ARIN on the Road: Bringing You Answers
TRANSCRIPT
Denver, CO, 13 June 2017
#AOTR
Here Today From ARIN
Dan Alexander, Chair, ARIN Advisory Council
Susan Hamlin, Director, Communications & Member Services
Richard Jimmerson, Chief Information Officer
Jon Worley, Technical Services Manager
#AOTR
Morning Agenda
9:30 - 9:45 AM Getting Started & Self Intros
9:45 - 10:15 AM ARIN Mission and Services
10:15 - 10:45 AM ARIN Technical Services
Break
10:55 - Noon Life After IPv4
Noon - 1:00 PM Lunch
#AOTR
Afternoon Agenda
1:00 - 1:35 PM DNSSEC
1:35 - 2:05 PM Internet Number Resource Policy
2:05 - 2:40 PM Resource Certification (RPKI)
Break
2:50 - 3:45 PM Everything You Ever Wanted To Know About IPv6
3:45 - 3:55 PM Open Mic and Wrap Up
4:00 - 5:00 PM Happy Hour
#AOTR
Let’s Get Started!
Self Introductions:
• Name
• Organization and type of business
• The question I would most like answered today is…
#AOTR
ARIN and the RIR System: Mission, Role and Services
Susan Hamlin
Director, Communications and Member Services
#AOTR
Regional Internet Registries
#AOTR
What do the RIRs do?
• Manage the distribution of IP addresses and Autonomous System numbers (ASNs)
• Provide reverse DNS and a public Whois database
• Support Internet infrastructure through technical coordination
#AOTR
The RIRs are…
• Independent
• Not-for-profit
• Fee for services, not number resources
• 100% community funded
• Membership-based
• Internet service providers (ISPs), telecommunication organizations and large corporations
• Community “Regulated”
• Community developed policies
• Member-elected governing boards
• Open and transparent
#AOTR
Distribution of IP Addresses
#AOTR
ARIN, a nonprofit member-based organization, supports the
operation of the Internet through the management of
Internet number resources throughout its service region;
coordinates the development of policies by the community
for the management of Internet Protocol number resources;
and advances the Internet through informational outreach.
#AOTR
ARIN’s Service Region
The ARIN Region includes many Caribbean and North Atlantic islands, Canada, the United States and outlying areas.
#AOTR
The ARIN Community includes…
• 37,000+ organizations served
• 20,000+ customers paying fees for services
• 5,550+ members
• 80+ professional staff
… and anyone with an interest in Internet number resource management in the ARIN region.
#AOTR
Community-based Leadership
ARIN is governed by individuals who are elected by our membership.
• Board of Trustees: 6 elected, 3 year terms
• Advisory Council: 15 elected, 3 year terms
• Number Resource Organization Number Council: 2 elected, 3 year terms; 1 member appointed by the ARIN Board
#AOTR
Board of Trustees
7 Member Board of Trustees
• 6 elected by the membership plus President & CEO – all voting
• 2 seats open each election/year
• Ability to appoint an additional voting member for diversity
• Maintains authority over ARIN’s scope and mission, sets the strategic direction and provides fiscal oversight
#AOTR
Advisory Council
15 Member Advisory Council
• Elected by the membership
• 5 seats open each year/election
• Serves in an advisory capacity to the Board on Internet number resource policy and related matters
• Forwards consensus-based policy proposals to the Board for ratification
#AOTR
NRO NC / ASO AC
Number Resource Organization Number Council (NRO NC) / Address Supporting Organization Advisory Council (ASO AC)
• 15 member body, 3 per RIR
• 2 elected and one appointed
• Global policy development process
• Selects ICANN Board seats 9 and 10
• Provides advice to the ICANN Board on number resource allocation policy, in conjunction with the RIRs
#AOTR
Strategic Planning
ARIN performs its mission according to a Strategic Plan. Updated annually, this plan drives the creation of organizational objectives and the internal work plan.
ARIN’s 2017-2018 Strategic Plan and Objectives: https://www.arin.net/about_us/corp_docs/stratplan-2017-2018.pdf
#AOTR
• Maintain accountability to membership
• Perform audits (security, registration services)
• Make Board aware of community needs for services
• Participate in global discussions to maintain the community-based multi-stakeholder policy development model
• Conduct two ARIN Public Policy and Member meetings
• Maintain a strong outreach in the Caribbean
2017 Organizational Objectives
#AOTR
• Support law enforcement efforts consistent with ARIN’s mission
• Support community discussions on global routing table management
• Provide Advisory Council requested automation support
• Continue IPv4/IPv6 transition awareness campaign
• Continue to review and enhance online services, including making significant user interface improvements per user feedback and customer survey
2017 Organizational Objectives
#AOTR
• IP address allocations & assignments
• ASN assignment
• Transfers
• Reverse DNS
• Record Maintenance
• Directory services – Whois, Whowas...
ARIN Manages:
#AOTR
• ARIN Online (customer web portal)
• Security (DNSSEC, RPKI)
• Community Software Project Repository
• Whois-RWS
• Whois and Registration Data Access Protocol (RDAP) directory services
• Operational Test & Evaluation (OT&E) Environment
ARIN Services
#AOTR
Training and Education
• Educational Materials library: https://www.arin.net/knowledge
• Instructional Video Library: http://youtube.com/teamarin
• In-person Training/Education
• ARIN on the Road
• ARIN + NANOG on the Road
• Other fora upon request
#AOTR
Outreach & Community Engagement
• Policy Development through Public Policy Meetings and Consultations
• Work closely with the technical community to ensure education, empowerment, engagement
• Collaborate with Caribbean organizations to maximize inclusion
#AOTR
• Foster working relationships on a global scale
• Be a key technical resource
• Support cooperation and direct involvement alongside governments and international organizations
Global Community Engagement
#AOTR
• Get6 - teamarin.net/get6/
• Focus on getting public websites IPv6-enabled
• Featuring Forward Thinkers who have done it already
• Wiki list of IPv6 webhosters, DNS providers, trainers, & consultants - getipv6.info
IPv6 Outreach
#AOTR
• ARIN Announce: [email protected]
• ARIN Discussion: [email protected] (members only)
• ARIN Public Policy: [email protected]
• ARIN Consultation: [email protected]
• ARIN Issued: [email protected]
• ARIN Technical Discussions: [email protected]
• Suggestions: [email protected]
http://www.arin.net/participate/mailing_lists/index.html
ARIN Mailing Lists
#AOTR
ARIN on Social Media
TeamARIN.net
/TeamARIN
@TeamARIN
+TeamARIN
www.linkedin.com/company/ARIN
www.youtube.com/TeamARIN
#AOTR
You Can Participate!
• Subscribe to an ARIN mailing list
• Attend a Public Policy and Members Meeting
• Voice your opinion - ARIN’s Consultation and Suggestion Process
• Volunteer – Committees of the Board: Fellowship Selection, Nomination, Mailing List Acceptable Use Policy; or serve as a Meeting Mentor
• Members – Vote in annual elections
#AOTR
Questions & Discussion
#AOTR
ARIN Technical Services
Richard Jimmerson, CIO
#AOTR
How Many Records Do We Manage?
• Networks
  • Direct
  • Indirect
• ASNs
• Reverse DNS Delegations
• Organizations
  • Org IDs
  • Customers
• Points of Contact
• Web Users
... for a grand total of ____________?
#AOTR
Almost 8 Million!
• Networks: 3,069,469
  • Direct: 57,764
  • Indirect: 3,011,705
• ASNs: 25,920
• Reverse DNS Delegations: 606,584
• Organizations: 3,183,197
  • Org IDs: 733,927
  • Customers: 2,449,270
• Points of Contact: 725,975
• Web Users: 121,134
... for a grand total of 7,732,279
#AOTR
Major Technical Service Areas
• Core Registry Functions (ARIN Online)
  • Resource Registration & Management
  • Whois
  • Reverse DNS
• New Services
  • Web-based reassignment management (SWiP-EZ)
  • DNSSEC & RPKI
  • WhoWas
  • RDAP
  • RESTful Interfaces
  • Operational Test & Evaluation Environment (OT&E)
• Technical Support
#AOTR
Core Registry Services – ARIN Online
• Registering ASNs and IPv4/IPv6 blocks
  • Including reassignments and reallocations
• Transferring ASNs and IPv4/IPv6 blocks
• Managing org & contact information
• Managing reverse DNS & RPKI
• Bulk Whois and WhoWas Reports
• Invoices and Bill Payment
• All now available via ARIN Online
#AOTR
ARIN Online - Total Users
[Chart; values recovered from the slide, by year]
2008: 2,727
2009: 12,799
2010: 29,831
2011: 49,524
2012: 64,185
2013: 78,074
2014: 92,866
2015: 107,627
2016: 120,785
#AOTR
ARIN Online Usage Frequency (# users)
[Chart; values recovered from the slide]
Occasional (0-5 logins): 81,607
Regular (6-25 logins): 23,438
Active (26-100 logins): 10,921
Very Active (> 100 logins): 1,533
One user logged in 1,319,292 times!
#AOTR
Web-Based Reassignment Management
• Manage customer reassignments (SWIPs) via ARIN Online
• Comprehensive reassignment report
  • Generates a spreadsheet of all reassignments made from your space along with holes (unassigned space)
• Recommended for ISPs managing a small number of records
#AOTR
DNSSEC & RPKI
• Security for core Internet protocols
• Stay tuned for details...
#AOTR
WhoWas
• Spreadsheet with registration history for one ASN/IP address
• Requested by the community
• Common uses include
  • Researching the history of an IPv4 block prior to entering into a transfer
  • Investigating possible unauthorized changes
  • Law enforcement
#AOTR
Registration Data Access Protocol (RDAP)
• Designed by the IETF to replace Whois
  • Whois was designed for humans to read, not for machines to interact with
• Provides standardized HTTP-based RESTful JSON responses
  • “Plays well with machines”
• Can offer referral responses
  • If you ask ARIN for a record that’s held by another RIR, we point you to it
#AOTR
RDAP In Action
[Diagram: a client looks up 45.65.1.1]
1. Client asks the Bootstrap Server: 45.65.1.1? Answer: Ask ARIN
2. Client asks ARIN: 45.65.1.1? Answer: Ask APNIC (referral)
3. Client asks APNIC: 45.65.1.1? Answer: JSON record
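The lookup sequence in the diagram, worked through in code as an added example that is not part of the slides or of any ARIN software: the bootstrap step follows RFC 7484 (longest-prefix match over the IANA bootstrap files), and the referral step follows the HTTP redirects that RFC 7480 allows an RDAP server to return. The bootstrap entries, the prefix and ASN allocations, the canned HTTP responses and the handle EXAMPLE-NET-1 are all constructed for the example; only the RDAP path layout (ip/, autnum/, entity/) comes from the RDAP specifications.

```python
"""Added example (not ARIN's code): RDAP bootstrap + referral following.

Bootstrap data is a constructed excerpt in the shape IANA publishes
(each service = [[prefixes or ASN ranges], [base URLs]]); the allocations
are made up so that the longest-match rule has something to do.
Canned HTTP responses stand in for the network so this runs offline."""
import ipaddress

IPV4_BOOTSTRAP = {"services": [
    [["45.0.0.0/8", "199.0.0.0/8"], ["https://rdap.arin.net/registry/"]],
    [["45.64.0.0/10"], ["https://rdap.apnic.net/"]],  # more specific than the /8 above
    [["193.0.0.0/8"], ["https://rdap.db.ripe.net/"]],
]}
ASN_BOOTSTRAP = {"services": [
    [["1-1876", "1902-2042"], ["https://rdap.arin.net/registry/"]],
    [["4608-4865", "7467-7722"], ["https://rdap.apnic.net/"]],
]}


def select_ip_service(addr, bootstrap):
    """RFC 7484 section 5: the entry with the longest prefix containing addr, else None."""
    ip = ipaddress.ip_address(addr)
    best_net, best_url = None, None
    for prefixes, urls in bootstrap["services"]:
        for p in prefixes:
            net = ipaddress.ip_network(p)
            if net.version != ip.version or ip not in net:
                continue
            if best_net is None or net.prefixlen > best_net.prefixlen:
                best_net, best_url = net, urls[0]
    return best_url


def select_asn_service(asn, bootstrap):
    """RFC 7484 section 5.3: ASN entries are single numbers or inclusive 'lo-hi' ranges."""
    for ranges, urls in bootstrap["services"]:
        for r in ranges:
            lo, _, hi = r.partition("-")
            if int(lo) <= asn <= int(hi or lo):
                return urls[0]
    return None


def rdap_url(base_url, object_type, handle):
    """Query URL; object_type is 'ip', 'autnum' or 'entity' (RDAP path segments)."""
    return base_url.rstrip("/") + f"/{object_type}/{handle}"


def follow_referrals(url, transport, max_hops=3):
    """Fetch url, following the HTTP redirects an RDAP server uses to refer the
    client to the authoritative registry. transport(url) -> (status, location or body)."""
    for _ in range(max_hops):
        status, payload = transport(url)
        if status in (301, 302, 303, 307, 308):
            url = payload          # referral: ask the server we were pointed at
            continue
        if status == 200:
            return url, payload
        raise LookupError(f"{url} returned HTTP {status}")
    raise LookupError("referral loop: too many hops")


# Constructed responses: ARIN refers the client to APNIC, which answers with JSON.
CANNED = {
    "https://rdap.arin.net/registry/ip/45.65.1.1": (302, "https://rdap.apnic.net/ip/45.65.1.1"),
    "https://rdap.apnic.net/ip/45.65.1.1": (200, {"objectClassName": "ip network",
                                                  "handle": "EXAMPLE-NET-1"}),
}


def canned_transport(url):
    return CANNED.get(url, (404, None))


def lookup_ip(addr, bootstrap=IPV4_BOOTSTRAP, transport=canned_transport, ask_first=None):
    """Pick the server from bootstrap (or start at ask_first, as the diagram starts
    at ARIN), then follow referrals until a JSON record comes back."""
    base = ask_first or select_ip_service(addr, bootstrap)
    if base is None:
        raise LookupError(f"no RDAP service is listed for {addr}")
    return follow_referrals(rdap_url(base, "ip", addr), transport)


if __name__ == "__main__":
    print(lookup_ip("45.65.1.1", ask_first="https://rdap.arin.net/registry/"))
    print(lookup_ip("45.65.1.1"))  # bootstrap's /10 entry sends the client straight to APNIC
```

With the constructed bootstrap, the /10 entry wins over the /8 and the client goes to APNIC directly; passing ask_first reproduces the slide's path through ARIN and its referral. Against a real registry, replace canned_transport with an HTTP client that reports the status code and Location header without auto-following redirects, so the referral chain stays visible and the hop limit applies.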
#AOTR
Automating With REST Services
Reg-RWS
• Reassignments (SWiP)
• Reports
• DNS / RPKI Management
Whois
• RDAP
• Whois-RWS
#AOTR
What is REST?
• REpresentational State Transfer
• Uses HTTP & URLs to create, read, update, and delete data
• Widespread industry adoption
• Easily understood
• Any modern programmer can incorporate it
#AOTR
The BIG Advantage of REST
• Allows you to automate your interactions with ARIN
  • Customer reassignment management
  • Reverse DNS management
• Can use existing tools
  • ARINcli
  • 6connect
  • https://github.com/arineng
  • http://projects.arin.net
• Or, write your own!
#AOTR
What does REST look like?
http://whois.arin.net/rest/poc/KOSTE-ARIN
whois.arin.net: where the data is. /rest/poc: what type of data it is. KOSTE-ARIN: the ID of the data.
It’s a standard URL. Anyone can use it. Go ahead, put it into your browser. We dare you.
#AOTR
Reg-RWS Transactions (cumulative – restful/templates)
[Chart; two cumulative series over time, y-axis 0 to 7,000,000. Values recovered from the slide:
Series 1: 408k, 596k, 846k, 1.0M, 1.3M, 1.5M, 1.7M, 2.0M, 2.2M, 2.4M, 2.5M
Series 2: 40k, 320k, 841k, 3.5M, 4.3M, 4.7M, 5.0M, 5.6M, 6.0M, 6.2M, 6.5M]
#AOTR
For more information…
RESTful Web Services, O’Reilly Media, by Leonard Richardson and Sam Ruby
#AOTR
Operational Test & Evaluation (OT&E)
• Lots of people test in production
  • Production is not the best place to test
  • Things do get stuck, and may impact others
• Operational Test & Evaluation
  • Goodness of OT&E
  • A place to test code and processes
  • All services now under ote.arin.net except email
  • Need to register to participate
  • https://www.arin.net/resources/ote.html
#AOTR
Technical Support
• Ask ARIN
• Phone Help Desk
  • 7AM – 7PM ET M-F
  • +1.703.227.0660
• Email support via [email protected]
• arin-tech-discuss mailing list
  • Make sure to subscribe
  • Archives contain useful information
#AOTR
In the works… a new design!
#AOTR
Q&A
#AOTR
Life After IPv4 Depletion
Jon Worley, Technical Services Manager
#AOTR
Overview
• IPv4 Request Activity
• Reserved IPv4 Space
• IPv4 Waiting List
• IPv4 Transfer Market
• Specified Transfer Listing Service
#AOTR
IPv4 Requests Since Depletion
[Chart; y-axis 0 to 450 requests; the dashed line marks IPv4 depletion]
#AOTR
IPv4 Waiting List
• Requesters have the waiting list option
• Initial /21 (ISP) or /24 (end user) with no justification
• Larger blocks based on 24 month need
• Requester may specify a smaller acceptable size
• One request per org on the list at a time
• Oldest requests filled first
• Requests met by transfer are removed
#AOTR
IPv4 Waiting List – Block Sources
• IANA Redistribution (2x a year)
  • Down from /11 May 2014 to /19 March 2017
• Returned IPv4 Blocks
• Revoked IPv4 Blocks
  • Generally for nonpayment
• Lengthy review process before reissue
#AOTR
Reissue Review Process
• RSD (Registration Services) analyzes returned/revoked blocks
  • Unrouted blocks get priority over routed blocks
  • Need verification the return/revoke was done properly
• FSD (Financial Services) confirms fees unpaid & notices sent
• Meeting held to confirm reissue
  • Legal review
  • 4 management team signatures required
  • 20-40 blocks reviewed in each meeting
• 328 blocks currently in the review process
#AOTR
IPv4 Waiting List Growth
[Chart; y-axis 0 to 450 requests; the dashed line marks IPv4 depletion]
#AOTR
IPv4 Waiting List Statistics
Of the 703 requests added:
• 244 (35%) have been filled
  • Last request filled waited ~13 months
• 166 (24%) dropped off
  • Most got IPv4 via the transfer market
• 286 (41%) still waiting
  • Oldest added 31 Jul 2015
#AOTR
Waiting Time
• Of the 244 completed requests:
  • Average 15 months wait
  • Longest wait: 24 months
• Of the 166 closed requests:
  • Average 7 months before close
  • Longest wait: 21 months (filled via transfer)
#AOTR
IPv4 Critical Infrastructure Reserve
• 2 /16s reserved for:
  • Public exchange points
  • ICANN-sanctioned Core DNS operators
  • RIRs
  • IANA
• New gTLDs not eligible
• 13.1% used
#AOTR
Reserved IPv4 for IPv6 Deployment
..... stay tuned. We’ll discuss this policy in the IPv6 presentation.
#AOTR
IPv4 Transfer Policies
• Mergers and Acquisitions (NRPM 8.2) – Traditional transfer resulting from a merger, acquisition, or reorganization supported by legal documentation
• Transfers to Specified Recipients (NRPM 8.3) – IPv4 market transfer from one organization to another that it specifies, supported by justified need (within region)
• Inter-RIR transfers to Specified Recipients (NRPM 8.4) – IPv4 market transfer from one organization to another that it specifies, supported by justified need (between regions)
#AOTR
Specified Recipient Transfer
Allows orgs with unused IPv4 resources to transfer them to orgs in need of IPv4 resources
• Source
  • Must be current registrant, no disputes
  • Not have received addresses from ARIN for 12 months prior
• Recipient
  • Demonstrate need for 24-month supply under current ARIN policy
#AOTR
Specified Recipient Transfer Growth
[Chart; y-axis 0 to 250 transfers; the dashed line marks IPv4 depletion]
#AOTR
Inter-RIR Transfers
• RIR must have reciprocal, compatible needs-based policies
  • Currently APNIC and RIPE NCC
• Transfers from ARIN
  • Source cannot have received IPv4 from ARIN 12 months prior to transfer
  • Must be current registrant, no disputes
  • Recipient meets destination RIR policies
• Transfers to ARIN
  • Must demonstrate need for 24-month supply under current ARIN policy
#AOTR
Inter-RIR Transfers Completed
[Chart; y-axis 0 to 20 transfers; the dashed line marks IPv4 depletion]
#AOTR
No Drop In IPv4 Consumption
[Chart; total /24s issued per period, y-axis 0 to 350,000; two series: Free Pool and Transfer Market]
#AOTR
Minimal Drop in IPv4 Workload
[Chart; y-axis 0 to 500; two series: IPv4 Requests and Need-Based Transfer Requests]
#AOTR
Transfer Pre-Approval
• Optional free service to confirm your 24 month projected IPv4 need
• Receive IPv4 addresses via multiple need-based transfers up to the pre-approved amount over the next 24 months
• $300 fee to complete each transfer
  • Now paid at the time the transfer is submitted
#AOTR
Specified Transfer Listing Service (STLS)
• Optional fee-based service to facilitate specified recipient and inter-RIR transfers
  • Sources have IPv4 addresses verified as available
  • Recipients have a verified need for IPv4 addresses
  • Facilitators arrange transfers between parties
• Approved participants can view detailed information for all other participants
• Public summary available on ARIN’s website
  • Available block sizes
  • # of source ORGs and approved block sizes
  • List of facilitators with contact information
#AOTR
Takeaways
• IPv4 consumption still strong
• If you need IPv4:
  • Get pre-approved & look at the transfer market
  • Get an IPv6 block & use the reserved IPv4 block for IPv6 deployment policy
  • Wait List is an option if you can defer need
• IPv6 is the future
#AOTR
Q&A
#AOTR
Securing Core Internet Functions - DNSSEC
Jon Worley, Technical Services Manager
#AOTR
What is DNSSEC?
• A DNS extension which authenticates responses
• When you ask how to get to www.arin.net, DNSSEC lets your resolver verify that the answer was signed by ARIN and has not been altered, rather than coming from someone pretending to be us
• Doesn’t ensure the answer is correct, just that it is the data the zone owner published and signed
#AOTR
Why is DNSSEC Important?
• Standard DNS is not secure
  • Trivial to spoof (provide false responses)
  • ... so an attacker can redirect people looking for www.arin.net to his own site
  • ... and then steal login information.
• DNSSEC is (surprise) secure
  • An attacker can still try to inject a forged response, but a validating resolver will see that the signature does not check out and discard it
#AOTR
DNS Cache Poisoning
• Attacker gives the nameserver a “poisoned” (incorrect) response to www.arin.net
• If accepted, this nameserver will direct people to the fake site, typically for hours
• ... and any nameservers that trust the poisoned one will also become poisoned.
#AOTR
Case Study: Kashpureff Attack
• Eugene Kashpureff didn’t like InterNIC’s control of top level domains
• In 1997, he used DNS cache poisoning to redirect InterNIC traffic to his own site
• Kashpureff was eventually convicted of computer fraud
• This attack could have been prevented with DNSSEC
#AOTR
Case Study: Kaminsky Flaw
• 2008: Dan Kaminsky discovered a fundamental flaw in the DNS protocol
  • Only 65,536 transaction IDs, and an attacker can force a resolver to issue unlimited fresh queries (for random non-existent subdomains), so guessing the right ID and spoofing the answer is easy
• Updates to DNS software (source port randomization) make this flaw much harder to exploit, but not impossible
• These attacks can be prevented with DNSSEC
#AOTR
Case Study: Bradesco
• Bradesco is a bank in Brazil
• DNS cache poisoning attack resulted in 1% of the bank’s customers being redirected to a fake site
  • Getting login credentials for 1% of a large bank’s customers could be disastrous
• Networks not using DNSSEC are vulnerable to a similar attack
#AOTR
Other Uses
1. Protect DKIM & SPF
  • Without DNSSEC, an attacker who spoofs your DNS can replace your SPF/DKIM records and send spam that passes as mail from your domain.
2. SSH Initial Host Key Exchange
  • Protect SSH Fingerprint (SSHFP) records, so clients can verify a host key on first connection.
3. PGP Key Distribution
  • Use _pka records to distribute PGP keys easily usable by GnuPG.
4. DANE
  • IETF standard (RFC 6698) that uses DNS, protected by DNSSEC, to publish which TLS certificate or key a service should present: in effect a global public key infrastructure.
#AOTR
DNSSEC Usage Statistics (as of ARIN 39)
Number of Orgs with DNSSEC: 139
Total Number of Delegations: 620,412
DNSSEC Secured Zones: 671
Percentage Secured: 0.11 %
#AOTR
How Can We Increase Usage?
• Identify Barriers to Adoption
  • Don’t know how
  • Don’t have time
  • “... but I haven’t been attacked”
• Then, knock them down
  • Increased awareness
  • Education/assistance
  • “An ounce of prevention is worth a pound of cure”
#AOTR
Using DNSSEC with ARIN
• Remember: this is for reverse DNS, not forward DNS
• Use your DNS server software to:
  • Generate your key pair
  • Create DS records to upload to ARIN via ARIN Online or Reg-RWS
  • Sign your DNS zones
#AOTR
DNSSEC Configuration
• Ensure the required DNSKEY, RRSIG, NSEC, and DS records are published in your nameservers
  • Consult your zone file…
• ARIN provides only reverse DNSSEC
  • Make sure to also secure your forward DNS through your domain registrar
#AOTR
How It Works
• DNSSEC adds new resource records into your zone file.
• These records are signed off-line.
• Two types of public/private key pairs
  • Zone Signing Key (ZSK) is used to sign records in the zone
  • Key Signing Key (KSK) signs the ZSK. Usually longer lived than the ZSK.
#AOTR
Signed & Unsigned Zones
Unsigned zone:
    0.43.199.in-addr.arpa. 10800 IN SOA ns1.arin.net. dns-ops.arin.net. 2016072520 10800 3600 604800 3600
    0.43.199.in-addr.arpa. 10800 IN NS ns1.arin.net.
    0.43.199.in-addr.arpa. 10800 IN NS ns2.arin.net.
    0.43.199.in-addr.arpa. 10800 IN NS ns2.lacnic.net.
    0.43.199.in-addr.arpa. 10800 IN NS sec1.apnic.net.
    0.43.199.in-addr.arpa. 10800 IN NS sec1.authdns.ripe.net.
    1.0.43.199.in-addr.arpa. 10800 IN PTR host-199-43-0-1.arin.net.
    10.0.43.199.in-addr.arpa. 10800 IN PTR host-199-43-0-10.arin.net.
Signed zone:
    0.43.199.in-addr.arpa. 10800 IN SOA ns1.arin.net. dns-ops.arin.net. 2016072520 10800 3600 604800 3600
    0.43.199.in-addr.arpa. 3600 IN RRSIG NSEC 5 5 3600 20170131143127 20170117133127 13093 0.43.199.in-addr.arpa. p33dgTSLyg/qoDuoN6XGRFUwfRdILdYQtJfl/i077aLZA/usJ0r3furj 3FikILZOodCWez0yiKYwKaUYlGiFgZyWSlDTrbMgnLBG162tQrby8wAQ Ke1mOYRBdSOT6swRzhJx6rRRSH4C0/3YpQqmKZsplQisyTdbykhy4N3h 38M=
    …
    0.43.199.in-addr.arpa. 10800 IN DNSKEY 256 3 5 AwEAAXCN3mUJUntP90L4F4oNxxlzKFos9FYD0wxTqxoWueBjFVAvS9vt FSAC7sV4yqKF3NbOOgk81Ep8n8BLZ3vvhnL8/y6Gf3K+d/yvK248ZWR6 +r+AAsV6icMEloQhaJzuam/eMrlj4kJ96lVjFvMEwdPNNSYzen30OfpC sswVvamh…
    0.43.199.in-addr.arpa. 3600 IN NSEC 1.0.43.199.in-addr.arpa. NS SOA RRSIG NSEC DNSKEY
    0.43.199.in-addr.arpa. 10800 IN NS ns1.arin.net.
    …
    1.0.43.199.in-addr.arpa. 10800 IN PTR host-199-43-0-1.arin.net.
    …
A signed zone file will have RRSIG, NSEC, and DNSKEY records.
#AOTR
New Record Types
DNSKEY – records holding the public zone signing key and key signing key
RRSIG – records holding the cryptographic signatures of the other DNS records
NSEC – records that chain the names in the zone together, so a resolver can obtain a signed proof that a name or record type does not exist
DS – a hash of your KSK, published in the parent zone next to the NS records that delegate to you; it links the parent’s chain of trust to your zone
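The checks a practitioner runs before uploading DS records to the parent (ARIN for reverse zones, the registrar for forward zones), written out as an added example that is not part of the slides or of ARIN's tooling: parse a one-record-per-line zone listing, confirm the DNSSEC record types are present, find RRsets with no covering RRSIG and RRSIGs whose key tag matches no published DNSKEY, and derive the DS record for each KSK using the key tag and SHA-256 digest from RFC 4034 and RFC 4509. The zone text is constructed for the example: the names echo the slide above, but the keys (AQI=, AQID) and signatures are dummies, and the unsigned PTR record is deliberate.

```python
"""Added example (not ARIN's code): pre-flight checks on a signed zone and
DS generation per RFC 4034 Appendix B (key tag) and RFC 4509 (SHA-256 DS).
The zone below is constructed; keys and signatures are dummies."""
import base64
import hashlib

SIGNED_ZONE = """
0.43.199.in-addr.arpa. 10800 IN SOA ns1.arin.net. dns-ops.arin.net. 2016072520 10800 3600 604800 3600
0.43.199.in-addr.arpa. 10800 IN RRSIG SOA 8 5 10800 20170131143127 20170117133127 2058 0.43.199.in-addr.arpa. c2lnMQ==
0.43.199.in-addr.arpa. 10800 IN NS ns1.arin.net.
0.43.199.in-addr.arpa. 10800 IN NS ns2.arin.net.
0.43.199.in-addr.arpa. 10800 IN RRSIG NS 8 5 10800 20170131143127 20170117133127 2058 0.43.199.in-addr.arpa. c2lnMg==
0.43.199.in-addr.arpa. 10800 IN DNSKEY 257 3 8 AQI=
0.43.199.in-addr.arpa. 10800 IN DNSKEY 256 3 8 AQID
0.43.199.in-addr.arpa. 10800 IN RRSIG DNSKEY 8 5 10800 20170131143127 20170117133127 1291 0.43.199.in-addr.arpa. c2lnMw==
0.43.199.in-addr.arpa. 3600 IN NSEC 1.0.43.199.in-addr.arpa. NS SOA RRSIG NSEC DNSKEY
0.43.199.in-addr.arpa. 3600 IN RRSIG NSEC 8 5 3600 20170131143127 20170117133127 2058 0.43.199.in-addr.arpa. c2lnNA==
1.0.43.199.in-addr.arpa. 10800 IN PTR host-199-43-0-1.arin.net.
"""
# The PTR above is deliberately left without an RRSIG so the check has something to find.


def parse_zone(text):
    """Return (owner, ttl, rtype, rdata_fields) tuples; skips blank and comment lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0].startswith(";") or parts[2] != "IN":
            continue
        records.append((parts[0].lower(), int(parts[1]), parts[3], parts[4:]))
    return records


def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """Wire-format DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(key_b64)


def key_tag(flags, protocol, algorithm, key_b64):
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(dnskey_rdata(flags, protocol, algorithm, key_b64)):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def wire_name(name):
    """Canonical wire form: length-prefixed lowercase labels, terminated by the root (0x00)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.lower().encode("ascii") for l in labels) + b"\x00"


def ds_record(owner, flags, protocol, algorithm, key_b64):
    """DS RR for a DNSKEY: digest type 2 = SHA-256 over owner name + DNSKEY RDATA."""
    digest = hashlib.sha256(wire_name(owner) + dnskey_rdata(flags, protocol, algorithm, key_b64))
    tag = key_tag(flags, protocol, algorithm, key_b64)
    return f"{owner} IN DS {tag} {algorithm} 2 {digest.hexdigest().upper()}"


def unsigned_rrsets(records):
    """(owner, type) pairs with no RRSIG covering that type at that owner."""
    rrsets = {(owner, rtype) for owner, _, rtype, _ in records if rtype != "RRSIG"}
    covered = {(owner, rd[0]) for owner, _, rtype, rd in records if rtype == "RRSIG"}
    return sorted(rrsets - covered)


def dangling_rrsigs(records):
    """RRSIGs whose key tag (RDATA field 7) matches no DNSKEY published in the zone."""
    tags = {key_tag(int(rd[0]), int(rd[1]), int(rd[2]), "".join(rd[3:]))
            for _, _, rtype, rd in records if rtype == "DNSKEY"}
    return [(owner, rd[0], int(rd[6])) for owner, _, rtype, rd in records
            if rtype == "RRSIG" and int(rd[6]) not in tags]


def ds_records_for_ksks(records):
    """One DS per DNSKEY with the SEP (KSK) flag bit set; this is what goes to the parent."""
    return [ds_record(owner, int(rd[0]), int(rd[1]), int(rd[2]), "".join(rd[3:]))
            for owner, _, rtype, rd in records if rtype == "DNSKEY" and int(rd[0]) & 1]


def check_zone(text):
    records = parse_zone(text)
    return {
        "types": sorted({rtype for _, _, rtype, _ in records}),
        "unsigned": unsigned_rrsets(records),
        "dangling_rrsigs": dangling_rrsigs(records),
        "ds": ds_records_for_ksks(records),
    }


if __name__ == "__main__":
    for key, value in check_zone(SIGNED_ZONE).items():
        print(f"{key}: {value}")
```

Run against your own signed zone (dig AXFR output or the file your signer wrote), compare the DS line to what your signer emitted before pasting it into ARIN Online or Reg-RWS, and treat any entry in unsigned or dangling_rrsigs as a reason not to publish yet: a validating resolver will return SERVFAIL for those names once the DS is in the parent.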
#AOTR
How Do I Know It’s Working?
Use a DNSSEC validating resolver. Popular options include:
www.internetsociety.org/deploy360/dnssec/
www.isc.org/downloads/bind/dnssec/
#AOTR
Takeaways
• If you’re not using DNSSEC, you’re vulnerable to a DNS cache poisoning attack
• Plenty of readily available documentation regarding implementation details
• If we can help, contact us
#AOTR
Q&A
#AOTR
ARIN Internet Number Resource Policy
…your participation matters
Dan Alexander, Chair, ARIN Advisory Council
#AOTR
ARIN’s Policy Development Process Video
#AOTR
ARIN applies policies to the management of Internet number resources and certain directory and registry services.
Policies are given effect through the application of business rules and operating procedures
What Do Internet Number Resource Policies Do?
#AOTR
What is the NRPM?
The Number Resource Policy Manual (NRPM) is the collection of all ARIN policies, arranged by topic. Topics include:
• Definitions
• Directory Services
• IPv4
• IPv6
• AS Numbers
• Transfers
View the NRPM at: https://www.arin.net/policy/nrpm.html
#AOTR
Policy Example
NRPM 4.3.1 - End-users
ARIN assigns blocks of IP addresses to end-users who request address space for their internal use in running their own networks, but not for sub-delegation of those addresses outside their organization. End-users must meet the requirements described in these guidelines for justifying the assignment of an address block.
#AOTR
Policy Principles
Internet number resource policy must:
• Enable fair and impartial number resource administration
• Be technically sound (providing for uniqueness and usability of number resources)
• Have support from the community
#AOTR
Where do Policies Come From?
Proposals for policy change can come from anyone, and follow a basic email template.
Proposals go to [email protected]
#AOTR
Policy Development Process (PDP)
1) Proposal – Someone sends a Proposal to [email protected] using the approved template
2) The Advisory Council (AC) Chair assigns AC shepherds
  • Shepherds manage the Proposal, working closely with the author(s), and encourage feedback
  • To be accepted as a Draft Policy, a proposal must contain a clear problem statement and be within the scope of ARIN's mission
3) Draft Policy – Work in progress, discussed on the mailing list and at Public Policy Meetings and Consultations
  • Once a Draft Policy meets the Principles of Internet Number Resource Policy, the AC may recommend it for adoption
#AOTR
Policy Development Process (PDP), continued
4) Recommended Draft Policy – More discussion and presentation at meeting(s). Does the community support turning this into policy?
5) Last call
6) Board Review and Adoption
7) Staff Implementation (NRPM)
#AOTR
Petitions
The community may petition for or against several AC actions, including:
• Against the rejection of a Proposal
• Against the abandonment of a Draft Policy or Recommended Draft Policy
• For the movement of a Proposal to Draft Policy status
• For the movement of a Draft Policy to Recommended Draft Policy status
• For the movement of a Recommended Draft Policy to Last Call status
#AOTR
Principles of the PDP
Open
• Developed in open forums
• Anyone can participate
Transparent
• All aspects documented and available on the website
Bottom-up
• Policies developed by the community
• Staff implements, but does not make policy
#AOTR
•A single community member can propose a policy change, or spark an important discussion in support or opposition to a potential change.
•Many significant policies have gone through the entire PDP with only a handful of voices speaking for or against them.
The Importance of Participation
#AOTR
Example: ARIN-2014-13
• Purpose: reduce the minimum allocation/assignment size to /24 for all networks, whether end-user or ISP, and whether single or multi-homed.
• Discussion was extensive; many voices spoke up about how a minimum of /24 would help the community pre- and post-depletion, and PPML saw an extended last call.
• How many community members did it take to bring ARIN-2014-13 to fruition?
#AOTR
Twenty-six!
• Out of 1,850+ PPML subscribers: ten total contributors
• PPC at NANOG 61 show of hands
  • Total attendees/remote participants: 49
  • In favor: 16
  • Against: 0
• Board ratified 2014-13 in August 2014
• Staff implemented one month later
#AOTR
Recommended Draft Policies Under Board of Trustees Review
• ARIN-2016-3: Alternative simplified criteria for justifying small IPv4 transfers
  • Allows orgs to double holdings up to a /16 with 80% prior utilization.
• ARIN-2016-9: Streamline Merger & Acquisition Transfers
  • Removes additional needs test for combined resources of acquiring/acquired orgs
#AOTR
Current Draft Policies
• Draft Policy ARIN-2017-1: Clarify Slow Start for Transfers
• Draft Policy ARIN-2017-2: Removal of Community Networks
• Draft Policy ARIN-2017-3: Update to NRPM 3.6: Annual Whois POC Validation
• Draft Policy ARIN-2017-4: Remove Reciprocity Requirement for Inter-RIR Transfers
• Draft Policy ARIN-2017-5: Equalization of Assignment Registration requirements between IPv4 and IPv6
#AOTR
Takeaways
• ARIN doesn't create number policy, you do. It’s as easy as submitting a Proposal.
• Policy development includes assistance from the Advisory Council throughout the process.
• Stay informed. Join the policy list and/or attend meetings (in person or remotely).
#AOTR
References
• Policy Development Process (PDP): http://www.arin.net/policy/pdp.html
• Draft Policies and Proposals: http://www.arin.net/policy/proposals/index.html
• Number Resource Policy Manual (NRPM): http://www.arin.net/policy/nrpm.html
#AOTR
Q&A
#AOTR
Securing Core Internet Functions – RPKI
Jon Worley, Technical Services Manager
#AOTR
Routing – A Primer
#AOTR
Routing Architecture
The Internet uses a two level routing hierarchy:
• Interior Routing Protocols, used by each network to determine how to reach all destinations that lie within the network
  • Interior Routing protocols maintain the current topology of the network
#AOTR
Routing Architecture
The Internet uses a two level routing hierarchy:
• Exterior Routing Protocol, used to link each component network together into a single whole
  • Exterior protocols assume that each network is fully interconnected internally
#AOTR
Exterior Routing: BGP
BGP is a large set of bilateral (1:1) routing sessions
• A tells B all the destinations (prefixes) that A is capable of reaching
• B tells A all the destinations that B is capable of reaching
[Diagram: routers A and B exchange prefixes; 10.0.0.0/24, 10.1.0.0/16 and 10.2.0.0/18 on one side, 192.2.200.0/24 on the other]
#AOTR
What is RPKI?
• Resource Public Key Infrastructure
• Cryptographically certifies network resources
  • AS Numbers
  • IP Addresses
• Also certifies route announcements
  • Route Origin Authorizations (ROAs) allow you to authorize your block to be routed
#AOTR
Why is RPKI Important?
• Allows routers (or other processes) to validate routes as authorized
• Provides stronger validation than existing technologies, such as:
  • Routing registries
  • LOAs
  • “Seems legit”
#AOTR
Case Study: YouTube
• Pakistan Telecom was ordered to block YouTube
• Naturally, they originated their own route for YouTube’s IP address block
• YouTube’s traffic was temporarily diverted to Pakistan
• Could have been prevented with widespread adoption of RPKI
#AOTR
Case Study: Turk Telekom
• Turkish President ordered censorship of
• Turk Telekom’s DNS servers were configured to return false IP addresses
  • So people started using Google’s DNS (8.8.8.8)
• Turk Telekom hijacked Google’s IP addresses in BGP
• Could have been prevented with RPKI
#AOTR
Case Study: Bitcoin
• Late 2013 & early 2014, Dell SecureWorks noticed /24 announcements being hijacked
• Amazon, OVH, Digital Ocean, LeaseWeb, Alibaba networks routed to a small network in Canada
• Data between Bitcoin miners and mining pools intercepted
  • An estimated haul of $83,000
• Could have been prevented with RPKI
#AOTR
RPKI Basics
• All of ARIN’s RPKI data is publicly available in a repository
• RFC 3779 certificates show who has each resource
• ROAs show which AS numbers are authorized to announce blocks
• CRLs show revoked records
• Manifests list all data from each organization
#AOTR
Hierarchy of Resource Certificates
[Diagram: certificate hierarchy]
ICANN: 0.0.0.0/0, 0::/0
  ARIN: 128.0.0.0/8, 192.0.0.0/8 (with LACNIC, AFRINIC, RIPE NCC and APNIC as sibling RIRs)
    Regional ISP: 128.177.0.0/16
      Some Small ISP: 128.177.46.0/20
    Other Small ISP: 192.78.12.0/24
#AOTR
Route Origin Authorizations (ROAs)
[Diagram: the same certificate hierarchy, with ROAs issued under the certificates]
ICANN: 0.0.0.0/0, 0::/0
  ARIN: 128.0.0.0/8, 192.0.0.0/8 (with LACNIC, AFRINIC, RIPE NCC and APNIC as sibling RIRs)
    Regional ISP: 128.177.0.0/16, ROA 128.177.0.0/16 AS17025
      Some Small ISP: 128.177.46.0/20, ROA 128.177.46.0/20 AS53659
    Other Small ISP: 192.78.12.0/24, ROA 192.78.12.0/24 AS2000
#AOTR
Current Practices
[Diagram: the same hierarchy and ROAs as the previous slide: 128.177.0.0/16 AS17025, 192.78.12.0/24 AS2000, 128.177.46.0/20 AS53659]
#AOTR
Using ARIN’s RPKI Repository (Theory)
1. Pull down these files using a manifest-validating mechanism
2. Validate the ROAs contained in the repository
3. Communicate with the router to mark routes:
  • Valid
  • Invalid
  • Unknown (NotFound: no ROA covers the prefix)
Ultimately, the ISP uses local policy to decide how to route with this information.
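Step 3 is route origin validation as specified in RFC 6811, and step 4 is whatever the operator decides to do with the result. Both are worked through here as an added example; this is not ARIN's code nor any validator's. The ROA set is constructed: it reuses the AS numbers and prefixes from the hierarchy slides (AS17025, AS53659, AS2000), writes the slide's 128.177.46.0/20 in canonical form as 128.177.32.0/20, adds an AS0 ROA and an IPv6 ROA, and the hijacking origin AS64500 is hypothetical (documentation ASN space).

```python
"""Added example (not ARIN's code): RFC 6811 route origin validation against a
set of validated ROAs, plus an illustrative local policy.
ROAs and announcements are constructed for the example."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str
    max_length: int  # most specific prefix length the origin may announce
    asn: int         # 0 means nobody may originate this prefix (AS0 ROA)


# Constructed validated-ROA set, as a validator would hand to a router over RTR.
ROAS = [
    ROA("128.177.0.0/16", 16, 17025),   # Regional ISP: only the aggregate itself
    ROA("128.177.32.0/20", 22, 53659),  # Some Small ISP: may deaggregate down to /22
    ROA("192.78.12.0/24", 24, 2000),    # Other Small ISP
    ROA("192.78.13.0/24", 24, 0),       # AS0 ROA: this prefix must never appear in BGP
    ROA("2001:db8::/32", 48, 17025),
]


def validate(prefix, origin_asn, roas=ROAS):
    """Classify one (prefix, origin AS) announcement: 'Valid', 'Invalid' or 'NotFound'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True  # at least one ROA speaks for this address space
        # Match: same origin AS (AS0 never matches) and no more specific than maxLength.
        if roa.asn != 0 and roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "Valid"
    # Covered by a ROA but matched by none is the hijack / misconfiguration case.
    return "Invalid" if covered else "NotFound"


def local_policy(state):
    """Step 4 is the operator's choice. This policy drops Invalid routes,
    de-prefers NotFound and prefers Valid; returns a local-preference or None to drop."""
    return {"Valid": 200, "NotFound": 100, "Invalid": None}[state]


# Constructed announcements, including a hypothetical hijack from AS64500.
ANNOUNCEMENTS = [
    ("128.177.0.0/16", 17025),    # Valid
    ("128.177.36.0/22", 53659),   # Valid: inside the /20 and within maxLength 22
    ("128.177.36.0/24", 53659),   # Invalid: right AS, but /24 exceeds maxLength 22
    ("128.177.128.0/17", 17025),  # Invalid: right AS, but more specific than the /16 ROA allows
    ("128.177.0.0/16", 64500),    # Invalid: covered, wrong origin (the hijack)
    ("192.78.13.0/24", 2000),     # Invalid: AS0 ROA forbids any origin
    ("10.0.0.0/8", 64500),        # NotFound: no ROA covers it, RPKI says nothing
    ("2001:db8:1::/48", 17025),   # Valid (IPv6)
]


def validate_table(announcements, roas=ROAS):
    """Return {(prefix, asn): (state, local_pref_or_None)} for a batch of routes."""
    table = {}
    for prefix, asn in announcements:
        state = validate(prefix, asn, roas)
        table[(prefix, asn)] = (state, local_policy(state))
    return table


if __name__ == "__main__":
    for (prefix, asn), (state, pref) in validate_table(ANNOUNCEMENTS).items():
        print(f"{prefix:20} AS{asn:<6} {state:9} local-pref={pref}")
```

Two things worth noticing when reading the output: a route from the legitimate origin is still Invalid when it is more specific than the ROA's maxLength (the /17 and /24 cases), which is why a ROA's maxLength should be set no longer than what you actually announce; and NotFound is not an endorsement, only the absence of any ROA, so dropping NotFound routes today would black-hole most of the routing table.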
#AOTR
Using ARIN’s RPKI Repository (Practice)
1. Get the RIPE NCC RPKI Validator
#AOTR
Using ARIN’s RPKI Repository (Practice, continued)
2. Get the ARIN TAL
  • https://www.arin.net/resources/rpki/tal.html
3. Plug it in to your routing policy engine:
  • Directly to the router via the RTR protocol
  • Using custom scripts and the REST API
  • As RPSL route objects
#AOTR
Putting Your Routes in the RPKI
1. Determine if you want to allow ARIN to host your Certificate Authority (CA), or if you want ARIN to delegate to your Certificate Authority.
2. Sign up with ARIN Online.
3. Create Resource Certificates and ROAs.
#AOTR
Hosted vs. Delegated RPKI
• Hosted
  • ARIN has done all of the heavy lifting for you
  • Think “point click ship”
  • Available via web site or RESTful interface
• Delegated using Up/Down Protocol
  • A whole lot more work
  • Might make sense for very large networks
#AOTR
Hosted RPKI - ARIN Online
• Pros
  • Easy-to-use web interface
  • ARIN-managed (buying/deploying HSMs, etc. is expensive and time consuming)
• Cons
  • Downstream customers can’t use RPKI
  • Large networks would probably need to use the RESTful interface to avoid tedious management
  • We hold your private key
#AOTR
Delegated RPKI with Up/Down
• Pros
  • Allows you to keep your private key
  • Follows the IETF up/down protocol
  • Allows downstream customers to use RPKI
• Cons
  • Extremely hard to set up
  • Requires operating your own RPKI environment
  • High cost of time and effort
#AOTR
Delegated with Up/Down
• You have to do all the ROA creation
• Need to set up a Certificate Authority
• Have a highly available repository
• Create a CPS (Certification Practice Statement)
RPKI Usage
Semiannual snapshots: Oct 2012, Apr 2013, Oct 2013, Apr 2014, Oct 2014, Apr 2015, Oct 2015, Apr 2016, Oct 2016, Apr 2017
Certified Orgs:     47  68  108  153  187  220  250  268  292
ROAs:               19  60  106  162  239  308  338  370  414  470
Covered Resources:  30  82  147  258  332  430  482  528  577  640
Up/Down Delegated:   0   0    0    1    2    1    2    2
RPKI vs The Routing Table: Globally [chart]
RPKI vs The Routing Table: RIPE [chart]
RPKI vs The Routing Table: APNIC [chart]
RPKI vs The Routing Table: AFRINIC [chart]
RPKI vs The Routing Table: LACNIC [chart]
RPKI vs The Routing Table: ARIN [chart]
Takeaways
• If you’re not using RPKI, you’re vulnerable to route hijacking
• Plenty of readily available documentation regarding implementation details
• If we can help, contact us
Q&A

Everything You Always Wanted To Know About IPv6
Richard Jimmerson, CIO
The Road To IPv6 Deployment
• Why Move To IPv6 Now?
• Obtaining IPv6 From ARIN
• Dedicated IPv4 Block For IPv6 Deployment
• IPv6 Address Plans
• IPv6 Deployment Case Studies
• IPv6 Resources
... and a few words about the current state of IPv6 adoption.
Why Move To IPv6 Now?
• Being IPv4-only has costs
  • Transfer market, latency, CGN boxes, NAT
• Generally no additional cost for ISPs, and fees recently lowered for end users
• IPv6 gives you access to a reserved IPv4 block
  • One IPv4 /24 per six-month period
Requesting IPv6 - ISPs
• Have a previous v4 allocation from ARIN or a predecessor registry, OR
• Intend to IPv6 multi-home, OR
• Provide a technical justification which details at least 50 assignments made within 5 years
IPv6 ISP Block Size
• /48 typically assigned to customers
  • Might be smaller, e.g. /56, for residential
• /32 default generally sufficient
  • Enough to number 65k+ customers
• Larger blocks based on:
  • Number of serving sites (PoPs, datacenters)
  • Number of customers at the largest serving site
  • Block size to be assigned
Requesting IPv6 – End Users
• Have a v4 assignment from ARIN, OR
• Intend to IPv6 multi-home, OR
• 2000 IPv6 addresses/200 IPv6 subnets used, OR
• Have 13+ active sites within 12 months, OR
• Technical justification showing ISP-assigned IPs are unsuitable
IPv6 End User Block Size
Number of Sites    Block Size
1                  /48
2-12               /44
13-192             /40
193-3,072          /36
3,073-49,152       /32
Reserved IPv4 for IPv6 Deployment
• /10 reserved under policy in April 2009
• 60 /24s issued to date (99.6% remains available)
• Must be used to facilitate IPv6 deployment
  • Dual stacking key servers, NAT-PT/NAT464, etc.
• Must have an IPv6 block
• One per organization every six months
  • /24 maximum size
Subnetting: IPv4 vs IPv6
• The IPv4 mindset: think in terms of IP addresses
  • “If a site has 50 devices, I give it a /26”
• The IPv4 mindset does not work for IPv6
  • Last 64 bits used for device autoconfiguration
  • ... and we have a ton of IPv6 addresses.
• The correct IPv6 mindset: think in terms of subnets, not addresses
IPv6 Subnetting – NANOG BCOP
• Each individual network segment gets a /64
  • A /64 can hold a near-infinite number of devices
• Subnet on nibble boundaries for DNS
  • /48, /44, /40, etc.
• Addressing plans should be hierarchical, with each level using subnets of the same size
  • Each site gets a /48
  • Customers generally get a /48
  • PoPs/aggregation points sized based on the largest
IPv4 Address Plan: End User
[Figure: enterprise network with four hubs]
• SJO Hub: 14 offices, /27 for each, 448 IPs
• CHI Hub: 15 offices, /28 for each, 240 IPs
• DAL Hub: 7 offices, /28 for each, 112 IPs
• ASH Hub: 156 sites, /27 for each, 4,992 IPs
Aggregate blocks shown in the figure: /23, /24, /24, /19
IPv6 Address Plan: End User
[Figure: the same enterprise network, renumbered for IPv6]
• SJO Hub: 14 offices, /48 for each (448 IPs)
• CHI Hub: 15 offices, /48 for each (240 IPs)
• DAL Hub: 7 offices, /48 for each (112 IPs)
• ASH Hub: 156 sites, /48 for each (4,992 IPs)
Aggregate blocks shown in the figure: a /40 (256 /48s) for each hub
IPv4 Address Plan: ISP
[Figure: FTTH ISP network with four hubs]
• Denver Hub: 952 home users (1 IP each), 5 business customers (/29-/24) = 1,952 IPs
• Grand Junction Hub: 214 home users (1 IP each) = 214 IPs
• Colorado Springs Hub: 497 home users (1 IP each) = 497 IPs
• Ft. Collins Hub: 497 home users (1 IP each), 4 business customers (/29-/24) = 997 IPs
Aggregate blocks shown in the figure: /21, /24, /23, /22
IPv6 Address Plan: ISP
[Figure: the same FTTH ISP network, renumbered for IPv6]
• Denver Hub: 1,027 total users (home + business) = 1,027 /48s
• Grand Junction Hub: 214 total users (home + business) = 214 /48s
• Colorado Springs Hub: 497 total users (home + business) = 497 /48s
• Ft. Collins Hub: 506 total users (home + business) = 506 /48s
Aggregate blocks shown in the figure: a /36 (4,096 /48s) for each hub
Anatomy Of An IPv6 Address
2001:0DB8:3007:000A:B9D3:284A:83E2:90DB
• /32 from ARIN: 2001:0DB8
• Hub (/36): 0 = Denver, 1 = Grand Junction, 2 = Colorado Springs, 3 = Ft. Collins, 4 = Future Hub, ... etc.
• Site (/48): 001 = Ft. Collins Site 1, 002 = Ft. Collins Site 2, ..., 007 = Ft. Collins Site 7
• Subnet (/64): 0001 = Subnet 1, 0002 = Subnet 2, ..., 000A = Subnet 10
• Device (/128): autoconfigured with MAC address
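The plan described in the block-size, NANOG BCOP, ISP address plan and address anatomy slides above, as an added example in Python (not code from the slides or from ARIN): it sizes each hub from its site count using the nibble-boundary thresholds of the end-user table, composes hub (/36), site (/48) and subnet (/64) prefixes by placing each index in its hex-digit field, and decodes the slide's sample address back into hub, site, subnet and interface ID. The documentation prefix 2001:db8::/32 stands in for the /32 from ARIN; hub names and user counts are taken from the ISP plan slide. The 75% utilization rule in `prefix_for_sites` is an observation that reproduces the table's thresholds, not a rule the slides state.

```python
"""Hierarchical IPv6 address plan on nibble boundaries.

Added example, not from the slides or ARIN: it reproduces the plan shown
above (/32 from ARIN, /36 per hub, /48 per site, /64 per subnet) and the
end-user block size table. 2001:db8::/32 (the documentation prefix) is a
constructed stand-in for the /32; hub names and user counts are the slide's.
"""
from ipaddress import IPv6Address, IPv6Network, ip_network
from typing import Dict, List, Tuple

ALLOC, HUB, SITE, SUBNET = 32, 36, 48, 64   # prefix length at each level (all nibble-aligned)

# (hub name, /48s needed) from the FTTH ISP plan; list position is the hub's nibble value.
HUBS: List[Tuple[str, int]] = [("Denver", 1027), ("Grand Junction", 214),
                               ("Colorado Springs", 497), ("Ft. Collins", 506)]
HUB_NAMES: Dict[int, str] = {i: name for i, (name, _) in enumerate(HUBS)}


def prefix_for_sites(sites: int, utilization: float = 0.75) -> int:
    """Nibble-aligned prefix length that holds `sites` /48s at the given utilization.

    Reproduces the end-user table (1 -> /48, 2-12 -> /44, 13-192 -> /40,
    193-3,072 -> /36, 3,073-49,152 -> /32): each row's upper bound is 75%
    of the /48 count at that boundary. That is an observation about the
    table, not a rule the slide states.
    """
    if sites < 1:
        raise ValueError("need at least one site")
    for plen in range(48, 31, -4):                  # /48, /44, /40, /36, /32
        capacity = 2 ** (48 - plen)                  # /48s in a block of this length
        limit = 1 if plen == 48 else int(capacity * utilization)
        if sites <= limit:
            return plen
    raise ValueError(f"{sites} sites exceed a /32 at {utilization:.0%} utilization")


def hub_level_prefix(hubs: List[Tuple[str, int]] = HUBS) -> int:
    """A hierarchical plan gives every hub the same size block, sized for the largest hub."""
    return min(prefix_for_sites(n) for _, n in hubs)   # fewer prefix bits = larger block


def _compose(base: str, plen: int, hub: int, site: int, subnet: int) -> IPv6Network:
    """Place hub, site and subnet indexes in their hex-digit fields below the /32."""
    net = ip_network(base)
    if not isinstance(net, IPv6Network) or net.prefixlen != ALLOC:
        raise ValueError("base must be the /32 allocation")
    for value, bits in ((hub, HUB - ALLOC), (site, SITE - HUB), (subnet, SUBNET - SITE)):
        if not 0 <= value < 2 ** bits:
            raise ValueError(f"field value {value} does not fit in {bits} bits")
    addr = (int(net.network_address)
            | hub << (128 - HUB) | site << (128 - SITE) | subnet << (128 - SUBNET))
    return IPv6Network((addr, plen))


def hub_block(base: str, hub: int) -> IPv6Network:
    return _compose(base, HUB, hub, 0, 0)


def site_block(base: str, hub: int, site: int) -> IPv6Network:
    return _compose(base, SITE, hub, site, 0)


def subnet_block(base: str, hub: int, site: int, subnet: int) -> IPv6Network:
    return _compose(base, SUBNET, hub, site, subnet)


def decode(address: str, base: str = "2001:db8::/32") -> Dict[str, object]:
    """Split an address into the plan's fields, as on the anatomy slide."""
    addr = IPv6Address(address)
    if addr not in ip_network(base):
        raise ValueError(f"{address} is outside {base}")
    a = int(addr)
    hub = (a >> (128 - HUB)) & 0xF
    return {
        "hub": hub,
        "hub_name": HUB_NAMES.get(hub, "Future Hub"),
        "site": (a >> (128 - SITE)) & 0xFFF,
        "subnet": (a >> (128 - SUBNET)) & 0xFFFF,
        "interface_id": f"{a & ((1 << 64) - 1):016x}",   # autoconfigured device part
    }


if __name__ == "__main__":
    print(f"hub level: /{hub_level_prefix()} -> {2 ** (SITE - HUB)} /48s per hub")
    for i, (name, _) in enumerate(HUBS):
        print(f"{name:17} {hub_block('2001:db8::/32', i)}")
    print(decode("2001:0DB8:3007:000A:B9D3:284A:83E2:90DB"))
```

Running it reproduces the slide: every hub comes out at /36 because the largest hub (1,027 sites) needs one and the plan keeps each level the same size, and the sample address decodes to hub 3 (Ft. Collins), site 7, subnet 10.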
IPv6 Deployment Information
• ISOC’s Deploy360 program has 16 detailed case studies covering:
  • ISPs
  • Hosting providers
  • Enterprise businesses
  • Universities
  • Governments
• ARIN’s IPv6 Wiki
  • DNS, tools, translation services, etc.
IPv6 Info Center
www.arin.net/knowledge/ipv6_info_center.html
www.GetIPv6.info
www.TeamARIN.net
How Far Are We In IPv6 Adoption?
Depends where you look...
• How many networks have an IPv6 block?
• How many networks are routing IPv6?
• How much traffic is using IPv6?
Percentage of Members with IPv6
[Chart: percentage of members with IPv6 per RIR (AfriNIC, APNIC, ARIN, LACNIC, RIPE NCC); values shown: 34.10%, 52.83%, 52.87%, 75.11%, 87.55%]
Customers with IPv4 & IPv6
[Chart: customers by address family; legend: IPv4 Only, IPv4 & IPv6, IPv6 Only. Values shown: RSP 2,467, 2,420, 449; End Users 6,432, 1,780, 295]
IPv6 Adoption by ISP Size
[Chart: percentage of ISPs with IPv6 vs. ISPs without IPv6, by ISP size]
IPv6 Requests Since Depletion
[Chart: IPv6 requests over time, 0 to 120 scale; dashed line = IPv4 depletion]
Routing Table Growth
[Chart: IPv4 – First 14 Years vs. IPv6 – First 14 Years]
Google’s IPv6 Traffic Growing
[Chart]
Facebook & Akamai
[Chart]
Discussion: IPv6 & You
• Do you have an IPv6 block from ARIN?
  • If so, how was the process?
• Have you deployed IPv6?
  • If not, do you plan to? Are there blockers?
  • If so, how is it working? Any experience to share?
• What can ARIN do to help you with IPv6 deployment?
Q&A
Today’s Takeaways:
• You make ARIN’s Internet number resource policy
• Apply for IPv6 addresses and get started
• Consider implementing DNSSEC & RPKI
• Reach out to us with questions and suggestions - engage
https://www.arin.net/participate/meetings/fellowship.html
Fill out & submit the survey for your chance to win a $100 Amazon Gift Card!