ARIN 49 Public Policy and Members Meeting, Day 1 Transcript - Monday, 25 April 2022
Hollis Kara: All right, all right, all right. Can everybody come in and take a seat. We’ll get this show started. