B R I N G I N G Y O U A N S W E R S

|DENVER, CO 13 JUNE 2017

#AOTR

Dan AlexanderChair, ARIN Advisory Council

Susan HamlinDirector, Communications & Member Services

Richard JimmersonChief Information Officer

Jon WorleyTechnical Services Manager

Here Today From ARIN

#AOTR

9:30 - 9:45 AM Getting Started & Self Intros9:45 -10:15 AM ARIN Mission and Services10:15 -10:45 AM ARIN Technical Services

Break

10:55 - Noon Life After IPv4 Noon - 1:00 PM Lunch

Morning Agenda

#AOTR

1:00 - 1:35 PM DNSSEC1:35 - 2:05 PM Internet Number Resource Policy 2:05 - 2:40 PM Resource Certification (RPKI)

Break

2:50 - 3:45 PM Everything You Ever Wanted To Know About IPv6

3:45 - 3:55 PM Open Mic and Wrap Up

4:00 - 5:00 PM Happy Hour

Afternoon Agenda

#AOTR

Self Introductions:•Name•Organization and type of business• The question I would most liked

answered today is….....

Let’s Get Started!

#AOTR

ARIN and the RIR System: Mission, Role

and ServicesSusan Hamlin

Director, Communications and Member Services

#AOTR

Regional Internet Registries

#AOTR

•Manage the distribution of IP addresses and Autonomous System numbers (ASNs)

• Provide reverse DNS and a public Whoisdatabase

• Support Internet infrastructure through technical coordination

What do the RIRs do?

#AOTR

• Independent• Not-for-profit

• Fee for services, not number resources• 100% community funded

• Membership-based• Internet service providers (ISPs), telecommunication

organizations and large corporations

• Community “Regulated”• Community developed policies• Member-elected governing boards• Open and transparent

The RIRs are…

#AOTR

Distribution of IP Addresses

#AOTR

ARIN, a nonprofit member-based organization, supports the

operation of the Internet through the management of

Internet number resources throughout its service region;

coordinates the development of policies by the community

for the management of Internet Protocol number resources;

and advances the Internet through informational outreach.

#AOTR

ARIN’s Service Region

The ARIN Region includes many Caribbean and North Atlantic islands, Canada, the United States and outlying areas.

#AOTR

• 37,000+ organizations served• 20,000+ customers paying fees for services • 5,550+ members • 80+ professional staff

… and anyone with an interest in Internet number resource management in the ARIN region.

The ARIN Community includes…

#AOTR

ARIN is governed by individuals who are elected by our membership.

• Board of Trustees: 6 elected, 3 year terms•Advisory Council: 15 elected, 3 year terms•Number Resource Organization Number

Council – 2 elected, 3 year terms; 1 member appointed by the ARIN Board

Community-based Leadership

#AOTR

7 Member Board of Trustees

• 6 elected by the membership plus President & CEO – all voting

• 2 seats open each election/year

• Ability to appoint an additional voting member for diversity

• Maintains authority over the scope, mission, and establishes the strategic direction and fiscal oversight

Board of Trustees

#AOTR

15 Member Advisory Council

• Elected by the membership

• 5 seats open each year/election

• Serves in an advisory capacity to the Board on Internet number resource policy and related matters

• Forwards consensus-based policy proposals to the Board for ratification

Advisory Council

#AOTR

Number Resource Organization Number Council (NRO NC)Address Supporting Organization Advisory Council (ASO AC)

• 15 member body/3 per RIR

• 2 elected and one appointed

• Global policy development process

• Selects ICANN Board seats 9 and 10

• Provides advice to the ICANN Board on number resource allocation policy, in conjunction with the RIRs

NRO NC/ ASO AC

#AOTR

ARIN performs its mission according to a Strategic Plan. Updated annually, this plan

drives the creation of organizational objectives and the internal work plan.

ARIN’s 2017-2018 Strategic Plan And Objectives:https://www.arin.net/about_us/corp_docs/stratplan-2017-2018.pdf

Strategic Planning

#AOTR

• Maintain accountability to membership

• Perform audits (security, registration services)

• Make Board aware of community needs for services

• Participate in global discussions to maintain the community-based multi-stakeholder policy development model

• Conduct two ARIN Public Policy and Member meetings

• Maintain a strong outreach in the Caribbean

2017 Organizational Objectives

#AOTR

• Support law enforcement efforts consistent with ARIN’s mission

• Support community discussions on global routing table management

• Provide Advisory Council requested automation support

• Continue IPv4/IPv6 transition awareness campaign

• Continue to review and enhance online services, including making significant user interface improvements per user feedback and customer survey

2017 Organizational Objectives

#AOTR

• IP address allocations & assignments

• ASN assignment

• Transfers

• Reverse DNS

• Record Maintenance

• Directory services – Whois, Whowas...

