful Interface
• Pros
– Programmatic interface for large networks
– ARIN managed
• Cons
– No current support for downstream customers to manage their own space
– We hold your private key

Delegated RPKI with Up/Down
• Pros
– You safeguard your own private key
– Follows the IETF up/down protocol
• Cons
– Extremely hard to set up
– Need to operate your own RPKI environment

Hosted RPKI in ARIN Online
[Seven slides with this title; two of them show the organization SAMPLE-ORG]

Your ROA request is automatically processed and the ROA is placed in ARIN’s repository, accompanied by its certificate and a manifest. Users of the repository can now validate the ROA using RPKI validators.

Delegated with Up/Down
• You have to do all the ROA creation
• Need to set up a Certificate Authority
• Have a highly available repository
• Create a CPS

RPKI Statistics
Columns: Oct 2012 | Apr 2013 | Oct 2013 | Apr 2014 | Oct 2014 | Apr 2015 | Oct 2015 | Apr 2016
Certified Orgs: 47 68 108 153 187 220 250
ROAs: 19 60 106 162 239 308 338 370
Covered Resources: 30 82 147 258 332 430 482 528
Up/Down Delegated: 0 0 0 1 2 1

Q&A

IPv6 Adoption: Where Are We Now?

Andy Newton, Chief Engineer

Jon Worley, Technical Services Manager

The Amazing Success of the Internet
• 2.92 billion users!
• 4.5 online hours per day per user!
• 5.5% of GDP for G-20 countries

[Chart: “Just about anything about the Internet” plotted against Time]

The Original IPv6 Plan - 1995
[Chart over Time: IPv6 Deployment, IPv6 Transition – Dual Stack, IPv4 Pool Size, Size of the Internet]

The Revised IPv6 Plan - 2005
[Chart by Date (2004, 2006, 2008, 2010, 2012): IPv6 Deployment, IPv6 Transition – Dual Stack, IPv4 Pool Size, Size of the Internet]

Oops!
We were meant to have completed the transition to IPv6 BEFORE we completely exhausted the supply channels of IPv4 addresses!

Today’s IPv6 Plan
[Chart over Time, with “Today” marked: IPv6 Deployment, IPv4 Pool Size, Size of the Internet, IPv6 Transition; annotations: “?” and “0.8%”]

Transition...
The downside of an end-to-end architecture:
– There is no backwards compatibility across protocol families
– A V6-only host cannot communicate with a V4-only host

We have been forced to undertake a Dual Stack transition:
– Provision the entire network with both IPv4 AND IPv6
– In Dual Stack, hosts configure the hosts’ applications to prefer IPv6 to IPv4
– When the traffic volumes of IPv4 dwindle to insignificant levels, then it’s possible to shut down support for IPv4

Dual Stack Transition ...
We did not appreciate the operational problems with this dual stack plan while it was just a paper exercise:

• The combination of an end host preference for IPv6 and a disconnected set of IPv6 “islands” created operational problems
– Protocol “failover” from IPv6 to IPv4 takes between 19 and 108 seconds (depending on the operating system configuration)
– This is unacceptably slow
• Attempting to “bridge” the islands with IPv6-in-IPv4 tunnels created a new collection of IPv6 path MTU Discovery operational problems
– There are too many deployed network paths containing firewall filters that block all forms of ICMP, including ICMP6 Packet Too Big
• Attempts to use end-host IPv6 tunneling also present operational problems
– Widespread use of protocol 41 (IP-in-IP) firewall filters
– Path MTU problems

Dual Stack Transition
Signal to the ISPs:

– Deploy IPv6 and expose your users to operational problems with IPv6 connectivity

Or

– Delay IPv6 deployment and wait for these operational issues to be solved by someone else

So we wait...

And while we wait...
The Internet continues its growth.

• And without an abundant supply of IPv4 addresses to support this level of growth, the industry is increasingly reliant on NATs:
– Edge NATs are now the de facto choice for residential broadband services at the CPE
– ISP NATs are now the de facto choice for 3G and 4G mobile IP services

What is ARIN Hearing from the Community About IPv6?

• Movement to IPv6 is slow, but progress being made
– ISPs slowly rolling out IPv6
– Steady increase in IPv6 traffic
– Increase in IPv6 requests
– IPv6 entertainment offerings may be a driver
• Still high demand for IPv4
– Many ISPs purchasing CGN boxes
– More turning to the IPv4 market
  • Rent by month
  • Purchasing space outright (costs will increase)

What will be the tipping point?

• CGN’s running V4
– Cost per IP will rise based on…
– Cost of device and support
  • Why does <insert service here> not work
  • Gamers have a need for speed
• User base that supports V6
• Social Effect

ARIN’s Network

• We eat our own dogfood
• Every new service must have v6
• Evolution on v6 to a robust infrastructure
• Have had challenges getting robustness

ARIN’s Current Challenges for Networking
• Dual-Stacked Internally
– Challenges over time with our VPN (OpenVPN)
  • One interface works with v6
  • One does not
• Middleware Boxes
– Claims do not support reality (“we support IPv6”) Yes, but…
– No 1-1 feature set
– Limits ARIN’s ability to support new services like https support for Whois-RWS

However, there is some good news for the future...

