Reverse DNS in ARIN Online
Download
Report
Transcript Reverse DNS in ARIN Online
Roseau, Dominica
18 June 2015
Wireless Access
• Network: Fort Young Hotel
• Password: P@radis3
Welcome. Here today from ARIN…
• Susan Hamlin, Director, Communications
and Member Services
• Andrew Dul, ARIN Advisory Council
• Andy Newton, Chief Engineer
• Leslie Nobile, Senior Director of Global
Registry Knowledge
Morning Agenda
10:15 - 10:45
ARIN: Mission, Services and Community
Engagement; Susan Hamlin
10:45 -11:20
Security Overlays on Core Internet Protocols –
DNSSEC; Andy Newton
11:20 - 12:00
Life After IPv4 Depletion: IPv4 Inventory, Waiting
List and Transfers; Leslie Nobile
12:00 PM - 1:00 PM Lunch
Afternoon Agenda
1:00 - 1:30
Security Overlays on Core Internet Protocols - Resource
Certification (RPKI); Andy Newton
1:30- 2:00
Number Resource Policy Discussions and How to
Participate; Andrew Dul
2:00 - 2:30
Automating Interactions with ARIN: Andy Newton
2:30- 3:00
Moving to IPv6 - Getting IPv6 from ARIN/Current Uptake;
Andy Newton and Leslie Nobile
3:00- 3:15
Q&A / Open Mic Session; Susan Hamlin
Let’s Get Started!
• Self introductions
– Name
– Organization
ARIN and the RIR System:
Mission, Role and Services
Susan Hamlin
Director, Communications and
Member Services
What is an RIR?
A Regional Internet Registry (RIR) is an
organization that manages the
allocation and registration of Internet
number resources within a particular
region of the world. Internet number
resources include IP addresses and
autonomous system (AS) numbers.
Regional Internet Registries
RIR Structure
Not-for-profit
•
•
Fee for services,
not number
resources
100%
community
funded
Membership
Organization
•
Open
•
Broad-based
- Private sector
- Public sector
- Civil society
Community
Regulated
•
•
•
Community
developed
policies
Memberelected
executive
board
Open and
transparent
Number Resource Organization
The NRO exists to protect the unallocated number
resource pool, to promote and protect the bottom-up
policy development process, and to act as a focal
point for Internet community input into
the RIR system.
ARIN, a nonprofit member-based organization,
supports the operation of the Internet through
the management of Internet number resources
throughout its service region; coordinates the
development of policies by the community for
the management of Internet Protocol number
resources; and advances the Internet through
informational outreach.
ARIN’s Service Region
The ARIN Region includes many Caribbean and North Atlantic
islands, Canada, the United States and outlying areas.
IP Address and Autonomous System
Number Provisioning Process
Who is the ARIN community?
Anyone with an interest in Internet number
resource management in the ARIN region
The ARIN Community includes…
•
•
•
•
20,000+ customers
5,000+ members
60+ professional staff
7 member Board of Trustees
• elected by the membership
• 15 member Advisory Council
• elected by the membership
• 3 person Number Resource Organization
Number Council
• elected by the ARIN Community
ARIN Board of Trustees
•
•
•
•
•
•
•
Paul Andersen, Vice Chair and Treasurer
Vinton G. Cerf, Chair
John Curran, President and CEO
Timothy Denton, Secretary
Aaron Hughes
Bill Sandiford
Bill Woodcock
17
ARIN Advisory Council
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
18
Dan Alexander, Chair
Cathy Aronson
Kevin Blumberg, Vice Chair
Owen DeLong
Andrew Dul
David Farmer
David Huberman
Scott Leibrand
Tina Morris
Milton Mueller
Leif Sawyer
Heather Schiller
Robert Seastrom
John Springer
Chris Tacit
ARIN Services and Products
ARIN Manages:
• IP address allocations & assignments
• ASN assignment
• Transfers
• Reverse DNS
• Record Maintenance
• Directory service
Whois
Routing Information (Internet Routing
Registry)
WhoWas
19
ARIN Services and Products
ARIN coordinates and administers:
• Policy Development
Community meetings
Discussion
Publication
• Elections
• Information publication and dissemination
and public relations
• Community outreach
• Education and training
20
ARIN Services and Products
ARIN develops technologies for managing
Internet number resources:
• ARIN Online
• Community Software Project Repository
• DNSSEC
• Resource Certification (RPKI)
• Whois-RWS
• Reg-RWS
21
Globalization of IANA
Oversight
On 14 March 2014, the US Government
announced plans to transition oversight
of the IANA functions contract to the
global multistakeholder community
Current IANA functions contract expires
30 September 2015
NTIA Conditions for Transition
Proposal
1. Support and enhance the multistakeholder model
2. Maintain the security, stability, and
resiliency of the Internet DNS
3. Meet the needs and expectation of the
global customers and partners of the
IANA services
4. Maintain the openness of the Internet
Current Status of IANA Stewardship Proposal
Number Resources (RIR community)
– CRISP Team https://www.nro.net/wpcontent/uploads/ICG-RFP-Number-Resource-Proposal.pdf
- submitted 15 Jan 2015
– Draft Service Level Agreement (SLA) for the IANA
Numbering Services – Open for public comment 1 May
2015 – 14 June 2015
https://www.nro.net/news/call-for-comments-for-a-draft-sla-for-theiana-numbering-services
IANA Stewardship Proposal – Victory
Conditions
• A proposal submitted to NTIA by July 2015
which meets NTIA’s conditions and provides
for transition of IANA stewardship to the
global Internet community
• Community support of the ICG proposal,
based on belief that the mechanisms
provided for oversight and accountability
are appropriate
IANA Stewardship – Potential
Implications
• Successful transition of IANA Stewardship
from the USG to the Internet community
would be an important validation of the
Internet’s multi-stakeholder governance
model
• Inability to transition could raise concerns
about the validity of the multi-stakeholder
process and fuel discussion of the
perceived need for intergovernmental
mechanisms for Internet Governance
Join in Internet Governance Discussions
Visit ARIN’s
webpage:
Ways to
Participate
in Internet
Governance
https://www.arin.net/participate/governance/participate.html
Get 6 – Websites on IPv6
http://teamarin.net/infographic/
How to Participate in
ARIN
• Attend Public Policy and Members
Meetings & Public Policy Consultations
– Remote participation available
• Apply for Meeting Fellowship
• Discuss policies on Public Policy Mailing
List (ppml)
• Come to outreach events
• Subscribe to an ARIN mailing list
More Ways to Participate
• Give your opinion on community
consultations
• Submit a suggestion
• Contribute to the IPv6 wiki
• Write a guest blog for TeamARIN.net
• Connect with us on social media
• Members – Vote in annual elections
ARIN Mailing Lists
ARIN Announce: [email protected]
ARIN Discussion: [email protected] (members only)
ARIN Public Policy: [email protected]
ARIN Consultation: [email protected]
ARIN Issued: [email protected]
ARIN Technical Discussions: [email protected]
Suggestions: [email protected]
http://www.arin.net/participate/mailing_lists/index.html
ARIN on Social Media
www.TeamARIN.net
www.facebook.com/TeamARIN
@TeamARIN
#ARIN35
www.gplus.to/TeamARIN
www.linkedin.com/company/ARIN
www.youtube.com/TeamARIN
Apply now for ARIN 36 October 2015 in Montreal
https://www.arin.net/participate/meetings/fellowship.html
NEW: Includes attendance at NANOG
Q&A
Security Overlays on Core Internet
Protocols – DNSSEC
Andy Newton
Chief Engineer
Core Internet Protocols
• Two critical resources that are
unsecured
– Domain Name Servers
– Routing
• Hard to tell if compromised
– From the user point of view
– From the ISP/Enterprise
• Focus on government funding
DNS
How DNS Works
Question: www.arin.net A
Resolver
www.arin.net A
?
192.168.5.10
www.arin.net A ?
root-server
Ask net server @ X.gtld-servers.net (+ glue)
Caching
forwarder
(recursive)
www.arin.net A ?
gtld-server
Ask arin server @ ns1.arin.net (+ glue)
Add to cache
www.arin.net A ?
192.168.5.10
arin-server
Why DNSSEC? What is it?
• Standard DNS (forward or reverse)
responses are not secure
– Easy to spoof
– Notable malicious attacks
• DNSSEC attaches signatures
– Validates responses
– Can not spoof
Reverse DNS at ARIN
• ARIN issues blocks without any
working DNS
–Registrant must establish
delegations after registration
–Then employ DNSSEC if desired
• Just as susceptible as forward
DNS if you do not use DNSSEC
Reverse DNS at ARIN
• Authority to manage reverse
zones follows allocations
–“Shared Authority” model
–Multiple sub-allocation recipient
entities may have authority over
a particular zone
Changes completed to
make DNSSEC work at ARIN
• Permit by-delegation management
• Sign in-addr.arpa. and ip6.arpa.
delegations that ARIN manages
• Create entry method for DS Records
– ARIN Online
– RESTful interface
– Not available via templates
Changes completed to
make DNSSEC work at ARIN
• Only key holders may create and
submit Delegation Signer (DS) records
• DNSSEC users need to have signed a
registration services agreement with
ARIN to use these services
Reverse DNS in ARIN Online
First identify the network that you want to
put Reverse DNS nameservers on…
Reverse DNS in ARIN Online
…then enter the Reverse DNS nameservers…
DNSSEC in ARIN Online
…then apply DS record to apply to the delegation
Reverse DNS: Querying ARIN’s Whois
Query for the zone directly:
whois> 81.147.204.in-addr.arpa
Name:
Updated:
NameServer:
NameServer:
NameServer:
Ref:
81.147.204.in-addr.arpa.
2006-05-15
AUTHNS2.DNVR.QWEST.NET
AUTHNS3.STTL.QWEST.NET
AUTHNS1.MPLS.QWEST.NET
http://whois.arin.net/rest/rdns/81.147.204.in-addr.arpa.
DNSSEC in Zone Files
; File written on Mon Feb 24 17:00:53 2014
; dnssec_signzone version 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6
0.74.in-addr.arpa.
86400
IN NS
NS3.COVAD.COM.
86400
IN NS
NS4.COVAD.COM.
10800
NSEC
1.74.in-addr.arpa. NS RRSIG NSEC
10800
RRSIG
NSEC 5 4 10800 20140306210053 (
20140224210053 57974 74.in-addr.arpa.
oNk3GVaCWj2j8+EAr0PncqnZeQjm8h4w51nS
D2VUi7YtR9FvYLF/j4KO+8qYZ3TAixb9c05c
8EVIhtY1grXEdOm30zJpZyaoaODpbHt8FdWY
vwup9Tq4oVbxVyuSNXriZ2Mq55IIMgDR3nAT
BLP5UClxUWkgvS/6poF+W/1H4QY= )
1.74.in-addr.arpa.
86400
IN NS
NS3.COVAD.COM.
86400
IN NS
NS4.COVAD.COM.
10800
NSEC
10.74.in-addr.arpa. NS RRSIG NSEC
10800
RRSIG
NSEC 5 4 10800 20140306210053 (
20140224210053 57974 74.in-addr.arpa.