ARIN Manages:

#AOTR

• ARIN Online (customer web portal)

• Security (DNSSEC, RPKI)

• Community Software Project Repository

• Whois-RWS

• Whois and Registration Data Access Protocol (RDAP) directory services

• Operational Test & Evaluation (OT&E) Environment

ARIN Services

#AOTR

• Educational Materials library https://www.arin.net/knowledge

• Instructional Video Libraryhttp://youtube.com/teamarin

• In-person Training/Education• ARIN on the Road• ARIN + NANOG on the Road• Other fora upon request

Training and Education

#AOTR

• Policy Development through Public Policy Meetings and Consultations

•Work closely with the technical community to ensure education, empowerment, engagement

•Collaborate with Caribbean organizations to maximize inclusion

Outreach & Community Engagement

#AOTR

• Foster working relationships on a global scale

• Be a key technical resource

• Support cooperation and direct involvement alongside governments and international organizations

Global Community Engagement

#AOTR

• Get6 - teamarin.net/get6/

• Focus on getting public websites IPv6-enabled

• Featuring Forward Thinkers who have done it already

• Wiki list of IPv6 webhosters, DNS providers, trainers, & consultants - getipv6.info

IPv6 Outreach

#AOTR

• ARIN Announce: arin-announce@arin.net

• ARIN Discussion: arin-discuss@arin.net (members only)

• ARIN Public Policy: arin-ppml@arin.net

• ARIN Consultation: arin-consult@arin.net

• ARIN Issued: arin-issued@arin.net

• ARIN Technical Discussions: arin-tech-discuss@arin.net

• Suggestions: arin-suggestions@arin.net

http://www.arin.net/participate/mailing_lists/index.html

ARIN Mailing Lists

#AOTR

ARIN on Social MediaTeamARIN.net

/TeamARIN

@TeamARIN

+TeamARIN

www.linkedin.com/company/ARIN

www.youtube.com/TeamARIN

#AOTR

• Subscribe to an ARIN mailing list

• Attend a Public Policy and Members Meetings

• Voice your opinion - ARIN’s Consultation and Suggestion Process

• Volunteer – Committees of the Board: Fellowship Selection, Nomination, Mailing List Acceptable Use Policy and serves as a Meeting Mentor

• Members – Vote in annual elections

You Can Participate!

#AOTR

Questions & Discussion

#AOTR

ARIN Technical Services

Richard JimmersonCIO

#AOTR

How Many Records Do We Manage?• Networks

• Direct• Indirect

• ASNs• Reverse DNS Delegations• Organizations

• Org IDs• Customers

• Points of Contact• Web Users... for a grand total of ____________?

#AOTR

Almost 8 Million!• Networks: 3,069,469

• Direct: 57,764• Indirect: 3,011,705

• ASNs: 25,920• Reverse DNS Delegations: 606,584• Organizations: 3,183,197

• Org IDs: 733,927• Customers: 2,449,270

• Points of Contact: 725,975• Web Users: 121,134... for a grand total of 7,732,279

#AOTR

Major Technical Service Areas• Core Registry Functions (ARIN Online)

• Resource Registration & Management• Whois• Reverse DNS

• New Services• Web-based reassignment management (SWiP-EZ)• DNSSEC & RPKI• WhoWas• RDAP• RESTful Interfaces• Operational Test & Evaluation Environment (OT&E)

• Technical Support

#AOTR

Core Registry Services – ARIN Online• Registering ASNs and IPv4/IPv6 blocks

• Including reassignments and reallocations

• Transferring ASNs and IPv4/IPv6 blocks

• Managing org & contact information

• Managing reverse DNS & RPKI

• Bulk Whois and WhoWas Reports

• Invoices and Bill Payment

• All now available via ARIN Online

#AOTR

ARIN Online - Total Users

2,72712,799

29,831

49,524

64,185

78,074

92,866

107,627

120,785

0

20,000

40,000

60,000

80,000

100,000

120,000

140,000

2008 2009 2010 2011 2012 2013 2014 2015 2016

#AOTR

ARIN Online Usage Frequency81,607

23,43810,921

1,5330

10,00020,00030,00040,00050,00060,00070,00080,00090,000

Occasional (0-5 Logins)

Regular (6-25

Logins)

Active (26-100 Logins)

Very Active (> 100 Logins)

# Users

One user logged in 1,319,292 times!

#AOTR

Web-Based Reassignment Management

•Manage customer reassignments (SWIPs) via ARIN Online

•Comprehensive reassignment report• Generates a spreadsheet of all reassignments made

from your space along with holes (unassigned space)

• Recommended for ISPs managing a small number of records

#AOTR

DNSSEC & RPKI• Security for core Internet protocols• Stay tuned for details...

#AOTR

WhoWas• Spreadsheet with registration history for

one ASN/IP address

• Requested by the community

•Common uses include• Researching the history of an IPv4 block prior to

entering into a transfer• Investigating possible unauthorized changes• Law enforcement

#AOTR

Registration Data Access Protocol (RDAP)

• Designed by the IETF to replace Whois• Whois was designed for humans to read, not for

machines to interact with

• Provides standardized HTTP-based RESTful JSON responses• “Plays well with machines”

• Can offer referral responses• If you ask ARIN for a record that’s held by another

RIR, we point you to it

#AOTR

RDAP In ActionClient ARIN APNIC

45.65.1.1?

Ask ARIN

45.65.1.1?

Ask APNIC

Bootstrap Server

45.65.1.1?

JSON

#AOTR

Automating With REST Services

Reg-RWS

• Reassignments (SWiP)• Reports• DNS / RPKI

Management

Whois

• RDAP• Whois-RWS

#AOTR

What is REST?• REpresentational State Transfer

• Uses HTTP & URLs to create, read, update, and delete data

•Widespread industry adoption

• Easily understood• Any modern programmer can incorporate it

#AOTR

The BIG Advantage of REST• Allows you to automate your interactions with

ARIN• Customer reassignment management• Reverse DNS management

• Can use existing tools• ARINcli• 6connect• https://github.com/arineng• http://projects.arin.net

• Or, write your own!

