ARIN 55 Day 2 Recap

By Christina Paladeau – Social Media and Content Specialist

Welcome back for your Day Two recap of the ARIN 55 Public Policy and Members Meeting in Charlotte, North Carolina, and online via Zoom. Today’s highlights included reports from ARIN Community Grant recipients, presentations by ARIN staff, the second policy block of the meeting, and updates from each of the other Regional Internet Registries (RIRs). Thanks to everyone who has joined us so far — we’ll see you again tomorrow at 9 AM ET for the final day of the meeting.

If you wish to participate in the meeting proceedings, it’s still not too late to register.

A Hive of Activity

Setting up the game plan for the day, Director of Communications Hollis Kara welcomed all attendees, encouraged active participation in the policy discussions, and introduced the Day Two agenda which primarily focuses on ARIN accountability and how we are using our resources to benefit the community. After recognizing our meeting sponsors, Hollis took a moment to honor former ARIN Chief Financial Officer Bob Stratton, who passed away on this day 12 years ago; we remembered him as the heart of our community and gave a round of applause in memory of Bob.

She then turned the stage over to Chief Technology Officer Mark Kosters, who presented the report from the Engineering Department. He reviewed all the services ARIN provides and highlighted recent statistics, software releases, operational improvements, ARIN’s data center move and database update, and upcoming planned public enhancements.

Follow-up questions focused on plans to automate manual processes to reduce opportunities for human error, the geographic diversity of the new data center(s), how ARIN measures ROI of improvements, and more were answered by Mark, Chief Operating Officer Richard Jimmerson, and Chief Experience Officer John Sweeting. Comments on the importance of advance notice of deprecations and positive feedback on the ROI of ARIN’s Resource Public Key Infrastructure (RPKI) services were also provided by Kevin Blumberg, The Wire Inc., and Louie Lee, Google Fiber, respectively.

Then we heard the update from Chief Information Security Officer Christian Johnson. He shared an overview of InfoSec goals and roles at ARIN, updates on our security training, email reporting, and internal response drill efforts as well as our System and Organization Control (SOC) 3 and Payment Card Industry Data Security Standard (PCI DSS) compliance initiatives. Christian also reviewed roadmap impacts on security, highlighting the action taken in response to community discussion at a previous ARIN meeting about removing outdated services for the sake of ARIN’s cybersecurity posture. The recent removal of outdated Secure Socket Layer (SSL) and Transport Layer Security (TLS) cryptography on public resources and retirement of File Transfer Protocol (FTP) has already reduced vulnerabilities, and our migration to Kubernetes and subsequent data center move will continue to do the same.

In response to a follow up comment that the cost of certification beyond the SOC 3 that ARIN currently holds should be borne by the few individual organizations demanding it, John Sweeting highlighted ARIN’s Premier Support Plan (PSP) as an option for such customers. ARIN 55 Fellow Atefeh Mohseni asked how AI is influencing ARIN’s InfoSec operations, and Christian explained that ARIN is monitoring emerging threats and taking advantage of new technologies without rushing to fad solutions.

Brad Gorman, Director of Customer Technical Services, was up next with his presentation on routing security. Along with reviewing the Resource Public Key Infrastructure (RPKI) services ARIN offers, he gave updates on global RPKI activity, adoption and coverage rates in the ARIN region, and new and upcoming features for ARIN’s services, including Route Origin Authorization (ROA) edit feature and Autonomous System Provider Authorization (ASPA) object support. Brad also discussed the Number Resource Organization (NRO) RPKI Program, sharing what the program learned from the community and accomplished in 2024 — gaining a better understanding of how a global RPKI ecosystem should look and feel, better measuring the robustness of the RPKI system as a whole, and how to keep the technical community informed and engaged and to address RPKI-related concerns in a coordinated way — and what it is aiming for in 2025.

Comments and questions sparked by the Routing Security Update included: interest in ARIN’s RPKI trainings; tools available to generate RPKI validity data for users (with Advisory Council Member Alison Wood recommending and offering to demo the ThousandEyes platform for community members who want to monitor their RPKI); ARIN’s strategy to reach the 85 percent of organizations that don’t already have or use RPKI services; the importance of quality (aka accuracy) over quantity of signed routes; and the view that RPKI should become an opt-out service instead of an opt-in service in order reach higher adoption rates.