Global IPv6 Status
Percentage of Members with IPv6

ARIN ISP Members with IPv4 and IPv6

IPv6 Adoption by ISP Size
[Chart: ISPs without IPv6 and ISPs with IPv6, scale 0% to 100%]

Google’s IPv6 Traffic Growing

> 25% of US customers connected to Google via IPv6 - up from 10% one year ago today & growing rapidly

Facebook
• Over 10% of the world uses Facebook over IPv6
[Chart: 1% on 6/6/2012; over 10% in 2015]

IPv6 Requests Since Depletion
[Chart: vertical axis 0 to 120; dashed line = IPv4 depletion]

Why Move to IPv6 Now?
• Being IPv4-only has costs
– Transfer market, latency, CGN boxes, NAT
• Generally no additional cost for ISPs & fees recently lowered for end users
• IPv6 gives you access to a reserved IPv4 block
– One IPv4 /24 per six month period

Requesting IPv6 - ISPs
• Have a previous v4 allocation from ARIN or predecessor registry
OR
• Intend to IPv6 multi-home
OR
• Provide a technical justification which details at least 50 assignments made within 5 years

IPv6 ISP Block Size
• /48 typically assigned to customers
– Might be smaller, e.g. /56, for residential
• /32 default generally sufficient
– Enough to number 65k+ customers
• Larger blocks based on:
– # of serving sites (PoPs, datacenters)
– # of customers at largest serving site
– Block size to be assigned

Requesting IPv6 – End Users
• Have a v4 assignment from ARIN or predecessor registry
OR
• Intend to IPv6 multi-home
OR
• Use 2000 IPv6 addresses or 200 IPv6 subnets within a year
OR
• Have a contiguous network that has a minimum of 13 active sites within 12 months
OR
• Technical justification as to why provider-assigned IPs are unsuitable

IPv6 End User Block Size
• Block size based on # sites
– /48: 1 site
– /44: 2-12 sites
– /40: 13-192 sites
– /36: 192-3,072 sites
– /32: 3,073+ sites
• Each site typically gets a /48
– /48 has 65,536 /64 subnets

Your IPv6 Checklist
☐ Get your IPv6 address space
☐ Set up IPv6 connectivity (native or tunneled)
☐ Configure your operating systems, software, and network management tools
☐ Upgrade your router, firewall, and other hardware
☐ Get your IT staff training
☐ Enable IPv6 on your website

Talk to Your ISP About IPv6 Services
• You want access to the entire Internet!
– ISPs must connect customers via IPv4 only, IPv4-IPv6, and IPv6 only
– They must plan for IPv4-IPv6 transition services
• Many transition technologies available
• Research options and make architectural decisions

Dual-stack Your Network
– IPv6 not backwards compatible with IPv4
– Both will run simultaneously for years

Make Your Servers Reachable Over IPv6

– Mail, Web, Applications
– Operating systems, software, and network management tools

Audit Your Equipment and Software
– Are your devices and applications IPv6 ready?

Encourage Vendors to Support IPv6
– If not already, when will IPv6 support be part of their product cycle?

Get IPv6 Training for Staff
– Free resources available

Enable IPv6 on Your Website

Steps To Get Your Website IPv6-Enabled

TeamARIN.net/get6


Operational Guidance

http://www.nanog.org/archives/


http://www.internetsociety.org/deploy360/

http://www.intgovforum.org/cms/best-practice-forums/2015-bpf-outs

Internet Governance Forum - Enabling Environment for IPv6 Adoption

IPv6 Info Center
www.arin.net/knowledge/ipv6_info_center.html

www.GetIPv6.info

www.TeamARIN.net

Q&A

Today’s Take Aways:
• Apply for IPv6 addresses and get started.
• Subscribe to an ARIN mailing list
• Participate in ARIN 39 – in person or remotely
• Apply for a future meeting fellowship
• Consider implementing DNSSEC/Resource Certification
• Member organizations please update your Voting Contact – linked to an ARIN Web User account
• Reach out through various channels with questions or suggestions

ARIN Mailing Lists

http://www.arin.net/participate/mailing_lists/index.html

ARIN Announce: arin-announce@arin.net

ARIN Discussion: arin-discuss@arin.net (members only)

ARIN Public Policy: arin-ppml@arin.net

ARIN Consultation: arin-consult@arin.net

ARIN Issued: arin-issued@arin.net

ARIN Technical Discussions: arin-tech-discuss@arin.net

Suggestions: arin-suggestions@arin.net

ARIN on Social Media

www.TeamARIN.net

www.facebook.com/TeamARIN

@TeamARIN

www.gplus.to/TeamARIN

www.linkedin.com/company/ARIN

www.youtube.com/TeamARIN

https://www.arin.net/participate/meetings/fellowship.html

Fill out & submit the survey for your chance to win a $100 Amazon Gift Card!
