Transcript PPTX - ARIN

Tampa, FL
18 February 2016
Welcome. Here today from ARIN…
• Jan Blacka, Senior User Experience Specialist
• Kevin Blumberg, ARIN Advisory Council
• John Curran, President and CEO
• Susan Hamlin, Director of Communications & Member Services
• Frank Hill, Senior Software Engineer
• Wendy Leedy, Member Engagement Coordinator
• Debra Martin, Senior Project Manager
• Jon Worley, Senior Director Global Registry Services
Agenda
10:00 AM Welcome and Getting Started
10:15 AM ARIN: Mission, Role and Services; John Curran
10:45 AM Security Overlays on Core Internet Protocols – DNSSEC; Frank Hill
11:20 AM Life After IPv4 Depletion; Jon Worley
Noon Networking Lunch
1:00 PM ARIN Services and Tools; Debra Martin
1:30 PM Policy Development Process; Kevin Blumberg
2:00 PM Security Overlays on Core Internet Protocols – Resource Certification (RPKI); Frank Hill
2:30 PM IPv6 Adoption; Debra Martin and Jon Worley
3:00 PM Q&A / Open Mic Session
Let’s Get Started!
• Self introductions
– Name
– Organization
– I would like to learn more about
“___________.”
ARIN and the RIR System:
Mission, Role and Services
John Curran
President and CEO
What is an RIR?
A Regional Internet Registry (RIR)
manages the allocation and
registration of Internet number
resources in a particular region of the
world.
Number resources include IP addresses
and autonomous system (AS) numbers.
Regional Internet Registries
RIR Structure
Not-for-profit
• Fee for services, not number resources
• 100% community funded
Membership Organization
• Open
• Broad-based
- Private sector
- Public sector
- Civil society
Community Regulated
• Community developed policies
• Member-elected executive board
• Open and transparent
IP Address and Autonomous System
Number Provisioning Process
Number Resource Organization
The NRO exists to protect the unallocated number
resource pool, to promote and protect the bottom-up
policy development process, and to act as a focal
point for Internet community input into
the RIR system.
ARIN, a nonprofit member-based organization,
supports the operation of the Internet through
the management of Internet number resources
throughout its service region; coordinates the
development of policies by the community for
the management of Internet Protocol number
resources; and advances the Internet through
informational outreach.
ARIN’s Service Region
The ARIN Region includes many Caribbean and North Atlantic
islands, Canada, the United States and outlying areas.
Who is the ARIN “community”?
Anyone with an interest in Internet number
resource management in the ARIN region
The ARIN Community includes…
• 5,200+ members
• 20,000+ customers
• 79 professional staff
• 7 member Board of Trustees
– elected by the membership
• 15 member Advisory Council
– elected by the membership
• 3 person NRO Number Council
– elected by the ARIN Community
Organizational
Chart
CMSD: 11 employees
ENG: 42 employees
EXEC: 6 employees
FSD: 6 employees
HR: 4 employees
RSD: 11 employees (includes
future director)
Total: 80 employees at ARIN
(includes future RSD director)
ARIN Board of Trustees
• Paul Andersen, Vice Chair
• Vinton G. Cerf, Chair
• John Curran, President and CEO
• Timothy Denton, Secretary
• Aaron Hughes
• Bill Sandiford, Treasurer
• Bill Woodcock
ARIN Advisory Council
• Dan Alexander, Chair
• Cathy Aronson
• Kevin Blumberg, Vice Chair
• Owen DeLong
• Andrew Dul
• David Farmer
• David Huberman
• Scott Leibrand
• Tina Morris
• Milton Mueller
• Amy Potter
• Leif Sawyer
• Robert Seastrom
• John Springer
• Chris Tacit
NRO Number Council
• 15 member body
– 3 representatives from each RIR
• From ARIN:
– Jason Schiller
– Louie Lee
– John Sweeting
• Fulfills role of the ICANN Address
Supporting Organization Address
Council
– Global policy and ICANN Board Seats
2016 Focus
1. Continued IPv4 to IPv6 Transition Awareness
2. Continued participation in Internet Governance
forums
3. Continue to review and enhance ARIN Online,
including making significant user interface
improvements per user feedback
4. Participate in planning discussions for the transition
of the stewardship of IANA to encourage
responsible oversight of critical Internet resources
5. Continue to focus on community suggested,
customer facing, high impact software
development efforts in a timely manner
6. Improve customer service based on feedback
and repeat customer satisfaction survey
ARIN Services and Products
ARIN Manages:
• Number Resources
– IP address allocations & assignments
– ASN assignment
– Transfers
• Reverse DNS
• Directory services
– Whois
– Routing Information (Internet Routing Registry [IRR])
– WhoWas
ARIN Services and Products
ARIN coordinates and administers:
• Policy Development
– Community meetings
– Discussion
– Publication
• Elections
• Information publication and dissemination and public relations
• Community outreach
• Education and training
ARIN Services and Products
ARIN develops technologies for managing
Internet number resources:
• ARIN Online
• DNSSEC
• Resource Certification (RPKI)
• Whois-RWS
• Reg-RWS
• Community Software Project Repository
Globalization of IANA
Oversight
On 14 March 2014, the US Government
announced plans to transition oversight
of the IANA functions contract to the
global multistakeholder community
Current IANA functions contract expires
30 September 2016
NTIA* Conditions for Transition
Proposal
1. Support and enhance the multi-stakeholder
model
2. Maintain the security, stability, and resiliency of
the “Internet DNS”
3. Meet the needs and expectation of the global
customers and partners of the IANA services
4. Maintain the openness of the Internet
*National Telecommunications and Information
Administration (NTIA) within the U.S. Department of
Commerce
Steps in the IANA Stewardship Proposal
1. The three “customer groups” of IANA submitted
proposals:
• Number Resources (RIR community): 15 Jan 2015
https://www.nro.net/wp-content/uploads/ICG-RFP-NumberResource-Proposal.pdf
• Domain Names: 25 June 2015
https://community.icann.org/x/aJ00Aw
• Protocol Parameters: 6 January 2015
http://tools.ietf.org/html/draft-ietf-ianaplan-icgresponse-09
Steps in the IANA Stewardship Proposal
2. The IANA Stewardship Transition Coordination
Group (ICG) combined the three proposals into a
single IANA Stewardship Transition Proposal – Oct.
2015
https://www.ianacg.org/icg-files/documents/IANA-transition-proposal-v9.pdf
3. ICG to send proposal to NTIA via the ICANN Board.
Another body, the Cross Community Working Group is
working on accountability requirements
(implementation, review of work, etc.).
IANA Stewardship – Potential
Implications
• Successful transition of IANA Stewardship
from the USG to the Internet community
would be an important validation of the
Internet’s multi-stakeholder governance
model
• Inability to transition could raise concerns
about the validity of the multi-stakeholder
process and fuel discussion of the
perceived need for intergovernmental
mechanisms for Internet Governance
Get 6 – Websites on IPv6
http://teamarin.net/infographic/
IPv6 Wiki
How to Participate in
ARIN
• Attend Public Policy and Members
Meetings & Public Policy Consultations
– Remote participation available
• Apply for Meeting Fellowship
• Discuss policies on Public Policy Mailing
List (ppml)
• Come to outreach events
• Subscribe to an ARIN mailing list
More Ways to Participate
• Give your opinion on community
consultations
• Submit a suggestion
• Contribute to the IPv6 wiki
• Write a guest blog for TeamARIN.net
• Connect with us on social media
• Members – Vote in annual elections
https://www.arin.net/participate/meetings/fellowship.html
Q&A
Security Overlays on Core Internet
Protocols – DNSSEC
Frank Hill
Sr Software Engineer
Core Internet Protocols
• Two critical resources that are
unsecured
– Domain Name Servers
– Routing
• Hard to tell if compromised
– From the user point of view
– From the ISP/Enterprise
DNS
How DNS Works
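[Diagram: resolving www.arin.net through a caching (recursive) forwarder]
1. Resolver to caching forwarder: Question: www.arin.net A
2. Caching forwarder to root-server: www.arin.net A ?
   Answer: Ask net server @ X.gtld-servers.net (+ glue)
3. Caching forwarder to gtld-server: www.arin.net A ?
   Answer: Ask arin server @ ns1.arin.net (+ glue)
4. Caching forwarder to arin-server: www.arin.net A ?
   Answer: 192.168.5.10
5. Caching forwarder: Add to cache, then answer the resolver with 192.168.5.10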
What Is DNSSEC? Why Use It?
• Standard DNS (forward or reverse)
responses are not secure
– Easy to spoof
– Notable malicious attacks
• DNSSEC attaches signatures
– Validates responses
– Can not spoof
Reverse DNS at ARIN
• ARIN issues blocks without any
working DNS
–Registrant must establish
delegations after registration
–Then employ DNSSEC if desired
• Just as susceptible as forward
DNS if you do not use DNSSEC
Reverse DNS at ARIN
• Authority to manage reverse
zones follows allocations
–“Shared Authority” model
–Multiple sub-allocation recipient
entities may have authority over
a particular zone
Setting up DNSSEC at ARIN
• Must have an RSA/LRSA signed
– We need to know who you are
• Create entry method for DS Records
– ARIN Online
– RESTful interface
– Not available via templates
• Only key holders may create and
submit Delegation Signer (DS) records
Reverse DNS in ARIN Online
First identify the network that you want to
put Reverse DNS nameservers on…
Reverse DNS in ARIN Online
…then enter the Reverse DNS nameservers…
DNSSEC in ARIN Online
…then apply the DS record to the delegation
Reverse DNS: Querying ARIN’s Whois
Query for the zone directly:
whois> 81.147.204.in-addr.arpa
Name:        81.147.204.in-addr.arpa.
Updated:     2006-05-15
NameServer:  AUTHNS2.DNVR.QWEST.NET
NameServer:  AUTHNS3.STTL.QWEST.NET
NameServer:  AUTHNS1.MPLS.QWEST.NET
Ref:         http://whois.arin.net/rest/rdns/81.147.204.in-addr.arpa.
DNSSEC in Zone Files
; File written on Mon Feb 24 17:00:53 2014
; dnssec_signzone version 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6
0.74.in-addr.arpa.      86400   IN NS   NS3.COVAD.COM.
                        86400   IN NS   NS4.COVAD.COM.
                        10800   NSEC    1.74.in-addr.arpa. NS RRSIG NSEC
                        10800   RRSIG   NSEC 5 4 10800 20140306210053 (
                                        20140224210053 57974 74.in-addr.arpa.
                                        oNk3GVaCWj2j8+EAr0PncqnZeQjm8h4w51nS
                                        D2VUi7YtR9FvYLF/j4KO+8qYZ3TAixb9c05c
                                        8EVIhtY1grXEdOm30zJpZyaoaODpbHt8FdWY
                                        vwup9Tq4oVbxVyuSNXriZ2Mq55IIMgDR3nAT
                                        BLP5UClxUWkgvS/6poF+W/1H4QY= )
1.74.in-addr.arpa.      86400   IN NS   NS3.COVAD.COM.
                        86400   IN NS   NS4.COVAD.COM.
                        10800   NSEC    10.74.in-addr.arpa. NS RRSIG NSEC
                        10800   RRSIG   NSEC 5 4 10800 20140306210053 (
                                        20140224210053 57974 74.in-addr.arpa.
                                        DKYGzSDtIypDVcer5e+XuwoDW4auKy6G/OCV
                                        VTcfQGk+3iyy2CEKOZuMZXFaaDvXnaxey9R1
                                        mjams519Ghxp2qOnnkOw6iB6mR5cNkYlkL0h
                                        lu+IC4Buh6DqM4HbJCZcMXKEtWE0a6dMf+tH
                                        sa+5OV7ezX5LCuDvQVp6p0LftAE= )
DNSSEC in Zone Files
0.121.74.in-addr.arpa.  86400   IN NS   DNS1.ACTUSA.NET.
                        86400   IN NS   DNS2.ACTUSA.NET.
                        86400   IN NS   DNS3.ACTUSA.NET.
                        86400   DS      46693 5 1 (
                                        AEEDA98EE493DFF5F3F33208ECB0FA4186BD
                                        8056 )
                        86400   DS      46693 5 2 (
                                        66E6D421894AFE2AF0B350BD8F4C54D2EBA5
                                        DA72A615FE64BE8EF600C6534CEF )
                        86400   RRSIG   DS 5 5 86400 20140306210053 (
                                        20140224210053 57974 74.in-addr.arpa.
                                        n+aPxBHuf+sbzQN4LmHzlOi0C/hkaSVO3q1y
                                        6J0KjqNPzYqtxLgZjU+IL9qhtIOocgNQib9l
                                        gFRmZ9inf2bER435GMsa/nnjpVVWW/MBRKxf
                                        Pcc72w2iOAMu2G0prtVT08ENxtu/pBfnsOZK
                                        nhCY8UOBOYLOLE5Whtk3XOuX9+U= )
                        10800   NSEC    1.121.74.in-addr.arpa. NS DS RRSIG NSEC
                        10800   RRSIG   NSEC 5 5 10800 20140306210053 (
                                        20140224210053 57974 74.in-addr.arpa.
                                        YvRowkdVDfv+PW42ySNUwW8S8jRyV6EKKRxe
                                        …
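The zone excerpt above carries the two things an operator most often gets wrong when maintaining a signed delegation: DS digests that do not fit their digest type, and RRSIG validity windows that have lapsed. The following is an added example, not code from ARIN or the presenter; it parses records in that presentation format and reports both problems. The sample reuses the slide's owner name, DS digests and RRSIG timestamps, while the signature text and the function names are placeholders chosen for this example.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the shape of the slide's excerpt: owner, DS digests and
# RRSIG timestamps are the slide's; the signature text is a placeholder.
ZONE_TEXT = """\
0.121.74.in-addr.arpa. 86400 IN NS DNS1.ACTUSA.NET.
                       86400 DS 46693 5 1 (
                             AEEDA98EE493DFF5F3F33208ECB0FA4186BD
                             8056 )
                       86400 DS 46693 5 2 (
                             66E6D421894AFE2AF0B350BD8F4C54D2EBA5
                             DA72A615FE64BE8EF600C6534CEF )
                       86400 RRSIG DS 5 5 86400 20140306210053 (
                             20140224210053 57974 74.in-addr.arpa.
                             PLACEHOLDERSIG= ) ; not a real signature
"""

# Digest length in hex characters per DS digest type: SHA-1, SHA-256, SHA-384.
DS_DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}
TIME_FMT = "%Y%m%d%H%M%S"  # RRSIG expiration/inception presentation format (UTC)


def logical_records(text):
    """Yield (owner, rtype, rdata) per record, joining '( ... )' continuation lines."""
    owner, tokens, depth, has_owner = None, [], 0, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]            # drop zone-file comments
        if not line.strip():
            continue
        if depth == 0:                          # first line of a new record
            tokens, has_owner = [], not line[0].isspace()
        depth += line.count("(") - line.count(")")
        tokens += line.replace("(", " ").replace(")", " ").split()
        if depth > 0:
            continue                            # still inside parentheses
        if has_owner:                           # otherwise the owner is inherited
            owner, tokens = tokens[0], tokens[1:]
        while tokens and (tokens[0].isdigit() or tokens[0].upper() == "IN"):
            tokens = tokens[1:]                 # skip optional TTL and class
        if tokens:
            yield owner, tokens[0].upper(), tokens[1:]


def check_ds(rdata):
    """Problems with one DS rdata: key_tag algorithm digest_type digest..."""
    key_tag, _algorithm, digest_type = (int(x) for x in rdata[:3])
    digest = "".join(rdata[3:])                 # digest may be split across lines
    problems = []
    if not 0 <= key_tag <= 65535:
        problems.append(f"key tag {key_tag} out of range")
    expected = DS_DIGEST_HEX_LEN.get(digest_type)
    if expected is None:
        problems.append(f"unknown digest type {digest_type}")
    elif len(digest) != expected or not re.fullmatch(r"[0-9A-Fa-f]+", digest):
        problems.append(f"digest type {digest_type} needs {expected} hex characters")
    return problems


def check_rrsig(owner, rdata, now):
    """Problems with one RRSIG: covered alg labels ttl expiration inception tag signer sig."""
    labels, signer = int(rdata[2]), rdata[7].lower()
    expiration = datetime.strptime(rdata[4], TIME_FMT).replace(tzinfo=timezone.utc)
    inception = datetime.strptime(rdata[5], TIME_FMT).replace(tzinfo=timezone.utc)
    problems = []
    # In a zone file the labels field counts the owner's labels, ignoring "*".
    owner_labels = [part for part in owner.rstrip(".").split(".") if part != "*"]
    if labels != len(owner_labels):
        problems.append(f"labels field {labels} does not match owner name")
    if not ("." + owner.lower()).endswith("." + signer):
        problems.append(f"signer {signer} is not the owner or a parent zone")
    if now < inception:
        problems.append("signature not yet valid")
    elif now > expiration:
        problems.append(f"signature expired {expiration:%Y-%m-%d}")
    return problems


def audit(text, now):
    """Return (owner, rtype, problem) findings for the DS and RRSIG records in text."""
    findings, ds_types = [], {}
    for owner, rtype, rdata in logical_records(text):
        if rtype == "DS":
            ds_types.setdefault(owner, set()).add(int(rdata[2]))
            findings += [(owner, rtype, p) for p in check_ds(rdata)]
        elif rtype == "RRSIG":
            findings += [(owner, rtype, p) for p in check_rrsig(owner, rdata, now)]
    for owner, types in ds_types.items():
        if types == {1}:                        # SHA-1 is the only digest published
            findings.append((owner, "DS", "only a SHA-1 digest; add a SHA-256 (type 2) DS"))
    return findings


if __name__ == "__main__":
    for when in (datetime(2014, 3, 1, tzinfo=timezone.utc),
                 datetime(2016, 2, 18, tzinfo=timezone.utc)):
        print(when.date(), audit(ZONE_TEXT, when) or "no findings")
```

Run against a real signed zone, a check like this is worth scheduling ahead of the signature expiration date, since a zone whose signatures lapse fails validation for every validating resolver.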
DNSSEC Validating Resolvers
• www.internetsociety.org/deploy360/dnssec/
• www.isc.org/downloads/bind/dnssec/
Reverse DNS Management and
DNSSEC in ARIN Online
• Available on ARIN’s website
http://www.arin.net/knowledge/dnssec/
DNSSEC Statistics
ARIN 36
Number of Orgs with DNSSEC: 123
Total Number of Delegations: 583,442
DNSSEC Secured Zones: 586
Percentage Secured: 0.1 %
Q&A
Life After IPv4 Depletion
Jon Worley – Analyst
Life After IPv4 Depletion
Jon Worley
Technical Services Manager
Overview
• IPv4 depletion recap
• Post-depletion observations
• Post-depletion IPv4 options
– IPv4 Waiting List
– IPv4 Transfers
– Dedicated IPv4 block to facilitate IPv6
deployment
[Chart: IPv4 Address Space in ARIN Free Pool, in /8s]
IPv4 Depletion Recap
• June 2015: IPv4 requests reach peak volume
– 414 total requests
– A mad rush for the last IPv4 blocks
• July 1st, 2015: First unmet IPv4 request
– An org qualified for a block size that was no longer available
– Within a few weeks, only single /24s remained in the free pool
• September 24th, 2015: Full IPv4 depletion
– No IPv4 blocks available other than those reserved for specific
policies
– Significant drop in monthly # of IPv4 requests
2015 IPv4 Requests
[Chart: IPv4 requests per month, Jan-15 through Dec-15; y-axis 0 to 450; marker lines for "waiting list initiated" and "IPv4 depletion"]
Reserved IPv4 Space
• /10 reserved to facilitate IPv6 deployment
• 2 /16s reserved for critical Internet infrastructure
– Public exchange points
– Core DNS service providers (excluding new gTLDs)
– Regional Internet Registries
– IANA
Post-IPv4 Depletion Observations
• IPv4 demand remains strong
• Lots of questions/confusion from customers
– Not all aware we’ve reached full IPv4 depletion
– Education needed on post-depletion options
• Keeping registration info current is essential
– Increase in # of blocks targeted for hijacking
– Blocks with bad org/contact info, especially legacy
ones, are the biggest target
Post-IPv4 Depletion Options
• IPv4 Waiting List
• IPv4 Transfer Market
• Dedicated IPv4 block to facilitate IPv6
deployment
• Adopt IPv6
IPv4 Waiting List
• Policy enacted first time ARIN did not have a
contiguous block of addresses of sufficient size to
fulfill a qualified request
– Must qualify under current ARIN policy and request to be
added to the list
– Maximum approved size determined by ARIN
– Minimum acceptable size specified by requester
– One request per org on the list at a time
– Limit of one allocation or assignment every 3 months
• Waiting List published on ARIN’s web site
– Approximately /12 needed to fill all pending requests
https://www.arin.net/resources/request/waiting_list.html
Requests Added to IPv4 Waiting List
[Chart: requests added per month, Jun-15 through Dec-15; y-axis 0 to 90; marker lines for "waiting list initiated" and "IPv4 depletion"]
Sources of IPv4 for the Waiting List
• Returned to ARIN or revoked for nonpayment
– In both cases, lengthy review required to
confirm space is eligible for reissue
• Redistributed by IANA per global policy
for “post exhaustion IPv4 allocation
mechanisms by IANA”
» /11 (issued 5/14), /12 (issued 9/14), /13 (issued 3/15),
and /14 (issued 9/15) by IANA to each RIR
How Long Might You Wait?
• 297 tickets added since wait list started
• 27 wait list requests filled
– 13 filled with IANA /14 equivalent issued in 9/2015
– 13 filled with blocks previously held for organizations
deciding whether to go on the waiting list
– 1 filled with space that had been revoked
• 19 filled via 8.3 transfer and removed from
list (as required per policy)
• Demand is far greater than availability
Transfers of IPv4 Addresses
3 ARIN Transfer Policies Available:
– Mergers and Acquisitions (NRPM 8.2)
• Traditional transfer based on change in business
structure, including company reorganizations,
supported by legal documentation
– Transfers to Specified Recipients (NRPM 8.3)
• IPv4 market transfer based on financial transaction,
supported by justified need (within region)
– Inter-RIR transfers to Specified Recipients (NRPM
8.4)
• IPv4 market transfer based on financial transaction,
supported by justified need (outside region)
Transfers to Specified Recipients
(NRPM 8.3)
• Allows orgs with unused IPv4 resources to
transfer them to orgs in need of IPv4
resources
• Source
– Must be current registrant, no disputes
– Not have received addresses from ARIN for
12 months prior
• Recipient
– Must demonstrate need for 24-month supply
under current ARIN policy
Specified Recipient Transfers
[Chart: specified recipient transfers per month, Jan-15 through Dec-15; y-axis 0 to 45; marker lines for "waiting list initiated" and "IPv4 depletion"]
Inter-RIR Transfers (NRPM 8.4)
• RIR must have reciprocal, compatible
needs-based policies
– Currently APNIC and RIPE NCC
• Transfers from ARIN
– Source cannot have received IPv4 from ARIN
12 months prior to transfer
– Must be current registrant, no disputes
– Recipient meets destination RIR policies
• Transfers to ARIN
– Must demonstrate need for 24-month supply
under current ARIN policy
Inter-RIR Transfers
[Chart: inter-RIR transfers per month, Jan-15 through Dec-15; y-axis 0 to 8; marker lines for "waiting list initiated" and "IPv4 depletion"]
Documentation Required for IPv4 Source
• Verification current registrant is active and in
good standing within the ARIN region
– If there was a merger or acquisition, an M&A transfer may
be required before you can release your IPv4 addresses
• Notarized officer acknowledgement
• Additional items may be needed
IPv4 Recipient Documentation
– Utilization data for ARIN-issued IPv4 space
– Data to support 24 month projected need
• Historical IPv4 utilization rate
• New services/markets to be deployed
• Customer growth projections
– Signed officer attestation certifying data is
accurate
Useful Transfer Information
• ARIN cannot provide detailed information
about your source/recipient partner’s status
– Can provide general status (e.g. “we’re waiting on them to
provide additional info”)
– If you need details on what’s required, ask your
source/recipient partner
• If you’re on the IPv4 waiting list, you’ll
be removed if/when you receive IPv4
addresses via transfer
IPv4 Transfer Stats
• Transfers to Specified Recipients (8.3)
– 452 prefixes transferred, ranging from /24s to /10
– 23 ASNs
• Inter-RIR Transfers (8.4)
– 201 prefixes transferred, ranging from /24s to /13s
• 188 ARIN to APNIC
• 10 ARIN to RIPE NCC
• 3 APNIC to ARIN
https://www.arin.net/knowledge/statistics/transfers.html
Pre-Approval for Recipients
• Optional free service to confirm your 24
month projected need for IPv4 addresses
– Same documentation requirements as transfers
• Used to receive IPv4 addresses via
specified or Inter-RIR transfers up to the
pre-approved amount
– Eliminates the need to re-justify need on each transfer
– Good for 24 months from the pre-approval date
Specified Transfer Listing Service (STLS)
• Optional fee-based service to facilitate
specified recipient and inter-RIR transfers
– Sources have IPv4 addresses verified as available
– Recipients have a verified need for IPv4 addresses
– Facilitators arrange transfers between parties
• Approved participants can view detailed
information for all other participants
• Public summary available on ARIN’s website
– Available block sizes
– # of needers and approved block sizes
– List of facilitators with contact information
Tips for Faster Transfer Processing
• Ensure all registration information is current
– If not, we can help you get it up to date
• Request pre-approval
– Ensures you can bid confidently
– Turns transfers into a point-click-ship exercise
• Provide detailed information to support 24-month need when submitting transfer/pre-approval
Reserved IPv4 Block for IPv6
Deployment Requirements
• Used to facilitate IPv6 deployment (dual
stacking, IPv4->IPv6 translation, etc)
• Need cannot be met from your existing
ARIN IPv4 space
• Have an IPv6 block registered
• One /24 per organization every six months
Help! What Should I Do?
• Small networks can get a /24 once per six
months for IPv6 transition
– Cost likely to be lower than the transfer market
– Reserved block likely to last several years
– Can also have a request on the waiting list
• Larger networks can get pre-approved for 24
month need and seek IPv4 on the transfer
market
– Waiting list probably not a realistic option unless you can
delay your IPv4 needs indefinitely
• All networks should begin IPv6 adoption
Waiting List vs. Transfer Market
[Charts: "Requests" and "/24s Obtained", since 7/1/2015. Labels shown: Waiting List, 1,071; Transfer Market, 260; IPv4, 1,255; Transfer Market, 83,154]
LUNCH
Take your valuables as the room
will not be locked.
ARIN Technical Services
Debra Martin
Senior Project Manager
Major Services
• ARIN Online
• Mail
• Directory Services
– Whois
– Whois-RWS
– RDAP
• DNS
• IRR
• RPKI
• OT&E
ARIN Online
• Web Interface
– Creating an account
– Linking to existing Points of Contacts (POCs)
– Creating/linking to Organizations
– Managing Reverse DNS
– Managing Resource Requests
– Specified Transfer Listing Service
– Ask ARIN
– Message Center
– RPKI
– Reporting
– Billing and Payments
– Voting
ARIN Online Usage
• 104,312 accounts activated since
inception through Q3 of 2015
[Chart: Number of Accounts Activated per year, 2008 through 2015*; axis 5000 to 20000]
* Through Q3 of 2015
Active Usage of ARIN Online
• Logins from inception through Q3 of 2015
• One user logged in 1,205,887 times!
[Chart: Logins. Number of users (0 to 50000) by times logged in: 0, 1, 2-5, 6-10, 11-15, >16]
Linking?
• Way of managing resources put into
place before ARIN Online was
unveiled
• A good set of videos at
– https://www.youtube.com/user/teamarin
– Teaches you how to:
• Create an account via “Manage your
Records” video
• Relationships with POCs “Point of Contact
Records” video
Ask ARIN and Message Center
• Ask ARIN
– A way to ask ARIN staff a question on the web
• Message Center
– Tracks ticketed requests
– Ticketed requests are things like resource
requests and correspondence, RPKI
notifications, reports
Reports
• Associations Report
– POCs linked to your ARIN Online account,
including roles served by these POCs for any
associated Org IDs (Admin, Tech, Abuse,
etc.)
– Org IDs associated with your ARIN Online
account
– Network records (NETs) and Autonomous
System Number records (ASNs) associated
with your linked POCs, directly or via an
associated Org ID
Reports (Cont)
• User Reassignment Report
– Reassignments associated with your ARIN Online
account via associated Org IDs
– ”Holes" in all Network records (NETs) associated
with your ARIN Online account, where no
reassignment or reallocation has been made
• Whowas
– History of a resource
• Bulk Whois
– Directory services information placed in files
• Reports are ticketed and delivered into your
Message Center
Billing
• Can view and pay current and past-due invoices
REST Services
• Provisioning
– Reassignment Information
– Points of Contacts
– Organizations
• Requesting Reports
What is REST?
• Representational State Transfer
• As applied to web services
– defines a pattern of usage with HTTP to create,
read, update, and delete (CRUD) data
– “Resources” are addressable in URLs
• Very popular protocol model
– Amazon S3, Yahoo & Google services, …
The BIG Advantage of REST
• Easily understood
– Any modern programmer can incorporate it
– Can look like web pages
• Re-uses HTTP in a simple manner
– Many, many clients
– Other HTTP advantages
• This is why it is very, very popular with
Google, Amazon, Yahoo, Twitter,
Facebook, YouTube, Flickr, …
What does it look like?
Who can use it?
Where the data is.
What type of data it is.
The ID of the data.
It is a standard URL. Anyone can use it.
Go ahead, put it into your browser.
Where can more information on
REST be found?
• RESTful Web Services
– O’Reilly Media
– Leonard Richardson
– Sam Ruby
RESTful Services
• Whois-RWS
• RDAP
• RPKI
• Provisioning
• Reporting
Mail/Templates
• Before ARIN Online, only way of
communicating with ARIN
• Now only
– Reassignment information
– Inter-RIR Transfers
– Email Questions
• Lots of Spam
Reg-RWS Transactions
(cumulative)
[Chart: cumulative Reg-RWS transactions by meeting, ARIN 29 through ARIN 36; series: Template and REST; y-axis 0 to 6,000,000]
Data labels as extracted: 5,662,477; 5,034,717; 4,715,231; 4,296,734; 3,524,124; 2,006,440; 1,749,383; 1,311,403; 1,066,037; 846,943; 408,383; 1,498,204; 595,858; 320,197; 841,105; 40,374
Directory Services
• Whois
– Resource Information as per RFC 812
• Whois-RWS
– RESTful Implementation of Whois
• RDAP
– Resource Information as per RFCs 7480-7484
[Chart: Whois Queries Per Second, 2007-01 through 2015-07; series: RESTful and Port 43; y-axis 0 to 4000]
DNS
• Provide Reverse DNS delegation
management for IPv4 and IPv6
• This includes DNSSEC
• More Detail later
IRR
• Provides coarse routing information for
routing filters
• Processed through templates sent via
email
• Has a whois interface using RPSL (RFC
2622)
• ARIN will be upgrading this service
starting Q3 of 2016
• Documented at
– https://www.arin.net/resources/routing/
OT&E
(Operational Test & Evaluation)
• Lots of people test in production
– Is not the best place to test
– Things do get stuck – may impact others
– Operational Test & Evaluation
• Goodness of OT&E
– Place to test code
– Place to test process
– All services now under ote.arin.net except email
– Need to register to participate
– https://www.arin.net/resources/ote.html
RPKI
• We will talk about this in detail later
Feedback
• Users can notify us of Internet Number
Resource Fraud and Whois Inaccuracy
• Can provide feedback on the
application via the feedback button
• Suggestions through “ARIN
Consultation and Suggestion Process”
(ACSP)
Tools
• Lots of APIs
• You can build your own tools
• Some have shared their tools with
others
• Repository for these tools is at
http://projects.arin.net
Q&A
ARIN’s Policy
Development Process
Kevin Blumberg
Vice Chair, ARIN Advisory Council
Overview
Basic steps
Examples of past policy changes
A current proposal
How to get involved
Policy Development Process (PDP) Steps
1) Proposal – Someone in the community thinks a policy can
be improved and documents
2) Draft Policy- Discussion on the list and possibly at
meeting(s) - Is there really a problem? Is this a good
solution?
3) Recommended Draft Policy - More discussion and
presentation at meeting(s). Does community support
turning this into policy?
4) Last call
5) Board Review
6) Staff Implementation (NRPM)
If you submit a proposal, you can participate further, or let the ARIN
process “shepherd” it through the steps
Past Policy Changes: IPv6 Policy
Circa 2001: Initial IPv6 policy aligned with IPv4 at that time,
conservation was important, small amounts issued for short
periods, hierarchical distribution from upstreams, and, no
end user policy at all
2003-2016 Dozens of proposals to improve IPv6 policy
Changes included: Minimum allocation size increased (/35 to
/32), larger allocations from IANA, policy for end users,
community networks (mesh networks), assignment sizes from
ISPs to customers (/56s), larger amounts for ISPs and easier
criteria, larger amounts for end users and easier criteria, bit
boundary assignments and allocations, etc.
Past Policy Changes: Transfers
1997 thru 2007: Policy for Mergers and Acquisitions existed,
everything else should go back to ARIN
2007 thru 2016: Many proposals to improve transfers.
Changes included: Allow needs-based transfers of unused or
underutilized address space between organizations via
ARIN, increase supply period from one year to two, allow
ASN transfers, allow Inter-RIR transfers, etc.
Still seeing proposals to make transfers easier, there are some
who are trying to reduce the needs requirement, some
want ARIN to simply record the transfers.
Policy Currently Under Discussion
• ARIN-2015-5: Out of Region Use
Would allow an organization to receive Internet number
resources from ARIN for use out of region as long as the
applicant is currently using at least the equivalent of a /22
of IPv4 space, /44 of IPv6, or 1 ASN within the ARIN service
region.
• Earlier Abandoned Proposals
ARIN-2014-1: Out of Region Use
ARIN-2013-6: Allocation of IPv4 and IPv6 Address Space to
Out-of-region Requestors
ARIN-2011-13: IPv4 Number Resources for Use Within Region
(continued on next slide)
2015-5 continued
• ARIN-2015-5 presented at ARIN 36 in Oct 2015
• AC found draft to be fair, technically sound and
supported and promoted to recommended state
(late Oct 2015)
• Presented as Recommended Draft Policy at
NANOG 66
• Next steps
– Last call or present again at ARIN 37?
– After Last Call could be:
• Review of last call comments
• Board Review
• Implementation by Staff
How Can You Get Involved?
Two ways to learn and be heard
1. Public Policy Mailing List
2. Public Policy Consultations/Meetings
ARIN meetings (April and October)
ARIN Public Policy Consultations at NANOG
(twice a year, usually February and June)
Remote participation supported
Takeaways
1) ARIN doesn't make up number policy,
you do.
2) Well documented policy development
process includes assistance from ARIN
AC and staff throughout the process.
3) Stay informed. Join the policy list and/or
attend meetings (in person or remotely).
Q&A
References
Policy Development Process (PDP)
http://www.arin.net/policy/pdp.html
Draft Policies and Proposals
http://www.arin.net/policy/proposals/index.html
Number Resource Policy Manual (NRPM)
http://www.arin.net/policy/nrpm.html
PDP Goals
1) “open, transparent, and inclusive manner that allows anyone to participate in the process.”
2) “clear, technically sound and useful policies”
3) “policies, not processes, fees, or services”
Security Overlays on Core Internet
Protocols – RPKI
Frank Hill
Sr Software Engineer
Core Internet Protocols
• Two critical resources that are
unsecured
– Domain Name Servers
– Routing
• Hard to tell if compromised
– From the user point of view
– From the ISP/Enterprise
Routing
Routing Architecture
• The Internet uses a two level routing hierarchy:
– Interior Routing Protocols, used by each network
to determine how to reach all destinations that
lie within the network
– Interior Routing protocols maintain the current
topology of the network
Routing Architecture
• The Internet uses a two level routing hierarchy:
– Exterior Routing Protocol, used to link each
component network together into a single whole
– Exterior protocols assume that each network is
fully interconnected internally
Exterior Routing: BGP
• BGP is a large set of bilateral (1:1)
routing sessions
– A tells B all the destinations (prefixes) that
A is capable of reaching
– B tells A all the destinations that B is
capable of reaching
[Diagram: BGP session between A and B; example prefixes shown: 10.0.0.0/24, 10.1.0.0/16, 10.2.0.0/18, 192.2.200.0/24]
What is RPKI?
• Resource Public Key Infrastructure
• Attaches digital certificates to network
resources
– AS Numbers
– IP Addresses
• Allows ISPs to associate the two
– Route Origin Authorizations (ROAs)
– Can follow the address allocation chain
to the top
What does RPKI accomplish?
• Allows routers or other processes
to validate route origins
• Simplifies validation authority
information
– Trust Anchor Locator
• Distributes trusted information
– Through repositories
Hierarchy of Resource Certificates
[Diagram: certificate hierarchy, top to bottom]
ICANN: 0.0.0.0/0, 0::/0
RIRs: ARIN (128.0.0.0/8, 192.0.0.0/8), LACNIC, AFRINIC, RIPE, APNIC
Regional ISP: 128.177.0.0/16
Other Small ISP: 192.78.12.0/24
Some Small ISP: 128.177.46.0/20
Route Origin Attestations
[Diagram: the certificate hierarchy with ROAs attached]
ICANN: 0.0.0.0/0, 0::/0
RIRs: ARIN (128.0.0.0/8, 192.0.0.0/8), LACNIC, AFRINIC, RIPE, APNIC
Regional ISP: 128.177.0.0/16
Other Small ISP: 192.78.12.0/24
Some Small ISP: 128.177.46.0/20
ROAs shown: 128.177.0.0/16 AS17025; 128.177.46.0/20 AS53659; 192.78.12.0/24 AS2000
Current Practices
[Diagram: the certificate hierarchy with ROAs, as currently practiced]
ICANN: 0.0.0.0/0, 0::/0
RIRs: ARIN (128.0.0.0/8, 192.0.0.0/8), LACNIC, AFRINIC, RIPE, APNIC
Regional ISP: 128.177.0.0/16
Other Small ISP: 192.78.12.0/24
Some Small ISP: 128.177.46.0/20
ROAs shown: 128.177.0.0/16 AS17025; 128.177.46.0/20 AS53659; 192.78.12.0/24 AS2000
What does RPKI Create?
• It creates a repository
– RFC 3779 (RPKI) Certificates
– ROAs
– CRLs
– Manifest records
Relationships
[Diagram: how the objects in a repository relate; arrow types: "Signs" and "Points to (has URI for)"]
Objects shown: Parent Cert, Parent Key, Parent Manifest, CRL, Certificate, Key, Manifest, EE Certificate, ROA, Child Cert
Field labels shown:
– Serial numbers of all revoked certs
– list of IP & ASN Resources
– AIA, URI of the parent cert
– URI/hash of CRL
– SIA, URI of the manifest
– URI hash of all ROAs
– URI of all child certs
– ASN
– list of IP prefixes & max lengths
Repository View
./ba/03a5be-ddf6-4340-a1f9-1ad3f2c39ee6/1:
total 40
-rw-r--r-- 1 143 143 1543 Jun 26 2009 ICcaIRKhGHJ-TgUZv8GRKqkidR4.roa
-rw-r--r-- 1 143 143 1403 Jun 26 2009 cKxLCU94umS-qD4DOOkAK0M2US0.cer
-rw-r--r-- 1 143 143 485 Jun 26 2009 dSmerM6uJGLWMMQTl2esy4xyUAA.crl
-rw-r--r-- 1 143 143 1882 Jun 26 2009 dSmerM6uJGLWMMQTl2esy4xyUAA.mnf
-rw-r--r-- 1 143 143 1542 Jun 26 2009 nB0gDFtWffKk4VWgln-12pdFtE8.roa
A Repository Directory containing an RFC3779
Certificate, two ROAs, a CRL, and a manifest
Repository Use
• Pull down these files using a manifest-validating mechanism
• Validate the ROAs contained in the
repository
• Communicate with the router marking
routes “valid”, “invalid”, “unknown”
• Up to ISP to use local policy on how to
route
Possible Data Flow for Operations
• RPKI Web interface -> Repository
• Repository aggregator -> Validator
• Validated entries -> Route Checking
• Route checking results -> local routing
decisions (based on local policy)
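The route-checking step in this flow, as an added example (not ARIN's code): validated ROA entries are matched against BGP announcements and each route is marked "valid", "invalid" or "unknown". The two ROA prefixes and origin ASNs come from the slides above; the max lengths, the announcements and AS64500 are constructed for illustration.

```python
import ipaddress

# ROA prefixes and origin ASNs are taken from the slides; the max lengths are
# constructed for this example (the slides do not give them).
ROAS = [
    ("128.177.0.0/16", 18, 17025),
    ("192.78.12.0/24", 24, 2000),
]


def load_vrps(roas):
    """Turn (prefix, max_length, asn) tuples into validated ROA payloads."""
    vrps = []
    for prefix, max_len, asn in roas:
        net = ipaddress.ip_network(prefix)
        if not net.prefixlen <= max_len <= net.max_prefixlen:
            raise ValueError(f"bad max length {max_len} for {prefix}")
        vrps.append((net, max_len, asn))
    return vrps


def validate_origin(prefix, origin_asn, vrps):
    """Classify a BGP announcement as 'valid', 'invalid' or 'unknown'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for net, max_len, asn in vrps:
        # A ROA covers the route when the route lies inside the ROA prefix.
        if route.version != net.version or not route.subnet_of(net):
            continue
        covered = True
        # Valid needs the authorised origin AND a length within max length.
        if asn == origin_asn and route.prefixlen <= max_len:
            return "valid"
    # Covered by some ROA but matched by none: invalid. No ROA: unknown.
    return "invalid" if covered else "unknown"


VRPS = load_vrps(ROAS)
# Constructed announcements, as a router might receive them over BGP.
ANNOUNCEMENTS = [
    ("128.177.0.0/16", 17025),   # authorised origin, exact prefix
    ("128.177.64.0/18", 17025),  # more specific, within max length 18
    ("128.177.46.0/24", 17025),  # more specific than max length allows
    ("192.78.12.0/24", 64500),   # covered prefix, wrong origin AS
    ("10.1.0.0/16", 64500),      # no covering ROA
]

if __name__ == "__main__":
    for prefix, asn in ANNOUNCEMENTS:
        print(f"{prefix:18} AS{asn:<6} {validate_origin(prefix, asn, VRPS)}")
```

The result is only a label on the route; as the slides say, what to do with an "invalid" or "unknown" route is left to local routing policy.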
How can you use ARIN’s RPKI
System?
• Hosted
– create ROAs through ARIN Online
– create ROAs using ARIN’s RESTful service
• Delegated using Up/Down Protocol
Hosted RPKI - ARIN Online
• Pros
– Easy to pick up and use
– ARIN managed
• Cons
– No current support for downstream
customers to manage their own space
– Tedious through the UI if you have a large
network
– We hold your private key
Hosted RPKI - RESTful Interface
• Pros
– Programmatic interface for large networks
– ARIN managed
• Cons
– No current support for downstream
customers to manage their own space
– We hold your private key
Delegated RPKI with Up/Down
• Pros
– You safeguard your own private key
– Follows the IETF up/down protocol
• Cons
– Extremely hard to set up
– Need to operate your own RPKI
environment
Hosted RPKI in ARIN Online
Your ROA request is automatically
processed and the ROA is placed in ARIN’s
repository, accompanied by its certificate
and a manifest. Users of the repository can
now validate the ROA using RPKI validators.
Delegated with Up/Down
• You have to do all the ROA creation
• Need to set up a CA
• Have a highly available repository
• Create a CPS
RPKI Statistics
Columns: ARIN XXX, ARIN XXXI, ARIN XXXII, ARIN 33, ARIN 34, ARIN 35, ARIN 36
RPAs Signed: 27, 72, 130, 162, 208, 289, 358
Certified Orgs: 47, 68, 108, 153, 187, 220
ROAs: 19, 60, 106, 162, 239, 308, 338
Covered Resources: 30, 82, 147, 258, 332, 430, 482
Up/Down Delegated: 0, 0, 0, 1, 2
Q&A
Moving to IPv6
Deb Martin, Senior Project Manager
Jon Worley, Technical Services Manager
The Amazing Success of the Internet
• 2.92 billion users!
• 4.5 online hours per day per user!
• 5.5% of GDP for G-20 countries
[Chart: just about anything about the Internet, plotted against time]
The Original IPv6 Plan - 1995
[Chart over time: IPv4 Pool Size, Size of the Internet, IPv6 Deployment, IPv6 Transition – Dual Stack]
The Revised IPv6 Plan - 2005
[Chart by date, 2004 to 2012: IPv4 Pool Size, Size of the Internet, IPv6 Transition – Dual Stack, IPv6 Deployment]
Oops!
We were meant to have completed the transition to IPv6 BEFORE we
completely exhausted the supply channels of IPv4 addresses!
Today’s Plan
[Chart over time with a "Today" marker: IPv4 Pool Size, Size of the Internet, IPv6 Transition, IPv6 Deployment; labels "?" and "0.8%"]
Transition...
The downside of an end-to-end architecture:
– There is no backwards compatibility across protocol
families
– A V6-only host cannot communicate with a V4-only
host
We have been forced to undertake a Dual Stack
transition:
– Provision the entire network with both IPv4 AND IPv6
– In Dual Stack, hosts configure the hosts’ applications
to prefer IPv6 to IPv4
– When the traffic volumes of IPv4 dwindle to
insignificant levels, then it’s possible to shut down
support for IPv4
Dual Stack Transition ...
We did not appreciate the operational problems with this dual stack
plan while it was just a paper exercise:
• The combination of an end host preference for IPv6 and a
disconnected set of IPv6 “islands” created operational problems
– Protocol “failover” from IPv6 to IPv4 takes between 19 and 108 seconds
(depending on the operating system configuration)
– This is unacceptably slow
• Attempting to “bridge” the islands with IPv6-in-IPv4 tunnels created a
new collection of IPv6 path MTU Discovery operational problems
– There are too many deployed network paths containing firewall filters that
block all forms of ICMP, including ICMP6 Packet Too Big
• Attempts to use end-host IPv6 tunneling also present operational
problems
– Widespread use of protocol 41 (IP-in-IP) firewall filters
– Path MTU problems
Dual Stack Transition
Signal to the ISPs:
– Deploy IPv6 and expose your users to operational problems with
IPv6 connectivity
Or
– Delay IPv6 deployment and wait for these operational issues to
be solved by someone else
So we wait...
And while we wait...
The Internet continues its growth.
• And without an abundant supply of IPv4
addresses to support this level of growth,
the industry is increasingly reliant on NATs:
– Edge NATs are now the de facto choice for
residential broadband services at the CPE
– ISP NATs are now the de facto choice for 3G
and 4G mobile IP services
What is ARIN Hearing from the
Community About IPv6?
• Movement to IPv6 is slow, but progress being
made
– ISPs slowly rolling out IPv6
– Steady increase in IPv6 traffic
– Increase in IPv6 requests
• Still high demand for IPv4
– Many ISPs purchasing CGN boxes
– More turning to the IPv4 market
• Rent by month
• Purchasing space outright (costs will increase)
Why is there little immediate need
for IPv6?
• Some of the claims are either not true
or taken over by events
– IPv6 gives you better security
– IPv6 gives you better routing
• Some positive things
– IPv6 allows for end-to-end networking to
occur again
– IPv6 has more address bits
– It is cheaper per address
2003: Sprint
• T1 via Sprint
• Linux Router with Sangoma T1 Card
• OpenBSD firewall
• Linux-based WWW, DNS, FTP servers
• Segregated network, no dual stack
(security concerns)
• A lot of PMTU issues
• A lot of routing issues
• Service did improve over the years
2008: NTT / TiNet IPv6
• 1000 Mbit/s to NTT / TiNet
• Cisco ASR 1000 Router
• Brocade Load Balancers
- IPv6 support was Beta
• DNS, Whois, IRR,
more later
• Dual stack
Past Meeting Networks
• IPv6 enabled since 2005
• Tunnels to ARIN, others
• Test bed for transition technology
• NAT-PT (Cisco, OSS)
• CGN / NAT-lite
• IVI
• Training opportunity
• For staff & members
ARIN’s Current Challenges for
Networking
• Dual-Stacked Internally
– Challenges over time with our VPN (OpenVPN)
• One interface works with v6
• One does not
• Middleware Boxes
– Claims do not support reality (“we support IPv6”) Yes, but…
– No 1-1 feature set
– Limits ARIN’s ability to support new services like https
support for Whois-RWS
However, there is some
good news…
US IPv6 Deployment
• > 25% of US customers connected to
Google via IPv6 - up from 10% one year
ago today & growing rapidly
The State of IPv6
• Over 10% of the world uses Facebook
over IPv6
[Chart: 1% on 6/6/2012, over 10% in 2015]
Why Move to IPv6 Now?
• IPv4 depletion has occurred
– Cost of IPv4 will only increase
• Lots more addresses and more!
– IPv6 performs better than IPv4
– IPv6 is simpler operationally; not difficult
to deploy
• More efficient network management - allows
for end-to-end networking to occur again
• Designed with security in mind
• IPv6 is your platform for innovation
Your IPv6 Checklist
• Get your IPv6 address space
• Set up IPv6 connectivity (native or tunneled)
• Configure your operating systems, software,
and network management tools
• Upgrade your router, firewall, and other
hardware
• Get your IT staff training
• Enable IPv6 on your website
Talk to Your ISP About
IPv6 Services
• You want access to the entire
Internet!
– ISPs must connect customers via IPv4
only, IPv4-IPv6, and IPv6 only
– They must plan for IPv4-IPv6 transition
services
• Many transition technologies available
• Research options and make architectural
decisions
Dual-stack Your Network
– IPv6 not backwards compatible with
IPv4
– Both will run simultaneously for years
Make Your Servers Reachable Over
IPv6
– Mail, Web, Applications
– Operating systems, software, and
network management tools
Audit Your Equipment and Software
– Are your devices and applications IPv6
ready?
Encourage Vendors to Support IPv6
– If not already, when will IPv6 support
be part of their product cycle?
Get IPv6 Training for Staff
– Free resources available
Enable IPv6 on Your Website
Steps To Get Your Website IPv6-Enabled
TeamARIN.net/get6
IPv6 over time
ARIN IPv6 Allocations and Assignments
2015 IPv6 Requests
[Chart: IPv6 requests per month, Jan-15 to Dec-15 (y-axis 0 to 120), with marker lines for "waiting list initiated" and "IPv4 depletion"]
ARIN ISP Members with IPv4 and IPv6
5,268 total members as of 31 January 2016
Global IPv6 Status
Percentage of Members with IPv6
Requesting IPv6 - ISPs
• Have a previous v4 allocation from
ARIN or predecessor registry
OR
• Intend to multi-home
OR
• Provide a technical justification
which details at least 50 assignments
made within 5 years
Data ARIN Will Typically
Ask For - ISPs
• If requesting more than a /32, a
spreadsheet/text file with
– # of serving sites (PoPs, datacenters)
– # of customers served by largest serving
site
– Block size to be assigned to each
customer (/48 typical)
Requesting IPv6 – End Users
• Have a v4 direct assignment from ARIN or
predecessor registry
OR
• Intend to multi-home
OR
• Show how you will use 2000 IPv6 addresses or
200 IPv6 subnets within a year
OR
• Technical justification as to why provider-assigned IPs are unsuitable
Data ARIN Will Typically Ask
For – End users
• If requesting more than a /48, a
spreadsheet/text file with
– List of sites in your network
• Site = distinct geographic location
• Street address for each
– Campus may count as multiple sites
• Technical justification showing how they’re
configured like geographically separate
sites
2015 Best Practices Forum (BPF) on
IPv6 Adoption
“Creating an Enabling Environment for IPv6 Adoption”
• Part of the Internet Governance Forum (IGF), a
multi-stakeholder forum for policy dialogue on
issues of Internet governance
• Project designed to document high level best
practices for IPv6 adoption
– Best practice examples collected via:
• Public survey running mid-July thru mid–November (results
available on the IGF website)
• Mailing list discussion
• E-mail correspondence
Final IPv6 BPF Document
• Provides an overview of various capacity building
programs that are available
• Highlights numerous examples and best practices that
can help businesses and governments with their IPv6
deployment projects
• Large section of the document is dedicated to role and
function of IPv6 task forces
http://www.intgovforum.org/cms/documents/best-practiceforums/creating-an-enabling-environment-for-the-development-oflocal-content/581-igf2015-bpfipv6-finalpdf/file
Operational Guidance
http://www.internetsociety.org/deploy360/
www.NANOG.org/archives/
http://nabcop.org/index.php/Main_Page
Internet Governance Forum – Enabling Environment for IPv6 Adoption
http://www.intgovforum.org/cms/best-practice-forums/2015-bpf-outs
Learn More
www.GetIPv6.info
IPv6 Info Center
www.arin.net/knowledge/ipv6_info_center.html
www.TeamARIN.net
Q&A / Open Mic Session
Take Aways
• Apply for IPv6 addresses and get started.
• Subscribe to an ARIN mailing list
• Participate in ARIN 37 – in person or remotely
• Apply for a future meeting fellowship
• Think about implementing DNSSEC/Resource
Certification
• Member organizations please update your
Voting Contact – linked to an ARIN Web User
account
• Reach out through various channels with
questions or suggestions
ARIN Mailing Lists
ARIN Announce: [email protected]
ARIN Discussion: [email protected] (members only)
ARIN Public Policy: [email protected]
ARIN Consultation: [email protected]
ARIN Issued: [email protected]
ARIN Technical Discussions: [email protected]
Suggestions: [email protected]
http://www.arin.net/participate/mailing_lists/index.html
ARIN on Social Media
www.TeamARIN.net
www.facebook.com/TeamARIN
@TeamARIN
www.gplus.to/TeamARIN
www.linkedin.com/company/ARIN
www.youtube.com/TeamARIN
https://www.arin.net/participate/meetings/fellowship.html