DKYGzSDtIypDVcer5e+XuwoDW4auKy6G/OCV
VTcfQGk+3iyy2CEKOZuMZXFaaDvXnaxey9R1
mjams519Ghxp2qOnnkOw6iB6mR5cNkYlkL0h
lu+IC4Buh6DqM4HbJCZcMXKEtWE0a6dMf+tH
sa+5OV7ezX5LCuDvQVp6p0LftAE= )
DNSSEC in Zone Files
0.121.74.in-addr.arpa.
86400
86400
86400
86400
IN NS
IN NS
IN NS
DS
86400
DS
86400
RRSIG
10800
NSEC
10800
RRSIG
DNS1.ACTUSA.NET.
DNS2.ACTUSA.NET.
DNS3.ACTUSA.NET.
46693 5 1 (
AEEDA98EE493DFF5F3F33208ECB0FA4186BD
8056 )
46693 5 2 (
66E6D421894AFE2AF0B350BD8F4C54D2EBA5
DA72A615FE64BE8EF600C6534CEF )
DS 5 5 86400 20140306210053 (
20140224210053 57974 74.in-addr.arpa.
n+aPxBHuf+sbzQN4LmHzlOi0C/hkaSVO3q1y
6J0KjqNPzYqtxLgZjU+IL9qhtIOocgNQib9l
gFRmZ9inf2bER435GMsa/nnjpVVWW/MBRKxf
Pcc72w2iOAMu2G0prtVT08ENxtu/pBfnsOZK
nhCY8UOBOYLOLE5Whtk3XOuX9+U= )
1.121.74.in-addr.arpa. NS DS RRSIG
NSEC
…
NSEC 5 5 10800 20140306210053 (
20140224210053 57974 74.in-addr.arpa.
YvRowkdVDfv+PW42ySNUwW8S8jRyV6EKKRxe
DNSSEC Validating Resolvers
• www.internetsociety.org/deploy360/dnssec/
• www.isc.org/downloads/bind/dnssec/
Reverse DNS Management and
DNSSEC in ARIN Online
• Available on ARIN’s website
http://www.arin.net/knowledge/dnssec/
Q&A
Life After IPv4 Depletion
•
Jon Worley –Analyst
•
Life After IPv4 Depletion
Leslie Nobile
Senior Director
Global Registry Knowledge
Overview
• ARIN’s current IPv4 inventory
• Trends and observations
• Ways to obtain IP addresses post IPv4
depletion
– IPv4
– Transfers
– IPv6
55
Check on ARIN’s IPv4 Inventory
ARIN’s IPv4 inventory
published on
ARIN’s website:
www.arin.net
Updated daily at
@ 12 am ET
Current IPv4 Inventory
Available inventory:
.12 /8 equivalent
.12
• Space available to fill general IPv4 requests
• Excludes space held/reserved
• Over the past few years, ARIN has issued
approximately 1 /8 equivalent per year
57
Current IPv4 Prefix Inventory
Block Size Number of Blocks
(CIDR)
Available
58
/12
1
/13
1
/15
1
/16
1
/18
1
/21
2
/22
3
/23
118
/24
461
* as of 17 June 2015
Other IPv4 Inventory
• Quarantined space (60 day hold)
– ~19 /16 equivalents held in “quarantine” to clear filters
(returned and revoked space)
• Reserved space
– 64 /16s (1 /10) for NRPM 4.10 “Dedicated IPv4 block to
facilitate IPv6 Deployment”
– 218 /24s remaining in the /16 for NRPM 4.4 “Microallocation”
– ~8 /16 equivalents needing further research (reclaimed
space that needs further chain of custody research)
IPv4 Reality Check
• Larger block sizes (/8, /9, /10) unavailable
• Blocks larger than /16 will be unavailable in
the near future
• Soon after that, only /24s will remain
• Eventually, only blocks reserved for specific
policies will remain in ARIN’s inventory
60
Post-IPv4 Depletion Options
• More efficient use of existing IPv4 resources
• IPv4 Wait List
• Specified Recipient and Inter-RIR Transfers
• Adopt IPv6
61
IPv4 Wait List
• If ARIN can’t fill your qualified request, you
have the option to specify the smallest block
size you’ll accept
• If available, your request will be filled and
you’ll be unable to request additional
addresses for 3 months
• If no block available between approved
and smallest acceptable, you can be
added to the IPv4 Wait List
62
How the IPv4 Wait List Works
• Oldest request filled first (based on
approval date)
– E.g. - if ARIN gets a /16 back and the oldest
request is for a /24, we issue a /24 to that org
• One approved request per organization on
the list at a time
• Limit of one allocation or assignment every
3 months
How long will I have to wait?
