ARIN 48 Public Policy Meeting, Day 2 Transcript - Wednesday, 20 October 2021

This transcript may contain errors due to errors in transcription or in formatting it for posting. Therefore, the material is presented only to assist you, and is not an authoritative representation of discussion at the meeting. If additional clarification and details are required, videos from our original webcast are available on our YouTube channel.

Public Policy Meeting, Day 2 Opening Announcements

Jennifer Bly: Hello, everyone. Come on in. Take your virtual seat. Great to see all the familiar names and quite a few new ones here as well. Glad to have you with us whether it’s your first ARIN meeting or 48th.

This is the second and final day of our Public Policy portion of ARIN 48 with an Election Forum and Members Meeting to come at later dates.

Go ahead, move on to the next slide. Welcome to the ARIN Board of Trustees. We’re glad to have you here today. And we give you a virtual nod. Thanks for all you do for ARIN.

Moving on. Same for the ARIN Advisory Council. Thanks for everything you do for ARIN as well. We are glad to see you today. Thanks for being here and hats off to you.

And the NRO Number Council as well. Hello and welcome to the meeting. Great to have you here and have you participate as well.

So I’m sure you’ve been at a million Zoom meetings by now, and you’re a pro. So I’m just going to very briefly take you through how to make the most of the platform for this meeting. You may find the Q&A panel a little bit different than some other webinars you’ve been to.

So we’re going to be using the chat for informal conversations amongst other attendees, which I already see you’re doing great at. And then if you have something you’d like to put on the record and you want to be sure that the presenters see, you’ll just go down to the bottom of your Zoom pane and click on the Q&A tab.

That will take you to where you can put in your question and it will be read into the meeting if you do that. Or if you have a more lengthy contribution, please go ahead and raise your hand. That little button also on the bottom, that will put you into the queue to have the opportunity to unmute your mic and speak to everyone yourself.

In any case, as usual, please remain professional. Stick to the topic at hand. And follow the ARIN Standards of Behavior.

When you use the chat, Zoom will default to the panelists only. Change that setting to “everyone” if that’s your intention.

Our Board of Trustees Chair will be moderating the questions. And as always, be sure to type or if you’ve raised your hand and are speaking, please speak your name and affiliation. Very important.

Just a few more points of information. We are recording this meeting and it is being live streamed in real time. And you can refer to any of the slides that you will see today. And the transcripts are available as well.

As you’ve probably already noticed, the meeting website has not only the registration but lots of other goodies. You can feel free to check those out as well, including the agenda, speakers and much more for each of the meeting days.

So with that I’d like to thank our Network Connectivity Sponsors, USI and Lumen. Thank you.

Now, at a very high level on the agenda for today we have a report from our Government Affairs Department, four more project reports from the community grant recipients and then we get into the highly anticipated policy block during which three draft policies will be on the floor for discussion.

And then on the second agenda slide here, you can see that we’ll finish up the day with a series of updates from our Registration Services Department, the Number Resource Organization, the NRO NC and Board Chair.

Rounding out the day we’ll have another Open Microphone session. And during that, you can feel free to ask any questions or bring any topics up that you would like.

As you can see we have a great day in store for you. And I’ll get started by introducing our first presenter of the day, Einar Bohlin. He’s going to give us the Government Affairs Department Report. I can let you take it away, Einar.

Government Affairs Department Report

Einar Bohlin: Can you see and hear me? I’m Einar Bohlin, the VP of Government Affairs. Next slide, please.

This is the table of contents. We’ll talk about the composition of the team. We’ll see the areas of focus of the department. We’ll dive down a little bit into activities in the Caribbean, law enforcement and public safety activities and international Internet regulation engagement. And then a look at 2022.

Next, please. This is the team today. Myself, Leslie Nobile, who is the Senior Director of Trust and Public Safety, and Bevil Wooding, who is the Director of Caribbean Affairs.

As you’ll note, I’m not Anne-Rachel Inne. She left last month to go to the ITU. She’s the Director of the local office in Africa in Addis Ababa in Ethiopia. She was with us for about four years. I think she left way too soon. But I am wishing her all the success at the ITU.

And as everyone knows, you can never really leave the RIR system. We’ll still be working with her closely. And she will still have the wishes of the RIR system in her mind.

Next slide, please. Areas of focus. I’ve taken this text from a document that was published in March of this year. It came from the Board of Trustees. And these were the areas that really resonated with me as what this department, the Government Affairs Department, does and should do.

So we protect the multi-stakeholder approach, the PDP, and essentially promote and protect the RIR system. And within that we strive to improve the accuracy and trust of the registry system, and we engage with governments to support their needs and to keep them informed of the perspectives of our community.

And as an entire section of the directives from the Board, there was this section devoted to outreach and engagement in the Caribbean – to support the strengthening and resiliency of the Internet infrastructure, to have strong government relations in that region, and to make sure that our services are well known to the Internet community in the Caribbean.

Next slide, please. Caribbean Affairs. Bevil Wooding, as noted, is the Director. He’s been strengthening and maintaining the relationships with governments and industry groups, including the ones listed here such as the CTU, CANTO, OECS, CARICOM, CaribNOG. And I just learned about a new one this morning called APEX. I’ll give you more information about it in a moment.

The engagement areas here that are in bold were items, were activities that were hosted or co-hosted by ARIN, and as a result there is a blog that Bevil Wooding did on the ARIN website. So you can read about the outcomes of those activities.

The upcoming event – it was upcoming yesterday, but it was a two-day event and it started this morning, 9:00 to 12:00. This is the ARIN-Caribbean Agency for Justice Solutions, a jointly-hosted forum for judicial officers and legal professionals.

This morning there were about 50 judges and justices, not only from the Caribbean but from the U.S. as well. And that’s really something that we want to focus on going forward is to make sure that events that we do, that the department leads, are actually – that it’s well known that they’re open to all governments in the ARIN service region.

There was a fabulous keynote this morning about ICTs and their use in court systems. And I think it was important to remember from that keynote that it isn’t the use of ICTs, it’s not the judges or even the lawyers that are important to the users of the judicial system. When people go to courts, they want justice. And so I thought it was really interesting that the keynote spoke about how it should be outcomes that drive our activities. And I take that to heart.

Themes that we see over and over in discussions in the Caribbean include digital transformation, security and resiliency, and capacity building initiatives.

Next slide, please. So I just mentioned digital transformation. And that’s of course a buzzword today. It’s about getting economies online and reaping the benefits of citizens having access to the Internet, businesses getting online, governments getting online.

And an interesting statistic is that for the United States, in 2018, 10 percent of the GDP was accounted for by Internet activity, Internet business. And so, in other words, the U.S. GDP was over 20 trillion. And $2.1 trillion was created through Internet business.

Everybody wants their share of – they want their GDP to go up and they want their share of GDP to be boosted by Internet activities.

Another statistic I have here is from – came about from a question from a colleague at a meeting a couple weeks ago, who asked me if I knew if the Internet had stagnated or retreated or increased because of COVID.

And I just Googled it. And I had a feeling, just by reading the media, we knew people went online because of COVID. But what real impact was seen? And an article that came up right away was the statistic about the growth of peak traffic. It was consistent from 16 to 19, 30 percent per year. And last year peak traffic grew 47 percent. And I think that shows the resiliency of the Internet and just how important it is.

Next slide, please. This is another main focus of the department. Leslie Nobile works closely with law enforcement and public safety organizations to help them gain a better understanding how the Internet registry system works and how services and tools may be able to help them accomplish their missions.

Some of the engagement here is with the FBI, Department of Justice, the Canadian RCMP, Europol and Interpol. And if you look at this first bullet, the M3AAWG is pronounced “mog” – the Messaging Malware Mobile Anti-Abuse Working Group. And Leslie has been engaged there. She’s actually a co-Chair of the Names and Numbers Committee.

This group was very interested to hear about ARIN activities regards RPKI and IPv6 policies as well. And part of the engagement is to let them know, for example, this group and others, what ARIN does, what we can do and what we can’t do. And those are important messages that we do no matter where we go.

Upcoming. I’d like to highlight that, with this ARIN 48 meeting and straddling three weeks, on the fourth of November, the department – in particular Leslie who has done the bulk of the work getting this organized – we’re having a keynote and a panel on cybersecurity and the Internet. So please be sure to tune in on the fourth.

Themes, when we engage with law enforcement and public safety have included data governance, which specifically refers to data privacy, accuracy and access, critical infrastructure, Internet infrastructure protection, anti-abuse, cybercrime, cybersecurity – these are all right at the top of law enforcement and public safety’s agendas and priorities.

Next slide, please. Government engagement. International Internet regulation. So this is the third area after Caribbean affairs and law enforcement and public safety. And this is the area that I’ve been personally the most involved with.

And most of that activity has been, to be honest, at CITEL and the ITU. CITEL is the local telecom organization for the Americas. It’s part of the organization of American states. And it is a telecom organization for Canada, the U.S., Central and South America, and the Caribbean. And a lot of its work feeds into the ITU. The ITU of course being the International Telecommunication Union.

The ITU has three main parts – the R sector, which is about media spectrum and satellite orbit spectrum, they call it.