Want to help the NRO RPKI Program make progress towards its 2025 goals of: improved transparency, robustness, and security of the RPKI system; increased consistency of the RPKI system user experience; and keeping the technical community informed and engaged throughout the process? Email rpki_program@nro.net to share your insights on the main barriers or obstacles hindering RPKI adoption that could be solved (or at least improved) through better coordination and collaboration among the Regional Internet Registries.

Rounding out the day’s first batch of presentations, CTO Mark Kosters returned to the podium to demystify ARIN’s Trust Anchor, covering: the RPKI ecosystem and trust anchors; RPKI certificates; ARIN’s structure for ARIN-issued resources; why the Trust Anchor is important; and the signing process.

Research and Registries

After a short break, ARIN Project Manager Amanda Gauldin shared an update on the Fellowship and Grant programs as well as ARIN’s ongoing outreach efforts, including a look at industry events attended by ARIN staff. The ARIN Community Grant Program has awarded nearly US$270,975 so far in support of 23 projects; past project reports are available on the ARIN Blog, and we got a firsthand look at the two projects currently underway as the 2024 grant recipients presented reports following Amanda’s presentation.

First, Dr. Amreesh Phokeer, Internet Measurement and Data Expert for the Internet Society, reported on “Exploring Potential Use Cases of RPKI Signed Checklist (RSC) Under RFC 9323.” He explained the RSC — a new type of RPKI object that came out in late 2022 and allows resource holders to sign arbitrary files or documents with a set of Internet number resources — along with its creation and verification processes and the potential use cases for this resource ownership verification. Amreesh shared the results collected so far in a survey on awareness, potential applications, challenges, and legal considerations related to RSCs among network operators, enterprises, and cloud providers, and he encouraged community members to share their responses to help shape best practices, inform discussions, and guide further standardization efforts.

Read more about these projects in this blog post: Announcing the 2024 ARIN Community Grant Recipients.

Then, Alex Deacon, Senior Research Fellow at the DNS Research Federation (DNSRF), discussed the project “Mitigating Internet Abuse Through IP Addresses: A Data-based Analysis.” He provided an introduction to DNSRF and to the project and its research questions, followed by a review of the methodology and indicators it is employing to reach its conclusions. So far, those conclusions indicate that: malware IP address abuse is significant and on the rise; the Asia-Pacific region accounts for the majority of reported IP-based abuse; and country results may benefit from scaled metrics based on population size versus absolute numbers.

Interested in applying for an ARIN Community Grant for your project that benefits the Internet community in the ARIN region? The 2025 application period is open now through 18 June! Visit arin.net/grants for more information and the application.

Next, we heard updates from each of the four other Regional Internet Registries (RIRs), presented by our colleagues: Willy Manga, Deployment Ops Engineer, AFRINIC; Vivek Nigam, Regional Manager for Member and Registry Services, APNIC; Alfredo Verderosa, Chief Services Officer, LACNIC; and Alastair Strachan, Community Development Officer, RIPE NCC. It was great to hear what our fellow RIRs are up to in their respective regions and acknowledge the hard work going on in support of Internet security and stability around the world.

Before heading into the second and final policy block of ARIN 55, we paused for lunch — one of the numerous break times throughout the meeting during which in-person attendees could stop by the Customer Service Desk to get questions answered and get support for any resource requests they’re currently working on or planning to submit.

Policy Block

The meeting’s policy discussions, which began yesterday, continued as Advisory Council members presented each of the following draft policies and ARIN Board of Trustees Chair Bill Sandiford opened the floor for community members to provide input and ask questions.

• Draft Policy ARIN 2024-5: Rewrite of NRPM Section 4.4 Micro-Allocation presented by Chris Woodfield
• Draft Policy ARIN 2025-1: Clarify ISP and LIR Definitions and References to Address Ambiguity in NRPM Text presented by Leif Sawyer
• Draft Policy ARIN 2025-2: Clarify 8.5.1 Registration Services Agreement presented by Gus Reese
• Draft Policy ARIN 2025-3: Change Section 9 Out Of Region Use Minimum Criteria presented by Doug Camin

A Team Effort

Once the policy discussions concluded, we turned our attention to more organizational updates, beginning with the Chief Experience Officer Update from CXO John Sweeting. He shared an overview of ARIN’s expanded CXO organization — which has evolved to reflect our deepening commitment to customer success and Internet trust — along with its reporting departments, goals, external impact and engagement wins, and internal efficiency and service improvements.

Registry Integrity & Oversight (RIO) Manager Reese Radcliffe then presented his update on: the registry threat landscape; ARIN’s integrity mission; the RIO team formation; Org Create changes; oversight activities; fraud deterrence; and community partnership. John Sweeting followed up to emphasize that the RIO team emerged out of John Curran, ARIN President and CEO, and the Board requesting increased focus on data accuracy and to highlight the value of Number Resource Policy Manual (NRPM) Section 12: Resource Review actions in protecting the registry and users’ data.

John Sweeting returned to the podium to share an IPv4 Transfer Services Update, reviewing transfer types, trends and challenges, along with practices and community resources for improving the transfer process, which include ARIN’s Qualified Facilitator program. He made special note of the recent reductions in transfer times, particularly the 72 percent decrease for 8.2. (Mergers, Acquisitions, and Reorganizations) transfers.

After one more break to keep the energy up, we rounded out the afternoon with a couple more updates. First, John Sweeting stepped in for Director of Customer Experience and Strategy Joe Westover to provide an update on ARIN Agreements, explaining the timeline of legacy resources, the benefits of an ARIN Agreement, and the Legacy Registration Services Agreement (LRSA). A follow up question addressed the fee structure for legacy resources not under agreement, with John Curran providing clarification that fees are not charged for these resources and the limited set of services available for them. He also noted that the permanency of the ARIN Agreement rather than the Registration Services Plan Fee Schedule for resources under agreement seems to be the primary blocker to bringing more resources under agreement, explained that legacy is a status of the block and the party holding it, and directed the community to the Board members at the meeting for further discussion the topic further.

Then we heard about data accuracy in the ARIN registry from Brad Gorman, who discussed the importance of accurate registry data, gave an overview of ARIN’s data accuracy program, and reviewed its current progress, initiatives, and future direction.

The final presentation of the day was actually a four-part report on ARIN’s outreach and engagement strategies. Hollis Kara stepped in for Joe Westover and kicked it off by explaining why outreach matters, ARIN’s outreach priorities and focus areas, and the outcome of strong outreach. Then we got a deeper look at ARIN’s three engagement strategies, starting with Government Affairs. Senior Government Affairs Analyst Nate Davis explained with whom ARIN interacts and on what topics we engage, along with the why, where, and how of this activity. Up next was Trust and Public Safety, with Senior Director Leslie Nobile discussing this strategy’s importance, the relevant stakeholder communities, and her key areas of focus. Finally, Director of Caribbean Affairs Bevil Wooding closed out this report and the Day Two presentations with his overview of ARIN’s Caribbean initiatives — why they matter, key target stakeholder groups and strategic partners, and the top three areas of strategic focus for engagement in the Caribbean.

In response to the Outreach and Engagement presentation, ARIN 55 Fellow Caleb Ogundele commented on the importance of working with civil servants as opposed to government leadership, since there can be frequent turnover with officials, with Leslie confirming that the outreach team includes that in their strategy. He also asked Bevil how ARIN can support the Caribbean technical community during emergency periods. John Curran replied by emphasizing ARIN and CaribNOG’s work in promoting resilience to natural disasters and explaining that, while there is not truly a role for ARIN in emergency situations, on occasion fees have been waived for impacted customers. Another ARIN 55 Fellow, Altie Jackson, asked about increasing engagement in the Caribbean, which Bevil addressed by explaining ARIN’s current focus on underserved territories and places that specifically request support.

John Curran and Board Vice Chair Tina Morris hosted a lively open mic session at the end of the day and fielded questions and comments on topics ranging from the caliber of the Fellowship Program, ARIN Agreement signing cases where legal names differ from preferred names, and ROAs for 4.10 space, to CGNAT as justification for 4.10 space, new ways for community discussion beyond meetings and the Public Policy Mailing List (PPML), and ARIN’s migration to Kubernetes. Hollis Kara closed with final announcements and adjournment to conclude Day Two of ARIN 55.

An Evening of Discovery

Last night, in-person attendees had the opportunity to socialize with each other, continue discussions sparked by the meeting, and explore interactive exhibits, inspiring experiments, and fascinating displays that bring science to life at the Discovery Place Science museum in Charlotte.

To reference anything that has been presented during the meeting so far, visit our ARIN 55 Meeting Materials page. All slides have been posted there, and we will be adding transcripts and webcasts soon, too. We encourage you to continue posting on X, LinkedIn, and Facebook with the #ARIN55 hashtag, and we look forward to the third and final day of the meeting tomorrow.

Recent blogs categorized under: Public Policy

• ARIN 55 Day 1 Recap
• Sustainability at ARIN Meetings
• Get to Know the Draft Policies Up for Discussion at ARIN 55
• ARIN 54 Day 2 Recap