• Space becomes available in several ways
– Return = voluntary
– Revoke = for cause (usually non-payment)
– IANA issued – per global policy for “post
exhaustion IPv4 allocation mechanisms by
IANA”
• 3.54 total /8s returned/revoked since 2005
• /11 (issued 5/14), /12 (issued 9/14) and /13
(issued in 3/15) by IANA to each RIR
• Demand will be far greater than availability
64
Transfers of IPv4 Addresses
• Mergers and Acquisitions (NRPM 8.2)
• Transfers to Specified Recipients (NRPM
8.3)
• Inter-RIR transfers (NRPM 8.4)
65
Transfers to Specified Recipients
• Allows orgs with unused IPv4 resources to
transfer them to orgs in need of IPv4 resources
• Source
– Must be current registrant, no disputes
– Not have received addresses from ARIN for 12
months prior
– Ineligible for further addresses from ARIN for 12
months after
• Recipient
– Must demonstrate need for 24-month supply
under current ARIN policy
66
Inter-RIR Transfers (NRPM 8.4)
• RIR must have reciprocal, compatible needsbased policies
– Currently APNIC, soon to be RIPE NCC
• Transfers from ARIN
– Source cannot have received IPv4 from ARIN 12
months prior to transfer or receive IPv4 for 12 months
after transfer
– Must be current registrant, no disputes
– Recipient meets destination RIR policies
• Transfers to ARIN
– Must demonstrate need for 24-month supply under
current ARIN policy
67
Pre-approval for Specified
Recipient Transfers
• Pre-approval based on 24 month need
• Valid for 2 years
• Can use multiple transfers to fill need
without being subject to re-verification
68
Specified Transfer Listing Service
(STLS)
• Optional service intended to facilitate specified
recipient and inter-RIR transfers
• All participants have access to each others
contact information
– Listers: have available IPv4 addresses
• Resources must be covered under RSA/LRSA
– Needers: looking for IPv4 addresses
• Must be pre-approved under ARIN policy to be listed
– Facilitators: available to help listers and needers find each
other
• Public summary provided
– Lists number of available and needed IPv4 address blocks
69
Tips for Faster Transfer Processing
• Make sure that all registration information is current
and accurate
• Request pre-approval for your 24 month need
• Apply under the correct transfer policy
• Provide detailed information to support 24 month
need
70
Summary
• ARIN will deplete its available IPv4 pool
sometime this year
• No perfect solution
–
–
–
–
CGN = potential problems
Waiting list = uncertainty
Transfers = subject to market prices
IPv6 = transition effort
• Begin planning now
71
LUNCH
Take your valuables as the room
will not be locked.
Security Overlays on Core Internet
Protocols –RPKI
Andy Newton
Chief Engineer
Core Internet Protocols
• Two critical resources that are
unsecured
– Domain Name Servers
– Routing
• Hard to tell if compromised
– From the user point of view
– From the ISP/Enterprise
• Focus on government funding
Routing
Routing Architecture
• The Internet uses a two level routing hierarchy:
– Interior Routing Protocols, used by each network
to determine how to reach all destinations that
line within the network
– Interior Routing protocols maintain the current
topology of the network
Routing Architecture
• The Internet uses a two level routing hierarchy:
– Exterior Routing Protocol, used to link each
component network together into a single whole
– Exterior protocols assume that each network is
fully interconnected internally
Exterior Routing: BGP
• BGP is a large set of bilateral (1:1)
routing sessions
– A tells B all the destinations (prefixes) that
A is capable of reaching
– B tells A all the destinations that B is
capable of reaching
10.0.0.0/24
10.1.0.0/16
10.2.0.0/18
192.2.200.0/24
A
B
What is RPKI?
• Resource Public Key Infrastructure
• Attaches digital certificates to network
resources
– AS Numbers
– IP Addresses
• Allows ISPs to associate the two
– Route Origin Authorizations (ROAs)
– Can follow the address allocation chain
to the top
What does RPKI accomplish?
• Allows routers or other processes
to validate route origins
• Simplifies validation authority
information
– Trust Anchor Locator
• Distributes trusted information
– Through repositories
Resource Cert Validation
Resource
Allocation
Hierarchy
AFRINIC
ICANN
RIPE NCC
APNIC
ARIN
LACNIC
Issued Certificates
Route Origination Authority
LIR1
“ISP4 permits AS65000 to
originate a route for the
prefix 192.2.200.0/24”
Attachment: <isp4-ee-cert>
ISP
Signed,
ISP4 <isp4-ee-key-priv>
ISP
ISP2
ISP
ISP4
ISP
ISP
ISP
Resource Cert Validation
Resource
Allocation
Hierarchy
AFRINIC
ICANN
RIPE NCC APNIC
ARIN
LACNIC
Issued Certificates
Route Origination Authority
LIR1
“ISP4 permits AS65000 to
originate a route for the
prefix 192.2.200.0/24”
Attachment: <isp4-ee-cert>
ISP
Signed,
ISP4 <isp4-ee-key-priv>
ISP
ISP2
ISP ISP4 ISP ISP ISP
1. Did the matching private key
sign this text?
Resource Cert Validation
Resource
Allocation
Hierarchy
AFRINIC
ICANN
RIPE NCC APNIC
ARIN
LACNIC
Issued Certificates
Route Origination Authority
LIR1
“ISP4 permits AS65000 to
originate a route for the
prefix 192.2.200.0/24”
ISP2
Attachment: <isp4-ee-cert>
ISP
Signed,
ISP4 <isp4-ee-key-priv>
ISP
ISP
ISP4
ISP
ISP
2. Is this certificate valid?
ISP
Resource Cert Validation
Resource
Allocation
Hierarchy
AFRINIC
ICANN
RIPE NCC APNIC
ARIN
LACNIC
Issued Certificates
Route Origination Authority
LIR1
“ISP4 permits AS65000 to
originate a route for the
prefix 192.2.200.0/24”
ISP2
Attachment: <isp4-ee-cert>
ISP
Signed,
ISP4 <isp4-ee-key-priv>
ISP
ISP
ISP4
ISP
ISP
ISP
3. Is there a valid certificate path from a
Trust Anchor to this certificate?
What does RPKI Create?