There’s the D sector, which is the development sector, and the T sector, which is the telecom standards sector.

I’ve got three bullets here. The D sector, the development sector, is focused on meaningfully connecting the unconnected. And we support that role. These discussions give us plenty of opportunity to promote IPv6, which is also an ITU goal all by itself.

We don’t have much to do with the R sector, radio and satellite, at least not yet.

We have engaged with governments at the ITU on telecom standardization. The T sector part, developing standards – backing up a sec. The ITU is a non– not non – the ITU is a governmental standard development organization. So it’s mostly governments making tech standards for telecom. They used to be focused on telephone, telegraph, radio, et cetera. But they are looking at the Internet very hard. They also allow sector members and industry to participate.

And in 2018 a sector member came with a proposal for the ITU-T to develop standards, protocols and architecture for a new parallel Internet and this was referred to at the time as “New IP.” The proponent, to help illustrate what he was talking about, said think of the current Internet as the Post Office. You can write a letter, stick it in the envelope, put a stamp on it, put it in the mail and it will get to its destination. “That’s this current Internet,” he said.

And New IP is like FedEx, it will bring lots of new potential services for guaranteed delivery, access control, many different things that the proponent said are desired in the future Internet. And he was careful to clarify that these are parallel networks and New IP isn’t intended to replace the current Internet but run alongside it.

After a couple of years of discussions, where this topic came up, New IP, no consensus to formally adopt this and work on it was taken. However, it’s not going to go away. We continue to see proposals for work and things at the ITU that don’t say New IP, but are related to something new, they’re just continuing to come in different directions with smaller pieces.

I have STIR and SHAKEN here, which is a completely different topic. STIR and SHAKEN come from the IETF. They’re protocols to help mitigate spoofing. I think everybody is probably familiar with getting a phone call where a number or text displayed has nothing to do with who is actually calling.

The IETF has done work to help mitigate that. As a matter of fact, Congress told the FCC to make STIR and SHAKEN happen in the U.S. And there are FCC milestones for implementation. The first one was for large mobile operators to implement STIR and SHAKEN last month, in September. Many of them did. And they’re doing it, and it’s having an effect already.

Now, the reason STIR and SHAKEN is here under the category of CITEL and the ITU is that for international STIR and SHAKEN to work, there needs to be coordination by someone. And the ITU has a role with telephone numbers. They’re a registry, actually, for country codes, and many other numbers regarding mobile telephony.

And they have a role in number misuse and calling party number delivery, which is essentially what spoofing is violating. So the ITU is looking at STIR/SHAKEN, early stages, but they’re looking at it.

The department is monitoring – so it’s not engaging onsite – the following categories. At the UN they’re working on essentially a cyber warfare treaty. The U.N. Office of Drugs and Crime is working on a cybercrime treaty. They’re supposed to have their first meeting in January.

The department’s looking at GDPR and possible amendments and the network information security initiatives, the NIS1, which exists today, and the proposed NIS2 might have impacts on the net.

Congress has multiple bills that would require reporting cyber incidents. That might have an impact on us and ISPs. Data privacy, there’s nothing at the federal level. It’s being left to the states – looks like California is driving that the most. But there are a dozen other states, including Virginia, that have their own data privacy laws.

And in Canada we’re looking at a proposed copyright law. The reason for that is that it includes Whois – Whois being recognized as a tool to figure out who is infringing on copyright. And their data privacy law is called PIPEDA – I forget what that stands for – but if that is amended, we would be interested in keeping an eye on that.

And themes with governments include critical infrastructure laws and regulation, a different flavor of data governance. At this level you have data sovereignty, privacy, and concern about cross-border flows. Digital transformation and cybersecurity are also government priorities.

I see in the chat, the definition of PIPEDA. Thank you to our Canadian friends.

Next slide, please. A view to 2022. So first of all, I’m not even going to hazard a guess about whether we go back to normal. I thought we would be further along in 2021. So since I would have been completely wrong last year, I’m just going to skip that piece. There are supposed to be a whole bunch of meetings next year. Whether they’re in person or hybrid or remote participant only remains to be seen.

In any case, the department is going to work to strengthen relationships with the governments in our region to make sure that their best interests are best served.

We’re going to – Bevil has done outstanding work in the Caribbean. And we’re looking at that model of engagement. And we’ll make sure that governments in our entire region know that they can participate and that they’re welcome and invited to those events. And finally we’re going to look to increase monitoring of Internet-impacting legislation, regulation of policy development in Canada, the Caribbean, the U.S. and other regions, because policy changes and regulation changes could affect ARIN. They could affect operations of our customers. Could cost you money, essentially, to abide by them.

Next slide, please. Here’s my takeaway slide. Thank you very much for the slide deck format. It was very fun to follow this time.

The team is strengthening relationships with governments and Internet industry organizations to make sure community interests are understood and taken into consideration.

I think I’m at the end. Next slide. Thank you very much for the time. And if there are any questions, I’d be more than happy to address those.

Beverly Hicks: Thank you very much. At this time, if anyone has questions, remember that you can raise your hand or type them in the Q&A box. Remember to include your affiliation please for the record.

I’m holding for a minute to see if anyone is typing away.

While I’m waiting, I’ll thank you, Mr. Einar Bohlin, for our Government Affairs update. Looks like there’s no questions. Must be perfectly clear.

Einar Bohlin: If there are no questions, I’d like to let people know you can reach me directly. I’d be happy to touch base and talk about any of these topics at any time. Thank you very much.

Beverly Hicks: Fantastic. Thank you so much.

Grant Program Recipient Presentations

Beverly Hicks: All right, yesterday we heard from Jennifer Bly regarding our grant recipients, and we had the much-awaited second half of those recipient program updates. We’ll continue with those now. We have four additional updates today.

And I thank Ted for continuing to do the introductions for those. And I will get that started right now. Thank you.

Voiceover: First, we’d like to welcome Glenn McKnight and Alfredo Calderon from the Virtual School of Internet Governance.

Glenn McKnight: Good day. It’s Glenn McKnight and Alfredo Calderon. We’ll talk to you about the Virtual School of Internet Governance. This is our second year of funding support. We’re very grateful to the ARIN community for supporting this program.

Let me tell you a little bit about VSIG. VSIG is a team. Our team consists of Glenn McKnight, Lillian, and Alfredo. All three of us work hand in hand to deliver the program.

So this is a very brief description of what we’re doing. It’s a comprehensive program. We use a program called Moodle and it’s a comprehensive program delivering from registration to delivery of the course.

This is a quick overview of the Org chart. We have on top an Advisory Council, and myself and Alfredo have different responsibilities to deliver the program.

Let me tell you the vision. It’s to create and promote a comprehensive free online capacity-building program on Internet governance for anyone anywhere.

What’s our mission statement? To create a multilingual online training platform that allows novice and advanced students to learn the basics of Internet governance, in addition to learning to network globally, exchange information, and improve their knowledge without any geographic or economic barrier.

Our objectives and student benefits are very clear in the program. I want to stress, this is a free program, and we are dedicated to keep it free forever.

I’ll turn over to my colleague, Alfredo, to talk about where our students are from and other details.

Alfredo Calderon: I’m Alfredo Calderon, the co-founder of this Virtual School of Internet Governance.

As you can see on the map we have a distribution of the participants we’ve had so far, which consists of 407 actual participants. You can see we cover the ARIN region – North America, including Canada, the United States and Puerto Rico, and the Caribbean islands as well.

Next slide, please. Here you can have an idea. We’ve had so far a seven percent participation from North America, which we seek to increase. The majority of our participation is from Africa and Asia-Pacific. And we have a small group as well from Latin America.

Having said that – next slide, Glenn – this gives you an idea of the 36 past guests we’ve had, including ARIN. Leslie Nobile has participated as an invited guest. And we plan to have more participation from ARIN in future sessions.

Next slide, Glenn. This gives you an idea of the participant survey results. 95 percent of all of them are pleased or very pleased with the course.

Back to you, Glenn.

Glenn McKnight: Thank you. We have two tracks currently. We have the Spanish track, you can see on the left. And that starts on September 13. And the English track, group E, in English starting on September 6. And both programs are full.

We have an extensive selection process of selecting our fellows into our program. And this multilingual program, as I stated before, it’s one of our commitments.

We have other languages on stream for ‘22. Portuguese and French are two of the languages we’re looking at. And other languages that are coming in the future will be Hindi, Bengali and Chinese.

So we’ve had some great testimonials, Lavash is an example, thanking us for our hard work and benefitting all the graduates.

If you’re interested in getting in touch with us, here’s our email addresses and website. We more than welcome any of your questions or queries.

Over to you, Alfredo.

Alfredo Calderon: I want to emphasize that we are available via our email account, and you can our visit website and keep up with what the Virtual School of Governance is all about. Thank you for your sponsorship, and we hope to hear from some of you. Thank you.

Voiceover: Our next recipient is Job Snijders with his project, RRDP Support for rpki-client.

Job Snijders: Hello, everyone. I’m Job Snijders, I’m a principal engineer at Fastly, and today I want to share with you an update on a project that happens in the OpenBSD community, specifically the implementation of RRDP and rpki-clients.

