Pittsburgh, PA, 2 June 2016
Welcome. Here today from ARIN…
• Einar Bohlin, Public Policy Analyst
• Richard Jimmerson, CIO & Acting Director of Registration Services
• Andy Newton, Chief Engineer
• Chris Tacit, ARIN Advisory Council
Agenda
10:00 – 10:15 Welcome and Getting Started
10:15 – 10:45 ARIN: Mission, Role and Services
10:45 – 11:20 Security Overlays on Core Internet Protocols – DNSSEC
11:20 – 12:00 Life After IPv4 Depletion
Noon – 1:00 Lunch
1:00 – 1:30 ARIN Services and Tools
1:30 – 2:00 Policy Development Process
2:00 – 2:30 Security Overlays on Core Internet Protocols – Resource Certification (RPKI)
2:30 – 3:00 IPv6 Adoption – Where are we Now?
3:00 – 3:45 Q&A / Open Mic Session & Ask ARIN
(3:30 to 4:00 PM User Feedback Session)
Let’s Get Started!
• Self introductions
  – Name
  – Organization
  – I would like to learn more about “___________.”
ARIN and the RIR System: Mission, Role and Services
Richard Jimmerson, CIO & Interim Director of Registration Services, ARIN
What is an RIR?
A Regional Internet Registry (RIR) manages the allocation and registration of Internet number resources* in a particular region of the world.
*Internet number resources include IP addresses and autonomous system (AS) numbers.
Regional Internet Registries
Number Resource Organization
The NRO exists to protect the unallocated number resource pool, to promote and protect the bottom-up policy development process, and to act as a focal point for Internet community input into the RIR system.
IP Address and Autonomous System Number Provisioning Process
Not-for-profit Membership Organization
Community Regulated
• Fee for services, not number resources
• 100% community funded
• Open
• Broad-based
  – Private sector
  – Public sector
  – Civil society
• Community developed policies
• Member-elected executive board
• Open and transparent
RIR Structure
ARIN’s Mission
ARIN, a nonprofit member-based organization, supports the operation of the Internet by:
– managing Internet number resources throughout its service region;
– coordinating the development of policies by the community for the management of Internet Protocol number resources; and
– advancing the Internet through informational outreach.
ARIN’s Service Region
The ARIN Region includes many Caribbean and North Atlantic islands, Canada, the United States and outlying areas.
Who is the ARIN “community”?
Anyone with an interest in Internet number resource management in the ARIN region
The ARIN Community includes…
• 5,300+ members
• 20,000+ customers
• 80 professional staff
• 7 member Board of Trustees
  – elected by the membership
• 15 member Advisory Council
  – elected by the membership
• 3 person NRO Number Council
  – elected by the ARIN Community
ARIN Organizational Chart
ARIN Board of Trustees
• Paul Andersen, Vice Chair
• Vinton G. Cerf, Chair
• John Curran, President and CEO
• Timothy Denton, Secretary
• Aaron Hughes
• Bill Sandiford, Treasurer
• Bill Woodcock
ARIN Advisory Council:
• Dan Alexander, Chair
• Cathy Aronson
• Kevin Blumberg, Vice Chair
• Owen DeLong
• Andrew Dul
• David Farmer
• David Huberman
• Scott Leibrand
• Tina Morris
• Milton Mueller
• Amy Potter
• Leif Sawyer
• Robert Seastrom
• John Springer
• Chris Tacit
Primary facilitator of policy process
NRO Number Council
• 15 member body
  – 3 representatives from each RIR
• From ARIN:
  – Jason Schiller
  – Louie Lee
  – John Sweeting
• Fulfills role of the ICANN Address Supporting Organization Address Council
  – Global policy and ICANN Board Seats
2016 Operational Focus
• IPv4 to IPv6 Transition Awareness
  – Targeting ISPs and Content Providers
• Continued enhancements to ARIN Online
  – User interface improvements based on user feedback
• Focus on community suggested high impact software development projects
• Continued participation in Internet Governance forums
• Participation in IANA stewardship transition discussions
• Customer service improvements based on feedback and repeat customer satisfaction survey
ARIN Services and Products
ARIN Manages:
• Number Resources
  – IP address allocations & assignments
  – ASN assignment
  – Transfers
• Reverse DNS
• Directory services
  – Whois
  – Routing Information (Internet Routing Registry [IRR])
  – WhoWas
ARIN Services and Products
ARIN coordinates and administers:
• Policy Development
  – Community meetings
  – Discussion
  – Publication
• Elections
• Information publication and dissemination and public relations
• Community outreach
• Education and training
ARIN Services and Products
ARIN develops technologies for managing Internet number resources:
• ARIN Online
• DNS Security (DNSSEC)
• Resource Public Key Infrastructure (RPKI)
• Whois-RWS
• Provisioning and Maintenance of Registration Records (Reg-RWS)
• Registry Data Access Protocol (RDAP)
• Community Software Project Repository
Globalization of IANA Oversight
• March 2014 - US Government announced plans to transition oversight of IANA functions contract to global multistakeholder community
• March 2016 - ICANN submitted combined proposal from Domain Name, Number Resources and Protocol Parameters communities to US Government
• September 2016 - current IANA contract expires
• Successful transition of IANA Stewardship to the Internet community would be an important validation of the Internet’s multi-stakeholder governance model
Get 6 – Websites on IPv6
http://teamarin.net/infographic/
IPv6 Wiki
How to Participate in ARIN
• Attend Public Policy and Members Meetings & Public Policy Consultations
  – Remote participation available
• Apply for Meeting Fellowship
• Discuss policies on Public Policy Mailing List (ppml)
• Come to outreach events
• Subscribe to an ARIN mailing list
More Ways to Participate
• Give your opinion on community consultations
• Submit a suggestion
• Contribute to the IPv6 wiki
• Write a guest blog for TeamARIN.net
• Connect with us on social media
• Members – Vote in annual elections
Q&A
Security Overlays on Core Internet Protocols – DNSSEC
Andy Newton, Chief Engineer
Core Internet Protocols
• Two critical resources that are unsecured
  – Domain Name Servers
  – Routing
• Hard to tell if compromised
  – From the user point of view
  – From the ISP/Enterprise
DNS
How DNS Works
Question: www.arin.net A
1) Resolver asks the caching forwarder (recursive): www.arin.net A?
2) Caching forwarder asks a root-server: www.arin.net A?
   root-server answers: Ask gtld-server (+glue)
3) Caching forwarder asks the gtld-server: www.arin.net A?
   gtld-server answers: Ask arin-server (+glue)
4) Caching forwarder asks the arin-server: www.arin.net A?
   arin-server answers: 192.168.5.10
5) Caching forwarder adds the answer to its cache and returns 192.168.5.10 to the resolver
Why DNSSEC? What is it?
• Standard DNS (forward or reverse) responses are not secure
  – Easy to spoof
  – Notable malicious attacks
• DNSSEC attaches signatures
  – Validates responses
  – Can not spoof
Reverse DNS at ARIN
• ARIN issues blocks without any working DNS
  – Registrant must establish delegations after registration
  – Then employ DNSSEC if desired
• Just as susceptible as forward DNS if you do not use DNSSEC
Reverse DNS at ARIN
• Authority to manage reverse zones follows allocations
  – “Shared Authority” model
  – Multiple sub-allocation recipient entities may have authority over a particular zone
Changes completed to make DNSSEC work at ARIN
• Permit by-delegation management
• Sign in-addr.arpa. and ip6.arpa. delegations that ARIN manages
• Create entry method for DS Records
  – ARIN Online
  – RESTful interface
  – Not available via templates
• Key holders create and submit Delegation Signer (DS) records after securing their zones locally
• DNSSEC users should have signed a registration services agreement with ARIN to use these services
Reverse DNS in ARIN Online
First identify the network that you want to put Reverse DNS nameservers on…
…then enter the Reverse DNS nameservers…
DNSSEC in ARIN Online
…then apply the DS record to the delegation
Reverse DNS: Querying ARIN’s Whois
Query for the zone directly:
whois> whois -h whois.arin.net 136.136.192.in-addr.arpa
Name: 252.149.192.in-addr.arpa.
Updated: 2014-08-20
NameServer: SEC1.APNIC.NET
NameServer: NS1.ARIN.NET
NameServer: NS2.LACNIC.NET
NameServer: SEC1.AUTHDNS.RIPE.NET
NameServer: NS2.ARIN.NET
KeyTag: 18508
Algorithm: 5
DigestType: 1
Digest: 84A741F15E878A088F3884EBE1F0E56EA8599295
KeyTag: 18508
Algorithm: 5
DigestType: 2
Digest: A9B8659C7795166863DE6FEC47808B58ED0CC6ADB0AA5E25B8F46FE87D3D7CBA
Ref: https://whois.arin.net/rest/rdns/252.149.192.in-addr.arpa.
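The DS fields shown in that Whois output (KeyTag, Algorithm, DigestType, Digest) are derived from the child zone's DNSKEY exactly as RFC 4034 specifies, and a validating resolver re-derives them to link the parent's DS to the child's key. The Python below is an added example, not ARIN code: it computes the four fields from a constructed dummy DNSKEY (not a real key), performs that parent-to-child match, and parses the Whois DS lines; the owner name is reused from the output above and the parser is a helper assumed here for illustration.

```python
"""Compute and check DNSSEC Delegation Signer (DS) records (RFC 4034)."""
import hashlib
import struct

# DigestType values as they appear in ARIN's Whois output: 1 = SHA-1, 2 = SHA-256.
DIGEST_ALGORITHMS = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name: str) -> bytes:
    """Encode an owner name such as '252.149.192.in-addr.arpa.' in DNS wire
    format: lowercase, length-prefixed labels, terminated by a zero byte."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        encoded = label.encode("ascii")
        if not 1 <= len(encoded) <= 63:
            raise ValueError("label length out of range: %r" % label)
        wire += bytes([len(encoded)]) + encoded
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest = hash(owner name in wire format || DNSKEY RDATA), upper-case hex."""
    if digest_type not in DIGEST_ALGORITHMS:
        raise ValueError("unsupported DigestType %d" % digest_type)
    return DIGEST_ALGORITHMS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def ds_record(owner: str, rdata: bytes, digest_type: int) -> dict:
    """The four fields a key holder submits to ARIN for a signed delegation."""
    return {
        "KeyTag": key_tag(rdata),
        "Algorithm": rdata[3],  # algorithm byte follows flags (2) and protocol (1)
        "DigestType": digest_type,
        "Digest": ds_digest(owner, rdata, digest_type),
    }


def ds_matches_dnskey(ds: dict, owner: str, rdata: bytes) -> bool:
    """Chain-of-trust check a validating resolver performs: does the DS published
    in the parent zone identify this DNSKEY served by the child zone?"""
    return (
        ds["KeyTag"] == key_tag(rdata)
        and ds["Algorithm"] == rdata[3]
        and ds["Digest"].upper() == ds_digest(owner, rdata, ds["DigestType"])
    )


def parse_whois_ds(text: str) -> list:
    """Group KeyTag/Algorithm/DigestType/Digest lines from ARIN Whois output
    into one dict per DS record (a Digest line closes a record)."""
    records, current = [], {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key in ("KeyTag", "Algorithm", "DigestType"):
            current[key] = int(value)
        elif key == "Digest":
            current["Digest"] = value
            records.append(current)
            current = {}
    return records


# Constructed sample: a 4-byte dummy "public key", not a real DNSKEY.
SAMPLE_OWNER = "252.149.192.in-addr.arpa."
SAMPLE_RDATA = dnskey_rdata(flags=257, protocol=3, algorithm=8, public_key=bytes([1, 2, 3, 4]))

if __name__ == "__main__":
    for digest_type in (1, 2):
        print(ds_record(SAMPLE_OWNER, SAMPLE_RDATA, digest_type))
```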
DNSSEC in Zone Files
; File written on Mon Feb 24 17:00:53 2014
; dnssec_signzone version 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6
0.74.in-addr.arpa.      86400  IN NS   NS3.COVAD.COM.
                        86400  IN NS   NS4.COVAD.COM.
                        10800  NSEC    1.74.in-addr.arpa. NS RRSIG NSEC
                        10800  RRSIG   NSEC 5 4 10800 20140306210053 (
                                       20140224210053 57974 74.in-addr.arpa.
                                       oNk3GVaCWj2j8+EAr0PncqnZeQjm8h4w51nSD2VUi7YtR9FvYLF/j4KO+8qYZ3TAixb9c05c8EVIhtY1grXEdOm30zJpZyaoaODpbHt8FdWYvwup9Tq4oVbxVyuSNXriZ2Mq55IIMgDR3nATBLP5UClxUWkgvS/6poF+W/1H4QY= )
1.74.in-addr.arpa.      86400  IN NS   NS3.COVAD.COM.
                        86400  IN NS   NS4.COVAD.COM.
                        10800  NSEC    10.74.in-addr.arpa. NS RRSIG NSEC
                        10800  RRSIG   NSEC 5 4 10800 20140306210053 (
                                       20140224210053 57974 74.in-addr.arpa.
                                       DKYGzSDtIypDVcer5e+XuwoDW4auKy6G/OCVVTcfQGk+3iyy2CEKOZuMZXFaaDvXnaxey9R1mjams519Ghxp2qOnnkOw6iB6mR5cNkYlkL0hlu+IC4Buh6DqM4HbJCZcMXKEtWE0a6dMf+tHsa+5OV7ezX5LCuDvQVp6p0LftAE= )
0.121.74.in-addr.arpa.  86400  IN NS   DNS1.ACTUSA.NET.
                        86400  IN NS   DNS2.ACTUSA.NET.
                        86400  IN NS   DNS3.ACTUSA.NET.
                        86400  DS      46693 5 1 ( AEEDA98EE493DFF5F3F33208ECB0FA4186BD8056 )
                        86400  DS      46693 5 2 ( 66E6D421894AFE2AF0B350BD8F4C54D2EBA5DA72A615FE64BE8EF600C6534CEF )
                        86400  RRSIG   DS 5 5 86400 20140306210053 (
                                       20140224210053 57974 74.in-addr.arpa.
                                       n+aPxBHuf+sbzQN4LmHzlOi0C/hkaSVO3q1y6J0KjqNPzYqtxLgZjU+IL9qhtIOocgNQib9lgFRmZ9inf2bER435GMsa/nnjpVVWW/MBRKxfPcc72w2iOAMu2G0prtVT08ENxtu/pBfnsOZKnhCY8UOBOYLOLE5Whtk3XOuX9+U= )
                        10800  NSEC    1.121.74.in-addr.arpa. NS DS RRSIG NSEC
                        10800  RRSIG   NSEC 5 5 10800 20140306210053 (
                                       20140224210053 57974 74.in-addr.arpa.
                                       YvRowkdVDfv+PW42ySNUwW8S8jRyV6EKKRxe
…
Setting up DNSSEC at ARIN
• Create entry method for DS Records
  – ARIN Online
  – RESTful interface
  – Not available via templates
• Only key holders may create and submit Delegation Signer (DS) records
Reverse DNS: Querying ARIN’s Whois
Query for the zone directly:
whois> 81.147.204.in-addr.arpa
Name: 81.147.204.in-addr.arpa.
Updated: 2006-05-15
NameServer: AUTHNS2.DNVR.QWEST.NET
NameServer: AUTHNS3.STTL.QWEST.NET
NameServer: AUTHNS1.MPLS.QWEST.NET
Ref: http://whois.arin.net/rest/rdns/81.147.204.in-addr.arpa.
DNSSEC Validating Resolvers
• www.internetsociety.org/deploy360/dnssec/
• www.isc.org/downloads/bind/dnssec/
Reverse DNS Management and DNSSEC in ARIN Online
• Available on ARIN’s website: http://www.arin.net/knowledge/dnssec/
DNSSEC Statistics (ARIN 37)
Number of Orgs with DNSSEC: 134
Total Number of Delegations: 593,946
DNSSEC Secured Zones: 619
Percentage Secured: 0.1 %
Q&A
Life after IPv4 Depletion
Richard Jimmerson
Overview
• IPv4 depletion recap
• Post-depletion observations
• Post-depletion IPv4 options
  – IPv4 Waiting List
  – IPv4 Transfers
  – Dedicated IPv4 block to facilitate IPv6 deployment
• IPv6 deployment
IPv4 Address Space in ARIN Free Pool
[Chart: IPv4 address space remaining in the ARIN free pool, measured in /8s]
IPv4 Depletion Recap
• June 2015: IPv4 requests reach peak volume
  – 414 total requests
  – A mad rush for the last IPv4 blocks
• July 1st, 2015: First unmet IPv4 request
  – An org qualified for a block size that was no longer available
  – Within a few weeks, only single /24s remained in the free pool
• September 24th, 2015: Full IPv4 depletion
  – No IPv4 blocks available other than those reserved for specific policies
  – Significant drop in monthly # of IPv4 requests
IPv4 Requests – Past Year
[Chart: IPv4 requests per month, Mar-15 through Feb-16, scale 0 to 450; dashed lines mark when the waiting list was initiated and when IPv4 depletion occurred]
Reserved IPv4 Space
• /10 reserved to facilitate IPv6 deployment
• 2 /16s reserved for critical Internet infrastructure
  – Public exchange points
  – Core DNS service providers (excluding new gTLDs)
  – Regional Internet Registries
  – IANA
Post-IPv4 Depletion Observations
• IPv4 demand remains strong
• Lots of questions from customers
  – Not all aware we’ve reached full IPv4 depletion
  – Education needed on post-depletion options
• Keeping registration info current is essential
  – Increase in # of blocks targeted for hijacking
  – Blocks with bad org/contact info, especially legacy ones, are the biggest target
Post-IPv4 Depletion Options
• IPv4 Waiting List
• IPv4 Transfers
• Dedicated IPv4 block to facilitate IPv6 deployment
• IPv6 Adoption
IPv4 Waiting List
• Policy enacted first time ARIN did not have a contiguous block of addresses of sufficient size to fulfill a qualified request
  – Must qualify under current ARIN policy and request to be added to the list
  – Maximum approved size determined by ARIN
  – Minimum acceptable size specified by requester
  – One request per org on the list at a time
  – Limit of one allocation or assignment every 3 months
• Waiting List published on ARIN’s web site
  – Approximately /12 needed to fill all pending requests
  https://www.arin.net/resources/request/waiting_list.html
IPv4 Waiting List Growth
[Chart: number of requests on the waiting list, Jun-15 through Feb-16, scale 0 to 350; dashed lines mark when the waiting list was initiated and when IPv4 depletion occurred]
Transfers of IPv4 Addresses
3 ARIN Transfer Policies Available:
– Mergers and Acquisitions (NRPM 8.2)
  • Traditional transfer resulting from a merger, acquisition, or reorganization supported by legal documentation
– Transfers to Specified Recipients (NRPM 8.3)
  • IPv4 transfer from one organization to another that it specifies, supported by justified need (within region)
– Inter-RIR transfers to Specified Recipients (NRPM 8.4)
  • IPv4 market transfer from one organization to another that it specifies, supported by justified need (between regions)
Transfers to Specified Recipients (NRPM 8.3)
• Allows orgs with unused IPv4 resources to transfer them to orgs in need of IPv4 resources
• Source
  – Must be current registrant, no disputes
  – Not have received addresses from ARIN for 12 months prior
• Recipient
  – Must demonstrate need for 24-month supply under current ARIN policy
8.3 Transfers Completed
[Chart: 8.3 transfers completed per month, Mar-15 through Feb-16, scale 0 to 80; dashed lines mark when the waiting list was initiated and when IPv4 depletion occurred]
Inter-RIR Transfers (NRPM 8.4)
• RIR must have reciprocal, compatible needs-based policies
  – Currently APNIC and RIPE NCC
• Transfers from ARIN
  – Source cannot have received IPv4 from ARIN 12 months prior to transfer
  – Must be current registrant, no disputes
  – Recipient meets destination RIR policies
• Transfers to ARIN
  – Must demonstrate need for 24-month supply under current ARIN policy
Inter-RIR Transfers Completed
[Chart: inter-RIR transfers completed per month, Mar-15 through Feb-16, scale 0 to 10; dashed lines mark when the waiting list was initiated and when IPv4 depletion occurred]
Documentation Required for IPv4 Source
• Verification current registrant is active and in good standing within the ARIN region
  – If there was a merger or acquisition, an M&A transfer may be required before you can release your IPv4 addresses
• Notarized officer acknowledgement
• Additional items may be needed
IPv4 Recipient Documentation
– Utilization data for ARIN-issued IPv4 space
– Data to support 24 month projected need
  • Historical IPv4 utilization rate
  • New services/markets to be deployed
  • Customer growth projections
– Signed officer attestation certifying data is accurate
Useful Transfer Information
• ARIN cannot provide detailed information about your source/recipient partner’s status
  – Can provide general status (e.g. “we’re waiting on them to provide additional info”)
  – If you need details on what’s required, ask your source/recipient partner
• If you’re on the IPv4 waiting list, you’ll be removed if/when you receive IPv4 addresses via transfer
Pre-Approval for Recipients
• Optional free service to confirm your 24 month projected need for IPv4 addresses
  – Same documentation requirements as transfers
• Used to receive IPv4 addresses via specified or Inter-RIR transfers up to the pre-approved amount
  – Eliminates the need to re-justify need on each transfer
  – Good for 24 months from the pre-approval date
Specified Transfer Listing Service (STLS)
• Optional fee-based service to facilitate specified recipient and inter-RIR transfers
  – Sources have IPv4 addresses verified as available
  – Recipients have a verified need for IPv4 addresses
  – Facilitators arrange transfers between parties
• Approved participants can view detailed information for all other participants
• Public summary available on ARIN’s website
  – Available block sizes
  – # of source ORGs and approved block sizes
  – List of facilitators with contact information
Tips for Faster Transfer Processing
• Ensure all registration information is current
  – If not, we can help you get it up to date
  – Allows for faster processing when acting as a transfer source
• Request pre-approval
  – Ensures you know your approved block size when seeking a source for your IPv4 addresses
  – Allows for faster transfer process when you submit your transfer recipient ticket
• Provide detailed information to support 24-month need when submitting transfer/pre-approval
Reserved IPv4 Block for IPv6 Deployment Requirements
• Used to facilitate IPv6 deployment
• Need cannot be met from your existing ARIN IPv4 space
• Have an IPv6 block registered
• One /24 per organization every six months
IPv6 Deployment
IPv6 Requests – Past Year
[Chart: IPv6 requests per month, Mar-15 through Feb-16, scale 0 to 120; markers show when the waiting list was initiated and when IPv4 depletion occurred]
ARIN ISP Members with IPv4 and IPv6
[Chart] 5,268 total members as of 31 January 2016
Requesting IPv6 - ISPs
• Have a previous v4 allocation from ARIN or predecessor registry
OR
• Intend to IPv6 multi-home
OR
• Provide a technical justification which details at least 50 assignments made within 5 years
Data ARIN Will Typically Ask From ISPs
• If requesting more than a /32, a spreadsheet/text file with
  – # of serving sites (PoPs, datacenters)
  – # of customers served by largest serving site
  – Block size to be assigned to each customer (/48 typical)
Requesting IPv6 – End Users
• Have a v4 assignment from ARIN or predecessor registry
OR
• Intend to IPv6 multi-home
OR
• Use 2000 IPv6 addresses or 200 IPv6 subnets within a year
OR
• Have a contiguous network that has a minimum of 13 active sites within 12 months
OR
• Technical justification as to why provider-assigned IPs are unsuitable
Data ARIN Will Typically Ask From End users
• If requesting more than a /48, a spreadsheet/text file with
  – List of sites in your network
    • Site = distinct geographic location
    • Street address for each
  – Campus may count as multiple sites
    • Technical justification showing how they’re configured like geographically separate sites
IPv6 Info Center
www.arin.net/knowledge/ipv6_info_center.html
www.GetIPv6.info
www.TeamARIN.net
ARIN Technical Services
Andy Newton, Chief Engineer
Major Services
• ARIN Online
• Email (including templates)
• Directory Services
  – Whois
  – Whois-RWS
  – Registration Data Access Protocol (RDAP)
• Domain Name System (DNS)
  – Reverse DNS
  – DNS Security (DNSSEC)
• Internet Routing Registry (IRR)
• Resource Public Key Infrastructure (RPKI)
• Operational Test & Evaluation environment (OT&E)
Terms
• Resources
  – IP Addresses (Networks)
  – Autonomous System Numbers (ASNs)
• Organization
  – The legal entity holding resources
  – Shows up in Whois/RDAP
• Points of Contact
  – Associated with Organizations
  – Show up in Whois/RDAP
  – Tech, Admin, NOC, Abuse
• SWIP
  – “Shared Whois Project”
  – Registration of reassigned or reallocated networks in the ARIN registry
ARIN Online (www.arin.net)
What Can I Do in ARIN Online?
• Resource management (IPs/ASNs)
  – Requests and Transfers
  – Technical services (Reverse DNS/RPKI)
• Record management (POCs/Org IDs)
• Downloadable reports
  – Associations/reassignments/bulk Whois/WhoWas
• Billing & Payments
• Voting (Board, AC, NRO NC)
ARIN Online Usage
• 110290 accounts activated since inception through Q1 of 2016
[Chart: Number of Accounts Activated per year, 2008 through 2016*; * Through Q1 of 2016]
Active Usage of ARIN Online
[Chart: # of users by times logged in (0, 1, 2-5, 6-10, 11-15, >16 logins), scale 0 to 50000]
• Logins from inception through Q1 of 2016
• One user logged in 1,205,887 times!
Linking?
• Way of managing resources put into place before ARIN Online was unveiled
• A good set of videos at
  – https://www.youtube.com/user/teamarin
  – Teaches you how to:
    • Create an ARIN Online account
    • Create and manage POCs and Org IDs
    • Request transfers
Ask ARIN and Message Center
• Ask ARIN
  – A way to ask ARIN staff a question on the web
• Message Center
  – Tracks ticketed requests
  – Ticketed requests are things like resource requests and correspondence, RPKI notifications, reports
Reports
• Associations Report
  – POCs linked to your ARIN Online account, including roles served by these POCs for any associated Organization (Admin, Tech, Abuse, etc.)
  – Organization associated with your ARIN Online account
  – Network records (NETs) and Autonomous System Number records (ASNs) associated with your linked POCs, directly or via an associated Organization
Reports (Cont)
• User Reassignment Report
  – Reassignments/reallocations associated with your ARIN Online account via associated Organization
  – “Holes” in all Network records (NETs) associated with your ARIN Online account, where no reassignment or reallocation has been made
• Whowas
  – History of a resource
• Bulk Whois
  – Directory services information placed in files
• Reports are ticketed and delivered into your Message Center
Billing
• Pay bills
• Calculate fees
• View current and past-due invoices
REST Services
• Reg-RWS
  – SWIP
  – Reports
  – Manage DNS/RPKI
• Whois
  – RDAP (the new Whois)
  – Whois-RWS
What is REST?
• Representational State Transfer
• As applied to web services
  – defines a pattern of usage with HTTP to create, read, update, and delete (CRUD) data
  – “Resources” are addressable in URLs
• Very popular protocol model
  – Amazon S3, Yahoo & Google services, …
The BIG Advantage of REST
• Easily understood
  – Any modern programmer can incorporate it
  – Can look like web pages
• Re-uses HTTP in a simple manner
  – Many, many clients
  – Other HTTP advantages
• This is why it is very, very popular with Google, Amazon, Yahoo, Twitter, Facebook, YouTube, Flickr, …
What does it look like? Who can use it?
http://whois.arin.net/rest/poc/KOSTE-ARIN
• whois.arin.net – where the data is.
• poc – what type of data it is.
• KOSTE-ARIN – the ID of the data.
It is a standard URL. Anyone can use it. Go ahead, put it into your browser.
Where can more information on REST be found?
• RESTful Web Services
  – O’Reilly Media
  – Leonard Richardson
  – Sam Ruby
Email/Templates
• Before ARIN Online, only way of communicating with ARIN
• Now only
  – Reassignment information
  – Inter-RIR Transfers
  – Email Questions
• Lots of Spam
Reg-RWS Transactions (cumulative)
[Chart: cumulative Reg-RWS transactions by meeting, ARIN29 through ARIN37, scale 0 to 7,000,000, split into Template and REST]
Directory Services
• Whois
  – Resource Information as per RFC 812
• RDAP (the new Whois)
  – Resource Information as per RFCs 7480-7484
• Whois-RWS
  – RESTful Implementation of ARIN Whois
  – XML-based, proprietary
Registration Data Access Protocol (RDAP)
• Long, fancy, official-sounding name for a simple idea:
  – All the RIRs will now have a common query interface
  – Also will be used by many domain registries
Bootstrapping (RFC 7484)
• IANA will publish a set of JSON files containing IP Address, Autonomous System Number, and Domain Name allocations with URLs to authoritative servers.
  – Clients will be able to pre-determine where to initiate queries.
Bootstrapping In the Real World
[Diagram with participants Client, ARIN, APNIC and Bootstrap Server: the client asks the Bootstrap Server "45.65.1.1?" and receives JSON ("Ask ARIN"); the client asks ARIN "45.65.1.1?" and is referred ("Ask APNIC"); the client then asks APNIC "45.65.1.1?"]
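The client side of that bootstrap step, as an added example that is not ARIN's or IANA's code: it reads a bootstrap file in the RFC 7484 layout (a constructed sample with placeholder hostnames, not the real IANA registry), picks the most specific prefix entry that covers the queried address, prefers an https URL when an entry lists several, and forms the RDAP lookup URL. The longest-match rule is what steers 45.65.1.1 to the more specific entry, as in the diagram above.

```python
"""Pick the RDAP server for an IP address from an RFC 7484 bootstrap file."""
import ipaddress
import json

# Constructed sample in the layout of IANA's RFC 7484 bootstrap files: each
# "services" entry pairs a list of prefixes with a list of base URLs. The
# prefixes and hostnames are illustrative placeholders, not IANA data.
SAMPLE_BOOTSTRAP = json.dumps({
    "version": "1.0",
    "publication": "2016-06-02T00:00:00Z",
    "description": "constructed sample, not the IANA registry",
    "services": [
        [["45.0.0.0/8", "192.0.0.0/8"],
         ["http://rdap.arin.example/registry/", "https://rdap.arin.example/registry/"]],
        [["45.64.0.0/12"], ["https://rdap.apnic.example/"]],
        [["2001:db8::/32"], ["https://rdap.v6-rir.example/"]],
    ],
})


def bootstrap_entry(bootstrap_json: str, ip: str):
    """Return (prefix_length, urls) of the longest-matching entry, or None.
    RFC 7484 requires the most specific prefix to win, which is how a block
    transferred between RIRs is steered to its current registry."""
    address = ipaddress.ip_address(ip)
    best = None
    for prefixes, urls in json.loads(bootstrap_json)["services"]:
        for prefix in prefixes:
            network = ipaddress.ip_network(prefix, strict=False)
            if network.version != address.version or address not in network:
                continue
            if best is None or network.prefixlen > best[0]:
                best = (network.prefixlen, urls)
    return best


def rdap_base_url(bootstrap_json: str, ip: str):
    """Base URL to query for ip. RFC 7484 tells clients to prefer an https URL
    when an entry lists several. Returns None when no entry covers the address."""
    entry = bootstrap_entry(bootstrap_json, ip)
    if entry is None:
        return None
    urls = entry[1]
    https_urls = [u for u in urls if u.startswith("https://")]
    return (https_urls or urls)[0]


def rdap_query_url(bootstrap_json: str, ip: str):
    """Full RDAP lookup URL: <base>/ip/<address>, the RFC 7482 IP network path."""
    base = rdap_base_url(bootstrap_json, ip)
    if base is None:
        return None
    return base.rstrip("/") + "/ip/" + ip


if __name__ == "__main__":
    for ip in ("45.65.1.1", "45.1.1.1", "10.0.0.1"):
        print(ip, "->", rdap_query_url(SAMPLE_BOOTSTRAP, ip))
```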
DNS
• Provide Reverse DNS delegation management for IPv4 and IPv6
• This includes DNSSEC
• More Detail later
IRR
• Provides coarse routing information for routing filters
• Processed through templates sent via email
• Has a Whois interface using RPSL (RFC 2622)
• Documented at
  – https://www.arin.net/resources/routing/
OT&E (Operational Test & Evaluation)
• Lots of people test in production
  – Is not the best place to test
  – Things do get stuck – may impact others
  – Operational Test & Evaluation
• Goodness of OT&E
  – Place to test code
  – Place to test process
  – All services now under ote.arin.net except email
  – Need to register to participate
  – https://www.arin.net/resources/ote.html
RPKI
• We will talk about this in detail later
Feedback
• Users can notify us of Internet Number Resource Fraud and Whois Inaccuracy
• Can provide feedback on the application via the feedback button
• Suggestions through “ARIN Consultation and Suggestion Process” (ACSP)
Tools
• Lots of APIs
• You can build your own tools
• Some have shared their tools with others
• Repository for these tools
  – https://github.com/arineng
  – http://projects.arin.net
Q&A
ARIN’s Policy Development Process
Chris Tacit, ARIN Advisory Council
Overview
Basic steps
Major policy changes
A recent proposal
How to get involved
Policy Development Process (PDP) Steps
1) Proposal – Someone in the community thinks a policy can be improved and documents it
2) Draft Policy – Discussion on the list and possibly at meeting(s). Is there really a problem? Is this a good solution?
3) Recommended Draft Policy – More discussion and presentation at meeting(s). Does community support turning this into policy?
4) Last call
5) Board Review
6) Staff Implementation (NRPM)
If you submit a proposal, you can either leave it completely in the hands of the AC or keep participating along with the formal process.
Past Policy Changes: IPv6 Policy
Circa 2001: Initial IPv6 policy aligned with IPv4 at that time: conservation was important, small amounts issued for short periods, hierarchical distribution from upstreams, and no direct end user policy at all.
2003-2016: Dozens of proposals to improve IPv6 policy.
Changes included: Minimum allocation size increased (/35 to /32), larger allocations from IANA, policy for end users, community networks (mesh networks), assignment sizes from ISPs to customers (added /56s), larger amounts for ISPs and easier criteria, larger amounts for end users and easier criteria, bit boundary assignments and allocations, etc.
Past Policy Changes: Transfers
1997 thru 2007: Policy for Mergers and Acquisitions existed; everything else should go back to ARIN.
2007 thru 2016: Many proposals to improve transfers.
Changes included: Allow needs-based transfers of unused or underutilized address space between organizations via ARIN, increase supply period from one year to two, allow ASN transfers, allow Inter-RIR transfers, etc.
Still seeing proposals to make transfers easier: there are some who are trying to reduce the needs requirement, some want ARIN to simply record the transfers.
Recently Under Discussion
• ARIN-2015-5: Out of Region Use
  Would allow an organization to receive Internet number resources from ARIN for use out of region as long as the applicant is currently using at least the equivalent of a /22 of IPv4 space, /44 of IPv6, or 1 ASN within the ARIN service region.
• Earlier Abandoned Proposals
  – ARIN-2014-1: Out of Region Use
  – ARIN-2013-6: Allocation of IPv4 and IPv6 Address Space to Out-of-region Requestors
  – ARIN-2011-13: IPv4 Number Resources for Use Within Region
2015-5 continued
• ARIN-2015-5 presented at ARIN 36 in Oct 2015
• AC found draft to be fair, technically sound and supported and promoted to recommended state (late Oct 2015)
• Presented as Recommended Draft Policy at NANOG 66
• Last Call was 24 February thru 9 March 2016
• AC recommended Board adopt on 17 March
• Adopted as policy by the ARIN Board, 19 April
• Next step - Implementation by Staff (no later than 31 July 2016)
How Can You Get Involved?
Two ways to learn and be heard
1. Public Policy Mailing List
2. Public Policy Consultations/Meetings
   – ARIN meetings (April and October)
   – ARIN Public Policy Consultations at NANOG (twice a year, usually February and June)
   – Remote participation supported
Takeaways
1) ARIN doesn't create number policy, you do.
2) Well documented policy development process includes assistance from ARIN AC and staff throughout the process.
3) Stay informed. Join the policy list and/or attend meetings (in person or remotely).
References
Policy Development Process (PDP): http://www.arin.net/policy/pdp.html
Draft Policies and Proposals: http://www.arin.net/policy/proposals/index.html
Number Resource Policy Manual (NRPM): http://www.arin.net/policy/nrpm.html
Q&A
Security Overlays on Core Internet Protocols – RPKI
Andy Newton, Chief Engineer
Routing
Routing Architecture
• The Internet uses a two level routing hierarchy:
  – Interior Routing Protocols, used by each network to determine how to reach all destinations that lie within the network
  – Interior Routing protocols maintain the current topology of the network
  – Exterior Routing Protocol, used to link each component network together into a single whole
  – Exterior protocols assume that each network is fully interconnected internally
Exterior Routing: BGP
• BGP is a large set of bilateral (1:1) routing sessions
  – A tells B all the destinations (prefixes) that A is capable of reaching
  – B tells A all the destinations that B is capable of reaching
[Diagram: routers A and B with a BGP session between them, exchanging the prefixes 10.0.0.0/24, 10.1.0.0/16, 10.2.0.0/18 and 192.2.200.0/24]
What is RPKI?
• Resource Public Key Infrastructure
• Attaches digital certificates to network resources
– AS Numbers
– IP Addresses
• Allows ISPs to associate the two
– Route Origin Authorizations (ROAs)
– Can follow the address allocation chain to the top
What does RPKI accomplish?
• Allows routers or other processes to validate route origins
• Simplifies validation authority information
– Trust Anchor Locator
• Distributes trusted information
– Through repositories
Hierarchy of Resource Certificates
[Figure: certificate hierarchy. ICANN (0.0.0.0/0, 0::/0) at the top; below it the five RIRs: ARIN (128.0.0.0/8, 192.0.0.0/8), APNIC, RIPE NCC, LACNIC, AFRINIC; under ARIN, Regional ISP (128.177.0.0/16) and Other Small ISP (192.78.12.0/24); under Regional ISP, Some Small ISP (128.177.46.0/20)]
Route Origin Attestations
[Figure: the same certificate hierarchy (ICANN → ARIN, APNIC, RIPE NCC, LACNIC, AFRINIC → Regional ISP 128.177.0.0/16, Some Small ISP 128.177.46.0/20, Other Small ISP 192.78.12.0/24), with ROAs attached: 128.177.46.0/20 AS53659, 128.177.0.0/16 AS17025, 192.78.12.0/24 AS2000]
Current Practices
[Figure: the same certificate hierarchy, showing the ROAs as they are published in current practice: 128.177.0.0/16 AS17025, 192.78.12.0/24 AS2000, 128.177.46.0/20 AS53659]
What does RPKI Create?
• It creates a repository
– RFC 3779 (RPKI) Certificates
– ROAs
– CRLs
– Manifest records
Relationships
[Figure: relationships among the objects in an RPKI repository; the object contents shown in the figure are listed below]
• Certificate
– list of IP & ASN resources
– AIA, URI of the parent cert
– SIA, URI of the manifest
• Manifest (with its EE certificate)
– URI/hash of CRL
– URI/hash of all ROAs
– URI of all child certs
• CRL
– serial numbers of all revoked certs
• ROA
– ROA EE certificate
– ASN
– list of IP prefixes & max lengths
• Other labels in the figure: Child Cert, Parent Key, Parent Cert, Parent Manifest, Certificate Key; arrow types: "Signs" and "Points to (has URI for)"
Repository View
./ba/03a5be-ddf6-4340-a1f9-1ad3f2c39ee6/1:
total 40
-rw-r--r-- 1 143 143 1543 Jun 26 2009 ICcaIRKhGHJ-TgUZv8GRKqkidR4.roa
-rw-r--r-- 1 143 143 1403 Jun 26 2009 cKxLCU94umS-qD4DOOkAK0M2US0.cer
-rw-r--r-- 1 143 143  485 Jun 26 2009 dSmerM6uJGLWMMQTl2esy4xyUAA.crl
-rw-r--r-- 1 143 143 1882 Jun 26 2009 dSmerM6uJGLWMMQTl2esy4xyUAA.mnf
-rw-r--r-- 1 143 143 1542 Jun 26 2009 nB0gDFtWffKk4VWgln-12pdFtE8.roa
A Repository Directory containing an RFC3779 Certificate, two ROAs, a CRL, and a manifest
Repository Use
• Pull down these files using a manifest-validating mechanism
• Validate the ROAs contained in the repository
• Communicate with the router marking routes “valid”, “invalid”, “unknown”
• Up to ISP to use local policy on how to route
Possible Data Flow for Operations
• RPKI Web interface -> Repository
• Repository aggregator -> Validator
• Validated entries -> Route Checking
• Route checking results -> local routing decisions (based on local policy)
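The route-checking step above, as an added example (not ARIN's code nor any validator mentioned on these slides): RFC 6811 origin validation over validated ROA payloads built from the three ROAs drawn on the hierarchy slides, followed by an assumed local policy. The max lengths, the normalisation of 128.177.46.0/20 to 128.177.32.0/20, and the LOCAL_POLICY table are assumptions.

```python
import ipaddress
from typing import NamedTuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class VRP(NamedTuple):
    """Validated ROA Payload: one (prefix, max length, origin AS) triple."""
    prefix: Net
    max_length: int
    asn: int


def vrp(prefix: str, max_length: int, asn: int) -> VRP:
    # strict=False normalises 128.177.46.0/20 (host bits set on the slide)
    # to its network address 128.177.32.0/20.
    return VRP(ipaddress.ip_network(prefix, strict=False), max_length, asn)


# Constructed VRPs mirroring the ROAs drawn on the slides (sample data,
# not ARIN's repository). The max lengths are an assumption.
VRPS = [
    vrp("128.177.0.0/16", 16, 17025),
    vrp("128.177.46.0/20", 24, 53659),
    vrp("192.78.12.0/24", 24, 2000),
]


def validate_origin(prefix: str, origin_asn: int, vrps=VRPS) -> str:
    """RFC 6811 validation state for an announced (prefix, origin AS)."""
    route = ipaddress.ip_network(prefix, strict=False)
    covering = [v for v in vrps
                if v.prefix.version == route.version and route.subnet_of(v.prefix)]
    if not covering:
        return "unknown"      # no ROA covers this prefix at all
    for v in covering:
        if v.asn == origin_asn and route.prefixlen <= v.max_length:
            return "valid"    # some covering ROA authorises this origin
    return "invalid"          # covered, but wrong AS or too specific


# Assumed local policy (the slide leaves this to each ISP): reject invalid
# routes, prefer valid over unknown by LOCAL_PREF.
LOCAL_POLICY = {"valid": ("accept", 110), "unknown": ("accept", 100),
                "invalid": ("reject", None)}


def route_decision(prefix: str, origin_asn: int) -> tuple:
    state = validate_origin(prefix, origin_asn)
    action, local_pref = LOCAL_POLICY[state]
    return state, action, local_pref
```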
How Can You Use ARIN’s RPKI System?
• Hosted
– create ROAs through ARIN Online
– create ROAs using ARIN’s RESTful service
• Delegated using Up/Down Protocol
Hosted RPKI - ARIN Online
• Pros
– Easy to pick up and use
– ARIN managed
• Cons
– No current support for downstream customers to manage their own space
– Tedious through the UI if you have a large network
– We hold your private key
Hosted RPKI - RESTful Interface
• Pros
– Programmatic interface for large networks
– ARIN managed
• Cons
– No current support for downstream customers to manage their own space
– We hold your private key
Delegated RPKI with Up/Down
• Pros
– You safeguard your own private key
– Follows the IETF up/down protocol
• Cons
– Extremely hard to set up
– Need to operate your own RPKI environment
Hosted RPKI in ARIN Online
Your ROA request is automatically processed and the ROA is placed in ARIN’s repository, accompanied by its certificate and a manifest. Users of the repository can now validate the ROA using RPKI validators.
Delegated with Up/Down
• You have to do all the ROA creation
• Need to set up a Certificate Authority
• Have a highly available repository
• Create a CPS
RPKI Statistics
Periods: Oct 2012, Apr 2013, Oct 2013, Apr 2014, Oct 2014, Apr 2015, Oct 2015, Apr 2016
Certified Orgs: 47, 68, 108, 153, 187, 220, 250
ROAs: 19, 60, 106, 162, 239, 308, 338, 370
Covered Resources: 30, 82, 147, 258, 332, 430, 482, 528
Up/Down Delegated: 0, 0, 0, 1, 2, 1
Q&A
IPv6 Adoption: Where Are We Now?
Andy Newton, Chief Engineer
Richard Jimmerson, Chief Information Officer
The Amazing Success of the Internet
• 2.92 billion users!
• 4.5 online hours per day per user!
• 5.5% of GDP for G-20 countries
[Figure: "Just about anything about the Internet" plotted against Time]
The Original IPv6 Plan - 1995
[Figure: IPv6 Deployment, IPv6 Transition – Dual Stack, IPv4 Pool Size and Size of the Internet plotted against Time]
The Revised IPv6 Plan - 2005
[Figure: the same curves (IPv6 Deployment, IPv6 Transition – Dual Stack, IPv4 Pool Size, Size of the Internet) plotted against Date, 2004 to 2012]
Oops!We were meant to have completed the transition to IPv6 BEFORE we completely exhausted the supply channels of IPv4 addresses!
Today’s IPv6 Plan
[Figure: IPv6 Deployment, IPv4 Pool Size, Size of the Internet and IPv6 Transition (0.8%) plotted against Time, marked "Today" and "?"]
Transition...
The downside of an end-to-end architecture:
– There is no backwards compatibility across protocol families
– A V6-only host cannot communicate with a V4-only host
We have been forced to undertake a Dual Stack transition:
– Provision the entire network with both IPv4 AND IPv6
– In Dual Stack, hosts configure the hosts’ applications to prefer IPv6 to IPv4
– When the traffic volumes of IPv4 dwindle to insignificant levels, then it’s possible to shut down support for IPv4
Dual Stack Transition ...
We did not appreciate the operational problems with this dual stack plan while it was just a paper exercise:
• The combination of an end host preference for IPv6 and a disconnected set of IPv6 “islands” created operational problems
– Protocol “failover” from IPv6 to IPv4 takes between 19 and 108 seconds (depending on the operating system configuration)
– This is unacceptably slow
• Attempting to “bridge” the islands with IPv6-in-IPv4 tunnels created a new collection of IPv6 path MTU Discovery operational problems
– There are too many deployed network paths containing firewall filters that block all forms of ICMP, including ICMP6 Packet Too Big
• Attempts to use end-host IPv6 tunneling also present operational problems
– Widespread use of protocol 41 (IP-in-IP) firewall filters
– Path MTU problems
Dual Stack Transition
Signal to the ISPs:
– Deploy IPv6 and expose your users to operational problems with IPv6 connectivity
Or
– Delay IPv6 deployment and wait for these operational issues to be solved by someone else
So we wait...
And while we wait...
The Internet continues its growth.
• And without an abundant supply of IPv4 addresses to support this level of growth, the industry is increasingly reliant on NATs:
– Edge NATs are now the de facto choice for residential broadband services at the CPE
– ISP NATs are now the de facto choice for 3G and 4G mobile IP services
What is ARIN Hearing from the Community About IPv6?
• Movement to IPv6 is slow, but progress being made
– ISPs slowly rolling out IPv6
– Steady increase in IPv6 traffic
– Increase in IPv6 requests
– IPv6 entertainment offerings may be a driver
• Still high demand for IPv4
– Many ISPs purchasing CGN boxes
– More turning to the IPv4 market
• Rent by month
• Purchasing space outright (costs will increase)
What will be the tipping point?
• CGNs running V4
– Cost per IP will rise based on…
– Cost of device and support
• Why does <insert service here> not work?
• Gamers have a need for speed
• User base that supports V6
• Social Effect
ARIN’s Network
• We eat our own dogfood
• Every new service must have v6
• Evolution on v6 to a robust infrastructure
• Have had challenges getting robustness
ARIN’s Current Challenges for Networking
• Dual-Stacked Internally
– Challenges over time with our VPN (OpenVPN)
• One interface works with v6
• One does not
• Middleware Boxes
– Claims do not support reality (“we support IPv6”) Yes, but…
– No 1-1 feature set
– Limits ARIN’s ability to support new services like https support for Whois-RWS
However, there is some good news for the future...
Google’s IPv6 Traffic Growing
> 25% of US customers connected to Google via IPv6 - up from 10% one year ago today & growing rapidly
Facebook
• Over 10% of the world uses Facebook over IPv6
[Figure: share of Facebook users on IPv6, from 1% on 6/6/2012 to over 10% in 2015]
Global IPv6 Status
[Figure: Percentage of Members with IPv6]
IPv6 Blocks Issued Over Time
[Figure: ARIN IPv6 Allocations and Assignments, 2006 to 2015, bar chart of EU (end user) and ISP blocks, y-axis 0 to 3000]
ARIN ISP Members with IPv4 and IPv6
5,268 total members as of 31 January 2016
IPv6 Requests – Past Year
[Figure: monthly IPv6 requests, Mar-15 to Feb-16, y-axis 0 to 120, annotated "waiting list initiated" and "IPv4 depletion"]
Why Move to IPv6 Now?
• Being IPv4-only has costs
– Transfer market, latency, CGN boxes, NAT
• Many operational issues solved by early adopters
• If not IPv6, then what?
Requesting IPv6 - ISPs
• Have a previous v4 allocation from ARIN or predecessor registry
OR
• Intend to IPv6 multi-home
OR
• Provide a technical justification which details at least 50 assignments made within 5 years
Data ARIN Will Typically Ask For - ISPs
• If requesting more than a /32, a spreadsheet/text file with
– # of serving sites (PoPs, datacenters)
– # of customers served by largest serving site
– Block size to be assigned to each customer (/48 typical)
Requesting IPv6 – End Users
• Have a v4 assignment from ARIN or predecessor registry
OR
• Intend to IPv6 multi-home
OR
• Use 2000 IPv6 addresses or 200 IPv6 subnets within a year
OR
• Have a contiguous network that has a minimum of 13 active sites within 12 months
OR
• Technical justification as to why provider-assigned IPs are unsuitable
Data ARIN Will Typically Ask For - End Users
• If requesting more than a /48, a spreadsheet/text file with
– List of sites in your network
• Site = distinct geographic location
• Street address for each
– Campus may count as multiple sites
• Technical justification showing how they’re configured like geographically separate sites
Your IPv6 Checklist
☐ Get your IPv6 address space
☐ Set up IPv6 connectivity (native or tunneled)
☐ Configure your operating systems, software, and network management tools
☐ Upgrade your router, firewall, and other hardware
☐ Get your IT staff training
☐ Enable IPv6 on your website
Talk to Your ISP About IPv6 Services
• You want access to the entire Internet!
– ISPs must connect customers via IPv4 only, IPv4-IPv6, and IPv6 only
– They must plan for IPv4-IPv6 transition services
• Many transition technologies available
• Research options and make architectural decisions
Dual-stack Your Network
– IPv6 not backwards compatible with IPv4
– Both will run simultaneously for years
Make Your Servers Reachable Over IPv6
– Mail, Web, Applications
– Operating systems, software, and network management tools
Audit Your Equipment and Software
– Are your devices and applications IPv6 ready?
Encourage Vendors to Support IPv6
– If not already, when will IPv6 support be part of their product cycle?
Get IPv6 Training for Staff
– Free resources available
Enable IPv6 on Your Website
Steps To Get Your Website IPv6-Enabled
TeamARIN.net/get6
Operational Guidance
www.NANOG.org/archives/
http://nabcop.org/index.php/Main_Page
http://www.internetsociety.org/deploy360/
http://www.intgovforum.org/cms/best-practice-forums/2015-bpf-outs
Internet Governance Forum – Enabling Environment for IPv6 Adoption
IPv6 Info Centerwww.arin.net/knowledge/ipv6_info_center.html
www.GetIPv6.info
www.TeamARIN.net