• It creates a repository
– RFC 3779 (RPKI) Certificates
– ROAs
– CRLs
– Manifest records
Repository View
./ba/03a5be-ddf6-4340-a1f9-1ad3f2c39ee6/1:
total 40
-rw-r--r-- 1 143 143 1543 Jun 26 2009 ICcaIRKhGHJ-TgUZv8GRKqkidR4.roa
-rw-r--r-- 1 143 143 1403 Jun 26 2009 cKxLCU94umS-qD4DOOkAK0M2US0.cer
-rw-r--r-- 1 143 143 485 Jun 26 2009 dSmerM6uJGLWMMQTl2esy4xyUAA.crl
-rw-r--r-- 1 143 143 1882 Jun 26 2009 dSmerM6uJGLWMMQTl2esy4xyUAA.mnf
-rw-r--r-- 1 143 143 1542 Jun 26 2009 nB0gDFtWffKk4VWgln-12pdFtE8.roa
A Repository Directory containing an RFC3779
Certificate, two ROAs, a CRL, and a manifest
Repository Use
• Pull down these files using a manifestvalidating mechanism
• Validate the ROAs contained in the
repository
• Communicate with the router marking
routes “valid”, “invalid”, “unknown”
• Up to ISP to use local policy on how to
route
Possible Data Flow for Operations
• RPKI Web interface -> Repository
• Repository aggregator -> Validator
• Validated entries -> Route Checking
• Route checking results -> local routing
decisions (based on local policy)
How you can use ARIN’s RPKI
System?
• Hosted
• Hosted using ARIN’s RESTful service
• Delegated using Up/Down Protocol
Hosted RPKI
• Pros
– Easier to use
– ARIN managed
• Cons
– No current support for downstream
customers to manage their own space (yet)
– Tedious through the IU if you have a large
network
– We hold your private key
Hosted RPKI with RESTful Interace
• Pros
– Easier to use
– ARIN managed
– Programmatic interface for large networks
• Cons
– No current support for downstream
customers to manage their own space
(yet)
– We hold your private key
Delegated RPKI with Up/Down
• Pros
– You safeguard your own private key
– Follows the IETF up/down protocol
• Cons
– Extremely hard to setup
– Need to operate your own RPKI
environment
– More later
Hosted RPKI in ARIN Online
Hosted RPKI in ARIN Online
Hosted RPKI in ARIN Online
Hosted RPKI in ARIN Online
Hosted RPKI in ARIN Online
SAMPLE-ORG
Hosted RPKI in ARIN Online
SAMPLE-ORG
Hosted RPKI in ARIN Online
Your ROA request is automatically
processed and the ROA is placed in ARIN’s
repository, accompanied by its certificate
and a manifest. Users of the repository can
now validate the ROA using RPKI validators.
Delegated with Up/Down
Delegated with Up/Down
Delegated with Up/Down
Delegated with Up/Down
•
•
•
•
You have to do all the ROA creation
Need to setup a CA
Have a highly available repository
Create a CPS
Q&A
ARIN’s Policy
Development Process
Current Number Resource Policy Discussions
and How to Participate
Andrew Dul
ARIN Advisory Council
IP Number Policy Changes
If it doesn’t fit,
it can be changed
Number Resource Policy Manual
ARIN’s Policy Document
– Version 2015.1 (24 February 2015)
– 37th version
Change Logs
HTML/PDF/txt
http://www.arin.net/policy/nrpm.html
Policy Development Process (PDP)
Process Flowchart
Proposal Template
http://www.arin.net/policy/pdp.html
PDP Goals
• "open, transparent, and inclusive
manner that allows anyone to
participate in the process."
• "clear, technically sound and useful
policies"
• "Policies, not Processes, Fees, or
Services”
Basic Steps
1.
2.
3.
4.
5.
6.
7.
8.
Proposal from community member
AC works with author ensure it is clear and in scope
AC promotes proposal to Draft Policy for community
discussion/feedback (PPML and possibly PPC/PPM)
AC recommends fully developed Draft Policy (fair,
sound and supported by community) for adoption
Recommended Draft Policy must be presented at a
face-to-face meeting (PPC/PPM)
If AC still recommends adoption, then Last Call, review
of last call, and send to Board
Board reviews
Staff implements
Current Draft Policies/Proposals
1.
2.
3.
4.
To be implemented in June:
• ARIN-2014-17: Change Utilization Requirements from last-allocation to totalaggregate
Sent to the Board for ratification:
•
Recommended Policy ARIN-2014-6: Remove Operational Reverse DNS Text
•
Recommended Draft Policy ARIN-2014-21: Modification to CI Pool Size per
Section 4.4
Under discussion:
•
ARIN-2015-1: Modification to Criteria for IPv6 Initial End-User Assignments
•
ARIN-2015-2: Modify 8.4 (Inter-RIR Transfers to Specified Recipients)
•
ARIN-2015-3: Remove 30 day utilization requirement in end-user IPv4 policy
•
ARIN-2015-4: Modify 8.2 section to better reflect how ARIN handles
reorganizations
And 3 new proposals.
https://www.arin.net/policy/proposals/
113
Recommended Draft Policy ARIN-201417: Change Utilization Requirements
from last-allocation to total-aggregate
• Changes IPv4 utilization requirement from 80% of last
allocation to 50% overall and at least 50% of last allocation
(easier for smaller ISPs to come back for more space)
• Discussed on PPML beginning in May 2014
• Presented at ARIN 34 (October 2014)
• Revised in November 2014 and advanced to Recommended
Draft Policy
• Presented at NANOG 63
• Last call was 24 February through 10 March 2015
ARIN-2014-17 continued
• AC reviewed last call, advanced to
Board
• Board review
– Ensured PDP had been followed
– Ensured compliance with law and ARIN’s
mission
– Adopted 2014-7
• Staff announced “will be implemented
no later than 26 June 2015”
How Can You Get Involved?
There are two ways to voice
your opinion:
– Public Policy Mailing List
– Public Policy Consultations/Meetings
• In person or remotely
• ARIN meetings and Public Policy
Consultations at NANOG
Takeaways
Three things
1. ARIN
doesn't make up the policy, ARIN implements
community created/maintained policy.