RRDP is a fairly new means to synchronize RPKI data from the signing entities towards the relying parties, the validators.

What makes RRDP stand out it was designed to distribute to crazy amounts of relying parties through the use of http and http caching.

There were a few challenges implementing RRDP. The RRDP RSYNC is a little bit thin on how exactly RRDP and RSYNC, the other synchronization protocol, should actually exist.

There’s very little guidance on how a software application can implement the two synchronization protocols working together. But we figured out some cool tricks.

Other things that were noteworthy in the implementation of RRDP was the bloated use of XML. XML doesn’t really serve much of a purpose in RRDP other than that it’s a sort of a very expensive field delimiter. Finally what surprised me is that there are data inconsistencies possible in RRDP.

In the RRDP protocol there are no inherent mechanisms to confirm the integrity or completeness of the data being transferred. Despite RRDP running over https, the RRDP data is unauthenticated and unsigned.

So whatever you receive via RRDP should always be taken with a grain of salt. And the cryptographic reality needs to match up to what you see in RRDP.

rpki-client, the OpenBSD validator, stands out from other validators in that it’s the only validator that uses process privilege separation to really split out the different tasks that exist in a validation run into different sub-processes. And each sub-process is further restricted or constrained to specific groups of system calls.

So this means that the http sub-process can talk to the Internet and do, for instance, DNS look-ups, but the XML RRDP parser is not able to connect to the network and only has access to specific pipes.

And all of this activity exists to limit our risk surface in case a software defect slips into our software and to sort of restrict the blast radius of potential problems.

The RRDP implementation in OpenBSD was made possible by the ARIN Community Grant for which we’re thankful.

The implementation, I think, positively impacted the RPKI ecosystem. Because of the OpenBSD implementation, we uncovered various CA repositories where load balancers were misconfigured in such a way that it would lead to data inconsistencies for RRDP clients. We uncovered some junk data that should not exist in RRDP feeds.

All in all, I would argue that the OpenBSD validator has positively impacted the ecosystem and contributes in terms of diversity and perspective on how these protocols should work.

So my recommendation to all CA operators is, if you’re serving your RPKI data via RRDP, please also take a look at the OpenBSD validator to confirm that your implementation aligns with our understanding of the specifications.

Thank you for the grant and your patience. And until next time.

Voiceover: Thanks so much. Next we will hear from Phil Roberts with the CrypTech Project.

Phil Roberts: Hi, I’m Phil Roberts here to represent the CrypTech Open Source Project. We received a grant from ARIN this year and it helped us accomplish our goals. I’d like to give you an update on the project. And thank you for helping us continue our project.

CrypTech is an open source cryptography project. Our main target is for building hardware security modules. Hardware security modules are dedicated appliances for doing cryptography.

We typically think of it storing private keys and public key infrastructure and doing operations on those. They’re very expensive. There are very few vendors. And those vendors are often tied to national interests, strong connection to various spy and intelligence agencies, which gives some people pause on the security of the devices themselves.

So this is a hardware security module and a bunch of things that it’s used for. And they come in many flavors and sizes, from a rack-mounted server to a USB device.

This is a little more information about the CrypTech Project. It was started at the instigation of a few folks who are very active in the IETF security community.

The idea is to build components that could be put together for various kinds of applications, for example, DNSSEC, and we have fair assurances of the project being open.

We have a core team that’s spread around the world. Sweden, Russia, United States, Germany, et cetera. And we have opened development with signed commits to Git repositories that we’ve used.

We make our stuff as available as we can. We use a 3-clause BSD license for all the software in the FPGA code. And we use Creative Commons for all the documents, which includes PCB layouts and bills of materials. And our intent is to make this available and easy to use for others as much as possible.

This is a picture of the last Alpha Board we had. The new ones we had because of this grant are so new we don’t have pictures of them yet.

This is a list of accomplishments we’ve done and reported on this last year. All of our stuff is published hardware and software. We use it for RSA signing. We do 80 signatures a second in our device. With 2048 RSA keys. And we also do hash-based signatures. And we have an security code audit which tells us our devices are really secure.

This is what we did in 2020-2021 with the ARIN grants in the previous two years. We had a lot of disruption this year because of COVID. So everything we tried to do was disrupted. Our personal lives, where a lot of us spent time on this, were impacted. A lot of impact happened in supply chain. As we tried to build a new version of this board, we had interruptions in all kinds of things of things that were supposed to be delivered.

We managed to move our board designs to KiCad, which is an open source tool. We completed our new board design. And we have six new boards fabricated that we’re currently in the process of testing and debugging and testing new components for this year.

This is where we’re going next, we think. More detailed or more extensive elaboration on our current design, largely putting new things into the FPGAs we have on the device. Using a core for the master control unit. Rearchitecting the DMA engine and integrating a small RISC-V into the FPGA Master Key Memory.

So, thanks to ARIN. The grants you gave us last year and this year have helped us move this along. I don’t think we would have our prototype boards if we had not received a grant from you in this year.

So thank you very much. And these are the other people who have supported CrypTech in the past.

We thank all of them as well. Thanks.

Voiceover: Finally, today, let me introduce Keith Mitchell from DNS-OARC with their grant project regarding RPKI Origin Validation Visibility for Check My DNS.

Keith Mitchell: Hello. I’m Keith Mitchell, President with DNS-OARC. And I’m here to tell you about the ARIN Community Grant that we received last year.

This was to add RPKI origin validation visibility to our existing Check My DNS tool.

For those not familiar with OARC, we’re a nonprofit membership organization like ARIN and we’re here to make the Internet’s domain name infrastructure work better.

We do this for a number of activities. We encourage cooperation between researchers and operators. We develop open-source tools. And we do various types of community building and information sharing.

And one of the main vehicles for doing that is workshops, which we run two or three times a year.

We have a very diverse community of members, nearly 120 of them. You can see that there’s a wide range of sizes and different types of interests in the DNS.

Software projects that we do – I mentioned we develop open-source software. In 2019, ARIN was good enough to give us a grant which provided general support for the development and maintenance of many of our open-source DNS tools.

Last year’s grant was, as I say, to add this RPKI origin validation visibility to our existing Check My DNS tool.

What does that do? Whenever you’re using the Internet, you’re using a DNS resolver that converts your name into an IP address. It’s very important that that’s trustworthy.

And essentially what this tool does is the resolver, which could be at your ISP, it could be somewhere in the cloud or local network, basically what it’s doing is it’s checking whether it’s RPKI validated or not.

I expect many of you are familiar with ARIN’s RPKI efforts, but there’s a reference for those who want more information.

Check My DNS is a tool we’ve been running for a number of years. Over OARC’s history, we’ve developed many such tools. What this is, this is a framework that all these tests can be incorporated into.

The way that it works is the end user clicks on a link in their browser and then traffic goes between the scripts in the browser and the custom nameserver that we run.

These results are then visible in the user’s browser in a graphical summary. And if the test results are of interest, you can drill down and find more detail.

The tests check things like is DNS working over UDP or TCP transports or are appropriate source code randomization through security supported, and what protocol features are or aren’t supported.

In this development, we also added the idea of an achievements badge. And the first achievements badges that you can earn on our tests are for RPKI, whether it’s v4 or v6.

If you do a completely successful test, then this is what the results look like. There’s more information if the tests are not successful. And you can click on various parts of the screen to drill down for more information and you can see the RPKI achievements badge. It’s something having scored on this particular test.

Why do all this? Why is it so important to do RPKI validation? Basically, the Internet needs both secure routing and stable DNS to operate robustly. And RPKI is an important part of this.

And it’s one of these places where ARIN and OARC, our public benefit missions have common cause.

And we already had a command-line base prototype to support this validation check. And the idea was to make this visible in a user-friendly way and use that as a means to raise awareness of the value of RPKI.

And also it’s a tool that can help with debugging and testing of infrastructure.

One of the things that supports this isn’t just the tests on our end. There are ROA beacons. And the RPKI tester needs these in order to work. These were first brought up in an ad hoc basis by various parties. But I’m pleased to say that the RIPE NCC are in support of our tool, and it would be great if other organizations could also support ROA beacons to increase the coverage.

That’s pretty much all I have to say. If you want more information about OARC’s software development projects in general, you can find it there. And you can find out how to fund our projects, and where our projects and mailing lists are.

There’s also a blog post there which is a bit more background on this project.

And I think I should make clear, I didn’t do this development work. It was done by our software engineer, Jerry Lundstrom, and any errors in this presentation, Jerry is on vacation at the moment so the errors are mine, not his – however, when he gets back in a week or two, he’ll certainly be very happy to answer any questions that you may have.

And thank you for your time. I hope that was of interest.

Beverly Hicks: Thanks so much to our grant recipients. I know that there were several questions for those recipients. If you would like to email us, we can get those questions on to them. Not all of them were available to be here today.

And because we are running a little bit ahead of schedule, I will – I’m sorry, did I see a hand? No, we’re good.

Okay. Because we’re running a little ahead of schedule, we’re going to switch it up a little bit, move something up from this afternoon.

At this time it’s my pleasure to welcome Lisa Liedel, the Director of Registration Services, for our Registration Services Update.

Lisa, are you there?