#AOTR

What does REST look like?

http://whois.arin.net/rest/poc/KOSTE-ARIN

Where the data is.What type of data it is.

The ID of the data.

It’s a standard URL. Anyone can use it.Go ahead, put it into your browser. We dare you.

#AOTR

Reg-RWS Transactions (cumulative – restful/templates)

408k596k 846k

1.0M

1.3M1.5M

1.7M

2.0M2.2M 2.4M

2.5M

40k320k 841k

3.5M

4.3M4.7M

5.0M

5.6M6.0M 6.2M

6.5M

0

1,000,000

2,000,000

3,000,000

4,000,000

5,000,000

6,000,000

7,000,000

#AOTR

For more information…

RESTful Web Services•O’Reilly Media• Leonard Richardson• Sam Ruby

#AOTR

Operational Test & Evaluation (OT&E)

• Lots of people test in production• Is not the best place to test• Things do get stuck – may impact others• Operational Test & Evaluation

•Goodness of OT&E• Place to test code/processes• All services now under ote.arin.net except email• Need to register to participate• https://www.arin.net/resources/ote.html

#AOTR

Technical Support•Ask ARIN

• Phone Help Desk• 7AM – 7PM ET M-F• +1.703.227.0660

• Email support via hostmaster@arin.net

• arin-tech-discuss mailing list• Make sure to subscribe• Archives contain useful information

#AOTR

In the works… a new design!

#AOTR

Q&A

#AOTR

Life After IPv4 Depletion

Jon WorleyTechnical Services Manager

#AOTR

Overview• IPv4 Request Activity

•Reserved IPv4 Space

• IPv4 Waiting List

• IPv4 Transfer Market

• Specified Transfer Listing Service

#AOTR

IPv4 Requests Since Depletion

------- = IPv4 depletion

050

100150200250300350400450

#AOTR

IPv4 Waiting List• Requesters have the waiting list option• Initial /21 (ISP) or /24 (EU) with no justification• Larger blocks based on 24 month need• Requester may specify a smaller acceptable size• One request per org on the list at a time

•Oldest requests filled first• Requests met by transfer are removed

#AOTR

IPv4 Waiting List – Block Sources• IANA Redistribution (2x a year)• Down from /11 May 2014 to /19 March 2017

• Returned IPv4 Blocks

• Revoked IPv4 Blocks• Generally for nonpayment

• Lengthy review process before reissue

#AOTR

Reissue Review Process• RSD analyzes returned/revoked blocks

• Unrouted blocks get priority over routed blocks• Need verification the return/revoke was done

properly

• FSD confirms fees unpaid & notices sent

•Meeting held to confirm reissue• Legal review• 4 management team signatures required• 20-40 blocks reviewed in each meeting

• 328 blocks currently in the review process

#AOTR

IPv4 Waiting List Growth

------- = IPv4 depletion

050

100150200250300350400450

#AOTR

IPv4 Waiting List StatisticsOf the 703 requests added:

• 244 (35%) have been filled• Last request filled waited ~13 months

• 166 (24%) dropped off• Most got IPv4 via the transfer market

• 286 (41%) still waiting• Oldest added 31 Jul 2015

#AOTR

Waiting Time•Of the 244 completed requests:• Average 15 months wait• Longest wait: 24 months

•Of the 166 closed requests:• Average 7 months before close• Longest wait: 21 months (filled via transfer)

#AOTR

IPv4 Critical Infrastructure Reserve• 2 /16s reserved for: • Public exchange points• ICANN-sanctioned Core DNS operators• RIRs• IANA

• New gTLDs not eligible

• 13.1% used

#AOTR

Reserved IPv4 for IPv6 Deployment

..... stay tuned. J We’ll discuss this policy in the IPv6 presentation.

#AOTR

• Mergers and Acquisitions (NRPM 8.2)– Traditional transfer resulting from a merger,

acquisition, or reorganization supported by legal documentation

• Transfers to Specified Recipients (NRPM 8.3)– IPv4 market transfer from one organization to another

that it specifies, supported by justified need (within region)

• Inter-RIR transfers to Specified Recipients (NRPM 8.4)– IPv4 market transfer from one organization to

another that it specifies, supported by justified need (between regions)

IPv4 Transfer Policies

#AOTR

Specified Recipient TransferAllows orgs with unused IPv4 resources to transfer them to orgs in need of IPv4 resources• Source• Must be current registrant, no disputes• Not have received addresses from ARIN for 12

months prior

• Recipient• Demonstrate need for 24-month supply under

current ARIN policy

#AOTR

Specified Recipient Transfer Growth

------- = IPv4 depletion

0

50

100

150

200

250

#AOTR

Inter-RIR Transfers• RIR must have reciprocal, compatible needs-

based policies• Currently APNIC and RIPE NCC

• Transfers from ARIN• Source cannot have received IPv4 from ARIN 12

months prior to transfer • Must be current registrant, no disputes• Recipient meets destination RIR policies

