Halifax, Ontario 21 May 2015

Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN


Welcome. Here today from ARIN…

• Paul Andersen, ARIN Board of Trustees, Vice Chair and Treasurer

• Susan Hamlin, Director, Communications and Member Services

• Mark Kosters, Chief Technology Officer

• Chris Tacit, ARIN Advisory Council

• Avneet Wadhwani, Senior Software Engineer

Morning Agenda

10:15 - 10:45 ARIN: Mission, Services and Community Engagement; Paul Andersen

10:45 - 11:15 Number Resource Policy Discussions and How to Participate; Chris Tacit

11:15 - 11:30 DNS Talk; Shawn Beaton

11:30 - 12:00 Security Overlays on Core Internet Protocols – DNSSEC; Mark Kosters

12:00 PM - 1:00 PM Lunch

Afternoon Agenda

1:00 - 1:45 Security Overlays on Core Internet Protocols - Resource Certification (RPKI); Mark Kosters

1:45 - 2:15 Life After IPv4 Depletion: IPv4 Inventory, Waiting List and Transfers; Susan Hamlin

2:15 - 2:45 Automating Interactions with ARIN; Mark Kosters

3:00 - 3:10 IXPs in Canada; John Sherwood

3:15 - 3:45 Moving to IPv6 - Getting IPv6 from ARIN/Current Uptake; Mark Kosters

3:45 - 4:15 IPv6 Deployment: A Service Provider Perspective; Moshin Sohail

4:15 - 4:30 Q&A / Open Mic Session; Susan Hamlin


Happy Hour

4:30 PM  -  5:30 PM

Sponsored by:

Let’s Get Started!

• Self introductions

– Name

– Organization


ARIN and the RIR System: Mission, Role and Services

Paul Andersen ARIN Board of Trustees


What is an RIR?

A Regional Internet Registry (RIR) is an organization that manages the allocation and registration of Internet number resources within a particular region of the world. Internet number resources include IP addresses and autonomous system (AS) numbers.


Regional Internet Registries

RIR Structure

Not-for-profit

• Fee for services, not number resources

• 100% community funded

Membership Organization

• Open

• Broad-based

– Private sector

– Public sector

– Civil society

Community Regulated

• Community developed policies

• Member-elected executive board

• Open and transparent

Number Resource Organization

The NRO exists to protect the unallocated number resource pool, to promote and protect the bottom-up policy development process, and to act as a focal point for Internet community input into the RIR system.

ARIN, a nonprofit member-based organization, supports the operation of the Internet through the management of Internet number resources throughout its service region; coordinates the development of policies by the community for the management of Internet Protocol number resources; and advances the Internet through informational outreach.


ARIN’s Service Region

The ARIN Region includes many Caribbean and North Atlantic islands, Canada, the United States and outlying areas.


IP Address and Autonomous System Number Provisioning Process


Who is the ARIN community?

Anyone with an interest in Internet number resource management in the ARIN region

The ARIN Community includes…

• 20,000+ customers

• 5,000+ members

• 60+ professional staff

• 7 member Board of Trustees

– elected by the membership

• 15 member Advisory Council

– elected by the membership

• 3 person Number Resource Organization Number Council

– elected by the ARIN Community

ARIN Board of Trustees

• Paul Andersen, Vice Chair and Treasurer

• Vinton G. Cerf, Chair

• John Curran, President and CEO

• Timothy Denton, Secretary

• Aaron Hughes

• Bill Sandiford

• Bill Woodcock

ARIN Advisory Council

• Dan Alexander, Chair

• Cathy Aronson

• Kevin Blumberg, Vice Chair

• Owen DeLong

• Andrew Dul

• David Farmer

• David Huberman

• Scott Leibrand

• Tina Morris

• Milton Mueller

• Leif Sawyer

• Heather Schiller

• Robert Seastrom

• John Springer

• Chris Tacit

ARIN Services and Products

ARIN Manages:

• IP address allocations & assignments

• ASN assignment

• Transfers

• Reverse DNS

• Record Maintenance

• Directory service

– Whois

– Routing Information (Internet Routing Registry)

– WhoWas

ARIN Services and Products

ARIN coordinates and administers:

• Policy Development

– Community meetings

– Discussion

– Publication

• Elections

• Information publication and dissemination and public relations

• Community outreach

• Education and training

ARIN Services and Products

ARIN develops technologies for managing Internet number resources:

• ARIN Online

• Community Software Project Repository

• DNSSEC

• Resource Certification (RPKI)

• Whois-RWS

• Reg-RWS


Globalization of IANA Oversight

On 14 March 2014, the US Government announced plans to transition oversight of the IANA functions contract to the global multistakeholder community

Current IANA functions contract expires 30 September 2015


NTIA Conditions for Transition Proposal

1. Support and enhance the multi-stakeholder model

2. Maintain the security, stability, and resiliency of the Internet DNS

3. Meet the needs and expectation of the global customers and partners of the IANA services

4. Maintain the openness of the Internet


Current Status of IANA Stewardship Proposal

Number Resources (RIR community) – CRISP Team

https://www.nro.net/wp-content/uploads/ICG-RFP-Number-Resource-Proposal.pdf - submitted 15 Jan 2015

Join in Internet Governance Discussions

Visit ARIN’s webpage: Ways to Participate in Internet Governance

https://www.arin.net/participate/governance/participate.html


Get 6 – Websites on IPv6

http://teamarin.net/infographic/

How to Participate in ARIN

• Attend Public Policy and Members Meetings & Public Policy Consultations

– Remote participation available

• Apply for Meeting Fellowship

• Discuss policies on Public Policy Mailing List (ppml)

• Come to outreach events

• Subscribe to an ARIN mailing list

More Ways to Participate

• Give your opinion on community consultations

• Submit a suggestion

• Contribute to the IPv6 wiki

• Write a guest blog for TeamARIN.net

• Connect with us on social media

• Members – Vote in annual elections


ARIN Mailing Lists

http://www.arin.net/participate/mailing_lists/index.html

ARIN Announce: [email protected]

ARIN Discussion: [email protected] (members only)

ARIN Public Policy: [email protected]

ARIN Consultation: [email protected]

ARIN Issued: [email protected]

ARIN Technical Discussions: [email protected]

Suggestions: [email protected]


ARIN on Social Media

www.TeamARIN.net

www.facebook.com/TeamARIN

@TeamARIN

www.gplus.to/TeamARIN

www.linkedin.com/company/ARIN

www.youtube.com/TeamARIN

#ARIN35

Apply now for ARIN 36 October 2015 in Montreal

https://www.arin.net/participate/meetings/fellowship.html

NEW: Includes attendance at NANOG

Upcoming ARIN Meetings

NANOG 64 in San Francisco (1-3 June 2015)

Halifax, Nova Scotia - 21

Helena, MT - 9 June

Dominica - 18 June


Q&A

ARIN’s Policy Development Process

Current Number Resource Policy Discussions and How to Participate

Chris Tacit, ARIN Advisory Council

Number Resource Policy Manual

ARIN’s Policy Document

– Version 2015.1 (24 February 2015)

– 37th version

Change Logs

HTML/PDF/txt

http://www.arin.net/policy/nrpm.html

Policy Development Process (PDP)

Process Flowchart

Proposal Template

http://www.arin.net/policy/pdp.html


PDP Goals

• "open, transparent, and inclusive manner that allows anyone to participate in the process."

• "clear, technically sound and useful policies"

• "Policies, not Processes, Fees, or Services"

Basic Steps

1. Proposal from community member

2. AC works with author to ensure it is clear and in scope

3. AC promotes proposal to Draft Policy for community discussion/feedback (PPML and possibly PPC/PPM)

4. AC recommends fully developed Draft Policy (fair, sound and supported by community) for adoption

5. Recommended Draft Policy must be presented at a face-to-face meeting (PPC/PPM)

6. If AC still recommends adoption, then Last Call, review of last call, and send to Board

7. Board reviews

8. Staff implements

Current Draft Policies/Proposals

1. Recommended Policy ARIN-2014-6: Remove Operational Reverse DNS Text (last call)

2. ARIN-2014-17: Change Utilization Requirements from last-allocation to total-aggregate (to be implemented)

3. Recommended Draft Policy ARIN-2014-21: Modification to CI Pool Size per Section 4.4 (last call)

4. ARIN-2015-1: Modification to Criteria for IPv6 Initial End-User Assignments

5. ARIN-prop-216 Modify 8.4 (Inter-RIR Transfers to Specified Recipients)

6. ARIN-prop-217 Remove 30 day utilization requirement in end-user IPv4 policy

7. ARIN-prop-218 Modify 8.2 section to better reflect how ARIN handles reorganizations

https://www.arin.net/policy/proposals/


Recommended Draft Policy ARIN-2014-17: Change Utilization Requirements from last-allocation to total-aggregate

• Changes IPv4 utilization requirement from 80% of last allocation to 50% overall and at least 50% of last allocation (easier for smaller ISPs to come back for more space)

• Discussed on PPML beginning in May 2014

• Presented at ARIN 34 (October 2014)

• Revised in November 2014 and advanced to Recommended Draft Policy

• Presented at NANOG 63

• Last call was 24 February through 10 March 2015


ARIN-2014-17 continued

• AC reviewed last call, advanced to Board

• Board review

– Ensured PDP had been followed

– Ensured compliance with law and ARIN’s mission

– Adopted 2014-7

• Staff announced “will be implemented no later than 17 July 2015”


How Can You Get Involved?

There are two ways to voice your opinion:

– Public Policy Mailing List

– Public Policy Consultations/Meetings

• In person or remotely

• ARIN meetings and Public Policy Consultations at NANOG

References

Policy Development Process: http://www.arin.net/policy/pdp.html

Draft Policies and Proposals: http://www.arin.net/policy/proposals/index.html

Number Resource Policy Manual: http://www.arin.net/policy/nrpm.html


Q&A

Security Overlays on Core Internet Protocols – DNSSEC

Mark Kosters, Chief Technology Officer

Core Internet Protocols

• Two critical resources that are unsecured

– Domain Name Servers

– Routing

• Hard to tell if compromised

– From the user point of view

– From the ISP/Enterprise

• Focus on government funding


DNS

How DNS Works

Question: www.arin.net A

1. Resolver -> caching forwarder (recursive): www.arin.net A ?

2. Caching forwarder -> root-server: www.arin.net A ? Answer: Ask net server @ X.gtld-servers.net (+ glue)

3. Caching forwarder -> gtld-server: www.arin.net A ? Answer: Ask arin server @ ns1.arin.net (+ glue)

4. Caching forwarder -> arin-server: www.arin.net A ? Answer: 192.168.5.10

5. Caching forwarder -> resolver: 192.168.5.10 (add to cache)

Why DNSSEC? What is it?

• Standard DNS (forward or reverse) responses are not secure

– Easy to spoof

– Notable malicious attacks

• DNSSEC attaches signatures

– Validates responses

– Can not spoof

Reverse DNS at ARIN

• ARIN issues blocks without any working DNS

– Registrant must establish delegations after registration

– Then employ DNSSEC if desired

• Just as susceptible as forward DNS if you do not use DNSSEC

Reverse DNS at ARIN

• Authority to manage reverse zones follows allocations

– “Shared Authority” model

– Multiple sub-allocation recipient entities may have authority over a particular zone

Changes completed to make DNSSEC work at ARIN

• Permit by-delegation management

• Sign in-addr.arpa. and ip6.arpa. delegations that ARIN manages

• Create entry method for DS Records

– ARIN Online

– RESTful interface

– Not available via templates


Changes completed to make DNSSEC work at ARIN

• Only key holders may create and submit Delegation Signer (DS) records

• DNSSEC users need to have signed a registration services agreement with ARIN to use these services


Reverse DNS in ARIN Online

First identify the network that you want to put Reverse DNS nameservers on…


Reverse DNS in ARIN Online

…then enter the Reverse DNS nameservers…

DNSSEC in ARIN Online

…then apply the DS record to the delegation

Reverse DNS: Querying ARIN’s Whois

Query for the zone directly:

whois> 81.147.204.in-addr.arpa

Name: 81.147.204.in-addr.arpa.
Updated: 2006-05-15
NameServer: AUTHNS2.DNVR.QWEST.NET
NameServer: AUTHNS3.STTL.QWEST.NET
NameServer: AUTHNS1.MPLS.QWEST.NET

Ref: http://whois.arin.net/rest/rdns/81.147.204.in-addr.arpa.

DNSSEC in Zone Files

; File written on Mon Feb 24 17:00:53 2014
; dnssec_signzone version 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6
0.74.in-addr.arpa.  86400 IN NS NS3.COVAD.COM.
                    86400 IN NS NS4.COVAD.COM.
                    10800 NSEC 1.74.in-addr.arpa. NS RRSIG NSEC
                    10800 RRSIG NSEC 5 4 10800 20140306210053 (
                          20140224210053 57974 74.in-addr.arpa.
                          oNk3GVaCWj2j8+EAr0PncqnZeQjm8h4w51nS
                          D2VUi7YtR9FvYLF/j4KO+8qYZ3TAixb9c05c
                          8EVIhtY1grXEdOm30zJpZyaoaODpbHt8FdWY
                          vwup9Tq4oVbxVyuSNXriZ2Mq55IIMgDR3nAT
                          BLP5UClxUWkgvS/6poF+W/1H4QY= )
1.74.in-addr.arpa.  86400 IN NS NS3.COVAD.COM.
                    86400 IN NS NS4.COVAD.COM.
                    10800 NSEC 10.74.in-addr.arpa. NS RRSIG NSEC
                    10800 RRSIG NSEC 5 4 10800 20140306210053 (
                          20140224210053 57974 74.in-addr.arpa.
                          DKYGzSDtIypDVcer5e+XuwoDW4auKy6G/OCV
                          VTcfQGk+3iyy2CEKOZuMZXFaaDvXnaxey9R1
                          mjams519Ghxp2qOnnkOw6iB6mR5cNkYlkL0h
                          lu+IC4Buh6DqM4HbJCZcMXKEtWE0a6dMf+tH
                          sa+5OV7ezX5LCuDvQVp6p0LftAE= )

DNSSEC in Zone Files

0.121.74.in-addr.arpa.  86400 IN NS DNS1.ACTUSA.NET.
                        86400 IN NS DNS2.ACTUSA.NET.
                        86400 IN NS DNS3.ACTUSA.NET.
                        86400 DS 46693 5 1 (
                              AEEDA98EE493DFF5F3F33208ECB0FA4186BD
                              8056 )
                        86400 DS 46693 5 2 (
                              66E6D421894AFE2AF0B350BD8F4C54D2EBA5
                              DA72A615FE64BE8EF600C6534CEF )
                        86400 RRSIG DS 5 5 86400 20140306210053 (
                              20140224210053 57974 74.in-addr.arpa.
                              n+aPxBHuf+sbzQN4LmHzlOi0C/hkaSVO3q1y
                              6J0KjqNPzYqtxLgZjU+IL9qhtIOocgNQib9l
                              gFRmZ9inf2bER435GMsa/nnjpVVWW/MBRKxf
                              Pcc72w2iOAMu2G0prtVT08ENxtu/pBfnsOZK
                              nhCY8UOBOYLOLE5Whtk3XOuX9+U= )
                        10800 NSEC 1.121.74.in-addr.arpa. NS DS RRSIG NSEC
                        10800 RRSIG NSEC 5 5 10800 20140306210053 (
                              20140224210053 57974 74.in-addr.arpa.
                              YvRowkdVDfv+PW42ySNUwW8S8jRyV6EKKRxe…
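An added example (not ARIN's or the presenter's code): before a DS record such as the ones shown for 0.121.74.in-addr.arpa. is submitted to the parent, it can be checked against the zone's DNSKEY by recomputing the key tag and digest the way RFC 4034 defines them. The 4-byte key is a constructed stand-in for a real public key, and every function name is an assumption made for illustration.

```python
import base64
import hashlib
import ipaddress
import struct

# DS digest types 1 (SHA-1) and 2 (SHA-256), the two types shown on the slide.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}


def reverse_zone(prefix: str) -> str:
    """Reverse zone name for an octet-aligned IPv4 block, e.g. 204.147.81.0/24."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("only /8, /16 and /24 IPv4 blocks are handled here")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def wire_name(name: str) -> bytes:
    """Canonical wire form: lower-case, length-prefixed labels, root label last."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label must be 1-63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, key_b64: str) -> bytes:
    """DNSKEY RDATA: flags (2 octets), protocol, algorithm, then the public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag as in RFC 4034 Appendix B (does not apply to algorithm 1)."""
    acc = 0
    for i, octet in enumerate(rdata):
        acc += octet << 8 if i % 2 == 0 else octet
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner: str, rdata: bytes, digest_type: int):
    """Return (key tag, algorithm, digest type, hex digest) for owner + DNSKEY."""
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], digest_type, digest)


def ds_matches(owner: str, rdata: bytes, ds) -> bool:
    """True only if every DS field agrees with the DNSKEY published at owner."""
    tag, algorithm, digest_type, digest = ds
    if digest_type not in DIGESTS:
        return False
    # Zone files wrap long digests with spaces, so normalise before comparing.
    wanted = (tag, algorithm, digest_type, digest.replace(" ", "").upper())
    return make_ds(owner, rdata, digest_type) == wanted


if __name__ == "__main__":
    zone = reverse_zone("74.121.0.0/24")             # zone name used on the slide
    key = dnskey_rdata(257, 3, 5, "AQIDBA==")        # constructed key, not a real one
    for dtype in (1, 2):
        ds = make_ds(zone, key, dtype)
        print(zone, "DS", *ds, "match:", ds_matches(zone, key, ds))
```

A DS that fails this check would make validating resolvers treat the signed delegation as bogus, so it is worth running before the record goes to the parent zone.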

DNSSEC Validating Resolvers

• www.internetsociety.org/deploy360/dnssec/

• www.isc.org/downloads/bind/dnssec/


Q&A


LUNCH Sponsored by:

Take your valuables as the room will not be locked.

Security Overlays on Core Internet Protocols – RPKI

Mark Kosters, Chief Technology Officer

Core Internet Protocols

• Two critical resources that are unsecured

– Domain Name Servers

– Routing

• Hard to tell if compromised

– From the user point of view

– From the ISP/Enterprise

• Focus on government funding


Routing

Routing Architecture

• The Internet uses a two level routing hierarchy:

– Interior Routing Protocols, used by each network to determine how to reach all destinations that lie within the network

– Interior Routing protocols maintain the current topology of the network

Routing Architecture

• The Internet uses a two level routing hierarchy:

– Exterior Routing Protocol, used to link each component network together into a single whole

– Exterior protocols assume that each network is fully interconnected internally

Exterior Routing: BGP

• BGP is a large set of bilateral (1:1) routing sessions

– A tells B all the destinations (prefixes) that A is capable of reaching

– B tells A all the destinations that B is capable of reaching

[Diagram: peers A and B, with prefixes 10.0.0.0/24, 10.1.0.0/16, 10.2.0.0/18 and 192.2.200.0/24]

What is RPKI?

• Resource Public Key Infrastructure

• Attaches digital certificates to network resources

– AS Numbers

– IP Addresses

• Allows ISPs to associate the two

– Route Origin Authorizations (ROAs)

– Can follow the address allocation chain to the top

What does RPKI accomplish?

• Allows routers or other processes to validate route origins

• Simplifies validation authority information

– Trust Anchor Locator

• Distributes trusted information

– Through repositories

Resource Cert Validation

Resource Allocation Hierarchy (Issued Certificates): ICANN -> AFRINIC, RIPE NCC, APNIC, ARIN, LACNIC -> LIR1, ISP2 -> ISP, ISP, ISP, ISP4, ISP, ISP, ISP

Route Origination Authority

“ISP4 permits AS65000 to originate a route for the prefix 192.2.200.0/24”

Attachment: <isp4-ee-cert>

Signed, ISP4 <isp4-ee-key-priv>

1. Did the matching private key sign this text?

2. Is this certificate valid?

3. Is there a valid certificate path from a Trust Anchor to this certificate?

What does RPKI Create?

• It creates a repository

– RFC 3779 (RPKI) Certificates

– ROAs

– CRLs

– Manifest records

Repository View

./ba/03a5be-ddf6-4340-a1f9-1ad3f2c39ee6/1:
total 40
-rw-r--r-- 1 143 143 1543 Jun 26 2009 ICcaIRKhGHJ-TgUZv8GRKqkidR4.roa
-rw-r--r-- 1 143 143 1403 Jun 26 2009 cKxLCU94umS-qD4DOOkAK0M2US0.cer
-rw-r--r-- 1 143 143 485 Jun 26 2009 dSmerM6uJGLWMMQTl2esy4xyUAA.crl
-rw-r--r-- 1 143 143 1882 Jun 26 2009 dSmerM6uJGLWMMQTl2esy4xyUAA.mnf
-rw-r--r-- 1 143 143 1542 Jun 26 2009 nB0gDFtWffKk4VWgln-12pdFtE8.roa

A Repository Directory containing an RFC3779 Certificate, two ROAs, a CRL, and a manifest


Repository Use

• Pull down these files using a manifest-validating mechanism

• Validate the ROAs contained in the repository

• Communicate with the router marking routes “valid”, “invalid”, “unknown”

• Up to ISP to use local policy on how to route
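The route-marking step above, as an added example (not code from ARIN or the slides): it classifies BGP announcements against validated ROA entries using the covering-prefix, maxLength and origin-AS checks of RFC 6811, then applies a sample local policy. The second ROA, the announcements, the local-preference values and all names are assumptions made for illustration; the slides' "unknown" is what RFC 6811 calls "NotFound".

```python
import ipaddress
from typing import Iterable, List, NamedTuple, Tuple


class ROA(NamedTuple):
    prefix: str      # address block named in the ROA
    max_length: int  # longest prefix length the holder allows to be announced
    asn: int         # AS authorised to originate the block


# Constructed validator output. The first entry mirrors the ROA on the slides
# (AS65000 may originate 192.2.200.0/24); the second is invented for the demo.
VALIDATED_ROAS = [
    ROA("192.2.200.0/24", 24, 65000),
    ROA("10.1.0.0/16", 18, 65001),
]


def validate_origin(prefix: str, origin_asn: int,
                    roas: Iterable[ROA] = VALIDATED_ROAS) -> str:
    """Return "valid", "invalid" or "unknown" for one announcement."""
    route = ipaddress.ip_network(prefix, strict=True)
    covered = False
    for roa in roas:
        block = ipaddress.ip_network(roa.prefix, strict=True)
        # A ROA covers a route that equals its prefix or is more specific.
        if route.version != block.version or not route.subnet_of(block):
            continue
        covered = True
        # AS0 in a ROA means nobody may originate the block, so it never matches.
        if (roa.asn != 0 and roa.asn == origin_asn
                and route.prefixlen <= roa.max_length):
            return "valid"
    # Covered but unmatched means wrong origin AS or a too-specific prefix.
    return "invalid" if covered else "unknown"


# Sample local policy (an assumption): what the router does with each state.
LOCAL_POLICY = {
    "valid": "accept, local-pref 200",
    "unknown": "accept, local-pref 100",
    "invalid": "reject",
}


def route_decisions(announcements: Iterable[Tuple[str, int]],
                    roas: Iterable[ROA] = VALIDATED_ROAS
                    ) -> List[Tuple[str, int, str, str]]:
    """Pair every (prefix, origin AS) with its validation state and action."""
    roas = list(roas)
    decisions = []
    for prefix, asn in announcements:
        state = validate_origin(prefix, asn, roas)
        decisions.append((prefix, asn, state, LOCAL_POLICY[state]))
    return decisions


if __name__ == "__main__":
    # Constructed announcements covering each outcome.
    sample = [
        ("192.2.200.0/24", 65000),  # matches the slide's ROA
        ("192.2.200.0/24", 65010),  # right prefix, wrong origin AS
        ("192.2.200.0/25", 65000),  # more specific than maxLength allows
        ("10.1.64.0/18", 65001),    # within maxLength of the covering ROA
        ("10.2.0.0/18", 65001),     # no ROA covers this block
    ]
    for prefix, asn, state, action in route_decisions(sample):
        print(f"{prefix:18} AS{asn:<6} {state:8} {action}")
```

The more-specific /25 case is the one a ROA's maxLength exists to catch: the origin AS is correct, yet the route is still marked invalid.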


Possible Flow

• RPKI Web interface -> Repository

• Repository aggregator -> Validator

• Validated entries -> Route Checking

• Route checking results -> local routing decisions (based on local policy)

How you can use ARIN’s RPKI System?

• Hosted

• Hosted using ARIN’s RESTful service

• Delegated using Up/Down Protocol

Hosted RPKI

• Pros

– Easier to use

– ARIN managed

• Cons

– No current support for downstream customers to manage their own space (yet)

– Tedious through the UI if you have a large network

– We hold your private key

Hosted RPKI with RESTful Interface

• Pros

– Easier to use

– ARIN managed

– Programmatic interface for large networks

• Cons

– No current support for downstream customers to manage their own space (yet)

– We hold your private key

Delegated RPKI with Up/Down

• Pros

– Same as web delegated

– Follows the IETF up/down protocol

• Cons

– Extremely hard to set up

– Need to operate your own RPKI environment


Hosted RPKI in ARIN Online


Your ROA request is automatically processed and the ROA is placed in ARIN’s repository, accompanied by its certificate and a manifest. Users of the repository can now validate the ROA using RPKI validators.


Delegated with Up/Down

• You have to do all the ROA creation

• Need to set up a CA

• Have a highly available repository

• Create a CPS


Q&A

Life After IPv4 Depletion

Jon Worley – Analyst

Susan Hamlin, Director Communications & Member Services

Overview

• ARIN’s current IPv4 inventory

• Trends and observations

• Ways to obtain IP addresses post IPv4 depletion

– IPv4

– Transfers

– IPv6

Check on ARIN’s IPv4 Inventory

ARIN’s IPv4 inventory published on ARIN’s website: www.arin.net

Updated daily @ 12 am ET


Current IPv4 Inventory

• Space available to fill general IPv4 requests

• Excludes space held/reserved

• Over the past few years, ARIN has issued approximately 1 /8 equivalent per year

Available inventory: .16 /8 equivalent

Current IPv4 Prefix Inventory

Block Size (CIDR)    Number of Blocks Available
/11                  1
/14                  1
/16                  1
/17                  1
/19                  1
/20                  1
/21                  6
/22                  3
/23                  143
/24                  518

* as of 20 May 2015

Other IPv4 Inventory

• Quarantined space (60 day hold)

– ~19 /16 equivalents held in “quarantine” to clear filters (returned and revoked space)

• Reserved space

– 64 /16s (1 /10) for NRPM 4.10 “Dedicated IPv4 block to facilitate IPv6 Deployment”

– 218 /24s remaining in the /16 for NRPM 4.4 “Micro-allocation”

– ~8 /16 equivalents needing further research (reclaimed space that needs further chain of custody research)


IPv4 Reality Check

• Larger block sizes (/8, /9, /10) unavailable

• Blocks larger than /16 will be unavailable in the near future

• Soon after that, only /24s will remain

• Eventually, only blocks reserved for specific policies will remain in ARIN’s inventory

Post-IPv4 Depletion Options

• More efficient use of existing IPv4 resources

• IPv4 Wait List

• Specified Recipient and Inter-RIR Transfers

• Adopt IPv6

IPv4 Wait List

• If ARIN can’t fill your qualified request, you have the option to specify the smallest block size you’ll accept

• If available, your request will be filled and you’ll be unable to request additional addresses for 3 months

• If no block available between approved and smallest acceptable, you can be added to the IPv4 Wait List

How the IPv4 Wait List Works

• Oldest request filled first (based on approval date)

– E.g. - if ARIN gets a /16 back and the oldest request is for a /24, we issue a /24 to that org

• One approved request per organization on the list at a time

• Limit of one allocation or assignment every 3 months

How long will I have to wait?

• Space becomes available in several ways

– Return = voluntary

– Revoke = for cause (usually non-payment)

– IANA issued – per global policy for “post exhaustion IPv4 allocation mechanisms by IANA”

• 3.54 total /8s returned/revoked since 2005

• /11 (issued 5/14), /12 (issued 9/14) and /13 (issued in 3/15) by IANA to each RIR

• Demand will be far greater than availability


Transfers of IPv4 Addresses

• Mergers and Acquisitions (NRPM 8.2)

• Transfers to Specified Recipients (NRPM 8.3)

• Inter-RIR transfers (NRPM 8.4)

Transfers to Specified Recipients

• Allows orgs with unused IPv4 resources to transfer them to orgs in need of IPv4 resources

• Source

– Must be current registrant, no disputes

– Not have received addresses from ARIN for 12 months prior

– Ineligible for further addresses from ARIN for 12 months after

• Recipient

– Must demonstrate need for 24-month supply under current ARIN policy

Inter-RIR Transfers (NRPM 8.4)

• RIR must have reciprocal, compatible needs-based policies

– Currently APNIC, soon to be RIPE NCC

• Transfers from ARIN

– Source cannot have received IPv4 from ARIN 12 months prior to transfer or receive IPv4 for 12 months after transfer

– Must be current registrant, no disputes

– Recipient meets destination RIR policies

• Transfers to ARIN

– Must demonstrate need for 24-month supply under current ARIN policy

Page 113: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN

Pre-approval for Specified Recipient Transfers

• Pre-approval based on 24 month need

• Valid for 2 years

• Can use multiple transfers to fill need without being subject to re-verification


Page 114: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN

Specified Transfer Listing Service (STLS)

• Optional service intended to facilitate specified recipient and inter-RIR transfers

• All participants have access to each other’s contact information
  – Listers: have available IPv4 addresses
     • Resources must be covered under RSA/LRSA
  – Needers: looking for IPv4 addresses
     • Must be pre-approved under ARIN policy to be listed
  – Facilitators: available to help listers and needers find each other
• Public summary provided
  – Lists number of available and needed IPv4 address blocks

Page 115: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN

Tips for Faster Transfer Processing

• Make sure that all registration information is current and accurate

• Request pre-approval for your 24 month need

• Apply under the correct transfer policy

• Provide detailed information to support 24 month need


Page 116: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN

Summary

• ARIN will deplete its available IPv4 pool sometime this year
• No perfect solution
  – CGN = potential problems
  – Waiting list = uncertainty
  – Transfers = subject to market prices
  – IPv6 = transition effort
• Begin planning now

Page 117: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN
Page 118: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN

Automating Your Interactions with ARIN

Mark Kosters, Chief Technology Officer

Page 119: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN

Why Automate?

• Interact with ARIN faster
• Not dependent on ARIN’s systems for user interface issues
• Build a customized system using standards-based technologies
• Improved accuracy
• Integrate multiple services

Page 120: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN

Why Automate (continued)

• We have a rich set of interfaces
• Focused on reliability and completeness
• Welcome to share your tools with the community at projects.arin.net

Page 121: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN

REST – Service Summary

• ARIN’s RESTful Web Services (RWS)
  – Whois-RWS
     • Provides public Whois data via REST
  – Reg-RWS (or Registration-RWS)
     • Allows ARIN customers to register and maintain data in a programmatic fashion
  – Report Request/Retrieval Automation
     • Permits request and download of various ARIN data (subject to AUP)
  – RPKI using Reg-RWS

Page 122: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN

What is REST?

• Representational State Transfer
• As applied to web services
  – Defines a pattern of usage with HTTP to create, read, update, and delete (CRUD) data
  – “Resources” are addressable in URLs
• Very popular protocol model
  – Amazon S3, Yahoo & Google services, …

Page 123: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN

The BIG Advantage of REST

• Easily understood
  – Any modern programmer can incorporate it
  – Can look like web pages
• Re-uses HTTP in a simple manner
  – Many, many clients
  – Other HTTP advantages
• This is why it is very, very popular with Google, Amazon, Yahoo, Twitter, Facebook, YouTube, Flickr, …

Page 124: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN

What does it look like? Who can use it?

http://whois.arin.net/rest/poc/KOSTE-ARIN

• Where the data is: whois.arin.net/rest
• What type of data it is: poc
• The ID of the data: KOSTE-ARIN

It is a standard URL. Anyone can use it. Go ahead, put it into your browser.

Page 125: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN

Where can more information on REST be found?

• RESTful Web Services
  – O’Reilly Media
  – Leonard Richardson
  – Sam Ruby

Page 126: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN

Whois-RWS

• Publicly accessible, just like traditional Whois
• Searches and lookups on IP addresses, AS numbers, POCs, Orgs, etc.
• Very popular
  – As of October 2014, constitutes 65% of our query load
• For more information:
  – http://www.arin.net/resources/whoisrws/index.html

Page 127: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN

Whois Queries Per Second

[Chart: Whois queries per second, 2001-07 through 2014-05, y-axis 0 to 4000; series: RESTful and Port 43]

Page 128: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN

Registration RWS (Reg-RWS)

• Programmatic way to interact with ARIN
  – Intended to be used for automation
  – Not meant to be used by humans

• Useful for ISPs that manage a large number of SWIP records

• Requires an investment of time to achieve those benefits

Page 129: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN

Reg-RWS

• Requires an API Key
  – You generate one in ARIN Online on the “Web Account” page
• Permits you to register and manage your data (ORGs, POCs, NETs, ASes)
  – But only your data
• More information
  – http://www.arin.net/resources/restful-interfaces.html

Page 130: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN

Anatomy of a RESTful request

• Uses a URL (just like you would type into your browser)
• Uses a request type, known as a “method”, of GET, PUT, POST or DELETE
• Usually requires a payload
  – Adheres to a published structure
  – Depends upon the type of data
  – Depends upon the method
• Method, Payload, and XML schema info is found at “RESTful Provisioning Downloads”

Page 131: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN

Example – Reassign Detailed

• Your automated system issues a PUT command to ARIN using the following URL:

http://www.arin.net/rest/net/NET-10-129-0-0-1/reassign?apikey=API-1234-5678-9ABC-DEFG

The payload contains the following data:

    <net xmlns="http://www.arin.net/regrws/core/v1">
      <version>4</version>
      <comment></comment>
      <registrationDate></registrationDate>
      <orgHandle>HW-1</orgHandle>
      <handle></handle>
      <netBlocks>
        <netBlock>
          <type>A</type>
          <description>Reassigned</description>
          <startAddress>10.129.0.0</startAddress>
          <endAddress>10.129.0.255</endAddress>
          <cidrLength>24</cidrLength>
        </netBlock>
      </netBlocks>
      <parentNetHandle>NET-10-129-0-0-1</parentNetHandle>
      <netName>HELLOWORLD</netName>
      <originASes></originASes>
      <pocLinks></pocLinks>
    </net>

Page 132: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN

Example – Reassign Detailed

ARIN’s web server returns the following to your automated system:

    <net xmlns="http://www.arin.net/regrws/core/v1">
      <version>4</version>
      <comment></comment>
      <registrationDate>Tue Jan 25 16:17:18 EST 2011</registrationDate>
      <orgHandle>HW-1</orgHandle>
      <handle>NET-10-129-0-0-2</handle>
      <netBlocks>
        <netBlock>
          <type>A</type>
          <description>Reassigned</description>
          <startAddress>10.129.0.0</startAddress>
          <endAddress>10.129.0.255</endAddress>
          <cidrLength>24</cidrLength>
        </netBlock>
      </netBlocks>
      <parentNetHandle>NET-10-129-0-0-1</parentNetHandle>
      <netName>HELLOWORLD</netName>
      <originASes></originASes>
      <pocLinks></pocLinks>
    </net>
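The request and response on these two slides, as an added Python example that is not ARIN's code: it builds the reassign payload from a CIDR, refuses a block that falls outside the parent network, checks that the response echoes the block that was requested, and strips the API key from the URL before it is logged. The function names and the parent range 10.129.0.0/16 are assumptions; the handles, namespace and key placeholder are the slide's.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

NS = "http://www.arin.net/regrws/core/v1"  # namespace from the slide's payload
ET.register_namespace("", NS)              # serialize with a default xmlns, as on the slide

# Response body from the slide, trimmed to the elements this example reads.
SLIDE_RESPONSE = f"""<net xmlns="{NS}">
  <handle>NET-10-129-0-0-2</handle>
  <netBlocks><netBlock>
    <startAddress>10.129.0.0</startAddress>
    <endAddress>10.129.0.255</endAddress>
    <cidrLength>24</cidrLength>
  </netBlock></netBlocks>
  <parentNetHandle>NET-10-129-0-0-1</parentNetHandle>
</net>"""


def build_reassign_payload(parent_handle, parent_cidr, child_cidr, org_handle, net_name):
    """Build the <net> payload; refuse a block that is not inside the parent."""
    parent = ipaddress.ip_network(parent_cidr)
    child = ipaddress.ip_network(child_cidr)  # ValueError if host bits are set
    if child.version != parent.version or not child.subnet_of(parent):
        raise ValueError(f"{child} is not inside {parent}")

    def add(node, tag, text=None):
        el = ET.SubElement(node, f"{{{NS}}}{tag}")
        el.text = text
        return el

    net = ET.Element(f"{{{NS}}}net")
    add(net, "version", str(child.version))
    add(net, "comment")
    add(net, "registrationDate")
    add(net, "orgHandle", org_handle)
    add(net, "handle")  # empty in the request; filled in by the response on the slide
    block = add(add(net, "netBlocks"), "netBlock")
    add(block, "type", "A")
    add(block, "description", "Reassigned")
    add(block, "startAddress", str(child.network_address))
    add(block, "endAddress", str(child.broadcast_address))
    add(block, "cidrLength", str(child.prefixlen))
    add(net, "parentNetHandle", parent_handle)
    add(net, "netName", net_name)
    add(net, "originASes")
    add(net, "pocLinks")
    return ET.tostring(net, encoding="unicode")


def parse_reassign_response(xml_text, requested_cidr):
    """Return the new NET handle after checking the echoed block matches the request."""
    root = ET.fromstring(xml_text)
    ns = {"a": NS}
    handle = root.findtext("a:handle", default="", namespaces=ns)
    start = root.findtext("a:netBlocks/a:netBlock/a:startAddress", default="", namespaces=ns)
    length = root.findtext("a:netBlocks/a:netBlock/a:cidrLength", default="", namespaces=ns)
    if not handle or ipaddress.ip_network(f"{start}/{length}") != ipaddress.ip_network(requested_cidr):
        raise ValueError("response does not match the requested reassignment")
    return handle


def redact_api_key(url):
    """Replace the apikey query value so the URL can be written to logs."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k.lower() == "apikey" else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


if __name__ == "__main__":
    # 10.129.0.0/16 is an assumed parent range; the slide gives only the parent handle.
    print(build_reassign_payload("NET-10-129-0-0-1", "10.129.0.0/16", "10.129.0.0/24", "HW-1", "HELLOWORLD"))
    print(parse_reassign_response(SLIDE_RESPONSE, "10.129.0.0/24"))
```

Because the key travels in the query string, it appears in any access log, proxy log or shell history that records the full URL, which is why the redaction step sits next to the request code.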

Page 133: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN

Reg-RWS Has More Than Templates

• Only programmatic way to do IPv6 Reassign Simple

• Only programmatic way to manage Reverse DNS

• Only programmatic way to access your ARIN tickets

Page 134: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN

Reg-RWS Adoption

Meeting | Template | REST
ARIN 29 | 408383 | 40374
ARIN 30 | 595858 | 320197
ARIN 31 | 846943 | 841105
ARIN 32 | 1066037 | 3524124
ARIN 33 | 1311403 | 4296734
ARIN 34 | 1498204 | 4715231
ARIN 35 | 1749383 | 5034717

Page 135: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN

Testing Your Reg-RWS Client

• We offer an Operational Test & Evaluation environment for Reg-RWS
• Your real data, but isolated
  – Helps you develop against a real system without the worry that real data could get corrupted
• For more information:
  – http://www.arin.net/resources/ote.html

Page 136: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN

Obtaining RESTful Assistance

• http://www.arin.net/resources/restful-interfaces.html
• Pay attention to Method, Payload, and XML schema documents under “RESTful Provisioning Downloads”
• Or use ARIN Online’s Ask ARIN feature
• Or use the arin-tech-discuss mailing list
  – Make sure to subscribe
  – Someone on the list will help you ASAP
  – Archives on the web site
• Registration Services Help Desk telephone not a good fit
  – Debugging these problems requires a detailed look at the URL, method, and payload being used

Page 137: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN

Report Request/Retrieval

• For customer-specific data, access is restricted by user
  – Permits you to request and retrieve reports
  – But only your data
• For public services, you must first sign an AUP or TOU (Bulk Whois, Registered ASNs, WhoWas)
  – ARIN staff may review your need to access this data
• Requires an API Key

Page 138: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN

New Feature: RPKI thru Reg-RWS

• Delegated – very complex
• Hosted – easy but tedious if managing a large network through the UI
• Solution: Interface to sign ROAs using the RESTful API
  – Ease of Hosted
  – Programmatic way of managing a large number of ROAs

Page 139: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN

Whois-RWS and the Future

• Whois-RWS is ARIN’s RESTful interface to Whois.
  – RIPE also has a RESTful interface for Whois but it is not compatible
• IETF will hopefully be ratifying RDAP by the end of this year.
  – Will be supported by all 5 RIRs and some domain registries.

Page 140: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN

Q&A

Page 141: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN

Moving to IPv6

Mark Kosters, CTO

With some help from Geoff Huston

Page 142: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN

The Amazing Success of the Internet

• 2.92 billion users!
• 4.5 online hours per day per user!
• 5.5% of GDP for G-20 countries

[Figure: “Just about anything about the Internet” plotted against time]

Page 143: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN

Success-Disaster


Page 144: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN

The Original IPv6 Plan - 1995

[Figure: IPv4 Pool Size, Size of the Internet and IPv6 Deployment plotted against time, with the “IPv6 Transition – Dual Stack” period marked]

Page 145: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN

The Revised IPv6 Plan - 2005

[Figure: IPv4 Pool Size, Size of the Internet and IPv6 Deployment plotted against date (2004 to 2012), with the “IPv6 Transition – Dual Stack” period marked]

Page 146: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN

Oops!

We were meant to have completed the transition to IPv6 BEFORE we completely exhausted the supply channels of IPv4 addresses!

Page 147: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN

Today’s Plan

[Figure: IPv4 Pool Size, Size of the Internet and IPv6 Deployment plotted against time, with the IPv6 Transition and “Today” marked; labels “0.8%” and “?”]

Page 148: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN

Transition...

The downside of an end-to-end architecture:
  – There is no backwards compatibility across protocol families
  – A V6-only host cannot communicate with a V4-only host

We have been forced to undertake a Dual Stack transition:
  – Provision the entire network with both IPv4 AND IPv6
  – In Dual Stack, hosts configure the hosts’ applications to prefer IPv6 to IPv4
  – When the traffic volumes of IPv4 dwindle to insignificant levels, then it’s possible to shut down support for IPv4

Page 149: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN

Dual Stack Transition ...

We did not appreciate the operational problems with this dual stack plan while it was just a paper exercise:

• The combination of an end host preference for IPv6 and a disconnected set of IPv6 “islands” created operational problems
  – Protocol “failover” from IPv6 to IPv4 takes between 19 and 108 seconds (depending on the operating system configuration)
  – This is unacceptably slow
• Attempting to “bridge” the islands with IPv6-in-IPv4 tunnels created a new collection of IPv6 path MTU Discovery operational problems
  – There are too many deployed network paths containing firewall filters that block all forms of ICMP, including ICMP6 Packet Too Big
• Attempts to use end-host IPv6 tunneling also present operational problems
  – Widespread use of protocol 41 (IP-in-IP) firewall filters
  – Path MTU problems

Page 150: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN

Dual Stack Transition

Signal to the ISPs:

– Deploy IPv6 and expose your users to operational problems with IPv6 connectivity

Or

– Delay IPv6 deployment and wait for these operational issues to be solved by someone else

So we wait...


Page 151: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN

And while we wait...

The Internet continues its growth.

• And without an abundant supply of IPv4 addresses to support this level of growth, the industry is increasingly reliant on NATs:
  – Edge NATs are now the de facto choice for residential broadband services at the CPE
  – ISP NATs are now the de facto choice for 3G and 4G mobile IP services

Page 152: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN

What ARIN is hearing from the community

• Movement to IPv6 is slow
  – Progress is being made
  – ISPs carefully rolling out IPv6
• Lots of ISPs purchasing CGN boxes
• There is a market for IP space
  – Rent by month
  – Purchase outright

Page 153: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN

Why is there little immediate need for IPv6?

• Some of the claims are either not true or taken over by events
  – IPv6 gives you better security
  – IPv6 gives you better routing
• Some positive things
  – IPv6 allows for end-to-end networking to occur again
  – IPv6 has more address bits
  – It is cheaper per address

Page 154: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN

2003: Sprint

• T1 via Sprint

• Linux Router with Sangoma T1 Card

• OpenBSD firewall

• Linux-based WWW, DNS, FTP servers

• Segregated network, no dual stack (security concerns)

• A lot of PMTU issues

• A lot of routing issues

• Service did improve over the years


Page 155: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN

2004: Worldcom

• T1 via Worldcom in Equinix

• Cisco 2800 router

• OpenBSD firewall

• Linux-based ww6, DNS, FTP servers

• Segregated network, no dual stack (security concerns)

• A lot of PMTU Issues

• A lot of routing issues


Page 156: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN

2006: Equi6IX

• 100 Mbit/s Ethernet to Equi6IX

• Transit via OCCAID

• Cisco 2800 router

• OpenBSD firewall

• WWW, DNS, FTP, SMTP

• Segregated Network

• Some dual stack


Page 157: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN

2008: NTT / TiNet IPv6

• 1000 Mbit/s to NTT / TiNet
• Cisco ASR 1000 Router
• Brocade Load Balancers
  – IPv6 support was Beta
• DNS, Whois, IRR, more later
• Dual stack

Page 158: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN

Past Meeting Networks

• IPv6 enabled since 2005

• Tunnels to ARIN, others

• Testbed for transition technology

• NAT-PT (Cisco, OSS)

• CGN / NAT-lite

• IVI

• Training opportunity

• For staff & members


Page 159: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN

ARIN’s Current Challenges for Networking

• Dual-Stacked Internally
  – Challenges over time with our VPN (OpenVPN)
     • One interface works with v6
     • One does not
• Middleware Boxes
  – Claims do not support reality (“we support IPv6”) Yes, but…
  – No 1-1 feature set
  – Limits ARIN’s ability to support new services like https support for Whois-RWS

Page 160: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN

So why do the move to IPv6?

• IPv4 will get more expensive
• Move to IPv6 will happen when cost is too high for IPv4
• Don’t want to be caught with gear that will not support IPv6 before it is end-of-life
• Need to have some experience on IPv6

Page 161: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN

Call to Action for IPv6

• ISPs should do it now
• Universities should be teaching and making IPv6 available
• Businesses should be asking for IPv6 support for gear and services they purchase
  – Want to be available to all on the Internet
  – If only IPv4 – may miss some IPv6 clientele
• Application developers need to integrate IPv6 support

Page 162: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN

Call to Action for IPv6

• End users
  – May be behind CGN
     • Impacts speed and services
     • Don’t want to lose in those real-time games! (CoD gamers in particular)
  – Ask for IPv6 support
     • Faster
     • Better application support
     • Fewer support calls for IPv4

Page 163: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN

What is ARIN doing about it?


• What we see with Transfers based on market reality

• What we see with IPv6 Allocations

Page 164: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN

Trends and Observations

• Comparing the past 12 months over the 12 months prior:
  – 18% increase in IPv4 requests
  – 5% increase in Transfer requests
  – 8% decrease in IPv6 requests

Page 165: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN

Qualifying for IPv6 – a few definitions

• Allocate – Intention to assign/allocate to others

• Assign – Resting spot for that IP space

• ISPs – ones who allocate to other ISPs or assign to end-users

• End Users – assigned to themselves

Page 166: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN

For ISPs, qualifying for IPv6 is easy!

• Have a previous v4 allocation from ARIN OR
• Intend to multi-home OR
• Provide a technical justification which details at least 50 assignments made within 5 years

Page 167: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN

For end-users, qualifying for IPv6 is also easy!

• Have a v4 direct assignment OR
• Intend to multi-home OR
• Show how you will use 2000 IPv6 addresses or 200 IPv6 subnets within a year OR
• Technical justification as to why provider-assigned IPs are unsuitable

Page 168: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN

ISP Members with IPv4 and IPv6

4,960 ISP members as of 13 February 2015


Page 169: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN

IPv6 over time

[Chart: ARIN IPv6 Allocations and Assignments]

Page 170: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN

Get IPv6 from ARIN now!

Most organizations with IPv4 can get IPv6 without increasing their annual ARIN fees

Page 171: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN

Learn More

IPv6 Info Center: www.arin.net/knowledge/ipv6_info_center.html

www.GetIPv6.info

www.TeamARIN.net

Page 172: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN

Operational Guidance

www.InternetSociety.org/Deploy360/

www.NANOG.org/archives/

www.hpc.mil/cms2/index.php/ipv6-knowledge-base-general-info

bcop.NANOG.org


Page 173: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN

Q&A

Page 174: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN

Q&A / Open Mic Session

Page 175: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN

Apply now for ARIN 36 in Montréal

Page 176: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN

Fill out & submit the survey for your chance to win a $100 Best Buy Gift Card!

Page 177: Halifax, Ontario 21 May 2015. Wireless Access: SSID: Conference PW: ARIN

Happy Hour

4:30 PM  -  5:30 PM – Next door in Salon D

Sponsored by: