Anchorage, Alaska
5 June 2014
Wireless Access: SSID: PW:

Welcome. Here today…
• Einar Bohlin, Senior Policy Analyst
• Aaron Hughes, ARIN Board of Trustees
• Mark Kosters, Chief Technology Officer
• Leslie Nobile, Director, Registration Services
• John Sweeting, Advisory Council Chair

Today's Agenda
1. Welcome and Getting Started
2. ARIN: Mission, Role, and Services
3. Obtaining IP Addresses I: IPv4 Inventory, Depletion Projections, Countdown Plan
4. Securing Internet Infrastructure I: DNSSEC
5. Obtaining IP Addresses II: IPv4 Waiting List and Transfers
6. Lunch (12:00 to 1:00)
7. Obtaining IP Addresses III: IPv6
8. Automating Interactions with ARIN
9. Policy Experience and Other Items of Interest
10. Securing Internet Infrastructure II: RPKI
11. Current Number Resource Policy Discussions and How to Participate
12. Q&A and Open Microphone

Let's Get Started!
• Self introductions
  – Name
  – Organization

ARIN: Our Mission, Role and Services
Aaron Hughes, ARIN Board of Trustees

"ARIN, a nonprofit member-based organization, supports the operation of the Internet through the management of Internet number resources throughout its service region; coordinates the development of policies by the community for the management of Internet Protocol number resources; and advances the Internet through informational outreach."

ARIN's Service Region
ARIN's region includes many (20) Caribbean and North Atlantic islands, Canada, and the United States and outlying areas.

Regional Internet Registries

Who Provisions IP Addresses & ASNs?
Number Resource Provisioning
ICANN
  • Top-level technical coordination of the Internet (Names, Numbers, Root Servers)
IANA
  • Manage global unallocated IP address pool
  • Allocate number resources to RIRs
RIR
  • Manage regional unallocated IP address pool
  • Allocate number resources to ISPs/LIRs
  • Assign number resources to End-users
ISP/LIR
  • Manage local IP address pool for use by customers and for infrastructure
  • Allocate number resources to ISPs
  • Assign number resources to End-users

ARIN Structure
Not-for-profit
  • Fee for services, not number resources
  • 100% community funded
Membership Organization
  • Broad-based
    – Private sector
    – Public sector
    – Civil society
Community Regulated
  • Community developed policies
  • Member-elected executive board
  • Open and transparent
ARIN Support Organization

ARIN Services
Number Resources
  • IP address allocation & assignment
  • ASN assignment
  • Directory services
    – Whois-RWS
    – WhoWas
    – IRR
  • Reverse DNS
  • DNSSEC
  • Resource Certification (RPKI)
  • Community Software Repository
Organization
  • Information dissemination
    – Websites
    – Educational materials
    – IPv6 Wiki
  • Social media
  • Meetings
  • Elections
  • Outreach
    – IPv6
    – Internet Governance
Policy Development
  • Maintain email discussion lists
  • Conduct public policy meetings and public policy consultations
  • Publish policy documents

Information on Joining in the Internet Governance Discussion
Visit ARIN's webpage, Ways to Participate in Internet Governance:
https://www.arin.net/participate/governance/participate.html

Participate in ARIN
Contribute your Opinions and Ideas:
• Public Policy Mailing List
• IPv6 Wiki
• Attend Public Policy and Members Meetings, Public Policy Consultations, outreach events
• Submit a suggestion
• Participate in community consultations
• Write a guest blog
• Members – Vote in annual elections

ARIN Mailing Lists
ARIN Announce: [email protected]
ARIN Discussion: [email protected] (members only)
ARIN Public Policy: [email protected]
ARIN Consultation:
[email protected]
ARIN Issued: [email protected]
ARIN Technical Discussions: [email protected]
Suggestions: [email protected]
http://www.arin.net/participate/mailing_lists/index.html

Q&A

Obtaining IP Addresses I
ARIN's IPv4 Inventory, Depletion Projections, and Countdown Plan
Leslie Nobile, Director, Registration Services

ARIN's IPv4 Inventory
As of 16 May 2014, ARIN has 0.87 /8 equivalents of IPv4 addresses remaining.
IPv4 inventory published on ARIN's website: www.arin.net (updated daily @ 8PM ET)

Prefix Length Breakdown

IPv4 Annual Burn Rate
[Chart: /8 equivalents issued per year, 1999 through 2013; vertical axis 0 to 3.5]

ARIN's IPv4 Free Pool
[Chart: /8 equivalents in ARIN free pool, monthly, March 2011 through May 2014; vertical axis 0 to 6]

Linear Depletion Projection
[Chart: /8 equivalents in ARIN free pool, linear projection; vertical axis 0 to 6]

APNIC Depletion "Run On The Bank" Projection
[Chart: /8 equivalents in ARIN free pool, run-on-the-bank projection; vertical axis 0 to 6]

Which Projection is More Likely?
• Probably somewhere in the middle, but it only takes one unexpected very large request (e.g.
  /10) to change things completely
• Policy requirement to only fill requests with one block will prevent large ISPs from depleting all of the small blocks

IPv4 Countdown Plan

IPv4 Countdown Plan – Phase 4
• Started at 1 /8 equivalent left
• All IPv4 requests team-reviewed and processed on a first in, first out basis
• Org has 60 days from approval to complete payment and RSA
• IPv4 hold period drops to 2 months

Minimum Requirements for IPv4 ISPs
• Multi-homed (/22 minimum)
  – 2 /24s reassigned to you and efficiently used
• Single-homed (/20 minimum)
  – 16 /24s reassigned to you and efficiently used
• Immediate need

IPv4 ISP Data Typically Requested
• Static: Mapping of static IPs/subnets to customer names and street addresses
• Dynamic: List of all dynamic pools with prefix/range assigned, area served (location), peak util %
• Internal Infrastructure: Mapping of internal subnets with description and # IPs used
Example [slide image]

Other IPv4 ISP Data Requested
• Typically ask for:
  – Customer justification data
• If necessary, may ask for:
  – Customer contact information and proof of customer payments
  – Proof of equipment lease/purchase

3 Month Supply Calculation
• Slow Start Policy (NRPM 4.2.1.4)
  – Allocations based on justified need, not solely predicted growth
• Utilization rate of last allocation is the basis for determining additional allocation size
• Immediate need policy for exceptional circumstances

Minimum Requirements for IPv4 – End Users
• Multi-homed (/24 minimum)
  – Show how you will use 64 IP addresses immediately (25%)
  – Show how you will use 128 IP addresses within one year (50%)
• Single-homed (/20 minimum)
  – Show how you will use 1,024 IP addresses immediately (25%)
  – Show how you will use 2,048 IP addresses within one year (50%)

IPv4 End User Data Requested
• Subnet mapping for previous ARIN assignments
  – Each subnet with description and # IPs currently used
• Planned subnet mapping for requested block
  – Each subnet with description, # IPs used within 30 days, # IPs
    used within one year
Example [slide image]

ISP or End User?
• ISP = Any service that provides Internet access
  – Dedicated servers, Virtual Private Servers (VPS), colocation
• End User = Services that do not provide Internet access
  – Software as a Service (SaaS), VPN, Application Service Provider (ASP)

The Bottom Line
• ARIN has v4 space today, but can't guarantee future availability
• Plan appropriately to ensure continued growth of your network
  – Waiting List
  – Specified Recipient Transfers
  – IPv6

Q&A

Securing Internet Infrastructure: Using DNSSEC with ARIN Online
Mark Kosters, ARIN Engineering

Why DNSSEC? What is it?
• Standard DNS (forward or reverse) responses are not secure
  – Easy to spoof
  – Notable malicious attacks
• DNSSEC attaches signatures
  – Validates responses
  – Cannot be spoofed

Reverse DNS at ARIN
• ARIN issues blocks without any working DNS
  – Registrant must establish delegations after registration
  – Then employ DNSSEC if desired
• Just as susceptible as forward DNS if you do not use DNSSEC

Reverse DNS at ARIN
• Authority to manage reverse zones follows allocations
  – "Shared Authority" model
  – Multiple sub-allocation recipient entities may have authority over a particular zone

Changes completed to make DNSSEC work at ARIN
• Permit by-delegation management
• Sign in-addr.arpa. and ip6.arpa.
  delegations that ARIN manages
• Create entry method for DS Records
  – ARIN Online
  – RESTful interface
  – Not available via templates

Changes completed to make DNSSEC work at ARIN
• Only key holders may create and submit Delegation Signer (DS) records
• DNSSEC users need to have signed a registration services agreement with ARIN to use these services

Reverse DNS in ARIN Online
[Screenshots] First identify the network that you want to put Reverse DNS nameservers on… then enter the Reverse DNS nameservers…

DNSSEC in ARIN Online
[Screenshot] …then apply the DS record to the delegation.

Reverse DNS: Querying ARIN's Whois
Query for the zone directly:

  whois> 81.147.204.in-addr.arpa
  Name:        81.147.204.in-addr.arpa.
  Updated:     2006-05-15
  NameServer:  AUTHNS2.DNVR.QWEST.NET
  NameServer:  AUTHNS3.STTL.QWEST.NET
  NameServer:  AUTHNS1.MPLS.QWEST.NET
  Ref:         http://whois.arin.net/rest/rdns/81.147.204.in-addr.arpa.

DNSSEC in Zone Files

  ; File written on Mon Feb 24 17:00:53 2014
  ; dnssec_signzone version 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6
  0.74.in-addr.arpa.  86400  IN NS   NS3.COVAD.COM.
                      86400  IN NS   NS4.COVAD.COM.
                      10800  NSEC    1.74.in-addr.arpa. NS RRSIG NSEC
                      10800  RRSIG   NSEC 5 4 10800 20140306210053 (
                                     20140224210053 57974 74.in-addr.arpa.
                                     oNk3GVaCWj2j8+EAr0PncqnZeQjm8h4w51nS
                                     D2VUi7YtR9FvYLF/j4KO+8qYZ3TAixb9c05c
                                     8EVIhtY1grXEdOm30zJpZyaoaODpbHt8FdWY
                                     vwup9Tq4oVbxVyuSNXriZ2Mq55IIMgDR3nAT
                                     BLP5UClxUWkgvS/6poF+W/1H4QY= )
  1.74.in-addr.arpa.  86400  IN NS   NS3.COVAD.COM.
                      86400  IN NS   NS4.COVAD.COM.
                      10800  NSEC    10.74.in-addr.arpa. NS RRSIG NSEC
                      10800  RRSIG   NSEC 5 4 10800 20140306210053 (
                                     20140224210053 57974 74.in-addr.arpa.
                                     DKYGzSDtIypDVcer5e+XuwoDW4auKy6G/OCV
                                     VTcfQGk+3iyy2CEKOZuMZXFaaDvXnaxey9R1
                                     mjams519Ghxp2qOnnkOw6iB6mR5cNkYlkL0h
                                     lu+IC4Buh6DqM4HbJCZcMXKEtWE0a6dMf+tH
                                     sa+5OV7ezX5LCuDvQVp6p0LftAE= )

DNSSEC in Zone Files

  0.121.74.in-addr.arpa.  86400  IN NS   DNS1.ACTUSA.NET.
                          86400  IN NS   DNS2.ACTUSA.NET.
                          86400  IN NS   DNS3.ACTUSA.NET.
                          86400  DS      46693 5 1 (
                                         AEEDA98EE493DFF5F3F33208ECB0FA4186BD
                                         8056 )
                          86400  DS      46693 5 2 (
                                         66E6D421894AFE2AF0B350BD8F4C54D2EBA5
                                         DA72A615FE64BE8EF600C6534CEF )
                          86400  RRSIG   DS 5 5 86400 20140306210053 (
                                         20140224210053 57974 74.in-addr.arpa.
                                         n+aPxBHuf+sbzQN4LmHzlOi0C/hkaSVO3q1y
                                         6J0KjqNPzYqtxLgZjU+IL9qhtIOocgNQib9l
                                         gFRmZ9inf2bER435GMsa/nnjpVVWW/MBRKxf
                                         Pcc72w2iOAMu2G0prtVT08ENxtu/pBfnsOZK
                                         nhCY8UOBOYLOLE5Whtk3XOuX9+U= )
                          10800  NSEC    1.121.74.in-addr.arpa. NS DS RRSIG NSEC
                          10800  RRSIG   NSEC 5 5 10800 20140306210053 (
                                         20140224210053 57974 74.in-addr.arpa.
                                         YvRowkdVDfv+PW42ySNUwW8S8jRyV6EKKRxe
                                         … )

DNSSEC Validating Resolvers
• www.internetsociety.org/deploy360/dnssec/
• www.isc.org/downloads/bind/dnssec/

Reverse DNS Management and DNSSEC in ARIN Online
• Available on ARIN's website: http://www.arin.net/knowledge/dnssec/

Q&A

Obtaining IP Addresses II
ARIN's IPv4 Waiting List and the IPv4 Transfer Market
Leslie Nobile, Director, Registration Services

IPv4 Waiting List

How It Works
• If ARIN can't fill a justified request, option to specify smallest acceptable size
• If no block available between approved and smallest acceptable size, option to go on the waiting list
• May receive only one allocation every three months
• Only one request on the list at a time

Filling Waiting List Requests
• Oldest request filled first
  – Example
    • /19 is oldest request
    • /16 returned to ARIN
    • ARIN breaks up the /16 and issues the /19
• Subject to re-verification
• Removed from list once a block is issued

IPv4 Churn
• IPv4 addresses go back into ARIN's free pool 3 ways
  – Return = voluntary
  – Revoke = for cause (usually nonpayment)
  – Reclaimed = fraud or business dissolution
• 3.54 /8s received back since 2005
  – /8 equivalent returned to IANA in 2012
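Returning to the DNSSEC zone file section above: the two DS records for 0.121.74.in-addr.arpa (key tag 46693, algorithm 5, digest types 1 and 2) are what lets a validating resolver tie the parent's delegation to the child's DNSKEY. The following Python is an added example, not code from the slides or from ARIN: it computes the RFC 4034 key tag and the DS digest (type 1 = SHA-1, type 2 = SHA-256) for a constructed DNSKEY and performs the resolver-side check, including the failure case where the DNSKEY has been altered. The owner name is taken from the slide; the key bytes, flags and algorithm number are constructed for the example. Digest type 2 is the one to publish today; type 1 is included only because it appears on the slide.

```python
import hashlib
import struct

# DS digest types as seen on the slide: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509).
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label last."""
    wire = b""
    for label in name.rstrip(".").split("."):
        if label:
            wire += bytes([len(label)]) + label.lower().encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, then the public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (the 46693 / 57974 style numbers on the slides).
    Not valid for algorithm 1 (RSA/MD5), which uses a different rule."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, rdata: bytes, digest_type: int) -> tuple:
    """DS RDATA the parent zone publishes: (key tag, algorithm, digest type, hex digest).
    The digest covers the owner name in wire form followed by the DNSKEY RDATA."""
    digest = DIGEST_ALGOS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], digest_type, digest)


def ds_matches(ds: tuple, owner: str, rdata: bytes) -> bool:
    """Resolver-side check: recompute the DS from the child's DNSKEY and compare.
    A DNSKEY that matches no DS in the parent cannot anchor the child's signatures."""
    tag, alg, dtype, digest = ds
    if dtype not in DIGEST_ALGOS:
        return False  # unsupported digest type: this DS cannot be used for validation
    return make_ds(owner, rdata, dtype) == (tag, alg, dtype, digest.upper())


# Constructed example: the zone name from the slide, a KSK (flags 257) using algorithm 8
# (RSA/SHA-256) with a placeholder public key. Not a real key.
OWNER = "0.121.74.in-addr.arpa."
GOOD_KEY = dnskey_rdata(257, 3, 8, b"\x01\x02\x03\x04")
TAMPERED_KEY = dnskey_rdata(257, 3, 8, b"\x01\x02\x03\x05")


def demo() -> dict:
    """Publish a SHA-256 DS for GOOD_KEY, then check a genuine and a tampered DNSKEY against it."""
    ds = make_ds(OWNER, GOOD_KEY, 2)
    return {
        "key_tag": ds[0],
        "genuine_matches": ds_matches(ds, OWNER, GOOD_KEY),
        "tampered_matches": ds_matches(ds, OWNER, TAMPERED_KEY),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Because the DS is a hash of the owner name plus the whole DNSKEY RDATA, any change to the key, its flags or its algorithm produces a different digest, which is why only the key holder should be able to submit DS records to ARIN (the point made on the "Changes completed" slide).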
Burn Rate vs. Churn Rate
[Chart: # /24s issued vs. # /24s received back per year, 2005 through 2013; vertical axis 0 to 300,000]

Reality Check
• At the rate at which IPv4 addresses were recovered in 2013, it would take 51 years to fill all of 2013's approved requests
• Waiting List is a lottery ticket, not a savings bond

IPv4 Transfer Market

Types of Transfers
• Mergers and Acquisitions (8.2)
• Transfers to Specified Recipients (8.3)
• Inter-RIR transfers (8.4)

Transfers to Specified Recipients
• 12 month waiting period (anti-flip provision)
• Recipient must qualify to receive resources under current ARIN policy
• Recipient may receive up to a 24 month supply

Specified Recipient Transfer Notes
• 71 transfers completed (46,758 /24s)*
• Transactions typically arranged through IPv4 brokers
*As of Apr 31, 2014

Inter-RIR Transfers From ARIN
• RIR must have reciprocal, compatible needs-based policies
  – Currently: APNIC
  – Under discussion in the RIPE NCC, LACNIC, & AFRINIC regions
• Org releasing resources must not have received IPv4 from ARIN within the past 12 months
• Recipient must meet other RIR's Inter-RIR transfer policy requirements

Inter-RIR Transfers To ARIN
• RIR must have reciprocal, compatible needs-based policies
  – Currently: APNIC
• Recipient must qualify to receive resources under current policy
• Recipient may request up to a 24 month supply

Inter-RIR Transfer Notes
• 24 transfers completed (2,677 /24s total)
• ARIN & APNIC for now
• Expectation is primarily ARIN to APNIC given the early exhaustion of IPv4 in the APNIC region

Specified Transfer Listing Service (STLS)
• 3 ways to participate
  – Listers: have available IPv4 addresses
  – Needers: looking for more IPv4 addresses
  – Facilitators: available to help listers and needers find each other
• Major Uses
  – Matchmaking
  – Obtain preapproval for a transaction arranged outside STLS

Misconceptions About Specified Recipient Transfers
• IPv4 transactions will never be allowed
  – Fact: Transfer of unused IPv4
    started June 2009
• It's a ploy to take my unused addresses back
  – Fact: ARIN does not require the return of address space
• ARIN recognizes all IPv4 transactions
  – Fact: Must meet policy requirements

Tips and Tricks
• Make sure you are applying under the correct transfer policy
• Involve ARIN as early as possible
  – Make sure a contemplated specified transfer meets ARIN requirements before finalizing
• Make sure that all registration information is current and accurate
• Use ARIN's STLS to pre-qualify
• Provide detailed information to support 24 month need

IPv4 Transfer Market Reality Check, Part 2
• Reports say current asking prices are around $10/IPv4 address
• Prices will likely rise once ARIN depletes its IPv4 pool (supply and demand)
• Supply not guaranteed; need willing participants
• Temporary measure; does not preclude need to transition to IPv6

Q&A

Lunch Break
Take your valuables as the room will not be locked.

This Afternoon's Agenda
1. Obtaining IP Addresses III: IPv6
2. Automating Interactions with ARIN
3. Policy Experience and Other Items of Interest
4. Securing Internet Infrastructure II: RPKI
5. Current Number Resource Policy Discussions and How to Participate
6. Q&A and Open Microphone

Obtaining IP Addresses III
IPv6 Adoption
Leslie Nobile, Director, Registration Services

Why Adopt IPv6?
• Global IPv4 pool is depleted
• ARIN's IPv4 free pool will be gone soon
• IPv4 Waiting list is uncertain and sure to be loooooooooooong
• IPv4 Transfer Market = $$$$$
• How will you continue to grow your network?
• What other options do you have?

Alternatives?
• Large Scale/Carrier-Grade NAT?
  – Equipment costs to consider
  – Degraded services: increased latency, certain applications don't work well, law enforcement compliance issues, geolocation, etc.
• Or: solve the problem the right way

Qualifying for IPv6 – ISPs
• Have a previous v4 allocation from ARIN, OR
• Intend to multi-home, OR
• Provide a technical justification which details at least 50 assignments made within 5 years

IPv6 ISP Data Typically Requested
• If requesting more than a /32, a spreadsheet/text file with
  – # of serving sites (PoPs, datacenters)
  – # of customers served by largest serving site
  – Block size to be assigned to each customer (/48 typical)

Qualifying for IPv6 – End Users
• Have a v4 direct assignment, OR
• Intend to multi-home, OR
• Show how you will use 2000 IPv6 addresses or 200 IPv6 subnets within a year, OR
• Technical justification as to why provider-assigned IPs are unsuitable

IPv6 End Users – Data Requested
• List of sites in your network
  – Site = distinct geographic location
  – Street address for each
• Campus may count as multiple sites
  – Technical justification showing how they're configured like geographically separate sites

ISP Members with IPv4 and IPv6
IPv4-only and IPv4+v6 ISPs (*4,646 total members)

  Quarter           2010Q1  2010Q3  2011Q1  2011Q3  2012Q1  2012Q3  2013Q1  2013Q3
  % IPv4 Only         80%     75%     70%     66%     64%     62%     60%     59%
  % IPv4 and IPv6     20%     25%     30%     34%     36%     38%     40%     41%

Benefits of Deploying IPv6
• No more coming to ARIN multiple times a year for address space
• Deploy a subnet to a site once and you're good
• Improved aggregation

The Solution to IPv4 Depletion
• IPv6 must be adopted for continued internet growth
• Now is the time to deploy IPv6

Everyone needs an IPv6 Plan
• Each organization must decide on a unique IPv6 deployment plan right for them
  – Timeline will vary
  – Investment level will vary

Your IPv6 Check List
• IPv6 address space
• IPv6 connectivity (native or tunneled)
• Operating systems, software, and network management tool upgrades
• Router, firewall, and other hardware upgrades
• IT staff and customer service training

ARIN Resources
• www.GetIPv6.info
• IPv6 Info Center:
  www.arin.net/knowledge/ipv6_info_center.html
• www.TeamARIN.net

Operational Guidance
• www.InternetSociety.org/Deploy360/
• www.NANOG.org/archives/
• bcop.NANOG.org
• www.hpc.mil/cms2/index.php/ipv6-knowledge-base-general-info

Q&A

Automating Your Interactions with ARIN
Mark Kosters, ARIN Engineering

Why Automate?
• Interact with ARIN faster
• Not dependent on ARIN's systems for user interface issues
• Build a customized system using standards-based technologies
• Improved accuracy
• Integrate multiple services

Why Automate (continued)
• We have a rich set of interfaces
• Focused on reliability and completeness
• Welcome to share your tools with the community at projects.arin.net

REST – Service Summary
• ARIN's RESTful Web Services (RWS)
  – Whois-RWS
    • Provides public Whois data via REST
  – Reg-RWS (or Registration-RWS)
    • Allows ARIN customers to register and maintain data in a programmatic fashion
  – Report Request/Retrieval Automation
    • Permits request and download of various ARIN data (subject to AUP)
  – RPKI using Reg-RWS

What is REST?
• Representational State Transfer
• As applied to web services
  – defines a pattern of usage with HTTP to create, read, update, and delete (CRUD) data
  – "Resources" are addressable in URLs
• Very popular protocol model
  – Amazon S3, Yahoo & Google services, …

The BIG Advantage of REST
• Easily understood
  – Any modern programmer can incorporate it
  – Can look like web pages
• Re-uses HTTP in a simple manner
  – Many, many clients
  – Other HTTP advantages
• This is why it is very, very popular with Google, Amazon, Yahoo, Twitter, Facebook, YouTube, Flickr, …

What does it look like? Who can use it?
[Annotated URL: the parts of the URL show where the data is, what type of data it is, and the ID of the data.] It is a standard URL. Anyone can use it. Go ahead, put it into your browser.

Where can more information on REST be found?
• RESTful Web Services – O'Reilly Media – Leonard Richardson, Sam Ruby

Whois-RWS
• Publicly accessible, just like traditional Whois
• Searches and lookups on IP addresses, AS numbers, POCs, Orgs, etc.
• Very popular
  – As of September 2013, constitutes 65% of our query load
• For more information:
  – http://www.arin.net/resources/whoisrws/index.html

Registration RWS (Reg-RWS)
• Programmatic way to interact with ARIN
  – Intended to be used for automation
  – Not meant to be used by humans
• Useful for ISPs that manage a large number of SWIP records
• Requires an investment of time to achieve those benefits

Reg-RWS
• Requires an API Key
  – You generate one in ARIN Online on the "Web Account" page
• Permits you to register and manage your data (ORGs, POCs, NETs, ASes)
  – But only your data
• More information
  – http://www.arin.net/resources/restful-interfaces.html

Anatomy of a RESTful request
• Uses a URL (just like you would type into your browser)
• Uses a request type, known as a "method", of GET, PUT, POST or DELETE
• Usually requires a payload
  – Adheres to a published structure
  – Depends upon the type of data
  – Depends upon the method
• Method, Payload, and XML schema info is found at "RESTful Provisioning Downloads"

Example – Reassign Detailed
Your automated system issues a PUT command to ARIN using the following URL:

  http://www.arin.net/rest/net/NET-10-129-0-0-1/reassign?apikey=API-1234-5678-9ABC-DEFG

The payload contains the following data:

  <net xmlns="http://www.arin.net/regrws/core/v1">
    <version>4</version>
    <comment></comment>
    <registrationDate></registrationDate>
    <orgHandle>HW-1</orgHandle>
    <handle></handle>
    <netBlocks>
      <netBlock>
        <type>A</type>
        <description>Reassigned</description>
        <startAddress>10.129.0.0</startAddress>
        <endAddress>10.129.0.255</endAddress>
        <cidrLength>24</cidrLength>
      </netBlock>
    </netBlocks>
    <parentNetHandle>NET-10-129-0-0-1</parentNetHandle>
    <netName>HELLOWORLD</netName>
    <originASes></originASes>
    <pocLinks></pocLinks>
  </net>

Example –
Reassign Detailed (continued)
ARIN's web server returns the following to your automated system:

  <net xmlns="http://www.arin.net/regrws/core/v1">
    <version>4</version>
    <comment></comment>
    <registrationDate>Tue Jan 25 16:17:18 EST 2011</registrationDate>
    <orgHandle>HW-1</orgHandle>
    <handle>NET-10-129-0-0-2</handle>
    <netBlocks>
      <netBlock>
        <type>A</type>
        <description>Reassigned</description>
        <startAddress>10.129.0.0</startAddress>
        <endAddress>10.129.0.255</endAddress>
        <cidrLength>24</cidrLength>
      </netBlock>
    </netBlocks>
    <parentNetHandle>NET-10-129-0-0-1</parentNetHandle>
    <netName>HELLOWORLD</netName>
    <originASes></originASes>
    <pocLinks></pocLinks>
  </net>

Reg-RWS Has More Than Templates
• Only programmatic way to do IPv6 Reassign Simple
• Only programmatic way to manage Reverse DNS
• Only programmatic way to access your ARIN tickets

Reg-RWS adoption at ARIN
• In 2012…
  – 1.09 Million transactions processed
    • 375K processed via Reg-RWS (34%)
    • 371K processed via Template (34%)
    • Remainder via ARIN Online
• In 2013…
  – 4.72 Million transactions processed
    • 3.66M processed via Reg-RWS (78%)
    • 488K processed via Template (10%)
    • Remainder via ARIN Online

Testing Your Reg-RWS Client
• We offer an Operational Test & Evaluation environment for Reg-RWS
• Your real data, but isolated
  – Helps you develop against a real system without the worry that real data could get corrupted
• For more information:
  – http://www.arin.net/resources/ote.html

Obtaining RESTful Assistance
• http://www.arin.net/resources/restful-interfaces.html
• Pay attention to Method, Payload, and XML schema documents under "RESTful Provisioning Downloads"
• Or use ARIN Online's Ask ARIN feature
• Or use the arin-tech-discuss mailing list
  – Make sure to subscribe
  – Someone on the list will help you ASAP
  – Archives on the web site
• Registration Services Help Desk telephone is not a good fit
  – Debugging these problems requires a detailed look at the URL, method, and payload being used
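The "Reassign Detailed" slides above show the PUT payload and ARIN's reply. The following Python is an added example, not ARIN's code and not a client shown in the slides: it builds the same payload with the standard library, checks the start/end addresses against the CIDR length before anything is sent (the "improved accuracy" point from "Why Automate?"), parses the reply for the handle ARIN assigned, and shows how the PUT would be issued with urllib. The base URL and API key are the placeholders printed on the slide; a real client reads them from configuration and uses the TLS endpoint from ARIN's current Reg-RWS documentation. Because the API key travels in the query string, the full request URL is a credential and must be kept out of logs. The sample reply is constructed from the slide's response, trimmed to the elements the parser reads.

```python
import ipaddress
import urllib.request
import xml.etree.ElementTree as ET

REGRWS_NS = "http://www.arin.net/regrws/core/v1"  # namespace from the slide's payload
ET.register_namespace("", REGRWS_NS)              # serialize it as the default namespace, as on the slide

# Placeholders copied from the slide. A real client loads these from configuration, never source.
BASE_URL = "http://www.arin.net/rest"
API_KEY = "API-1234-5678-9ABC-DEFG"


def check_block(start: str, end: str, cidr: int) -> bool:
    """True only if start/cidr is an aligned network whose last address is end.
    Catching this locally avoids sending ARIN an inconsistent netBlock."""
    try:
        net = ipaddress.ip_network(f"{start}/{cidr}", strict=True)
    except ValueError:
        return False
    return net.broadcast_address == ipaddress.ip_address(end)


def build_reassign_payload(org_handle: str, parent_handle: str, net_name: str,
                           start: str, end: str, cidr: int) -> bytes:
    """Build the Reassign Detailed PUT payload shown on the slide."""
    if not check_block(start, end, cidr):
        raise ValueError(f"netBlock {start}-{end}/{cidr} is not a consistent CIDR block")

    def sub(parent, tag, text=""):
        el = ET.SubElement(parent, f"{{{REGRWS_NS}}}{tag}")
        el.text = text
        return el

    net = ET.Element(f"{{{REGRWS_NS}}}net")
    sub(net, "version", "4")
    sub(net, "comment")
    sub(net, "registrationDate")
    sub(net, "orgHandle", org_handle)
    sub(net, "handle")                       # left empty: ARIN assigns the new NET handle
    block = sub(sub(net, "netBlocks"), "netBlock")
    sub(block, "type", "A")
    sub(block, "description", "Reassigned")
    sub(block, "startAddress", start)
    sub(block, "endAddress", end)
    sub(block, "cidrLength", str(cidr))
    sub(net, "parentNetHandle", parent_handle)
    sub(net, "netName", net_name)
    sub(net, "originASes")
    sub(net, "pocLinks")
    return ET.tostring(net, encoding="utf-8")


def reassign_url(parent_handle: str, api_key: str = API_KEY) -> str:
    """URL form from the slide. The key rides in the query string, so never log this value."""
    return f"{BASE_URL}/net/{parent_handle}/reassign?apikey={api_key}"


def parse_net_response(body: bytes) -> dict:
    """Extract what the caller needs from ARIN's <net> reply: the assigned handle and date."""
    root = ET.fromstring(body)
    if root.tag != f"{{{REGRWS_NS}}}net":
        raise ValueError(f"unexpected root element {root.tag}")
    return {
        "handle": root.findtext(f"{{{REGRWS_NS}}}handle"),
        "registrationDate": root.findtext(f"{{{REGRWS_NS}}}registrationDate"),
        "netName": root.findtext(f"{{{REGRWS_NS}}}netName"),
    }


def send_reassign(parent_handle: str, payload: bytes) -> dict:
    """Issue the PUT (network call; not exercised offline) and parse the reply."""
    req = urllib.request.Request(reassign_url(parent_handle), data=payload, method="PUT",
                                 headers={"Content-Type": "application/xml"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_net_response(resp.read())


# Constructed sample reply, trimmed from the slide's response, for offline parsing.
SAMPLE_RESPONSE = b"""<net xmlns="http://www.arin.net/regrws/core/v1"><version>4</version>
<registrationDate>Tue Jan 25 16:17:18 EST 2011</registrationDate><orgHandle>HW-1</orgHandle>
<handle>NET-10-129-0-0-2</handle><parentNetHandle>NET-10-129-0-0-1</parentNetHandle>
<netName>HELLOWORLD</netName></net>"""

if __name__ == "__main__":
    body = build_reassign_payload("HW-1", "NET-10-129-0-0-1", "HELLOWORLD",
                                  "10.129.0.0", "10.129.0.255", 24)
    print(body.decode())
    print(parse_net_response(SAMPLE_RESPONSE))
```

Point the same client at the Operational Test & Evaluation environment described on the "Testing Your Reg-RWS Client" slide before running it against production data.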
Report Request/Retrieval
• For customer-specific data, access is restricted by user
  – Permits you to request and retrieve reports
  – But only your data
• For public services, you must first sign an AUP or TOU (Bulk Whois, Registered ASNs, WhoWas)
  – ARIN staff may review your need to access this data
• Requires an API Key

New Feature: RPKI thru Reg-RWS
• Delegated – very complex
• Hosted – easy but tedious if managing a large network through the UI
• Solution: Interface to sign ROAs using the RESTful API
  – Ease of Hosted
  – Programmatic way of managing a large number of ROAs

Q&A

Policy Experience and Other Items of Interest
Leslie Nobile, Director, Registration Services

Purpose of Policy Experience Report
• Review existing policies
  – Ambiguous text / Inconsistencies / Gaps / Effectiveness
• Identify areas where new or modified policy may be needed
  – Operational experience
  – Customer feedback
• Provide feedback to community and make recommendations when appropriate

ASN Policies
• Be multi-homed or have a unique routing policy
• Issue ASNs from an undifferentiated 32-bit pool (contains both 2-byte and 4-byte ASNs)
• Problem: 2-byte ASNs are depleting and 4-byte ASNs are still not supported across the board

ASN Policies…
• ARIN originally issued choice of 2-byte or 4-byte
  – Most 4-bytes were returned because "upstream said routers won't support them"
• Recently changed practice to issue 4-byte if acceptable, 2-byte if requested
  – Issuing more 4-bytes with few returns = progress
• 2-byte pool will likely deplete in near future
  – Check your hardware and ISPs to ensure they support 4-byte ASNs if you plan on multi-homing

First Time Requestor Policies
• Will new/first time ISP requestors be able to qualify for IPv4 space under existing ARIN policies after free pool depletion?
Observations
• Seeing many first time requestors requesting space directly from ARIN
  – Hearing that upstreams are requiring them to renumber and return their space
• About 25-30% of current requestors are first timers to ARIN
• Other RIRs have IPv4 "austerity" policies that allow all orgs to receive a small v4 block from the last /8
  – ARIN has a policy that reserves a /10 for IPv6 transition only, but no general austerity policy for the last /8

Potential Issues for New ISPs
• No address space reserved for new organizations
  – Post-depletion options: market transfers or immediate need policy
• Specified and Inter-RIR transfers require qualification under existing policy
  – All IPv4 ISP policies (except immediate need) require requestors to already have v4 space to get space
• Possible that first time ISP requestors won't have/can't get upstream space
• End result: no way for many new ISPs to obtain an initial allocation

Suggestions
• Create a new "austerity" policy that allows ARIN to reserve a specified prefix size for first timer ISP requestors
• Modify existing policies to allow a small initial allocation without having provider-assigned space
• Result of Policy Experience Report: new policy proposal 2014-13, "Reduce Minimum Allocation/Assignment Units to /24", recently introduced to address the problem

Common Problems with Resource Requests
• First time requestors don't have IPs reassigned (SWIPped) to them by their upstream(s)
• Not multi-homed or won't be for many months, want IP addresses in advance in order to be ready to deploy
• Don't want to provide customer information due to privacy concerns

Common Problems…
• Customer justification data not well understood (they would like a standard form)
• Block size requested is larger than justified for three month need based on demonstrated historical utilization rate
• Customers want their requests expedited

New Fee Schedule
• Effective 1 July 2013
• Fees continue to be based on cost recovery
• Lower initial assignment/allocation
  fees
• Almost all IPv4 ISPs can now get IPv6 without an additional annual fee

Fee Schedule
[Fee schedule table, not reproduced]

Q&A

Securing Internet Infrastructure: Route Origin Security using RPKI at ARIN
Mark Kosters, ARIN Engineering

What is RPKI?
• Resource Public Key Infrastructure
• Attaches digital certificates to network resources
  – AS Numbers
  – IP Addresses
• Allows ISPs to associate the two
  – Route Origin Authorizations (ROAs)
  – Can follow the address allocation chain to the top

What does RPKI accomplish?
• Allows routers or other processes to validate route origins
• Simplifies validation authority information
  – Trust Anchor Locator
• Distributes trusted information
  – Through repositories

Resource Cert Validation
[Diagram: Resource Allocation Hierarchy with ICANN above the five RIRs (AFRINIC, RIPE NCC, APNIC, ARIN, LACNIC), then LIR1, ISP2, ISP4 and other ISPs; issued certificates follow the allocation chain]
Route Origination Authority: "ISP4 permits AS65000 to originate a route for the prefix 192.2.200.0/24"
  Attachment: <isp4-ee-cert>
  Signed, ISP4 <isp4-ee-key-priv>
Validation steps:
  1. Did the matching private key sign this text?
  2. Is this certificate valid?
  3. Is there a valid certificate path from a Trust Anchor to this certificate?

What does RPKI Create?
• It creates a repository
  – RFC 3779 (RPKI) Certificates
  – ROAs
  – CRLs
  – Manifest records

Repository View

  ./ba/03a5be-ddf6-4340-a1f9-1ad3f2c39ee6/1:
  total 40
  -rw-r--r-- 1 143 143 1543 Jun 26 2009 ICcaIRKhGHJ-TgUZv8GRKqkidR4.roa
  -rw-r--r-- 1 143 143 1403 Jun 26 2009 cKxLCU94umS-qD4DOOkAK0M2US0.cer
  -rw-r--r-- 1 143 143  485 Jun 26 2009 dSmerM6uJGLWMMQTl2esy4xyUAA.crl
  -rw-r--r-- 1 143 143 1882 Jun 26 2009 dSmerM6uJGLWMMQTl2esy4xyUAA.mnf
  -rw-r--r-- 1 143 143 1542 Jun 26 2009 nB0gDFtWffKk4VWgln-12pdFtE8.roa

A Repository Directory containing an RFC 3779 Certificate, two ROAs, a CRL, and a manifest

Repository Use
• Pull down these files using a manifest-validating mechanism
• Validate the ROAs contained in the repository
• Communicate with the router, marking routes "valid", "invalid", "unknown"
• Up to ISP to use local policy on how to route

Possible Flow
• RPKI Web interface -> Repository
• Repository aggregator -> Validator
• Validated entries -> Route Checking
• Route checking results -> local routing decisions (based on local policy)
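The "Repository Use" and "Possible Flow" slides above end with the validator handing the router a verdict of "valid", "invalid" or "unknown" for each route. The following Python is an added example, not ARIN's code and not any validator named on the slides: it implements that route origin validation step (RFC 6811 semantics) over a constructed set of validated ROA payloads. The first ROA is the one from the Resource Cert Validation slide (AS65000 authorised for 192.2.200.0/24); the IPv6 ROA, the maxLength values and the announcements are assumptions constructed for the example. It shows that an announcement of the covered prefix from a different origin AS, or one more specific than maxLength allows, comes out "invalid", while a prefix no ROA covers is "unknown" and is left to local policy.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ROA:
    """A validated ROA payload (VRP): prefix, maximum length, and the authorised origin AS."""
    prefix: str
    max_length: int
    asn: int


def route_origin_state(prefix: str, origin_asn: int, roas: List[ROA]) -> str:
    """RFC 6811 route origin validation.
    - 'unknown': no ROA covers the announced prefix (the router applies local policy)
    - 'valid':   a covering ROA names this origin AS and the announced length <= maxLength
    - 'invalid': covering ROAs exist but none match (wrong origin AS or too-specific prefix)
    """
    route = ipaddress.ip_network(prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # subnet_of() refuses mixed address families, so compare versions first.
        if roa_net.version == route.version and route.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "unknown"
    for roa in covering:
        if roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def validate_routes(announcements: List[Tuple[str, int]], roas: List[ROA]) -> dict:
    """Evaluate a batch of (prefix, origin ASN) announcements; returns (prefix, asn) -> state."""
    return {(p, asn): route_origin_state(p, asn, roas) for p, asn in announcements}


# Constructed VRPs. The first is the ROA from the slides ("ISP4 permits AS65000 to originate
# a route for the prefix 192.2.200.0/24"); the maxLength values and the IPv6 entry are assumptions.
SAMPLE_ROAS = [
    ROA("192.2.200.0/24", 24, 65000),
    ROA("2001:db8::/32", 48, 65000),
]

# Constructed announcements, as a validator might receive them from a router.
SAMPLE_ANNOUNCEMENTS = [
    ("192.2.200.0/24", 65000),   # exactly what the ROA authorises
    ("192.2.200.0/24", 65001),   # same prefix, different origin AS
    ("192.2.200.0/25", 65000),   # right AS, but more specific than maxLength allows
    ("192.2.201.0/24", 65000),   # no ROA covers it
    ("2001:db8:1::/48", 65000),  # within the IPv6 ROA's maxLength
    ("2001:db8:1::/64", 65000),  # beyond maxLength
]

if __name__ == "__main__":
    for (prefix, asn), state in validate_routes(SAMPLE_ANNOUNCEMENTS, SAMPLE_ROAS).items():
        print(f"{prefix:18} AS{asn:<6} {state}")
```

A router that receives these verdicts still decides what to do with them ("Up to ISP to use local policy"); a common starting policy is to drop "invalid" routes and accept "unknown" ones, which is why getting ROAs published for your own prefixes matters before other networks turn on enforcement.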
How you can use ARIN's RPKI System?
• Hosted
• Hosted using ARIN's RESTful service
• Web Delegated (being deprecated)
• Delegated using Up/Down Protocol

Hosted RPKI
• Pros
  – Easier to use
  – ARIN managed
• Cons
  – No current support for downstream customers to manage their own space (yet)
  – Tedious through the UI if you have a large network
  – We hold your private key

Hosted RPKI with RESTful Interface
• Pros
  – Easier to use
  – ARIN managed
  – Programmatic interface for large networks
• Cons
  – No current support for downstream customers to manage their own space (yet)
  – We hold your private key

Delegated RPKI with Up/Down
• Pros
  – Same as web delegated
  – Follows the IETF up/down protocol
• Cons
  – Extremely hard to set up
  – Need to operate your own RPKI environment

Hosted RPKI in ARIN Online
[Screenshots: walking through a Hosted RPKI ROA request for SAMPLE-ORG in ARIN Online]
Your ROA request is automatically processed and the ROA is placed in ARIN's repository, accompanied by its certificate and a manifest. Users of the repository can now validate the ROA using RPKI validators.
Delegated with Up/Down
[Screenshots: Delegated RPKI setup in ARIN Online]
• You have to do all the ROA creation
• Need to set up a CA
• Have a highly available repository
• Create a CPS

Updates within RPKI outside of ARIN
• The four other RIRs are in production with Hosted CA services
• ARIN and APNIC have delegated working for the public
• Major routing vendor support being tested
• Announcement of public domain routing code support

ARIN Status
• Hosted CA deployed 15 Sept 2012
• Web Delegated CA deployed 16 Feb 2013
• Delegated using "Up/Down" protocol deployed 7 Sept 2013
• RESTful interface deployed 1 Feb 2014

RPKI Usage
                       Oct 2012  Apr 2013  Oct 2013  Apr 2014
  RPAs Signed              27        72       130       162
  Certified Orgs            –        47        68       108
  ROAs                     19        60       106       162
  Covered Resources        30        82       147       258
  Web Delegated             –         0         0         0
  Up/Down Delegated         –         –         0         0
(Dashes: no figure given on the slide.)

Why is this important?
• Provides more credibility to identify resource holders
• Leads to better routing security

Q&A

ARIN's Policy Development Process
Current Number Resource Policy Discussions and How to Participate
John Sweeting, ARIN Advisory Council

Policy Development Process (PDP)
• Flowchart
• Proposal Template
• Archive
• Petitions
http://www.arin.net/policy/pdp.html

Policy Development Principles
Open
  – Developed in open forum
    • Public Policy Mailing List
    • Public Policy Meetings / Consultations
  – Anyone can participate
Transparent
  – All aspects documented and available on website
    • Policy process, meetings, and policies
Bottom-up
  – Policies developed by the community
  – Staff implements, but does not make policy

Who Plays a Role in the Policy Process?
Community
– Submits proposals
– Participates in discussions and petitions
Advisory Council (elected volunteers)
– Facilitates the policy process
– Develops policy that:
  • enables fair and impartial resource administration
  • is technically sound
  • is supported by the Community
– Determines consensus based on community input

Roles…
ARIN Board of Trustees (elected volunteers)
– Provides corporate fiduciary oversight
– Ensures the policy process has been followed
– Adopts policies
ARIN Staff
– Provides feedback to community
  • Staff and legal assessments
  • Policy experience reports
– Implements adopted policies

Basic Steps
1. Proposal from community member
2. AC works with author to ensure it is clear and in scope
3. AC promotes proposal to Draft Policy for community discussion/feedback (PPML and possibly PPC/PPM)
4. AC recommends fully developed Draft Policy (fair, sound and supported by community) for adoption
5. Recommended Draft Policy must be presented at a face-to-face meeting (PPC/PPM)
6. If AC still recommends adoption, then Last Call, review of last call, and send to Board
7. Board reviews
8. Staff implements

Petitions
• Petitions available for:
  – Delay by the AC
    • Proposal to Draft Policy (after 60 days)
    • Draft to Recommended Draft (after 90)
    • Last Call (after 60)
    • Board (after 60)
  – Abandonment
  – Rejection (proposals out of scope)
• Petitions begin with a 5-day duration, needing support from 10 people from 10 different organizations (later stages require more people)
• Despite the low bar, attempted petitions are rare

Number Resource Policy Manual
ARIN’s Policy Document
– Version 2014.2 (21 January 2014)
– 33rd version
Contains
• Change Logs
• HTML/PDF/txt
http://www.arin.net/policy/nrpm.html

Policies in the NRPM
• ARIN Principles
• IPv4 Address Space
• IPv6 Address Space
• Autonomous System Numbers (ASNs)
• Directory Services (Whois)
• Reverse DNS (in-addr)
• Transfers
• Experimental Assignments
• Resource Review Policy

Current Draft Policies/Proposals
Recommended Draft Policies
1. ARIN-2013-8: Subsequent Allocations for New Multiple Discrete Networks
2. ARIN-2014-5: Remove 7.2 Lame Delegations
3. ARIN-2014-12: Anti-hijack Policy
4. ARIN-2014-13: Reduce All Minimum Allocation/Assignment Units to /24
5. ARIN-2013-7: NRPM 4 (IPv4) Policy Cleanup (last call just ended)
https://www.arin.net/policy/proposals/

Current Draft Policies/Proposals
Draft Policies
1. ARIN-2014-1: Out of Region Use
2. ARIN-2014-2: Improving 8.4 Anti-Flip Language (Abandoned by AC)
3. ARIN-2014-3: Remove 8.2 and 8.3 and 8.4 Minimum IPv4 Block Size Requirements
4. ARIN-2014-6: Remove 7.1 [Maintaining IN-ADDRs]
5. ARIN-2014-8: Alignment of 8.3 Needs Requirements to Reality of Business
6. ARIN-2014-9: Resolve Conflict Between RSA and 8.2 Utilization Requirements
7. ARIN-2014-11: Improved Registry Accuracy Proposal
8. ARIN-2014-14: Removing Needs Test from Small IPv4 Transfers
9. ARIN-2014-15: Allow Inter-RIR ASN Transfers
10. ARIN-2014-16: Section 4.10 Austerity Policy Update
11. ARIN-2014-17: Change Utilization Requirements from last-allocation to total-aggregate
https://www.arin.net/policy/proposals/

How Can You Get Involved?
There are two ways to voice your opinion:
– Public Policy Mailing List
– Public Policy Consultations/Meetings
  • In person or remote
  • ARIN meetings and PPCs at NANOG

Public Policy Mailing List (PPML)
• Open to anyone
• Easy to subscribe to
• Contains: ideas, proposals, draft policies, last calls, announcements of adoption and implementation, petitions, and more…
• Archived
• RSS feed available
https://www.arin.net/participate/mailing_lists/index.html

ARIN Meetings
• Two ARIN meetings a year
  – Attend and participate in person or remotely
    • Check the ARIN Participate/Meetings site a few weeks prior to the meeting
    • Look at the Proposals/Draft Policies on the Agenda (what and when?)
    • Get a copy of the Discussion Guide (summaries and text)
    • Attend/log in and state your opinion
  – Additional consultations (PPCs) at all NANOG meetings
• AC meeting results
  – Watch PPML for AC’s decisions (once a month)
  – Read AC meeting minutes (if you have insomnia)
  – Draft Policies – good or bad ideas, for or against?
  – Last Calls – For or against?

References
Policy Development Process
http://www.arin.net/policy/pdp.html
Draft Policies and Proposals
http://www.arin.net/policy/proposals/index.html
Number Resource Policy Manual
http://www.arin.net/policy/nrpm.html

Q&A

Q&A / Open Mic Session
Fill out & submit the survey for your chance to win a $100 Amazon Gift Card!

Ask ARIN
• ARIN staff available for your questions one-on-one