• Transfers to ARIN• Must demonstrate need for 24-month supply

under current ARIN policy

#AOTR

Inter-RIR Transfers Completed

------- = IPv4 depletion

02468

101214161820

#AOTR

No Drop In IPv4 Consumption

0

50000

100000

150000

200000

250000

300000

350000To

tal /

24s

Free Pool Transfer Market

#AOTR

Minimal Drop in IPv4 Workload

050

100150200250300350400450500

IPv4 Requests Need-Based Transfer Requests

#AOTR

Transfer Pre-Approval•Optional free service to confirm your 24

month projected IPv4 need

• Receive IPv4 addresses via multiple need-based transfers up to the pre-approved amount over the next 24 months

• $300 fee to complete each transfer• Now paid at the time transfer is submitted

#AOTR

Specified Transfer Listing Service (STLS)• Optional fee-based service to facilitate

specified recipient and inter-RIR transfers• Sources have IPv4 addresses verified as available• Recipients have a verified need for IPv4 addresses• Facilitators arrange transfers between parties

• Approved participants can view detailed information for all other participants

• Public summary available on ARIN’s website• Available block sizes• # of source ORGs and approved block sizes• List of facilitators with contact information

#AOTR

Takeaways• IPv4 consumption still strong

• If you need IPv4:• Get pre-approved & look at transfer

market• Get an IPv6 block & use reserved IPv4

block for IPv6 deployment policy• Wait List an option if you can defer need

• IPv6 is the future

#AOTR

Q&A

#AOTR

Securing Core Internet Functions - DNSSEC

Jon WorleyTechnical Services Manager

#AOTR

What is DNSSEC? •A DNS extension which authenticates

responses • When you ask how to get to www.arin.net,

DNSSEC verifies the answer is from ARIN and not someone pretending to be us

•Doesn’t ensure the answer is correct, just that it’s coming from the right place

#AOTR

Why is DNSSEC Important? • Standard DNS is not secure• Trivial to spoof (provide false responses)• ... so an attacker can redirect people

looking for www.arin.net to his own site• ... and then steal login information.

•DNSSEC is (surprise) secure• An attacker can try to redirect traffic, but

DNSSEC will show it’s not a valid response

#AOTR

DNS Cache Poisoning• Attacker gives the nameserver a

“poisoned” (incorrect) response to www.arin.net

• If accepted, this nameserver will direct people to the fake site, typically for hours

• ... and any nameservers that trust the poisoned one will also become poisoned.

#AOTR

Case Study: Kashpureff Attack• Eugene Kashpureff didn’t like Internic’s

control of top level domains

• In 1996, he used DNS cache poisoning to redirect Internic traffic to his own site

• Kashpureff was eventually convicted of computer fraud

• This attack could have been preventedwith DNSSEC

#AOTR

Case Study: Kaminsky Flaw• 2008: Dan Kaminsky discovered a

fundamental flaw in the DNS protocol• 65,536 Transaction IDs in DNS makes it easy to

guess the right one & spoof

• Updates to DNS software makes this flaw more difficult to exploit, but not impossible

• These attacks can be prevented with DNSSEC

#AOTR

Case Study: Bradesco• Bradesco is a bank in Brazil

•DNS cache poisoning attack resulted in 1% of the bank’s customers being redirected to a fake site• Getting login credentials for 1% of a large bank’s

customers could be disastrous

•Networks not using DNSSEC are vulnerable to a similar attack

#AOTR

Other Uses1. Protect DKIM & SPF• Without DNSSEC, an attacker can make use your

email addresses for spam.

2. SSH Initial Host Key Exchange• Protect SSH Fingerprint (SSHFP) records.

3. PGP Key Distribution• Use _pka records to distribute PGP keys easily usable

by GnuPG

4. DANE• Coming standard from the IETF to use DNS as a

global public key infrastructure.

#AOTR

DNSSEC Usage StatisticsARIN 39

Number of Orgs with DNSSEC 139

Total Number of Delegations 620,412

DNSSEC Secured Zones 671

Percentage Secured 0.11 %

#AOTR

#AOTR

How Can We Increase Usage?• Identify Barriers to Adoption• Don’t know how• Don’t have time• “... but I haven’t been attacked”

• Then, knock them down• Increased awareness• Education/assistance• “An ounce of prevention is worth a pound of cure”

#AOTR

Using DNSSEC with ARIN• Remember: this is for reverse DNS, not

forward DNS

• Use your DNS server software to:• Generate your key pair• Create DS records to upload to ARIN via

ARIN Online or Reg-RWS• Sign your DNS zones

#AOTR

DNSSEC Configuration• Ensure the required DNSKEY, RRSIG,

NSEC, and DS records are published in your nameservers• Consult your zone file…..

•ARIN provides only reverse DNSSEC• Make sure to also secure your forward DNS

through your domain registrar

#AOTR

How It Works•DNSSEC adds new resource records into

your zone file.

• These records are signed off-line.

• Two types of public/private key pairs• Zone Signing Key (ZSK) is used to sign

records in the zone• Key Signing Key (KSK) signs the ZSK. Usually

longer lived than the ZSK.

#AOTR

Signed & Unsigned Zones0.43.199.in-addr.arpa. 10800 IN SOA ns1.arin.net. dns-ops.arin.net. 2016072520 10800 3600 604800 36000.43.199.in-addr.arpa. 10800 IN NS ns1.arin.net.0.43.199.in-addr.arpa. 10800 IN NS ns2.arin.net.0.43.199.in-addr.arpa. 10800 IN NS ns2.lacnic.net.0.43.199.in-addr.arpa. 10800 IN NS sec1.apnic.net.0.43.199.in-addr.arpa. 10800 IN NS sec1.authdns.ripe.net.1.0.43.199.in-addr.arpa. 10800 IN PTR host-199-43-0-1.arin.net.10.0.43.199.in-addr.arpa. 10800 IN PTR host-199-43-0-10.arin.net.

0.43.199.in-addr.arpa. 10800 IN SOA ns1.arin.net. dns-ops.arin.net. 2016072520 10800 3600 604800 36000.43.199.in-addr.arpa. 3600 IN RRSIG NSEC 5 5 3600 20170131143127 20170117133127 13093 0.43.199.in-addr.arpa. p33dgTSLyg/qoDuoN6XGRFUwfRdILdYQtJfl/i077aLZA/usJ0r3furj 3FikILZOodCWez0yiKYwKaUYlGiFgZyWSlDTrbMgnLBG162tQrby8wAQ Ke1mOYRBdSOT6swRzhJx6rRRSH4C0/3YpQqmKZsplQisyTdbykhy4N3h 38M=…0.43.199.in-addr.arpa. 10800 IN DNSKEY 256 3 5 AwEAAXCN3mUJUntP90L4F4oNxxlzKFos9FYD0wxTqxoWueBjFVAvS9vt FSAC7sV4yqKF3NbOOgk81Ep8n8BLZ3vvhnL8/y6Gf3K+d/yvK248ZWR6 +r+AAsV6icMEloQhaJzuam/eMrlj4kJ96lVjFvMEwdPNNSYzen30OfpC sswVvamh…0.43.199.in-addr.arpa. 3600 IN NSEC

1.0.43.199.in-addr.arpa. NS SOA RRSIG NSEC DNSKEY0.43.199.in-addr.arpa. 10800 IN NS ns1.arin.net.…1.0.43.199.in-addr.arpa. 10800 IN PTR host-199-43-0-1.arin.net.…

A signed zone file will have

RRSIG, NSEC, and

DNSKEYrecords.

#AOTR

New Record TypesDNSKEY – records holding the public zone signing key and key signing key

RRSIG – records holding the cryptographic signatures of the other DNS records

NSEC – records cryptographically stitching the other records together

DS – these point to your zone like an NS record (needed in the parent zone)

#AOTR

How Do I Know It’s Working?

Use a DNSSEC validating resolver. Popular options include:

www.internetsociety.org/deploy360/dnssec/www.isc.org/downloads/bind/dnssec/

91

#AOTR

Takeaways• If you’re not using DNSSEC, you’re

vulnerable to a DNS cache poisoning attack

• Plenty of readily available documentation regarding implementation details

• If we can help, contact us

#AOTR

Q&A

#AOTR

ARIN Internet Number Resource Policy

…your participation matters

Dan AlexanderChair, ARIN Advisory Council

#AOTR

ARIN’s Policy Development Process Video

#AOTR

ARIN applies policies to the management of Internet number resources and certain directory and registry services.

Policies are given effect through the application of business rules and operating procedures

What Do Internet Number Resource Policies Do?

#AOTR

The Number Resource Policy Manual (NRPM) is the collection of all ARIN policies, arranged by topic.Topics include:

• Definitions• Directory Services• IPv4• IPv6• AS Numbers• Transfers

View the NRPM at: https://www.arin.net/policy/nrpm.html

What is the NRPM?

#AOTR

NRPM 4.3.1 - End-users

ARIN assigns blocks of IP addresses to end-users who request address space for their internal use in running their own networks, but not for sub-delegation of those addresses outside their organization. End-users must meet the requirements described in these guidelines for justifying the assignment of an address block.

Policy Example

#AOTR

Internet number resource policy must:• Enable fair and impartial number

resource administration• Be technically sound (providing for

uniqueness and usability of number resources)• Have support from the community

Policy Principles

#AOTR

Where do Policies Come From?Proposals for policy change can come from anyone, and follow a basic email template:

Proposals go to policy@arin.net

#AOTR

Policy Development Process (PDP)1) Proposal – Someone sends a Proposal to policy@arin.net using the approved

template

2) The Advisory Council (AC) Chair assigns AC shepherds• Shepherds manage the Proposal, working closely with the author(s) and

encourage feedback• To be accepted as a Draft Policy, a proposal must contain a clear

problem statement and be within the scope of ARIN's mission

3) Draft Policy- Work in progress, discussed on the mailing list and at Public Policy Meetings and Consultations• Once a Draft Policy meets the Principles of Internet Number Resource

Policy, the AC may recommended it for adoption

#AOTR

Policy Development Process (PDP)continued

4) Recommended Draft Policy – More discussion and presentation at meeting(s). Does the community support turning this into policy?

5) Last call6) Board Review and Adoption 7) Staff Implementation (NRPM)

#AOTR

PetitionsThe community may petition for or against several AC actions, including:• Against the rejection of a Proposal• Against the abandonment of a Draft Policy or Recommended Draft

Policy• For the movement of a Proposal to Draft Policy status• For the movement of a Draft Policy to Recommended Draft Policy

status• Movement of a Recommended Draft Policy to Last Call status

#AOTR

Open• Developed in open forums• Anyone can participate

Transparent• All aspects documented and available on

website

Bottom-up • Policies developed by the community• Staff implements, but does not make policy

Principles of the PDP

#AOTR

•A single community member can propose a policy change, or spark an important discussion in support or opposition to a potential change.

•Many significant policies have gone through the entire PDP with only a handful of voices speaking for or against them.

The Importance of Participation

#AOTR

• Purpose: reduce the minimum allocation/assignment size to /24 for all networks, whether end-user or ISP, and whether single or multi-homed.

• Discussion was extensive; many voices spoke up about how a minimum of /24 would help the community pre- and post- depletion, and PPML saw an extended last call.

• How Many Community Members Did it Take to Bring ARIN-2014-13 to Fruition?

Example: ARIN-2014-13

#AOTR

• Out of 1,850+ PPML subscribers:• Ten total contributors

• PPC at NANOG 61 Show of Hands• Total attendees/remote participants: 49• In favor: 16• Against: 0

• Board ratified 2014-13 in August 2014

• Staff implemented one month later

Twenty-six!

#AOTR

Recommended Draft Policies Under Board of Trustees Review

• ARIN-2016-3: Alternative simplified criteria for justifying small IPv4 transfers• Allows orgs to double holdings up to a /16 with 80%

prior utilization.

• ARIN-2016-9: Streamline Merger & Acquisition Transfers• Removes additional needs test for combined

resources of acquiring/acquired orgs

#AOTR

• Draft Policy ARIN-2017-1: Clarify Slow Start for Transfers

• Draft Policy ARIN-2017-2:Removal of Community Networks

• Draft Policy ARIN-2017-3:Update to NRPM 3.6: Annual Whois POC Validation

• Draft Policy ARIN-2017-4:Remove Reciprocity Requirement for Inter-RIR Transfers

• Draft Policy ARIN-2017-5: Equalization of Assignment Registration requirements between IPv4 and IPv6

Current Draft Policies

#AOTR

•ARIN doesn't create number policy, you do. It’s as easy as submitting a Proposal.

• Policy development includes assistance from the Advisory Council throughout the process.

• Stay informed. Join the policy list and/or attend meetings (in person or remotely).

Takeaways

#AOTR

• Policy Development Process (PDP)http://www.arin.net/policy/pdp.html

• Draft Policies and Proposalshttp://www.arin.net/policy/proposals/index.html

• Number Resource Policy Manual (NRPM)http://www.arin.net/policy/nrpm.html

References

#AOTR

Q&A

#AOTR

Securing Core Internet Functions – RPKI

Jon WorleyTechnical Services Manager

#AOTR

Routing – A Primer

#AOTR

Routing ArchitectureThe Internet uses a two level routing hierarchy:• Interior Routing Protocols, used by each network

to determine how to reach all destinations that line within the network• Interior Routing protocols maintain the current

topology of the network

#AOTR

Routing ArchitectureThe Internet uses a two level routing hierarchy:• Exterior Routing Protocol, used to link each

component network together into a single whole• Exterior protocols assume that each network is

fully interconnected internally

#AOTR

Exterior Routing: BGPBGP is a large set of bilateral (1:1) routing sessions• A tells B all the destinations (prefixes) that

A is capable of reaching• B tells A all the destinations that B is

capable of reaching

A B

10.0.0.0/2410.1.0.0/1610.2.0.0/18

192.2.200.0/24

#AOTR

What is RPKI?• Resource Public Key Infrastructure

•Cryptographically certifies network resources• AS Numbers• IP Addresses

•Also certifies route announcements• Route Origin Authorizations (ROAs) allow you

to authorize your block to be routed

#AOTR

Why is RPKI Important?•Allows routers (or other processes) to

validate routes as authorized

• Provides stronger validation than existing technologies, such as:• Routing registries• LOAs• “Seems legit” 119

#AOTR

Case Study: YouTube• Pakistan Telecom was ordered to block

YouTube• Naturally, they originated their own route

for YouTube’s IP address block

• YouTube’s traffic was temporarily diverted to Pakistan

•Could have been prevented with widespread adoption of RPKI

#AOTR

Case Study: Turk Telekom• Turkish President ordered censorship of

Twitter

• Turk Telekom’s DNS servers were configured to return false IP addresses• So people started using Google’s DNS (8.8.8.8)

• Turk Telekom hijacked Google’s IP addresses in BGP

•Could have been prevented with RPKI

#AOTR

Case Study: Bitcoin• Late 2013 & early 2014, Dell Secure Works

noticed /24 announcements being hijacked• Amazon, OVH, Digital Ocean, LeaseWeb,

Alibaba networks routed to a small network in Canada

• Data between Bitcoin miners and Bitcoin data pools intercepted• An estimated haul of $83,000

• Could have been prevented with RPKI

#AOTR

RPKI Basics• All of ARIN’s RPKI data is publicly available in a repository

• RFC 3779 certificates show who has each resource

• ROAs show which AS numbers are authorized to

announce blocks

• CRLs show revoked records

• Manifests list all data from each organization

#AOTR

Hierarchy of Resource Certificates

124

ICANN0.0.0.0/0

0::/0

ARIN128.0.0.0/8 192.0.0.0/8

Regional ISP128.177.0.0/16

Some Small ISP128.177.46.0/20

Other Small ISP192.78.12.0/24

LACNIC AFRINICRIPENCC

APNIC

#AOTR

Route Origin Authorizations(ROAs)

125

ICANN0.0.0.0/0

0::/0

ARIN128.0.0.0/8 192.0.0.0/8

Regional ISP128.177.0.0/16

Some Small ISP128.177.46.0/20

Other Small ISP192.78.12.0/24

LACNIC AFRINICRIPENCC

APNIC

128.177.46.0/20AS53659

128.177.0.0/16AS17025 192.78.12.0/24

AS2000

#AOTR

Current Practices

126

ICANN0.0.0.0/0

0::/0

ARIN128.0.0.0/8 192.0.0.0/8

Regional ISP128.177.0.0/16

Some Small ISP128.177.46.0/20

Other Small ISP192.78.12.0/24

LACNIC AFRINICRIPENCC

APNIC

128.177.0.0/16AS17025

192.78.12.0/24AS2000128.177.46.0/

20AS53659

#AOTR

Using ARIN’s RPKI Repository (Theory)

1. Pull down these files using a manifest-validating mechanism

2. Validate the ROAs contained in the repository3. Communicate with the router to mark routes:• Valid• Invalid• unknown

Ultimately, the ISP uses local policy on how to route to use this information. 127

#AOTR

Using ARIN’s RPKI Repository (Practice)1.Get the RIPE NCC RPKI Validator

128

#AOTR

Using ARIN’s RPKI Repository (Practice, continued)

2.Get the ARIN TAL• https://www.arin.net/resources/rpki/tal.html

3.Plug it in to your routing policy engine:• Directly to the router via RTR protocol• Using custom scripts and the REST API• As RPSL route objects 129

#AOTR

Putting Your Routes in the RPKI

1.Determine if you want to allow ARIN to host your Certificate Authority (CA), or if you want ARIN to delegate to your Certificate Authority.

2.Sign up with ARIN Online.

3.Create Resource Certificates and ROAs.

#AOTR

Hosted vs. Delegated RPKI• Hosted• ARIN has done all of the heavy lifting for you• Think “point click ship”• Available via web site or RESTful interface

• Delegated using Up/Down Protocol• A whole lot more work• Might make sense for very large networks

131

#AOTR

Hosted RPKI - ARIN Online• Pros• Easy-to-use web interface• ARIN-managed (buying/deploying HSMs, etc.

is expensive and time consuming)

•Cons• Downstream customers can’t use RPKI• Large networks would probably need to use

the RESTful interface to avoid tedious management• We hold your private key

132

#AOTR

Delegated RPKI with Up/Down• Pros• Allows you to keep your private key• Follows the IETF up/down protocol• Allows downstream customers to use RPKI

•Cons• Extremely hard to set up• Requires operating your own RPKI

environment• High cost of time and effort 133

#AOTR

Delegated with Up/Down• You have to do all the ROA creation

•Need to set up a Certificate Authority

• Have a highly available repository

•Create a CPS

134

#AOTR

RPKI UsageOct2012

Apr2013

Oct 2013

Apr2014

Oct2014

Apr2015

Oct2015

Apr 2016

Oct2016

Apr 2017

CertifiedOrgs 47 68 108 153 187 220 250 268 292

ROAs 19 60 106 162 239 308 338 370 414 470

Covered Resources 30 82 147 258 332 430 482 528 577 640

Up/Down Delegated 0 0 0 1 2 1 2 2

#AOTR

RPKI vs The Routing Table: Globally

#AOTR

RPKI vs The Routing Table: RIPE

#AOTR

RPKI vs The Routing Table: APNIC

#AOTR

RPKI vs The Routing Table: AFRINIC

#AOTR

RPKI vs The Routing Table: LACNIC

#AOTR

RPKI vs The Routing Table: ARIN

#AOTR

Takeaways• If you’re not using RPKI, you’re vulnerable

to route hijacking

• Plenty of readily available documentation regarding implementation details

• If we can help, contact us

#AOTR

Q&A

#AOTR

Everything You Always Wanted To Know

About IPv6

Richard JimmersonCIO

#AOTR

The Road To IPv6 Deployment• Why Move To IPv6 Now?• Obtaining IPv6 From ARIN• Dedicated IPv4 Block For IPv6 Deployment• IPv6 Address Plans• IPv6 Deployment Case Studies• IPv6 Resources

... and a few words about the current state of IPv6 adoption.

#AOTR

Why Move To IPv6 Now?• Being IPv4-only has costs• Transfer market, latency, CGN boxes, NAT

•Generally no additional cost for ISPs & fees recently lowered for end users

• IPv6 gives you access to a reserved IPv4 block• One IPv4 /24 per six month period 1

46

#AOTR

Requesting IPv6 - ISPs• Have a previous v4 allocation from

ARIN or predecessor registryOR

• Intend to IPv6 multi-home OR

• Provide a technical justification which details at least 50 assignments made within 5 years 147

#AOTR

IPv6 ISP Block Size• /48 typically assigned to customers• Might be smaller, e.g. /56, for residential

• /32 default generally sufficient• Enough to number 65k+ customers

• Larger blocks based on:• # of serving sites (PoPs, datacenters)• # of customers at largest serving site• Block size to be assigned 148

#AOTR

Requesting IPv6 – End UsersHave a v4 assignment from ARIN

OR

Intend to IPv6 multi-home OR

2000 IPv6 addresses/200 IPv6 subnets usedOR

Have 13+ active sites within 12 monthsOR

Technical justification showing ISP-assigned IPs are unsuitable 149

#AOTR

IPv6 End User Block Size

37

Number of Sites Block Size

1 /48

2-12 /44

13-192 /40

193-3,072 /36

3,073-49,152 /32

#AOTR

Reserved IPv4 for IPv6 Deployment• /10 reserved under policy in April 2009 • 60 /24s issued to date (99.6% remains available)

• Must be used to facilitate IPv6 deployment• Dual stacking key servers, NAT-PT/NAT464,

etc.

