Louisville, Kentucky 11 September 2012 ARIN Speakers • Einar Bohlin, Senior Policy Analyst • Tim Christensen, Quality Assurance Manager • Jon Worley, Senior Resource.


Louisville, Kentucky

11 September 2012

ARIN Speakers

Einar Bohlin, Senior Policy Analyst • Tim Christensen, Quality Assurance Manager • Jon Worley, Senior Resource Analyst

Special Guest

Bill Darte, ARIN Advisory Council

Today’s Agenda

• ARIN and Internet Governance
• Requesting and Managing Internet Number Resources
• Automating Your Interactions with ARIN
• IPv4 Depletion and IPv6 Adoption in the ARIN Region
• Number Resource Policies and Procedures
• Networking Lunch
• ARIN’s Policy Development Process
• Current Number Resource Policy Discussions
• Securing DNS and Routing: DNSSEC and RPKI
• IPv4 Transfer Market
• Why Participate in the ARIN Community?
• Q&A / Open Mic Session

Let’s Get Started!

• Self introductions
  – Name
  – Organization
• Suggestions for discussion topics
  – ARIN topic that you are especially interested in

ARIN and Internet Governance

Einar Bohlin

Senior Policy Analyst

What is an RIR?

• An RIR is an organization that manages the allocation and registration of Internet number resources within a particular region of the world.
  – Internet number resources include IP addresses and autonomous system (AS) numbers.

Regional Internet Registries

Historical Timeline

Historical Timeline

RIR Structure

Not-for-profit

• Fee for services, not number resources
• 100% community funded

Membership Organization

• Broad-based
  – Private sector
  – Public sector
  – Civil society

Community Regulated

• Community developed policies
• Member-elected executive board
• Open and transparent

RIR Services

Number Resources

• IP address allocation & assignment
• ASN assignment
• Directory services
  – Whois
  – IRR
• Reverse DNS

Organization

• Elections
• Meetings
• Information dissemination
  – Website
  – Newsletters
  – Roundtables
• Training

Policy Development

• Maintain email discussion lists
• Conduct public policy meetings
• Publish policy documents

Number Resource Organization

The NRO exists to protect the unallocated number resource pool, to promote and protect the bottom-up policy development process, and to act as a focal point for Internet community input into the RIR system.

Who Provisions IP Addresses & ASNs?

ICANN / IANA

• Top level technical coordination of the Internet (Names, Numbers, Root Servers)
• Manage global unallocated IP address pool
• Allocate number resources to RIRs

RIR

• Manage regional unallocated IP address pool
• Allocate number resources to ISPs/LIRs
• Assign number resources to End-users

ISP/LIR

• Manage local IP address pool for use by customers and for infrastructure
• Allocate number resources to ISPs
• Assign number resources to End-users

Number Resource Provisioning Hierarchy

[Diagram: ICANN / IANA (Internet Assigned Numbers Authority), "Manage global unallocated IP address pool"; RIRs (AfriNIC, APNIC, ARIN, LACNIC, RIPE NCC), "Manage regional unallocated IP address pool"; ISPs; End Users. Arrow labels: Allocate, Re-Allocate, Assign, Re-Assign.]

"Applying the principles of stewardship, ARIN, a nonprofit corporation, allocates Internet Protocol resources; develops consensus based policies; and facilitates the advancement of the Internet through information and educational outreach."

About ARIN

• One of five Regional Internet Registries (RIRs)
• Established December 1997
• Provides services related to the technical coordination and management of Internet number resources
• Is a non-profit, community-based organization governed by a member-elected executive board

ARIN’s Service Region

ARIN’s region includes Canada, many Caribbean and North Atlantic islands, and the United States.

ARIN Structure

ARIN’s Core Services

• Like the other RIRs, ARIN:
  – Allocates and assigns Internet number resources
  – Maintains Whois, in-addr.arpa, and other technical services
  – Facilitates policy development
  – Provides training, education and outreach
  – Participates in the global Internet community

2012 Community Outreach Events

Upcoming Events include:
  – Caribbean Telecommunications Union ICT Roadshow – Barbados
  – ARIN on the Road (Louisville, Minneapolis)
  – Interop New York
  – ICANN 45
  – NANOG 56
  – Canadian ISP Summit

Internet Governance

Q&A

Requesting & Managing Internet Number Resources

Jon Worley

Senior Resource Analyst

Overview

• Request and Manage Number Resources
  – Recently Added ARIN Online Functionality
  – RESTful Provisioning
• Recently Implemented Policies
• Status of IPv4
• Future Services

Major Changes in Functionality

1) Resource Requests
2) POC Validation
3) Reverse DNS Zone Management
4) DNSSEC
5) View Invoices
6) WhoWas

Requesting IP addresses & ASNs

• Via ARIN Online only
• Officer attestation for IP requests now done via a signed form (instead of email)
• Can no longer specify resource POCs or reverse DNS delegation in request

Annual POC Validation

• Annual validation of each POC handle required (NRPM 3.6)
• If an ARIN Online account is linked to any POC that has been unvalidated for 60+ days, the system forces validation by preventing the account from performing normal actions.

Reverse DNS

• All reverse zones managed individually now
• All zone management takes place inside ARIN Online or via REST calls (no templates!)

Reverse DNS in ARIN Online

Reverse DNS in ARIN Online

Querying ARIN’s Whois

Query for the zone directly:

whois> 81.147.204.in-addr.arpa

Name: 81.147.204.in-addr.arpa.
Updated: 2006-05-15
NameServer: AUTHNS2.DNVR.QWEST.NET
NameServer: AUTHNS3.STTL.QWEST.NET
NameServer: AUTHNS1.MPLS.QWEST.NET
Ref: http://whois.arin.net/rest/rdns/81.147.204.in-addr.arpa.

Reverse DNS

ARIN issues blocks without any working DNS

– Must establish delegations after registration

Reverse DNS

Authority to manage reverse zones follows SWIP

– “Shared Authority” model

Reverse DNS - Shared Authority

Joe’s Bar and Grill has reassigned a /24 to HELLO WORLD. Both can manage the /24 zone.

DNSSEC

• Same interface as reverse DNS
• DS records generated by user
• Zone must have nameservers before you can add DS records

1) Paste DS Record
2) Parse DS Record
3) Apply

View Invoices

• Can now view paid and open invoices via ARIN Online
• Goes back 2 years
• Available to Admin, Tech, and Billing POC

WhoWas

• Made publicly available in March 2012
• Historical Information for registration of IP addresses and AS numbers
• Provided as a series of TSV files in .zip
• Requires agreement to WhoWas ToU

Template Changes

• Resource request templates deprecated
• Transfers and SWIPs still done with templates
• API key required to authorize processing
  – Generated via ARIN Online
  – http://www.arin.net/features/api_keys.html

Routing Registry Upgrade

• New software deployed 9/29/2011
• Support for MD5-PW and PGP authentication
• Mail-from works a little differently
  – If you encounter problems, contact us directly for a manual upgrade

Q&A

Automating Your Interactions with ARIN

Tim Christensen

Quality Assurance Manager

REST – The New Services

• Three RESTful Web Services
  – Whois-RWS
    • Exposes our public Whois data via REST
  – Reg-RWS (or Registration-RWS)
    • Registration and maintenance of your data in a programmatic fashion
  – Bulk Whois
    • Download of Bulk Whois is now done RESTfully

What is REST?

• Representational State Transfer
• As applied to web services
  – Defines a pattern of usage with HTTP to create, read, update, and delete (CRUD) data
  – “Resources” are addressable in URLs
• Very popular protocol model
  – Amazon S3, Yahoo & Google services, …

The BIG Advantage of REST

• Easily understood
  – Any modern programmer can incorporate it
  – Can look like web pages
• Re-uses HTTP in a simple manner
  – Many, many clients
  – Other HTTP advantages
• This is why it is very, very popular with Google, Amazon, Yahoo, Twitter, Facebook, YouTube, Flickr, …

What does it look like?

And who can use it?

Where the data is.

What type of data it is.

The ID of the data.

It is a standard URL.

Go ahead, put it into your browser.

Where can more information on REST be found?

RESTful Web Services

– O’Reilly Media
– Leonard Richardson
– Sam Ruby

Whois-RWS

• Publicly accessible, just like traditional Whois
• Searches and lookups on IP addresses, AS numbers, POCs, Orgs, etc…
• Very popular
  – As of March 2012, constitutes 60% of our query load
• For more information:
  – http://www.arin.net/resources/whoisrws/index.html

Registration RESTful Web Service (Reg-RWS)

• Programmatic way to interact with ARIN
  – Intended to be used for automation
  – Not meant to be used by humans
• Useful for ISPs that manage a large number of SWIP records
• Requires an investment of time to achieve those benefits

Reg-RWS

• Requires an API Key
  – You generate one in ARIN Online
• Register and manage your data
  – But only your data
• More information
  – http://www.arin.net/resources/restful-interfaces.html
  – We are working on enhanced documentation – to be released soon

Example – Reassign Detailed

Your automated system issues a PUT call to ARIN using the following URL:

http://www.arin.net/rest/net/NET-10-129-0-0-1/reassign?apikey=API-1234-5678-9ABC-DEFG

The call contains the following data: 4 HW-1 A Reassigned 10.129.0.0 10.129.0.255 24 NET-10-129-0-0-1 HELLOWORLD

Example – Reassign Detailed

ARIN’s web server returns the following to your automated system (reg date and net handle added):

4 Tue Jan 25 16:17:18 EST 2011 HW-1 NET-10-129-0-0-2 A Reassigned 10.129.0.0 10.129.0.255 24 NET-10-129-0-0-1 netName>HELLOWORLD

Reg-RWS Has More Than Templates

• Only programmatic way to do IPv6 Reassign Simple
• Only programmatic way to manage Reverse DNS
• Only programmatic way to access your ARIN tickets

Testing Your Reg-RWS Client

• We offer an Operational Test & Evaluation environment for Reg-RWS
• Your real data, but isolated
  – Helps you develop against a real system without the worry that real data could get corrupted.
• For more information:
  – http://www.arin.net/announcements/2011/20110215.html

Obtaining RESTful Assistance

• ARIN Online’s Ask ARIN feature
• arin-tech-discuss mailing list
  – Make sure to subscribe
  – Someone on the list will help you ASAP
  – Archives on the web site
• Registration Services Help Desk telephone not a good fit
  – Debugging these problems requires a detailed look at the method, URL, and payload being used

Bulk Whois

• You must first sign an AUP
  – ARIN staff will review your need to access bulk Whois data
• Also requires an API Key
• More information
  – http://www.arin.net/resources/request/bulkwhois.html

Q&A

IPv4 Depletion and IPv6 Adoption in the ARIN Region

Jon Worley

Senior Resource Analyst

Inventory Report

• IANA IPv4 free pool now exhausted
  – ARIN received its last /8 from IANA in mid February
• At that time, ARIN had ~5.49 /8 equivalents in its available pool
• Daily inventory published on ARIN’s web site
  – Now includes CIDR breakdown

ARIN’s IPv4 Inventory

• As of 6 September 2012, ARIN has 3.03 /8s of IPv4 addresses remaining
• IPv4 inventory published on ARIN’s website: www.arin.net
• Updated daily @ 8PM ET

ARIN 2012 Requests for IPv4 Address Space

(by category)

2012 IPv4 Delegations Issued by ARIN

(listed in /24s)

IPv4 ISP Annual Burn Rate

[Chart; axis: # /24s issued]

ARIN’s IPv4 Free Pool

[Chart; axis: /8 equivalents]

Corrected IPv4 Free Pool

[Chart; axis: /8 equivalents]

Linear Depletion Projection

[Chart; axis: /8 equivalents]

Run On The Bank Projection

ARIN’s IPv4 Countdown Plan

• Phased implementation
• Phase 2: 3 /8 Equivalents Left
  – /16 and larger requests team-reviewed in a first in, first out fashion
  – 60 days to complete payment/RSA for IPv4 requests
  – IPv4 hold period moves from 6 to 3 months

ARIN’s IPv4 Countdown Plan

• Phase 3: 2 /8 Equivalents Left
  – Examine process changes implemented in phase 2 and adjust as necessary
• Phase 4: 1 /8 Equivalent Left
  – All IPv4 requests team-reviewed and processed on a first in, first out basis
  – IPv4 hold period drops to 1 month

IPv4 Waiting List

• Starts when ARIN can’t fill a justified request
• Option to specify smallest acceptable size
• If no block available between approved and smallest acceptable size, option to go on the waiting list
• May receive only one allocation every three months

IPv4 Churn

• IPv4 addresses go back into ARIN’s free pool 3 ways
  – Return = voluntary
  – Revoke = for cause (usually nonpayment)
  – Reclaimed = fraud or business dissolution
• 3.54 /8s received back since 2005
  – /8 equivalent returned to IANA in 2012

Burn Rate vs. Churn Rate

[Chart, 2005 to 2011; series: # /24s received back, # /24s issued]

ARIN 2012 IPv6 Address Allocations & Requests

IPv4 vs IPv6 Subscribers

Total of 4,190 ISP Subscriber Members

*as of 6 Sept 2012

ISP Members with IPv4 and IPv6

IPv4-only and IPv4+v6 ISPs

Quarter   % IPv4 Only   % IPv4 and IPv6
2010Q1    80%           20%
2010Q3    75%           25%
2011Q1    70%           30%
2011Q3    66%           34%
2012Q1    64%           36%

The Solution to IPv4 Depletion

• IPv6 must be adopted for continued internet growth
• Now is the time to deploy IPv6

Interest in IPv6

ARIN IPv6 Address Requests

IPv6 on the Rise

ARIN IPv6 Allocations and Assignments

Everyone needs an IPv6 Plan

• Each organization must decide on a unique IPv6 deployment plan right for them
  – Timeline will vary
  – Investment level will vary

Your IPv6 Check List

• IPv6 address space
• IPv6 connectivity (native or tunneled)
• Operating systems, software, and network management tool upgrades
• Router, firewall, and other hardware upgrades
• IT staff and customer service training

Take steps toward IPv6

• Visit the ARIN IPv6 Info Center
  www.arin.net/knowledge/ipv6_info_center.html

Resources

www.ARIN.net

www.GetIPv6.info

www.TeamARIN.net

http://www.InternetSociety.org/Deploy360/

http://www.NANOG.org/archives/

Q&A

Number Resource Policies and Procedures

Jon Worley

Senior Resource Analyst

3 Month Supply For ISPs

• Prior to IANA IPv4 exhaustion, experienced ISPs could get a 12 month supply
• Dropped to 3 month supply immediately upon IANA exhaustion

IPv6 End-user Changes

• Before: Block size based on HD-Ratio
  – Complex (used logarithms)
• After: Block size based solely on number of sites within a network

Number of Sites   Block Size Justified
1                 /48
2-12              /44
13-192            /40
193-3,072         /36
3,073-49,152      /32

IPv6 End User Block Sizes

• /48: 54%
• /44: 24%
• /40: 15%
• /36: 5%
• /32: 2%

* Since new policy implemented on 3/16/2011

Better IPv6 Allocation for ISPs

• Block size based on three things:
  – number of serving sites
  – number of customers at largest serving site
  – prefix length to be assigned to customers
• Nibble-aligned
• Can request a second initial allocation
• Not required to deploy in this manner

IPv6 ISP Block Sizes

• /32: 93%
• /28: 4%
• /24: 3%

* Since new policy implemented 9/27/2011

Standardize IP Reassignment Registration Requirements

• Abuse contact required
• Residential ISPs with dynamic pools:
  – must submit SWIP information for each market area
  – must show 80% assigned with a 50-80% utilization rate across markets
• IPv6 /64 and larger static reassignments must be visible via SWIP/RWhois

IPv6 Subsequent Allocations for Transitional Technologies

• Additional allocation for IPv4 -> IPv6 transitional technology (usually 6rd)
• /24 maximum allocation
  – Allows a typical ISP to map a /56 to each of their existing IPv4 addresses in a 6rd deployment
• 8 allocations issued
  – 2 /24s, 2 /28s, 4 /32s

M&A Transfer Changes

• Must develop a plan to show justified use via growth, returning resources, or transferring unused IPv4 addresses to another org

Q&A


ARIN’s Policy Development Process

Einar Bohlin

Senior Policy Analyst

Policy Development Process (PDP)

• Flowchart
• Proposal Template
• Archive
• Movie

http://www.arin.net/policy/pdp.html

Policy Development Principles

Open

– Developed in open forum
  • Public Policy Mailing List
  • Public Policy Meetings
– Anyone can participate

Transparent

– All aspects documented and available on website
  • Policy process, meetings, and policies

Bottom-up

– Policies developed by the community
– Staff implements, but does not make policy

Who Plays a Role in the Policy Process?

Community

– Submit proposals
– Participate in discussions and petitions

Advisory Council (elected volunteers)

– Facilitate the policy process
– Develop policy that is “clear, technically sound and useful”
– Determine consensus based on community input

Roles…

ARIN Board of Trustees (elected volunteers)

– Provide corporate fiduciary oversight
– Ensure the policy process has been followed
– Ratify policies

ARIN Staff

– Provide feedback to community
  • Staff and legal assessments for all proposals
  • Policy experience reports
– Implement ratified policies

Basic Steps

1. Community member submits a proposal
2. Community discusses the proposal on the “List”
3. AC creates a draft policy or abandons the proposal
4. Community discusses the draft policy on the “List” and at the meeting
5. AC conducts its consensus review
6. Community performs last call
7. Board adopts
8. Staff implements

Petitions

Anyone dissatisfied with a decision by the AC can petition in order to keep a proposal moving forward
  – Occurs between proposal and draft policy stage
  – 5 day petition period
  – Needs 10 different people from 10 different organizations to publicly support the petition

Number Resource Policy Manual

NRPM is ARIN’s policy document
  – Version 2012.3 (31 July 2012)
  – 27th version

Contains

• Change Logs
• HTML/PDF/txt

http://www.arin.net/policy/nrpm.html

Policies in the NRPM

• IPv4 Address Space
• IPv6 Address Space
• Autonomous System Numbers (ASNs)
• Directory Services (Whois)
• Reverse DNS (in-addr)
• Transfers
• Experimental Assignments
• Resource Review Policy

References

Policy Development Process

http://www.arin.net/policy/pdp.html

Draft Policies and Proposals

http://www.arin.net/policy/proposals/index.html

Number Resource Policy Manual

http://www.arin.net/policy/nrpm.html

Q&A

Current Number Resource Policy Discussions

Einar Bohlin

Senior Policy Analyst

Current Draft Policies and Proposals

• 5 Active Draft Policies
  – On the list for adoption discussion; to be presented at upcoming Public Policy Meeting
• 1 Policy Proposal
  – Newer items; under development

Draft Policies

ARIN-2012-5: Removal of Renumbering Requirement for Small Multihomers

IPv4: Removes a renumbering requirement that affects small, multihomed end users.

ARIN-2012-7: Reassignments for Third Party Internet Access (TPIA) over Cable

IPv4: Makes it easier for certain ISPs to get subsequent IPv4 allocations.

ARIN-2012-6: Revising Section 4.4 C/I Reserved Pool Size

IPv4: Increases the reserve for critical infrastructure from a /16 to a /15.

Text available at: https://www.arin.net/policy/proposals/

Draft Policies…

ARIN-2012-2: IPv6 Subsequent Allocations Utilization Requirement

IPv6: Makes it easier for ISPs to get subsequent allocations.

ARIN-2012-8: Aligning 8.2 and 8.3 Transfer Policy

Transfer Policy: Adds some of the 8.3 criteria to 8.2 transfers. Text available at: https://www.arin.net/policy/proposals/

Proposals

ARIN-prop-180 ISP Private Reassignment

– Directory Services: Creates an “unlisted number” state which ISPs may apply to some of their customer IP network address records.

Text available at: https://www.arin.net/policy/proposals/

How Can You Get Involved?

There are two methods to voice your opinion:
  – Public Policy Mailing List
  – Public Policy Meeting (in person or remotely)

ARIN Meetings

• Two meetings a year
• Check the ARIN Public Policy Meeting site 4-6 weeks prior to meeting
  – Proposals/Draft Policies on Agenda
  – Discussion Guide (summaries and text)
  – Attend in Person/Remote Participation
• AC meeting last day
  – Watch list for AC’s decisions
  – Last Calls – For or against?

Public Policy Mailing List (PPML)

• Open to anyone
• Easy to subscribe to
• Contains: ideas, proposals, draft policies, last calls, announcements of adoption and implementation, and petitions
• Archived
• RSS feed

https://www.arin.net/participate/mailing_lists/index.html

References

Draft Policies & Proposals

– https://www.arin.net/policy/proposals/index.html

ARIN Public Policy Mailing List

– https://www.arin.net/participate/mailing_lists/index.html

Q&A

Securing DNS and Routing: DNSSEC and RPKI

Tim Christensen

Quality Assurance Manager

Agenda

• DNSSEC – a brief update
• RPKI – the major focus
  – What is it?
  – What it will look like within ARIN Online?

Why are DNSSEC and RPKI important?

• Two critical resources
  – DNS
  – Routing
• Hard to tell when resource is compromised
• Focus of ARIN-region government funding

What is DNSSEC?

• DNS responses are not secure
  – Easy to spoof
  – Notable malicious attacks
• DNSSEC attaches signatures
  – Validates responses
  – Can not spoof

Changes required to make DNSSEC work

• Signing in-addr.arpa., ip6.arpa., and delegations that ARIN manages
• Provisioning of DS Records
  – ARIN Online
  – RESTful interface (deployed July 2011)
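A pre-submission check for the "Paste DS Record / Parse DS Record / Apply" steps and the DS provisioning described above: parse the DS record and confirm it really matches the zone's DNSKEY before it is published in the parent. This is an added example, not ARIN's code; the function names are hypothetical and the DNSKEY bytes are constructed placeholder data, not a real key.

```python
"""Pre-submission check of a DS record against the zone's DNSKEY (added example)."""
import base64
import hashlib
import struct
from typing import NamedTuple

# DS digest type -> (hashlib algorithm, digest length in bytes)
DIGESTS = {1: ("sha1", 20), 2: ("sha256", 32), 4: ("sha384", 48)}


class DsRecord(NamedTuple):
    owner: str
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def parse_ds(line):
    """Parse 'owner [TTL] [IN] DS keytag algorithm digesttype hexdigest'."""
    tokens = line.split()
    upper = [t.upper() for t in tokens]
    if "DS" not in upper[1:]:
        raise ValueError("not a DS record")
    fields = tokens[upper.index("DS", 1) + 1:]
    if len(fields) < 4:
        raise ValueError("expected key tag, algorithm, digest type and digest")
    try:
        key_tag, algorithm, digest_type = (int(f) for f in fields[:3])
        digest = bytes.fromhex("".join(fields[3:]))  # digest may be split by spaces
    except ValueError:
        raise ValueError("non-numeric field or non-hex digest") from None
    if not (0 <= key_tag <= 0xFFFF and 0 <= algorithm <= 0xFF):
        raise ValueError("key tag or algorithm out of range")
    if digest_type not in DIGESTS:
        raise ValueError(f"unsupported digest type {digest_type}")
    if len(digest) != DIGESTS[digest_type][1]:
        raise ValueError("digest length does not match digest type")
    owner = tokens[0].lower().rstrip(".") + "."
    return DsRecord(owner, key_tag, algorithm, digest_type, digest)


def name_to_wire(name):
    """Canonical (lower-case) wire form of a domain name."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def dnskey_rdata(flags, algorithm, public_key_b64):
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + base64.b64decode(public_key_b64)


def compute_key_tag(rdata):
    """Key tag checksum over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner, rdata, digest_type=2):
    """Build the DS record (presentation format) for a DNSKEY."""
    digest = hashlib.new(DIGESTS[digest_type][0], name_to_wire(owner) + rdata)
    return (f"{owner} IN DS {compute_key_tag(rdata)} {rdata[3]} "
            f"{digest_type} {digest.hexdigest().upper()}")


def ds_matches_dnskey(ds, rdata):
    """True only if key tag, algorithm and digest all match the DNSKEY."""
    expected = hashlib.new(DIGESTS[ds.digest_type][0],
                           name_to_wire(ds.owner) + rdata).digest()
    return (ds.key_tag == compute_key_tag(rdata)
            and ds.algorithm == rdata[3]
            and ds.digest == expected)


ZONE = "81.147.204.in-addr.arpa."  # reverse zone shown in the Whois slide
# Constructed placeholder key material (64 bytes), not a real DNSKEY.
SAMPLE_DNSKEY_B64 = base64.b64encode(bytes(range(64))).decode()

if __name__ == "__main__":
    rdata = dnskey_rdata(257, 13, SAMPLE_DNSKEY_B64)
    line = make_ds(ZONE, rdata)
    print(line)
    print("matches DNSKEY:", ds_matches_dnskey(parse_ds(line), rdata))
```

A DS record that parses cleanly but does not match the DNSKEY the zone actually serves makes validating resolvers treat the delegation as bogus, so the match check is worth running before step 3.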

Using DNSSEC in ARIN Online

Available on ARIN’s website: http://www.arin.net/knowledge/dnssec/

RPKI Pilot

• Available since June 2009
  – ARIN-branded version of RIPE NCC software
  – http://rpki-pilot.arin.net
• > 50 organizations participating
• Shutting down with the deployment of the production RPKI system on 15 Sept 2012

What is RPKI?

• Attaches certificates to network resources
  – AS Numbers
  – IP Addresses
• Allows ISPs to associate the two
  – Route Origin Authorizations (ROAs)
  – Follow the address allocation chain to the top

What is RPKI?

• Allows routers to validate Origins
• Start of validated routing
• Need minimal bootstrap info
  – Trust Anchors
  – Lots of focus on Trust Anchors

What does RPKI Create?

• It creates a repository
  – RFC 3779 (RPKI) Certificates
  – ROAs
  – CRLs
  – Manifest records
  – Supports “ghostbusters” records

Repository View

./ba/03a5be-ddf6-4340-a1f9-1ad3f2c39ee6/1:
total 40
-rw-r--r-- 1 143 143 1543 Jun 26 2009 ICcaIRKhGHJ-TgUZv8GRKqkidR4.roa
-rw-r--r-- 1 143 143 1403 Jun 26 2009 cKxLCU94umS-qD4DOOkAK0M2US0.cer
-rw-r--r-- 1 143 143  485 Jun 26 2009 dSmerM6uJGLWMMQTl2esy4xyUAA.crl
-rw-r--r-- 1 143 143 1882 Jun 26 2009 dSmerM6uJGLWMMQTl2esy4xyUAA.mnf
-rw-r--r-- 1 143 143 1542 Jun 26 2009 nB0gDFtWffKk4VWgln-12pdFtE8.roa

A Repository Directory containing an RFC3779 Certificate, two ROAs, a CRL, and a manifest

Repository Use

• Pull down these files using “rcynic”
• Validate the ROAs contained in the repository
• Communicate with the router marking routes “valid”, “invalid”, “unknown”
• Up to ISP to use local policy on how to route

Possible Flow

• RPKI Web interface -> Repository
• Repository aggregator -> Validator
• Validated entries -> Route Checking
• Route checking results -> local routing decisions (based on local policy)
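The "Validated entries -> Route Checking -> local routing decisions" steps above, as an added example (not ARIN's or rcynic's code): announcements are classified against already-validated ROA entries using the slide's three states, then mapped through a local policy. The `max_length` field, the local-preference values and the announcements are assumptions constructed for illustration; the ROA itself is the AS65000 / 192.2.200.0/24 statement from the slides.

```python
"""Route origin checking against validated ROA entries (added example)."""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Roa:
    prefix: str       # address block the resource holder signed for
    max_length: int   # longest prefix length the ROA permits (assumed field)
    asn: int          # AS authorized to originate the prefix


def validate_origin(prefix, origin_asn, roas):
    """Return 'valid', 'invalid' or 'unknown' for one announcement."""
    route = ip_network(prefix)
    covered = False
    for roa in roas:
        roa_net = ip_network(roa.prefix)
        # Only ROAs whose prefix covers the announced route are relevant.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        if roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    # Covered by a ROA but nothing matched: wrong origin AS or too specific.
    return "invalid" if covered else "unknown"


# Hypothetical local policy: local-preference per state, None means reject.
LOCAL_POLICY = {"valid": 200, "unknown": 100, "invalid": None}


def route_decisions(announcements, roas, policy=LOCAL_POLICY):
    """Map each (prefix, origin AS) to (state, local-pref or None)."""
    decisions = {}
    for prefix, asn in announcements:
        state = validate_origin(prefix, asn, roas)
        decisions[(prefix, asn)] = (state, policy[state])
    return decisions


# The ROA from the slides: AS65000 may originate 192.2.200.0/24.
ROAS = [Roa("192.2.200.0/24", 24, 65000)]

# Constructed announcements covering each outcome.
ANNOUNCEMENTS = [
    ("192.2.200.0/24", 65000),    # matches the ROA
    ("192.2.200.0/24", 65001),    # covered, but different origin AS
    ("192.2.200.128/25", 65000),  # right AS, more specific than max_length
    ("198.51.100.0/24", 65000),   # no ROA covers this prefix
]

if __name__ == "__main__":
    for (prefix, asn), (state, pref) in route_decisions(ANNOUNCEMENTS, ROAS).items():
        action = "reject" if pref is None else f"accept, local-pref {pref}"
        print(f"{prefix:<18} AS{asn:<6} {state:<8} {action}")
```

Whether "invalid" routes are rejected or only de-preferenced is the local policy choice the slide leaves to each ISP; the mapping here is one possible setting.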

Resource Cert Validation

[Diagram: Resource Allocation Hierarchy and Issued Certificates; labels: ICANN, AFRINIC, RIPE NCC, APNIC, ARIN, LACNIC, LIR1, ISP2, ISP4, ISP]

“ISP4 permits AS65000 to originate a route for the prefix 192.2.200.0/24”

Attachment:

Signed, ISP4

Checks shown on the successive slides:

1. Did the matching private key sign this text?
2. Is this certificate valid?
3. Is there a valid certificate path from a Trust Anchor to this certificate?

Why is RPKI taking awhile?

• Intense review of liabilities by legal team and Board of Trustees created additional requirements at ARIN XXVI
• Two new big requirements
  – Non-repudiation in ROA generation for hosted CAs
  – Thwart “Evil Insider making changes” (rogue employee) from

General Architecture of RPKI Registration Interface

[Diagram: Persistence, RPKI Engine, HSM]

Tight coupling between resource certificate / ROA entities and registration dataset at the database layer. Once certs/ROAs are created, they must be maintained if the registered dependents are changed.

Development before ARIN XXVI

With a few finishing touches, ready to go Jan 1, 2011 with Hosted Model, Delegated Model to follow end of Q1.

Highly influenced by RIPE NCC entities.

[Diagram: ARIN Online, Persistence, RPKI Engine, HSM]

RIPE NCC RPKI Engine with a few tweaks.

Sun SCA 6000

Everything is Java, JBoss, Hibernate.

Changes Underway Since ARIN XXVI

In-browser ROA request signing via AJAX.

Minor changes.

[Diagram: ARIN Online, Database Persistence, RPKI Engine, HSM]

Message driven engine which delegates to the HSM.

Custom programming on IBM 4764s to enable all DER encoding and crypto.

HSM coding is in C as extensions to IBM CCA. Libtasn1 used for DER encoding.

Why did RPKI take awhile?

Updates within RPKI outside of ARIN

• The four other RIRs are in production with Hosted CA services
• Major routing vendor support being tested
• Announcement of public domain routing code support

ARIN Status

• Hosted CA deployment scheduled for 15 Sept 2012
• Delegated CA work underway now and anticipated completion in 2013Q1

Why is this important?

• Provides more credibility to identify resource holders
• Helps in the transfer market to identify real resource holders
• Bootstraps routing security

Q&A

IPv4 Transfer Market

Jon Worley

Senior Resource Analyst

Transfers to Specified Recipients

• Org releasing resources must not have received IPv4 from ARIN in the past 12 months and may not request additional IPv4 for 12 months
• Recipient must qualify to receive resources under ARIN policy
• Recipient may receive up to a 24 month supply

IPv4 Specified Recipient Transfers

• 34 transfers completed (20,047 /24s)
• Transactions typically arranged through IPv4 brokers

Inter-RIR Transfers From ARIN

• RIR must have reciprocal, compatible needs-based Inter-RIR transfer policy
  – Currently: APNIC
• Org releasing resources must not have received IPv4 from ARIN within the past 12 months
• Recipient must meet other RIR’s Inter-RIR transfer policy requirements

Inter-RIR Transfers To ARIN

• RIR must have reciprocal, compatible needs-based Inter-RIR transfer policy
  – Currently: APNIC
• Recipient must qualify to receive resources under current policy
• Recipient may request up to a 24 month supply

Inter-RIR Transfer Notes

• None requested thus far
• ARIN & APNIC for now
• Expectation is primarily ARIN to APNIC given the early exhaustion of IPv4 in the APNIC region

STLS

• 3 ways to participate
  – Listers: have available IPv4 addresses
  – Needers: looking for more IPv4 addresses
  – Facilitators: available to help listers and needers find each other
• Major Uses
  – Matchmaking
  – Obtain preapproval for a transaction arranged outside STLS

Misconceptions

• IPv4 transactions will never be allowed
  – Transfer of unused IPv4 started June 2009
• It’s a trap!
  – This isn’t a sting operation
• ARIN recognizes all IPv4 transactions
  – Must meet policy requirements

Tips and Tricks

• Involve ARIN as early as possible
  – Make sure a contemplated transfer meets ARIN requirements before finalizing
• Use ARIN’s STLS to pre-qualify
• ISPs must still show efficient use of all previous allocations and 80% of their most recent allocation

More Tips and Tricks

• 12 month waiting period
  – Prevents “flipping” of IPv4
  – Can’t release unused addresses if you have received IPv4 from ARIN or via specified transfer in the past 12 months
  – Can’t get more IPv4 addresses from ARIN or via specified transfer for 12 months after releasing unused IPv4

Other Notes

• ISPs can receive 24 month supply via transfer vs 3 month supply from ARIN
• ARIN still has IPv4 addresses and will have a post-depletion waiting list
• IPv6 transition still required

Q&A

Why Participate in the ARIN Community?

Einar Bohlin

Senior Policy Analyst

Learn More and Get Involved

Your participation: Important, critical, needed, appreciated…

Get Involved in ARIN

• Public Policy Mailing List
• ARIN Suggestion and Consultation Process
• Member Elections
• Public Policy and Members Meetings

http://www.arin.net/participate/

ARIN Mailing Lists

http://www.arin.net/participate/mailing_lists/index.html

ARIN Announce: [email protected]

ARIN Discussion: [email protected]

ARIN Public Policy: [email protected]

ARIN Consultation: [email protected]

ARIN Issued: [email protected]

ARIN Technical Discussions: [email protected]

Suggestions: [email protected]

ARIN Consultation & Suggestion Process

2012 Closed Suggestion Archive as of 29 August 2012

2012.3 Add language to STLS TOS/AUP Closed 07 May 2012 2012.4 Street Address Requirement Closed 21 May 2012 2012.6 Add Suggestion Text to ACSP Announcements 2012 2012.7 Free Pool Netblock Distribution Statistics 2012 Implemented 30 April Implemented 07 June 2012.8 Officer Attestation Acknowledgements 2012.14 Website Deactivation Request Implemented 30 May 2012 2012.10 Publish NRPM in plain text Implemented 01 June 2012 2012.13 Customer identity not required on /29 and smaller reassignments Closed 30 July 2012 Closed 06 August 2012 Prioritization at ARIN meetings.

https://www.arin.net/participate/acsp/index.html

Get Involved in Internet Governance

• Determines how the Internet is managed and used now and in the future
• Outcomes may affect all stakeholders

Current Environment

Internet Governance

• Let’s take a look at the…
  – International Telecommunication Union (ITU)
  – World Conference on International Telecommunications (WCIT)
  – Internet Governance Forum (IGF)

International Telecommunication Union (ITU)

• United Nations (UN) agency for information and communication technologies (ICT)
• Comprised of 193 member states
• Participation limited to
  – Member States
  – ITU Sector Members
  – Associates
  – Academia
• Creates globally recognized treaties

ITU Sectors

• Radiocommunication (ITU-R)
  – Coordinates radiocommunication services, radio-frequency spectrum, and satellite orbits
• Telecommunication Standardization (ITU-T)
  – Produces standards for operation of ICT networks *ARIN a member
• Telecommunication Development (ITU-D)
  – Focuses on capacity building to increase access to infrastructure and ICT services worldwide *ARIN a member


ITU Conducts WCIT

• World Conference on International Telecommunications (WCIT)
  – 3-14 December 2012 in Dubai, UAE
• To review & modify existing International Telecommunication Regulations (ITRs)
  – Set general principles for provision & operation of international telecommunications

What Will Happen at WCIT?

• Only member states can submit proposals and make decisions on edits & additions to ITRs
• Result: a government negotiated global treaty

Treaty Expansions

• Overall structure & economics of Internet
• Number resource management process
  – Including IP address allocation
• Internet Exchange Points (IXPs)
  – Add terms hub, hubbing, transit center
• Internet networks
  – Modify Quality of Service (QoS) language
• Internet interconnectivity
  – Peering agreements

Treaty Expansions

• Procedural directives in a high-level treaty document
• New definition of telecommunications to include Internet traffic
• Required compliance with ITU
  – Mandatory Recommendations

Treaty Expansions

• Restricted community involvement
• Hindered Internet evolution
  – Definition of misuse and fraud
• Content Regulation
  – Definition of SPAM

How Can You Get Involved?

• Get informed
  – ITRs: http://www.itu.int/oth/T3F01000001
  – ARIN’s website: https://www.arin.net/participate/governance/index.html
• Contribute to ITU public consultation
  – http://www.itu.int/en/wcit-12/Pages/public.aspx
• Discuss with your government
• Advocate
  – Public debate, online forums, etc.


Internet Governance Forum

• Discussion of Internet public policy issues
• Many stakeholders
  – Equal opportunity & voice for developing and developed countries
• Provides info and insight for public & private sector policy makers
  – No negotiated outcomes
• 7th Annual IGF
  – Baku, Azerbaijan, 6-9 Nov 2012
  – Internet Governance for Sustainable Human, Economic and Social Development

You Can Participate in the IGF

• Open to all
• Access all IGF materials at:
  – http://www.intgovforum.org
• 2012 IGF
  – List of current workshops: http://www.intgovforum.org/cms/w2012/proposals
  – Webcast for remote participation

For More Information on Joining in the Internet Governance Discussion

Visit ARIN’s webpage: Ways to Participate in Internet Governance

https://www.arin.net/participate/governance/participate.html

The Discussion Continues…

• Internet governance discussions won’t end in 2012!
• Already, the World Telecommunication/ICT Policy Forum (WTPF) is scheduled for 2013
• Keeping up with the debate is important for all Internet stakeholders

Next ARIN Meetings

Spring 2013 stay tuned

• Discuss policies
• Attend tutorials
• Enjoy social events
• Network with colleagues
• Participate remotely

Your registration fee for ARIN XXX will be waived for attending today

Apply for the fellowship to attend an ARIN meeting for free!

www.arin.net/participate/meetings

ARIN on Social Media

www.TeamARIN.net

www.facebook.com/TeamARIN
www.twitter.com/TeamARIN
www.gplus.to/TeamARIN
www.linkedin.com/groups?gid=834217
www.youtube.com/TeamARIN

Q&A / Open Mic Session

Fill out & submit the survey for your chance to win a $200 Amazon Gift Card!

Ask ARIN

• ARIN staff available until 4:00 PM
• Ask us your questions one-on-one