2. Policy process exists, if you are unhappy with a policy,
there is a way for you to try to change it.
3. If you want to participate, you know where you can voice
your opinion (email, in person and remote).
References
Policy Development Process
http://www.arin.net/policy/pdp.html
Draft Policies and Proposals
http://www.arin.net/policy/proposals/index.html
Number Resource Policy Manual
http://www.arin.net/policy/nrpm.html
Q&A
Automating Your Interactions
with ARIN
Andy Newton
Chief Engineer
Why Automate?
• Interact with ARIN faster
• Not dependent on ARIN’s systems for
user interface issues
• Build a customized system using
standards-based technologies
• Improved accuracy
• Integrate multiple services
Why Automate (continued)
• We have a rich set of interfaces
• Focused on reliability and
completeness
• Welcome to share your tools with the
community at projects.arin.net
REST – Service Summary
• ARIN’s RESTful Web Services (RWS)
– Whois-RWS
• Provides public Whois data via REST
– Reg-RWS (or Registration-RWS)
• Allows ARIN customers to register and maintain
data in a programmatic fashion
– Report Request/Retrieval Automation
• Permits request and download of various ARIN
data (subject to AUP)
– RPKI using Reg-RWS
What is REST?
• Representational State Transfer
• As applied to web services
– defines a pattern of usage with HTTP to create,
read, update, and delete (CRUD) data
– “Resources” are addressable in URLs
• Very popular protocol model
– Amazon S3, Yahoo & Google services, …
The BIG Advantage of REST
• Easily understood
– Any modern programmer can incorporate it
– Can look like web pages
• Re-uses HTTP in a simple manner
– Many, many clients
– Other HTTP advantages
• This is why it is very, very popular with
Google, Amazon, Yahoo, Twitter,
Facebook, YouTube, Flickr, …
What does it look like?
Who can use it?
Where the data is.
What type of data it is.
The ID of the data.
It is a standard URL. Anyone can use it.
Go ahead, put it into your browser.
Where can more information on
REST be found?
• RESTful Web Services
– O’Reilly Media
– Leonard Richardson
– Sam Ruby
Whois-RWS
• Publicly accessible, just like traditional
Whois
• Searches and lookups on IP addresses, AS
numbers, POCs, Orgs, etc…
• Very popular
– As of October 2014, constitutes 65% of our
query load
• For more information:
– http://www.arin.net/resources/whoisrws/index.html
2001-07
2001-11
2002-03
2002-07
2002-11
2003-03
2003-07
2003-11
2004-03
2004-07
2004-11
2005-03
2005-07
2005-11
2006-03
2006-07
2006-11
2007-03
2007-07
2007-11
2008-03
2008-07
2008-11
2009-03
2009-07
2009-11
2010-03
2010-07
2010-11
2011-03
2011-07
2011-11
2012-03
2012-07
2012-11
2013-03
2013-07
2013-11
2014-03
2014-07
2014-11
2015-03
4000
Whois Queries Per Second
3500
3000
2500
2000
RESTful
1500
Port 43
1000
500
0
Registration RWS (Reg-RWS)
• Programmatic way to interact with
ARIN
– Intended to be used for automation
– Not meant to be used by humans
• Useful for ISPs that manage a large
number of SWIP records
• Requires an investment of time to
achieve those benefits
Reg-RWS
• Requires an API Key
– You generate one in ARIN Online on the
“Web Account” page
• Permits you to register and manage
your data (ORGs, POCs, NETs, ASes)
– But only your data
• More information
– http://www.arin.net/resources/restful-interfaces.html
Anatomy of a RESTful request
• Uses a URL (just like you would type into
your browser)
• Uses a request type, known as a
“method”, of GET, PUT, POST or DELETE
• Usually requires a payload
– Adheres to a published structure
– Depends upon the type of data
– Depends upon the method
• Method, Payload, and XML schema info is
found at “RESTful Provisioning Downloads”
Example – Reassign Detailed
• Your automated system issues a PUT
command to ARIN using the following URL:
http://www.arin.net/rest/net/NET-10-129-0-0-1/reassign?apikey=API-1234-5678-9ABC-DEFG
The payload
contains the
following
data:
<net xmlns="http://www.arin.net/regrws/core/v1" >
<version>4</version>
<comment></comment>
<registrationDate></registrationDate>
<orgHandle>HW-1</orgHandle>
<handle></handle>
<netBlocks>
<netBlock>
<type>A</type>
<description>Reassigned</description>
<startAddress>10.129.0.0</startAddress>
<endAddress>10.129.0.255</endAddress>
<cidrLength>24</cidrLength>
</netBlock>
</netBlocks>
<parentNetHandle>NET-10-129-0-0-1</parentNetHandle>
<netName>HELLOWORLD</netName>
<originASes></originASes>
<pocLinks></pocLinks>
</net>
Example – Reassign Detailed
ARIN’s web server returns the following
to your automated system:
<net xmlns="http://www.arin.net/regrws/core/v1" >
<version>4</version>
<comment></comment>
<registrationDate>Tue Jan 25 16:17:18 EST 2011</registrationDate>
<orgHandle>HW-1</orgHandle>
<handle>NET-10-129-0-0-2</handle>
<netBlocks>
<netBlock>
<type>A</type>
<description>Reassigned</description>
<startAddress>10.129.0.0</startAddress>
<endAddress>10.129.0.255</endAddress>
<cidrLength>24</cidrLength>
</netBlock>
</netBlocks>
<parentNetHandle>NET-10-129-0-0-1</parentNetHandle>
<netName>netName>HELLOWORLD</netName>
<originASes></originASes>
<pocLinks></pocLinks>
</net>
Reg-RWS Has More Than Templates
• Only programmatic way to do IPv6
Reassign Simple
• Only programmatic way to manage
Reverse DNS
• Only programmatic way to access
your ARIN tickets
Reg-RWS Adoption
6,000,000
5,000,000
4,000,000
3,000,000
Template
2,000,000
REST
1,000,000
0
ARIN
29
ARIN
30
ARIN
31
ARIN
32
Template 408,383 595,858 846,943 1,066,0
REST
40,374 320,197 841,105 3,524,1
ARIN
33
ARIN
34
ARIN
35
1,311,4
4,296,7
1,498,2
4,715,2
1,749,3
5,034,7
Testing Your Reg-RWS Client
• We offer an Operational Test &
Evaluation environment for Reg-RWS
• Your real data, but isolated
– Helps you develop against a real system
without the worry that real data could get
corrupted
• For more information:
– http://www.arin.net/resources/ote.html
Obtaining RESTful Assistance
• http://www.arin.net/resources/restful-interfaces.html
• Pay attention to Method, Payload, and XML schema
documents under “RESTful Provisioning Downloads”
• Or use ARIN Online’s Ask ARIN feature
• Or use the arin-tech-discuss mailing list
– Make sure to subscribe
– Someone on the list will help you ASAP
– Archives on the web site
• Registration Services Help Desk telephone not a good fit
– Debugging these problems requires a detailed look at
the URL, method, and payload being used
Report Request/Retrieval
• For customer-specific data, access is
restricted by user
– Permits you to request and retrieve reports
– But only your data
• For public services, you must first sign
an AUP or TOU (Bulk Whois, Registered
ASNs, WhoWas)
– ARIN staff may review your need to access this data
• Requires an API Key
RPKI thru Reg-RWS
• Delegated – very complex
• Hosted – easy but tedious if managing
a large network through the UI
• Solution: Interface to sign ROAs using
the RESTful API
– Ease of Hosted
– Programmatic way of managing a large
number of ROAs
Whois-RWS and the Future
• Whois-RWS is ARIN’s RESTful interface to
Whois.
– RIPE also has a RESTful interface for Whois but
it is not compatible
• Wanted to make a directory service
compatible through the IETF
• IETF published the RDAP series of RFCs in
Q1 of 2015.
– ARIN will have RDAP rolled out June 20
– Will be supported by all 5 RIRs and domain
registries.
RDAP Clients
• ARIN has a client available
Nicinfo at http://projects.arin.net
- Or –
- “gem install nicinfo” for linux/mac users
- Other clients coming soon
Q&A
Moving to IPv6
Andy Newton, Chief Engineer
Leslie Nobile, Senior Director
Global Registry Knowledge
With some help from Geoff Huston
The Amazing Success of the Internet
• 2.92 billion users!
• 4.5 online hours per day per user!
• 5.5% of GDP for G-20 countries
Just about
anything about
the Internet
145
Time
Success-Disaster
146
The Original IPv6 Plan - 1995
Size of the Internet
IPv6 Deployment
IPv6 Transition – Dual Stack
IPv4 Pool Size
Time
147
The Revised IPv6 Plan - 2005
IPv4 Pool Size
Size of the Internet
IPv6 Transition – Dual Stack
IPv6 Deployment
2004
148
2006
2008
Date
2010
2012
Oops!
We were meant to have completed the transition
to IPv6 BEFORE we completely exhausted the
supply channels of IPv4 addresses!
149
Today’s Plan
IPv4 Pool
Size
Today
Size of the
Internet
?
IPv6 Transition
IPv6 Deployment
0.8%
150
Time
Transition...
The downside of an end-to-end architecture:
– There is no backwards compatibility across protocol
families
– A V6-only host cannot communicate with a V4-only
host
We have been forced to undertake a Dual Stack
transition:
– Provision the entire network with both IPv4 AND IPv6
– In Dual Stack, hosts configure the hosts’ applications
to prefer IPv6 to IPv4
– When the traffic volumes of IPv4 dwindle to
insignificant levels, then it’s possible to shut down
support for IPv4
151
Dual Stack Transition ...
We did not appreciate the operational problems with this dual stack
plan while it was just a paper exercise:
•
The combination of an end host preference for IPv6 and a
disconnected set of IPv6 “islands” created operational problems
– Protocol “failover” from IPv6 to IPv4 takes between 19 and 108 seconds
(depending on the operating system configuration)
– This is unacceptably slow
•
Attempting to “bridge” the islands with IPv6-in-IPv4 tunnels created a
new collection of IPv6 path MTU Discovery operational problems
– There are too many deployed network paths containing firewall filters that
block all forms of ICMP, including ICMP6 Packet Too Big
•
Attempts to use end-host IPv6 tunneling also presents operational
problems
– Widespread use of protocol 41 (IP-in-IP) firewall filters
– Path MTU problems
152
Dual Stack Transition
Signal to the ISPs:
– Deploy IPv6 and expose your users to operational problems with
IPv6 connectivity
Or
– Delay IPv6 deployment and wait for these operational issues to
be solved by someone else
So we wait...
153
And while we wait...
The Internet continues its growth.
• And without an abundant supply of IPv4
addresses to support this level of growth,
the industry is increasingly reliant on NATs:
– Edge NATs are now the de facto choice for
residential broadband services at the CPE
– ISP NATs are now the de facto choice for 3G
and 4G mobile IP services
154
155
What ARIN is hearing from the
community
• Movement to IPv6 is slow
– Progress is being made
– ISPs carefully rolling out IPv6
• Lots of ISPs purchasing CGN boxes
• There is a market for IP space
– Rent by month
– Purchase outright
155
Why is there little immediate need
for IPv6?
• Some of the claims are either not true
or taken over by events
– IPv6 gives you better security
– IPv6 gives you better routing
• Some positive things
156
– IPv6 allows for end-to-end networking to
occur again
– IPv6 has more address bits
– It is cheaper per address
157
2003: Sprint
• T1 via Sprint
• Linux Router with Sangoma T1 Card
• OpenBSD firewall
• Linux-based WWW, DNS, FTP servers
• Segregated network, no dual stack
(security concerns)
• A lot of PMTU issues
• A lot of routing issues
• Service did improve over the years
158
2004: Worldcom
• T1 via Worldcom in Equinix
• Cisco 2800 router
• OpenBSD firewall
• Linux-based ww6, DNS,
FTP servers
• Segregated network, no
dual stack (security concerns)
• A lot of PMTU Issues
• A lot of routing issues
159
2006: Equi6IX
• 100 Mbit/s Ethernet to
Equi6IX
• Transit via OCCAID
• Cisco 2800 router
• OpenBSD firewall
• WWW, DNS, FTP, SMTP
• Segregated Network
• Some dual stack
160
2008: NTT / TiNet IPv6
• 1000 Mbit/s to NTT / TiNet
• Cisco ASR 1000 Router
• Brocade Load Balancers
- IPv6 support was Beta
• DNS, Whois, IRR,
more later
• Dual stack
161
Past Meeting Networks
• IPv6 enabled since 2005
• Tunnels to ARIN, others
• Testbed for transition techology
• NAT-PT (Cisco, OSS)
• CGN / NAT-lite
• IVI
• Training opportunity
• For staff & members
ARIN’s Current Challenges for
Networking
• Dual-Stacked Internally
– Challenges over time with our VPN (OpenVPN)
• One interface works with v6
• One does not
• Middleware Boxes
– Claims do not support reality (“we support IPv6”) Yes, but…
– No 1-1 feature set
– Limits ARIN’s ability to support new services like https
support for Whois-RWS
162
So why do the move to IPv6?
• IPv4 will get more expensive
• Move to IPv6 will happen when cost is
too high for IPv4
• Don’t want to be caught with gear
that will not support IPv6 before it is
end-of-life
• Need to have some experience on
IPv6
163
Call to Action for IPv6
• ISPs should do it now
• Universities should be teaching and
making IPv6 available
• Businesses should be asking for IPv6
support for gear and services they
purchase
– Want to be available to all on the Internet
– If only IPv4 – may miss some IPv6 clientele
• Application developers need to integrate
IPv6 support
164
Call to Action for IPv6
• End users
– May be behind CGN
• Impacts speed and services
• Don’t want to lose in those real-time games!
(CoD gamers in particular)
– Ask for IPv6 support
• Faster
• Better application support
• Less support calls for IPv4
165
What is ARIN doing about it?
• What we see with Transfers based on
market reality
• What we see with IPv6 Allocations
166
Trends and Observations
• Comparing the past 12 months over
the 12 months prior:
– 18% increase in IPv4 requests
– 5% increase in Transfer requests
– 8% decrease in IPv6 requests
167
Qualifying for IPv6 – a few definitions
• Allocate – Intention to assign/allocate
to others
• Assign – Resting spot for that IP space
• ISPs – ones who allocate to other ISPs
or assign to end-users
• End Users –assigned to themselves
168
For ISPs, qualifying for IPv6 is easy!
• Have a previous v4 allocation from
ARIN OR
• Intend to multi-home OR
• Provide a technical justification which
details at least 50 assignments made
within 5 years
169
For end-users, qualifying for IPv6 is
also easy!
• Have a v4 direct assignment OR
• Intend to multi-home OR
• Show how you will use 2000 IPv6
addresses or 200 IPv6 subnets within a
year OR
• Technical justification as to why
provider-assigned IPs are unsuitable
170
171
ISP Members with IPv4 and IPv6
4,960 ISP members as of 13 February 2015
172
Regional ISP IPv6 Adoption
IPv6 over time
ARIN IPv6 Allocations and Assignments
173
Get IPv6 from ARIN now!
Most
organizations
with IPv4 can
IPv6 without
increasing their
annual ARIN
fees
174
Learn More
www.GetIPv6.info
IPv6 Info Center
www.arin.net/knowledge/ipv6_info_center.html
www.TeamARIN.net
175
Operational Guidance
www.InternetSociety.org/
Deploy360/
www.NANOG.org/archives/
bcop.NANOG.org
www.hpc.mil/cms2/index.php/
ipv6-knowledge-base-general-info
176
Useful Links and Contacts
• Hostmaster – answers questions about
policy, IPv4 & IPv6, ASNs, Transfers, etc
– Email: [email protected]
– Phone: 703 227-0660
• Geoff Huston’s article on IPv4 & IPv6
– http://www.potaroo.net/ispcol/201506/ipv6.html
Useful Links and Contacts
• ARIN links:
Statistics/IPv4,IPv6 & Transfers/General
Education/CIDR chart
– https://www.arin.net/knowledge/statistics/index.
html
– https://www.arin.net/resources/index.html
– https://www.arin.net/knowledge/general.html
– https://www.arin.net/knowledge/cidr.pdf
– https://www.arin.net/fees/index.html
Q&A / Open Mic Session
Take Aways
• Apply for IPv4 addresses tonight! Call the
RSD helpdesk with questions.
• Subscribe to at least one mailing list
• Apply for a meeting fellowship
• Think about implementing
DNSSEC/Resource Certification
• Member organizations please vote
• Reach out though various channels with
questions or suggestions
Apply now for ARIN 36 in Montréal
https://www.arin.net/participate/meetings/fellowship.ht
ml
Fill out & submit
the survey for your
chance to win a
Portable Battery Pack!