•Must have an IPv6 block

•One per organization every six months• /24 maximum size

#AOTR

Subnetting: IPv4 vs IPv6• The IPv4 mindset: think in terms of IP

addresses• “If a site has 50 devices, I give it a /26”

• The IPv4 mindset does not work for IPv6• Last 64 bits used for device

autoconfiguration• ... and we have a ton of IPv6 addresses.

• The correct IPv6 mindset: think in terms of subnets, not addresses

#AOTR

IPv6 Subnetting – NANOG BCOP• Each individual network segment gets a /64• A /64 can hold a near-infinite number of devices

• Subnet on nibble boundaries for DNS• /48, /44, /40, etc

• Addressing plans should be hierarchical, with each level using subnets of the same size• Each site gets a /48• Customers generally get a /48• PoPs/aggregation points sized based on largest

#AOTR

IPv4 Address Plan: End UserEnterprise Network

SJO Hub14 offices

/27 for each448 IPs

CHI Hub15 offices

/28 for each240 IPs

DAL Hub7 offices/28 for each

112 IPs

ASH Hub156 sites/27 for each

4,992 IPs

/23

/24 /24

/19

#AOTR

IPv6 Address Plan: End UserEnterprise Network

SJO Hub14 offices

/48 for each448 IPs

CHI Hub15 offices

/48 for each240 IPs

DAL Hub7 offices/48 for each

112 IPs

ASH Hub156 sites

/48 for each4,992 IPs

/40

/40 /40

/40 (256 /48s)

#AOTR

IPv4 Address Plan: ISPFTTH ISP Network

Denver Hub952 home users (1 IP

each)5 biz

customers (/29-/24)

= 1,952 IPs

Grand Junction Hub

214 home users

(1 IP each)= 214 IPs

Colorado Springs Hub497 home

users(1 IP each)

= 497 IPs

Ft. Collins Hub497 home

users(1 IP each)

4 biz customers (/29-/24)= 997 IPs

/21

/24/23

/22

#AOTR

IPv6 Address Plan: ISPFTTH ISP Network

Denver Hub1,027 total

users (home + business)

= 1,027 /48s

Grand Junction Hub214 total users

(home + business)= 214 /48s

Colorado Springs Hub

497 total users (home + business)= 497 /48s

Ft. Collins Hub506 total users

(home + business

= 506 /48s

/36 (4,096 /48s)

/36 /36

/36

#AOTR

Anatomy Of An IPv6 Address

2001:0DB8:3007:000A:B9D3:284A:83E2:90DB

/32 from ARIN

Hub /360 = Denver1 = Grand Junction2 = Colorado Springs3 = Ft. Collins4 = Future Hub... etc

Site /48001 = Ft. Collins Site 1002 = Ft. Collins Site 2....007 = Ft. Collins Site 7

Subnet /640001 = Subnet 10002 = Subnet 2....000A = Subnet 10

Device /128Autoconfiguredwith MAC Address

#AOTR

IPv6 Deployment Information• ISOC’s Deploy360 program has 16

detailed case studies covering:• ISPs• Hosting providers• Enterprise businesses• Universities• Governments

•ARIN’s IPv6 Wiki• DNS, tools, translation services, etc

#AOTR

IPv6 Info Centerwww.arin.net/knowledge/ipv6_info_center.html

41

www.GetIPv6.info

www.TeamARIN.net

#AOTR

How Far Are We In IPv6 Adoption?

Depends where you look...

• How many networks have an IPv6 block?• How many networks are routing IPv6?• How much traffic is using IPv6?

#AOTR

Percentage of Members with IPv6

162

34.10%

52.83% 52.87%

87.55%75.11%

0%10%20%30%40%50%60%70%80%90%

100%

AfriNIC APNIC ARIN LACNIC RIPE NCC

#AOTR

Customers with IPv4 & IPv6

163

2,467

2,420

449

RSP

6,432

1,780

295End Users

IPv4 Only IPv4 & IPv6 IPv6 Only

#AOTR

IPv6 Adoption by ISP Size

0%10%20%30%40%50%60%70%80%90%

100%

ISPs with IPv6 ISPs without IPv6

#AOTR

IPv6 Requests Since Depletion

165

------- = IPv4 depletion

0

20

40

60

80

100

120

#AOTR

Routing Table Growth

IPv4 – First 14 Years IPv6 – First 14 Years

#AOTR

Google’s IPv6 Traffic Growing

167

#AOTR

Facebook & Akamai

#AOTR

Discussion: IPv6 & You•Do you have an IPv6 block from ARIN? • If so, how was the process?

• Have you deployed IPv6?• If not, do you plan to? Are there blockers?• If so, how is it working? Any experience to

share?

•What can ARIN do to help you with IPv6 deployment?

#AOTR

Q&A

#AOTR

• You make ARIN’s Internet number resource policy

•Apply for IPv6 addresses and get started

•Consider implementing DNSSEC & RPKI

• Reach out to us with questions and suggestions -engage

Today’s Takeaways:

#AOTR

https://www.arin.net/participate/meetings/fellowship.html

#AOTR

Fill out & submitthe survey for your chance to win a $100 Amazon Gift Card!