Registration Services Update

Lisa Liedel: Yes. I’m Lisa Liedel, Director of Registration Services. I want to give you an update on what the Registration Services group has been doing.

Next slide. We’re just going to outline here about the customer base and the organizations currently served by ARIN.

Currently looks like about 19 percent of our customers are our Registration Services Plan customers, or our RSP customers. And then we have about 42 percent, which are our end user customers. And then we have another, almost 39 percent, which are customers who are not currently under contract with ARIN, or our legacy customers.

Next slide, please. This just shows a little bit on how the standard and the Legacy Registration Services agreements have been increasing while the organizations or the IPv4 addresses not covered under Registration Services Agreement are decreasing.

We seem to have a steady flow of that, and we would like to see that keep going up.

Next slide, please. Our IPv4 waiting list. We continue to see some steady flow in that over the past several quarters.

We do issue at the end of each quarter for folks on the waiting list. And we’ve been depleting most of everything, all the requests on the waiting list. But that doesn’t mean we’ll continue to be able to do that going forward.

But I wanted to give you a little update on where we are with that now. Next slide. These are our reserve pools from Section 4.4 and 4.10. That’s our critical infrastructure, 4.4, and transition – space for transition services under NRPM Section 4.10. We’re in good shape there.

Next slide. And this is our IPv6 profile for our Registration Services Plans. So we see that we have, for our customers, or for IPv6, we have a bunch, like 39.5 percent of RSP customers have only IPv4. That doesn’t mean they don’t have IPv6 from an upstream provider. And I think you’ll see that in one of the future slides.

And then we have some customers that have only IPv6 from ARIN and that’s about eight and a half percent. And then almost 52 percent have both IPv4 and IPv6 from ARIN.

Next slide, please. This is the networks, the IPv6 networks that are created via SWIP by year.

And this is where we see some of those customers that did not have IPv6. They only had IPv4.

We would anticipate that a lot of those are included in these SWIPs from the ISPs. And so far this year there’s almost 97,000 IPv6 reassignments from customers.

And we note that one of the very large ISPs has probably done about 80 percent of these reassignments this year. It kind of shows they’re really getting their customers on the IPv6 connectivity.

Next slide, please. And this is the transfers that we’ve received by quarter. And you can see it’s kind of a steady flow as well.

The IPV to M&A transfers, the market transfers for 8.3 and then the 8.4 inter-RIR transfers are listed here as well.

Next slide, please. This is the number of /24s transferred by quarter. The numbers that are kind of hanging off at the top to themselves, those are the recipient numbers.

The bar charts are kind of a little tiny to see where they actually are. But that’s what the number /24s that we’ve received in.

Next slide, please. And we do coordinate our statistics with the other RIRs. So all five do post our statistics on the NRO website and we’d like to invite you to go out there and take a look at those.

Next slide, please. And that’s all I have. If you have any questions, I’d be happy to answer them.

Beverly Hicks: Thank you so much. We’re looking for questions. Reminder to put your questions in the chat – I’m sorry. Let’s remind, shall I, remind you to put your questions in the Q&A boxes and include your affiliation.

If there are any questions for Ms. Liedel. It doesn’t look like there is. Thank you so much. All right. We’re not going to the NRO presentation.

We’re going to jump back to getting ready for our break. And I’ll just give our coordinator a second.

No worries. I could tell a joke. Want a joke?

Paul Andersen: It’s singing. Remember, we have to sing.

Beverly Hicks: I do sing, but Mr. Andersen.

Paul Andersen: I don’t sing, last time I sung there was a riot in the community.

Beverly Hicks: Do you know what it’s called when a cow is missing two legs?

Paul Andersen: I don’t know, what is a cow missing two legs?

Beverly Hicks: Lean beef. So stick around for the break. Stick around for the break, everybody. We’ve got a ten-minute stretch with Erin, and you’ll have free time until we return. We’ll return for the policy block at 1:30.

So you’ve got an extended break by a few minutes today. Thank you so much. We will move on to our break from here. Have a great afternoon, get some lunch or snacks, and we’ll see you back in just a little bit.


Paul Andersen: We’ll go over the last part of our policy block. Much like yesterday, there were two types of policies — draft policy and recommended draft policy. These are all draft policies much, much earlier in the circuit.

A reminder to please put your questions in the Q&A or raise your hand, even while the presentation is going so we can open up the queues, we have action.

First we’re going to ask the Advisory Council member shepherd, Alyssa Quinn, to give the presentation on Draft Policy 2021-4: Clarifications to sections 8.3, 8.4, and 8.5.6. Alyssa, over to you.

Draft Policy ARIN-2021-4: Clarifications to Sections 8.3, 8.4 and 8.5.6

Alyssa Quinn: Hello. Next slide, please.

Okay, some history on this one. We first got the proposal in mid-August. We forwarded it to Draft Policy about a week later. And there’s been a little bit of discussion on the PPML. I’ll go over that in a bit. And this is this proposal’s first appearance at an ARIN meeting.

Next slide, please. So the problem statement is that the language in sections 8.3 and 8.4 are not clear with respect to what we mean by number resources. Is it just IPv4 addresses? Is it ASNs? Do you need to transfer ASNs with v4 addresses? I guess a little bit of confusion there based on the language. And then some similar cleanup there in Section 8.5.7.

And there’s a comment from the author of the proposal that the changes in this proposal were originally included in an editorial Policy Proposal that went for a Staff and Legal Review. And the Staff and Legal Review came back with the advice that actually some elements of this are not editorial in nature and it could actually have some material changes.

So just out of an abundance of caution, which is a term that is used a lot lately, we have broken this out into its separate one that is not editorial in nature.

Next slide, please. So here’s the policy statement. And as you can see, just a little bit of wording changes. So in this first one we say “IPv4 number resources and ASNs may be transferred according to the following conditions.”

And the proposal updates that to say “IPv4 addresses and/or ASN resources.” And the object is there is to make it clear you don’t have to transfer an ASN along with IPv4. Similar situation with the next bit of text, so taking it from just saying “IPv4 address resources” to saying “IPv4 address and/or ASN resources.”

So pulling that ASN element through to make it clear that that’s also being referred to in the NRPM as well.

Next slide, please. So similar situation. All the way through this text, taking it from saying “IPv4 number resources and ASNs” to “and/or ASN resources” all throughout this text.

Next slide, please. And finally, this one’s even more of a basic change, so the current text of NRPM says, in the second line here, that “IPv4 address blocks in order to receive additional space.”

So the updated proposed text would say “additional IPv4 space,” to make it clear that we’re referring to IPv4. It’s kind of self-evident, but to make it crystal clear.

The conversation so far on PPML was, well, “is this really material in nature? It still seems kind of editorial to me.” Sure, that’s a fair critique. But it was advice given to us through staff and legal. And it certainly could be interpreted in a material manner.

And some folks commented to that effect on PPML as well. So here’s an example of a comment, that “in the original text it’s unclear whether AS numbers are intended to be independently transferable, and in the new text it will be clear that they’re independently transferable. So that’s material in nature, not just cleaning up some difficult word construction.”

Next slide, please. So my questions for the community today are: Is this a reasonable change? Are you supportive of this proposal moving forward? And is there better language that we could use?

And I think I’ll just leave it open on that question slide for you, Paul.

Paul Andersen: That’s perfect. A reminder, because this is a very early proposal, as Alyssa said. Two types of feedback are very useful, especially with our Q&A, is that either you’re in favor of the proposal, or even if you don’t like the proposal, are you at least in favor of this being a problem that the AC should solve?

They’re happy to come up with different approaches. But it’s just useful that they know that this should even be something to work on.

For those new, we try to remember acronyms, NRPM was mentioned – that’s the short form we use for Number Resource Policy Manual, for those that may not be as familiar.

But with that attempt to diatribe, hopefully there’s some Q&As coming in or anyone who would like to raise their hand. So far none, but we’d like to solicit feedback right now on what people think, so the queues, either in Q&A or raised hand, are open.

Remember to put your affiliation in if you are typing a comment. And with that we’ll go to our first comment.

Melissa Goodwin: Our first comment is from David Farmer, with the University of Minnesota, support as written. This language is good enough in my opinion.

Paul Andersen: Thanks, Dave, for that comment of support.

Melissa Goodwin: We have a comment from Kevin Blumberg. Kevin, I’ll let you unmute yourself.

Paul Andersen: Kevin from The Wire, please, unless he’s speaking from a different capacity. Kevin, go ahead.

Kevin, I assume you must be having some technical difficulties. Maybe we’ll go to our next comment while Kevin sorts it out.

Melissa Goodwin: Next comment is from Joe Pace from American Honda Motor Company. I support the proposed change as written. They add clarity.

Paul Andersen: A reminder, the comments in chat cannot be put on the record. So please, if you do that – I see Joe would like to speak as well. Let’s go to our next comment, though, first.

Melissa Goodwin: We have Henry Clay Dean with Mediacom Communications, AS30036, support as written.

Paul Andersen: Okay. Let’s try Kevin Blumberg again.

Kevin Blumberg: Kevin Blumberg, The Wire. I support the policy. I have one question. Does this create a situation where a resource holder, if they transfer an AS number, becomes ineligible for IPv4 space as an example? Or are they treated independently in that regard?

Paul Andersen: Alyssa, did you want to field that? Or staff are handling it right now.

Alyssa Quinn: I would defer to staff for that interpretation.

John Sweeting: They’re handled independently. The v4 doesn’t have any effect on the ASN.

Paul Andersen: Kevin, does that address your question?

Kevin Blumberg: It’s only a question of will this text change that if, it’s now an and/or. Are they commingling in regards to that or does that need additional clarification that they are independent of one another?

John Sweeting: For better clarification – I’d have to go look at it again. But we don’t mix and match the justifications for ASN transfer and IPv4 transfer.

Paul Andersen: So Kevin, do you think this is a problem, though, that should be being solved or…

John Sweeting: Can we go back to the language? Can we look at the language?

Where was the question you had, Kevin?

Kevin Blumberg: It’s about the – by co-mingling it, “and” and “or” together now, if an AS is transferred, is staff going to put them together because they’re now put together within this text?

As long as that’s not the situation, because I think that would be an unintended consequence, I support this because it is cleaning things up. I just want to make sure that they are treated independently of one another when it comes to that.

John Sweeting: I think by putting the “and/or” in there, it allows it to be treated independently because it’s an “and/or” rather than “and.” It’s a clarification to do exactly what you’re asking.

Alyssa Quinn: I think the previous language, like the current language, Kevin, had that potential effect that they would be treated together, that they’d be co-mingled. But adding the “or” gets us away from that.

Kevin Blumberg: Thank you. Then I support as written.

Paul Andersen: Thank you. Joe Provo, do you want to go next? I know you’re having a technical problem, you can’t put it in Q&A. Do you want to put your comment in here on the record?

Joe Provo: Certainly. Joe Provo, ARIN AC, Google. I was one of the co-authors on the original proposal. I believe it definitely needs to continue work as it was directly raised from members of the community. And I support as written currently.

Paul Andersen: Thanks, Joe.

Let’s go – we have about five comments – so let’s clear those in. As we’re coming somewhat up to our time, I’d ask if you do have comments you’d like to raise, please raise your hand and/or put in the Q&A.

So I’ll ask the staff to read all our comments.

Melissa Goodwin: Gary Giesen with E-EGATE Networks and ARIN AC. Support change as written. It adds clarity and we don’t need to go overboard with the language as it’s much better than it was.

Paul Andersen: Next comment.

Melissa Goodwin: Our next comment is from Gus Reese, Cogent Communications. I agree this is a reasonable change and support the policy as written.

Paul Andersen: Okay. And our last two comments.

Melissa Goodwin: Our next comment is from Donnie Lewis with The Obsidian Group. The language is clear. Support as written.

And our final comment is from Robert Seastrom, ARIN AC, ClueTrust, Capital One. Support as written.

Paul Andersen: That ends our queue. If you have a comment, please either raise your hand or type furiously. Even send us a small Q&A saying you’re typing, but we’ll give it a couple seconds here.

Obviously if there is anybody who does not think this is a good problem to be working on, now would be a good time to raise it.

As we wait and try to fill the video stream, I will remind this is the more formal way to put your views on the record. For those newer to the process, please always feel free to reach out to the AC shepherds. You’ll find their email addresses on the ARIN website. And you can always provide feedback to them directly by email on there. They’re always happy to take it.

Of course, if you want to put it more on the public record, there’s the ARIN PPML Mailing List you can join and put that feedback in.

Seeing no hands up, though, and seeing no Q&A, I think we’ll consider the queues closed. This input has been provided to Alyssa. Thank you, Alyssa, for the presentation. We’ll keep on moving.

We’ll ask Joe Provo, who we heard and now we’ll see, who will be doing the next Draft Policy 2021-5: Update ISP and End User References for the 2022 Fee Schedule. Joe, take it away.

Draft Policy ARIN-2021-5: Update ISP and End User References For 2022 Fee Schedule

Joe Provo: Hello.

Paul Andersen: You seem to have lost video there – apparently his video has been muted. If we could unmute his video.

Joe Provo: I’ll start my video. Thank you so much, host.

Hi, I’m Joe Provo. I’m presenting this on behalf of myself and my colleague, Alison Wood, on the Advisory Council. We’re the shepherds of this policy, 2021-5. It’s very similar to the last proposal you heard. It’s an early draft.

If you want to go to the next slide, please, we’ll have the history. Just came in in September. We as shepherds haven’t really taken the editorial pen to this yet. We wanted to get all the feedback from the ARIN meeting.

Next slide, please. It’s a pretty direct problem statement we have here, that we are attempting to get ahead of the fee changes that have been decided by the Board.

Since there’s no longer going to be a differentiation between end users and ISPs, it would behoove us to look over the policy to see where in the NRPM we have such differentiation, if it needed to be changed.

So next slide, please. Kind of restating exactly what I said in the formal language of the policy statement.

Next slide, please. We’re going to compare each section individually.

I’m not going to regurgitate what’s on the slides here or in your electronic version of your handout that you would have as PDF on the website. But it’s pretty straightforward in terms of addressing the nomenclature, substituting organizations here, where we see ISPs.

Next slide, please. And similar sort of normalization of – trending towards a more generic terms of organizations, rather than ticking off specific types of organizations.

Next slide, please. You’ll see the same kind of text change here in 6.10.1.

So, thank you. There was a suggestion bundled in with the proposal, that “resource holder” might be better than organization for the new text.

I’m inclined personally, as the shepherd, to lean in that way to help normalize, as we’ve also had changes similar in the earlier proposal to speak about resources versus specific types when we can construct it.

The PPML feedback again. This is a new proposal – newish in the ARIN timeline of things. So there was a little bit of confusion about whether this was actually implementing the fee change. No, that’s an RSA topic, not an NRPM topic.

This is merely a language adjustments to get ahead of the change so we’re not doing this next year and catching up to the change.

There was one cogent suggestion to adjust the language to include assignment. And it might be that some of these suggestions might be a follow-on of – the assignment might be a direct change for this one. That would be useful.

I think perhaps maybe an editorial broad brush about organization versus resource holder might apply in more sections that may not be relevant to this change. But that’s open for discussion.

Next slide, please. And that’s where we are. Open for discussion.

Paul Andersen: Thank you, Joe. All right. Again a new Policy Proposal, and as Joe points out, I think on this one, just to make clarity, there is – fees are not in policy but fees can use definitions by that. So it is true there’s been a change in that regard.

So this is not to implement that fee proposal; it’s simply to clean up the language since there was some distinctions in the NRPM, and now they’ll just be focused solely on policy.

With that, we’ll throw open the queues for any comments, questions or thoughts on this proposal. If this is a good idea to be working on is always useful.

I apologize. I can hear my dog in the background. It must now be officially a Zoom meeting. A pet or small child has interrupted the meeting.

We will give it a bit of time. Again, you can – give it 30 seconds then we’ll assume there’s no feedback.

But as a reminder, you can reach out to Joe or through PPML if you want to give further feedback.

This is certainly going to bring us back on time if there’s no feedback. But not that we shouldn’t have feedback. I see something has popped up.

Joe Pace from the American Honda Motor Company, is supportive as written. Thank you, Joe Pace.

Any other comments?

To save you from any more dad jokes, we’ll close the queues. And I thank Joe for that excellent presentation. And hopefully some feedback will be generated either offline or – thank you, Joe.

Our last proposal, 2021-6: Remove the Circuit Requirement. We have Andrew Dul to present. Andrew, feel free to appear and take it away.

Draft Policy ARIN-2021-6: Remove Circuit Requirement

Andrew Dul: Thank you, Paul. Can everybody hear and see me okay?

Paul Andersen: Yes.

Andrew Dul: Excellent. So this presentation is for 2021-6: Remove Circuit Requirement. Myself and Matthew Wilder are the shepherds on this policy.

Next slide, please. Here’s the history of it. It’s quite young in its draft stage. We received it on September 13th and promoted it at the next AC meeting, and has not yet been presented at an ARIN meeting.

This is the one you’ve all been talking about on PPML.

So next slide, please. What the policy problem statement says: Current ARIN policy prevents the use of leased-out addresses as evidence of utilization. And the author notes: This concise change informs staff that neither physical nor virtual circuits are required for a technical connection between the LIR and customer.

Next slide, please. This is the policy statement. In this slide I have highlighted and underlined in red the changes that we’re doing.

It basically changes the definition of an LIR with regard to network services and just says users of the network.

Next slide, please. So what are the policy impacts of this? If this change to the definition of LIR is implemented, what would be the impacts to this?

So, first of all, let’s look at the waitlist. An organization would be able to make a request for number resources via the waitlist, regardless if the organization provided network services to its customers.

This means pretty much any organization in the world would be able to come to the waitlist and ask for number resources for someone else.

IPv4 transfers. The same would be true for organizations who request IPv4 transfers. They would be able to ask for address space and note it as utilized, even if they provide no network services to any of their customers.

Next slide, please. IPv6, the same would be true of IPv6 allocations. An organization would be able to come to ARIN and ask for IPv6 number resources regardless if it provided those number services to its customers. They would only be providing number resources. The same thing would be true for ASNs.

Next slide, please. This policy draft as it is, it’s not been modified by the shepherds at this point. We note that basically this changes the definition of Section 2.4, the Local Internet registry.

However, other sections of the NRPM also are used in defining the nature of an LIR. And just changing the definition section will likely create inconsistencies with other parts of the NRPM.

Here I specifically note three sections that would likely also need to be updated for clarity to understand what happens in these situations.

For example, Section 1.2, organizations are currently required to have distributed resources to organizations that have a technical need for them. Section 1.4, the fundamental purpose of number stewardship is to distribute unique number resources to building and operating networks.

And 8.5, under transfer section, ARIN allocates and assigns number resource via transfer solely for the purpose of use on an operational network.

Next slide, please. This is the PPML summary as noted so far. Many more messages were posted. However, most of them seem to be composed of basically about 20 or so authors, contributors on the list.

We noted three contributors made statements of support of the draft, 12 opposed. And five did not specifically state their support or opposition.

Next slide, please. These were a few highlights from PPML in support. “Conservation will be provided by the market as it places addresses in their best and highest need. Allowing leasing encourages accurate usage in Whois and RDAP. A lack of clarity on leasing encourages registry shopping.” And “limits on leasing cause increases in lease pricing.”

Statements not in support, “explicit leasing will create additional route table entries. IPv4 resources should remain under control of ARIN, not leasing companies. Additional leasing encourages speculation by non-network operators and increases address prices.” And “encouraging existing holders of” – excuse me – “encourages existing holders of excess address space to lease them rather than to transfer them.”

And here’s a last slide, which is the question of the day: Do you support the current draft as written? If you don’t support as written, are there changes that you would recommend to support the Draft Policy? And do you support the concepts of the draft and would like the AC to continue working on this? Or do you think this is something that should be abandoned?

Those are the questions for today. And look forward to your conversation.

Paul Andersen: We have no time for conversation, so unfortunately we’re just going to have to close it right there.

Andrew Dul: Oh, I’m sorry. Just have to continue the jokes.

Paul Andersen: Nobody would like to comment. We, of course, continue our jokes. But in all seriousness, the queues are open. I’d suspect we’ll hear some feedback on this one.

So, please, Q&A, remember to put your name and affiliation. I encourage more use of the raising hand because it’s good to get interactive if you’re making more than a support or against.

But with that we have two comments. So the first one is from David Farmer, University of Minnesota. While I support allowing the leasing of IPv4 addresses and obtaining IPv4 addresses from the transfer market, I do not support the policy as written.

My primary objection is that this policy change would apply to both IPv4 and IPv6, which I do not believe to be appropriate.

Thank you for that, Dave. I would assume you would take that v6 off.

Next comment, please.

Melissa Goodwin: Tom Coffeen with HexaBuild. Support as written.

Paul Andersen: I see one person has put a comment in chat, so I would ask that you either transfer that to the Q&A so we can put it on or raise your hand, please. I would hate to see that not get put in.

We’ll continue to take feedback here. I may have lost the over/under, because I thought there would be a little more. As they say, it’s been a hot topic on PPML – or spicy topic.

Chris Woodfield, Twitter, does not support as written. I don’t believe it’s in the community’s interests to allow non-operators to hold resources unrelated to providing network services. Thanks for that person moving into the Q&A. We’ll get the next one.

Melissa Goodwin: Mike Burns, IPTrading. I propose a change designed to shield the waiting list, and I would support with that change.

Paul Andersen: Any comment on that change, Andrew, or is that something still being considered?

Andrew Dul: We haven’t taken the pen to this draft at this point. So we would certainly incorporate that and other feedback into the next version.

Paul Andersen: Just a reminder to those posting questions, please put your affiliation. We have one in there that doesn’t have an affiliation. If you would put that in, we’d appreciate it.

Gus Reese, Cogent Communications. I support the concepts and the draft and would support further AC and PPML discussion.

I don’t think anybody has put a hand up. We’re just waiting for their affiliation to come in.

Tina Morris of Amazon Web Services says, do not support.

Some comments coming up.

Melissa Goodwin: Connor Genyk with 10110770 Manitoba. Support as written.

Paul Andersen: And next one.

Melissa Goodwin: We have Gus Reese with Cogent Communications. I support the concepts and the draft and would support further AC and PPML discussion.

Paul Andersen: We have a hand up. Could we unmute that mic, or it didn’t go away.

Melissa Goodwin: Mercia, you can unmute yourself.

Paul Andersen: Full name and affiliation, please, and whether you’re for or against.

Mercia Arnold: Mercia Arnold, The Obsidian Group Inc. Support continued discussion.

Paul Andersen: Thank you. Let’s take our next written comment, please.

Melissa Goodwin: Rob Seastrom, ARIN AC, ClueTrust, Capital One. Speaking on my own behalf, oppose as written.

Paul Andersen: Joe Pace, American Honda Motor Corporation, says I do not support.

We have one more comment. I’d ask those that – we’re not in a time rush, but I would ask if you have feedback to start putting in so we can make sure we allocate time correctly.

Obviously if you have any reasons why you are for or against it would be great if you could raise your hand so we can get your comments live, and if the shepherd has any questions he can ask at that point.

With having said that, we’ll give another 30 seconds for comments to come in. Let’s take our next comment in.

Melissa Goodwin: Donnie Lewis, with The Obsidian Group. Support the concepts, but more work.

Paul Andersen: Next comment.

Melissa Goodwin: Citizen Support [LLC]. I believe this will cause confusion. I do not support as written.

Paul Andersen: Okay. Let’s take what is our last comment. And we’ll be closing in the next 15 seconds.

Melissa Goodwin: Phoebe Rouge from the U.S. Government, but speaking only for myself. Support further discussion of downstream impacts on market.

Paul Andersen: I’ll go out of order and probably ask one of the Johns, Curran or Sweeting, to address this. The question is how much underground leasing happens at ARIN, and Whois does not know about? And that’s from Jonathan Stewart at LES.NET.

And I would preface it by saying you don’t know what you don’t know. I don’t know if John Curran would like to address a bit of maybe what the organization has seen in general in that.

John Sweeting: I can insert myself here, Paul, and say we have no idea. We know that it’s out there. We know it’s happening. But we have absolutely – there’s probably different flavors of it.

There’s the ones where it’s being leased and it’s actually being SWIPed in Whois. So it’s actually showing up as the people it’s being leased to. And then there’s the ones where there’s probably no record of who was actually using that.

And we really look to the operators’ community to stop that from happening and not be routing blocks that do not show up in Whois. So there’s very little that ARIN can do about those types of leasings.

Paul Andersen: Thanks, John Sweeting.

We’ll close the queues and we’ll listen to the last two comments. Can we have the next one, please.

Melissa Goodwin: Joe Provo, ARIN AC, Google. Speaking for myself, oppose as written and in principle.

Paul Andersen: And the last word goes to Martin Hannigan, Deep Edge Realty, who says he supports further discussion.

We thank you for all that input to this policy. Is there anything, Andrew, you wanted to add before we end off?

Andrew Dul: No, just to say thanks for the discussion today. And I look forward to continued discussion on PPML as we move forward with this. Thank you.

Paul Andersen: Thank you, all. We’re quite a bit ahead of schedule but we have great content. I’ll turn it over to introduce our next speaker.

Beverly Hicks: Thank you so much. I’m just giving our slides coordinator a second to jump ahead. And then we will get ready.

Our next update is the NRO update. And that will be presented by Mr. John Curran, President and CEO.

I’ll make sure that he is ready for us. You’re just making me wait and have to have jokes, aren’t you?

Beverly Hicks: No, I will not sing the jokes.

Paul Andersen: That’s not fair.

Beverly Hicks: Does anybody else follow whether it’s a bones or no bones day? I need to know. Is today a bones day? I feel like it would be a bones day.

Paul Andersen: Apparently it’s a bones day.

Beverly Hicks: It’s a bones day, yay!

Paul Andersen: I suspect John must be having some technical difficulties because I noticed he didn’t appear earlier.

Beverly Hicks: Correct. I was giving it a second, but at this point we are – I can be ready to move on.

And we will do the NRO NC update and we’ll come back – and give me a moment to get that up and running; if you want to tell a joke while I’m finding it, I’m just saying you could.

Paul Andersen: John has appeared. John, are you okay if we just go with Louie’s and then we’ll come back to you?

John Curran: Any order is fine. Sorry about that. I had a network problem.

Paul Andersen: I assumed as much. Why don’t we go with the NRO NC update because it’s all queued up, and then we’ll come back to John in a second.

John Curran: Very good.

NRO NC Update

Louie Lee: Hi, I’m Louie Lee. I’m one of the members of the NRO Number Council from the ARIN region. This is the ASO update for ARIN 48.

We’re the NRO Number Council made up of 15 members with three from each region. Two are elected and one is appointed by the RIR boards.

While the term of the office varies between regions, in the ARIN region, the term is three years for both elected and appointed members.

We do our work as the Address Council in the ICANN Address Supporting Organization as specified in an agreement between ICANN and the five RIRs.

The main functions include: advising the ICANN Board on matters related to IT and AS number policies; overseeing the Global Policy Development Process; appointing two ICANN Board of Directors; and appointing one member to the ICANN NomCom.

In the ARIN region, the elected NRO members also serve as the IANA Numbering Services Review Committee.

In short, we review the interactions between IANA and the RIRs and put on annual review about how well it has been going.

From the ARIN region, we have Martin Hannigan, Kevin Blumberg as Chair, and myself.

Of the three of us, Kevin is the one appointed by the ARIN Board. My term is up at the end of this year.

And now a short message about the NRO NC election. ARIN 48 and NANOG 83 attendees who are not voting contacts for eligible ARIN members may vote from November 1st through the 12th if they have registered for the meetings before October 28th. All voting contacts for eligible ARIN members may vote online from November 4th through the 12th.

And since our last ARIN meeting, the notable update to the list of the ASO AC members is that James Kennedy replaced Filiz Yilmaz when she stepped down at the end of May.

The five of us are designated to keep an eye on the regional Policy Mailing List to call out any policy proposals that has potential to be global policy.

These five are the PPFT, the Policy Proposal Facilitator Team. The person designated from the ARIN region this year is Martin Hannigan.

There was not a Policy Proposal this year that became a proposal for global policy.

We have an annual face-to-face meeting normally. This year it’s been postponed. But our Mailing Lists are open to the public and so are our monthly teleconferences. They are normally held the first Wednesday of each month. And the length is posted shortly before the meeting.

This year, we appointed Alan Barrett to serve a three-year term on the ICANN Board. This is the board seat previously occupied by Ron da Silva.

Since Akinori-san’s seat ends at the end of next year we have begun taking nominations for appointments to his seat. The nominations will close in a month, and we expect to complete the selection process in April and announce our selection.

Please let us know if you know somebody who might be well suited to serve on the ICANN Board.

This is the list of RIR meetings that have happened in about the last six months. This month, LACNIC 36 was held mostly online with two days as hybrid meeting in Montevideo, Uruguay.

And here’s the list of the RIR meetings for the next six months.

Thank you very much. I’ll be here to take any questions.

Beverly Hicks: Louie is actually here if anybody has any questions for him. I checked on that. And we will pass that –

Paul Andersen: Now we know somebody’s YouTube history.

Beverly Hicks: It’s all ARIN, so I’m not sure if that’s – (laughter).

All right, at this time we are now going to –

Paul Andersen: No, no, I had a comment. Sorry, that’s why I appeared magically. I guess you just have in presenter mode.

I just thought I would, on the last presentation, think it would be appropriate to take a moment, as Louie very quietly mentioned he’s ending his term. But what he failed to mention is that he’s ending an 18-year run. And he’s served your community for many years on that.

I just think – I’d like to take a moment to ask the community to thank Louie for many years of service. It’s a very thankless job. The ASO AC is very important.


I just thought I would add those words and thank you, Louie, for all the many years. I can’t think of – it’s been so long, I can’t think of a time without you. I know the ASO AC – it’s a loss to lose you but I appreciate all your service. And I’ll turn it over to John if he has any words.

John Curran: I’d also like to thank Louie. It’s been an incredible run. And truly when I think of the ASO AC, I think of Louie. I’m going to have to get used to the fact that it can function without him in the lead. And just an incredible run, Louie.

Paul Andersen: Or without his hat.

NRO Update

John Curran: I’m going to give you the NRO update. So this is the Number Resource Organization. It’s the coordination function among the five RIRs. The executives in charge of each of the RIRs gets together and we use the NRO as a sort of unincorporated coordinating entity to make sure that we work on one registry that’s appropriately coordinated.

Next slide. The NRO is the project of an MoU signed in October 2003. And it coordinates the RIR system and joint RIR activities. We promote the multi-stakeholder bottom-up policy-development model. And we fulfill the role of ICANN ASO.

The ASO, the Address Supporting Organization, is actually defined in ICANN’s bylaws. And it indicates that the NRO shall serve as the ASO.

Our NRO Number Council serves as the ASO AC, as you’ve just heard.

Let me talk a little bit more about what the NRO does aside from the global policy aspect, the operational coordination.

Next slide. The Executive Committee, the NRO EC, is made up of the executives of the five RIRs. That’s Hans Petter Holen, Oscar Robles, myself, Paul Wilson and Eddy Kayihura.

We have a rotating set of officer roles. This year I serve as Treasurer, Hans Petter as a Chair.

Permanent Secretariat is hosted by APNIC, and German serves as our executive secretary and has support from Laureana. We have coordination groups. Each of the various functions that’s in an RIR actually has to be coordinated across RIRs. We have communications, engineering, registration services and public safety coordination groups that meet and make sure when we do something with what we use for schemers for Whois or when we’re making communications, communications, that we do it appropriately.

We also have informal coordinating activities – public affairs, policy, finance, legal, human resources.

It is interesting. The RIRs are each their own organization, but we actually work best as one coordinated set of functions. So it does take a bit of work.

Next slide. We publish a few things. The Internet Number Resources status report, which gives us the status of the Number Resource pools, including the ones at the IANA, and the allocations that have gone out to each of the RIRs.

Global stats on IPv4, IPv6 and ASNs. RPKI adoption report, showing the amount of coverage of the RPKI certificate trees. All those are available at

We do a comparative policy overview. This is an interesting document. I recommend everyone take a chance to look at it when you have a moment, which compares the various policy sections of our policy manual.

So what the policy rules for transfer are in the ARIN region, APNIC, RIPE, LACNIC, etc. What our policies are for IPv6 transition block or ASN issuance. You can actually get a good cross-RIR view of what’s in common and what’s different regarding our policies. That gets updated periodically.

Next slide. In terms of how we do all this, we have general operations budget of about $480,000 a year. That handles the Secretariat support, the Chair of the ASO EC’s travel and coordination group meeting expenses – all of the work of us getting together and doing the coordination and any of the tasks that we have to do jointly.

It also includes – we have IGF contribution that we make of $150,000 to support both to support both the overall international Internet governance forum, but some of the regional forums and support activities.

We also have a contribution to ICANN. So every year we give a contribution to ICANN. It has two pieces. The IANA contract, the SLA services-level agreement for IANA for the administration of the unallocated common free pools, $650,000. And the voluntary contribution, the remainder, is about $173,000 a year.

We’ve donated $183,000 to ICAAN since ICANN’s inception – the RIRs predate ICANN. So we’ve been supporting them every year as part of the ecosystem.

We also have a Stability Fund. Each RIR has pledged to make available resources if necessary to support an RIR that might have a financial challenge. Collectively the pledges are over $2 million U.S. And you can find more details at the Joint RIR Stability Fund.

While we have all pledged money to that, we actually hold our individual pledges and we only put those into this fund if needed. There’s so far been no request to the Joint RIR Stability Fund though we’ve made sure we’re standing by if necessary.

Next slide. Cost distribution. We look at the total sizes of each of the RIRs and that changes year by year. We use a comparison between them. And that’s how we do the allocation. So you saw the costs. Then we have to allocate those costs according to this percent.

RIPE NCC is the largest, 39.9 percent. And then after that ARIN, APNIC, LACNIC and AFRINIC.

Next slide. The IANA Review Committee. We have a couple of responsibilities. One of them is, according to ICANN bylaws, we have the ability to have an IANA, actually according to our Service Level Agreement, we have an IANA Review Committee which reviews the service level of the IANA numbering services.

When an RIR needs more ASNs or IPv6 space and it puts in a request, that becomes an IANA request. It gets fulfilled by the Public Technical Identifiers organization at ICANN. But they report back and we annually have a community committee that reviews how they’ve done in handling our requests.

It’s fairly straightforward, but just to make sure that we have a performance review function in place.

Next, the Review Committee for the IANA services for 2021 is there on the slide. From the ARIN region, we have Louie Lee and Martin Hannigan and John Sweeting.

Next slide. The ICANN Empowered Community. In the IANA stewardship transition that happened just a few years back, the NTIA/U.S. government relinquished its contract over ICANN and said we’d like ICANN to instead contract with each of the respective communities. That’s how we ended up with a Service Level Agreement with ICANN for running the number pools. That’s why the IETF has an MoU with ICANN regarding the protocol parameters.

The DNS community is actually a function of ICANN. It operates ICANN coordinates and organizes the DNS community. But ICANN is also the IANA PTI, Public Technical Identifiers, function.

Because they’re both in ICANN, the ICANN bylaws were changed to provide an oversight function, just to make sure that ICANN is operating appropriately and that the community has the ability to affect change with ICANN if necessary.

There’s this function called the ICANN Empowered Community, which ratifies budgets or has the opportunity to not ratify budgets, strategic plans, changes to the board of directors of ICANN.

So we have a set of procedures so we can uphold our role, we as one of the Empowered Community members, have one of the votes in the Empowered Community function.

We have procedures for how we approve, how we might reject, how we might remove Directors from ICANN. All these can be found online.

In general, ICANN has performed exemplary. And the Empowered Community has never really had a significant issue. But you can read about it all online if you’re interested.

Next. ASO review. The ICANN bylaws provides for a periodic review of the ASO’s effectiveness within ICANN. Since the NRO serves as the ASO, we have to periodically review our effectiveness within the ICANN structure.

We conducted our first review in 2011, our second one in 2017. You can find information of both of those online. We’ll be doing another one coming up next year.

And it’s interesting because we’re really reviewing how well we do those parts within ICANN that support the functions like the IANA global number registry.

There hasn’t been a lot of global number resource policies, so it’s a little bit challenging to review how well we’re doing. Still, worth reading. Sometimes it points out some of the more interesting or byzantine aspects of how we’re organized. As I said, there’s one coming up next year. We’ll have a third-party do an independent review of our effectiveness within the ICANN structure.

Next slide. RIR community consultation for the implementation of the recommendations. Out of our 2017 recommendations, we did a consultation in the community on how to implement those recommendations.

And the NRO EC and the ASO got together and looked and came up with implementation steps. We’ve actually gone through and implemented a number of those.

Some of those are terminology issues. Some of those are updating the website, whether it’s the NRO or the ASO website, to make sure it’s clearer because sometimes all of this is not straightforward if you haven’t been steeped in it for 10 years.

To that end, if you want to see the status of our implementation of the last set of recommendations, you can go online and find it there, under the ASO review 2017 section.

Next slide. NRO projects. We have a number of projects ourselves. One is to review the MoU that we used to form the NRO. And we actually did an update of the NRO MoU as a result.

We’re doing an NRO strategic review that will happen, sat it down and it will run through next April. And that’s to look at what is it that the NRO needs to do, what’s in scope, what defines a success criteria.

That’s pretty important because the RIRs have to work together effectively, and the NRO is the function we use. So we’re doing a little strategic review to make sure the NRO is all that it can be but also that it’s not more than it should be.

And then, of course, as I noted the ASO review, every three to five years. We have one coming up. We have the ASO review again scheduled for 2022. Hopefully we’ll have all the items from 2017 complete by that time.

Next slide. That’s it. Welcome to the whirlwind tour of the Number Resource Organization. I’ll take questions if there are any.

Beverly Hicks: While looking for questions, a reminder to include your affiliation in your questions.

Mr. Curran, it appears it was perfectly clear and that everyone has everything they need. Nope, Mr. Anderson has appeared.

Paul Andersen: Nope, no, I’m just getting ready.

Beverly Hicks: You’re ready for the next one.

John Curran: Thank you very much.

Beverly Hicks: Thank you, sir.

We’ll now turn it over to Paul Andersen for his Board Chair Update.

Board Chair Update

Paul Andersen: Well, just “mini Board update” before we get into Open Mic, just because I know this is not the format that we’ve been used to. It’s been a struggle for all of us not to be able to travel.

And even though we’ll have our formal Members Meeting in Minneapolis in a few weeks, I thought I would give a quick couple minute updates on some stuff that the Board has been actively working on.

We’ve not been able to meet ourselves in person for the majority of the year. However, we did manage to actually have a hybrid, where some of the Board was able to make it to an in-person meeting. And the rest came in through a more hybrid approach. And we’re hoping that approach works well for PPM.

A lot of our work – again, we’re not involved in operations. We have a very amazing professional staff of almost 100 bodies throughout the Reston and Northern Virginia area and Washington area that take care of all the daily activities that make the organization tick.

But some of the focus we’ve had is we’ve continued to try to establish a series of KPIs, to give you a good idea of the health of the organization. Again, seeing some of the fruits of a lot of the investments we made in product development. As many of you saw, we had the services plan launch earlier this year, and great success and a lot of great feedback.

One area where we’ve been taking a high-level look at as well is just from security. That was an omnipresent issue, nothing new. We’ve worked with staff. And as you know, they’ve brought on some new hires to just look at security from all angles, to make sure that, given ARIN’s key role that we’re making sure that there’s good investments in that. And we’re hoping that that new hire will bring lots of information and potential projects both to the staff and to us.

Many of you are aware that we did work on the fee harmonization and that proposal has passed and the information is out there.

We appreciate the feedback that we got, good and not good. We understand that some rates went up. And nobody likes raising rates, but we do hope that in the end this is seen as a more equitable and fairer method of distribution.

As John mentioned, we did spend quite a bit of time on the AFRINIC situation. We put out our statement as to that effect – we don’t have much more to say on that other than we obviously do have a lot of attention on that right now.

From a governance standpoint, we’ve had a Governance Working Group working throughout the last two years, just looking at a whole host of issues in terms of structure and Board efficiency, what’s the right tenure and people to have around the table from that standpoint.

We’re hoping to have some proposals from the community. This has been ongoing work for some time. I know it’s been a topic of recent attraction, but it’s something that we’ve already had a lot of ideas and concepts that will come. And we’re hoping to have proposals for community and member feedback hopefully by the end of the year, including – we did have some good discussion on Board succession, another area that we’ve worked on.

I did indicate to the Board earlier this year that I would not be seeking reelection. That ‘21 – when I talked about Louie, about why is it that I can never remember Louie not being on the ASO – because I joined my first ARIN meeting 18 years ago. So, we’ve put in what we think is a good plan and some discussions on that to ensure there’s good continuity.

But having said that, I do hope that for those that are going to be able to be in Minneapolis that we’ll be able to see you and at least see you in – good to see old friends.

It’s been a great pleasure meeting many of you over the last many years. And for those that can’t make it, I hope we will be able to touch base online at some point.

That’s all I wanted to bring. It’s just a short update. I’ll have a more fulsome Board update in Minneapolis.

With that we’ll move into Open Microphone. Hopefully John can appear, and John and I are happy to take your questions, comments or concerns on anything you’ve heard over the last few days or any issues you want to raise.

We have the whole team here, and I see we have our first hand up, so why don’t we go to that hand.

Open Microphone

Beverly Hicks: Mercia, you should be able to unmute yourself now.

Mercia Arnold: Thanks for letting me listen in on ARIN 48. It’s been very instructive. I must say, I don’t remember pushing the request to say anything. So let me just have this opportunity to say it’s good to see everybody and I look forward to the rest of the meetings.

Paul Andersen: Just to clarify that, you raise a good point. This is only the end of our two days of Public Policy. But we have our virtual Election Forum coming up. And as I mentioned, we’re back-to-back with NANOG, which will be the first in-person meeting that we’ve had since the pandemic kind of threw us all into a bit of a loop. It will be a hybrid meeting, so you’ll be able to participate either remotely or virtually. At this point we’ll be having great content as kind of an extended members meeting, but there will be some other items.

And I think we have a good keynote lined up. It would be great if you could tune in.

Okay. I don’t know, John, unless you see any hands flying up.

John Curran: I don’t.

Paul Andersen: They’ve expunged it all on the great policy discussion we had. So if there are no further comments or questions, I think we can – David Farmer has a question.

After listening to the ARIN grant report by E. Marie Brierley from yesterday, it seems to me that an optional field for an organization to discuss its domain names could be handy to help correlate domains with organizations for research purposes and probably more generally as well.

John, did you have any thought? I assume, David, that’s just a comment on the great output of the grant program, or is that a suggestion that ARIN may want to start getting into that? Thank you. He says yes. Thanks for that comment, Dave.

Oh, he does think that ARIN has an involvement. John, that’s definitely a “you question.”

John Curran: The question would come up as whether or not the community wants to have an optional field to associate a set of domain names with their address blocks.

Aside from the implementation, that’s not something that ARIN does a lot with. But if the community thought it was useful, it would have to be a structured field to be useful.

Obviously there’s ability to put comments in records now, but if you wanted to do any data analysis you really need to have this in a structured field.

So not a problem there. The question is, does the community want it? I would suggest if a group of people think it would be a valuable item, you could come to ARIN and say you want to do it, either as a suggestion – I don’t think it needs to be policy; it does change the format of our records – but it’s really a question of whether or not the field will get used.

I don’t want to put something in the Whois records that no one’s actually going to deploy. So get a group of people who are interested in that and we’re happy to implement it.

Paul Andersen: Since there’s no other comments or questions, I will hand this over to you, John. Thank everyone for your participation.

Closing Announcements and Adjournment

John Curran: Very good. Paul, thank you for doing an excellent job in chairing this session. And I’d like to do the wrap-up.

Thank you everyone for coming for today’s policy discussions. I’d like to thank our sponsors, USI, Unbelievably Simple Internet; and Lumen. Without them we wouldn’t be able to have this session today.

Survey reminder, we’ll be sending a survey out. Please complete your survey reminder. It’s very important for us to get feedback as to how we run these meetings, particularly as we change up the format as we’ve done for this.

There’s also a small chance to win an iPad, which could be fun. So you’ll get a reminder in the mail. Please, fill it out, the online survey. Let us know how we’re doing in this session.

And join us for – on October 28th, we have the ARIN Election Forum. At 12:00 PM Eastern time, we’ll be having an Election Forum where you’ll hear about the candidates for the ARIN AC and the ARIN Board of Trustees. And the candidates will answer the questions submitted by everyone.

A great opportunity to learn more about the candidates before the upcoming election opens up in a few weeks.

And one more. One more slide. Is that it? No more slides. Okay, that’s it. Thank you.

Join us on October 28 for the Election Forum. Thank you all for coming. Enjoy your afternoon.

[Meeting adjourned at 2:37 PM]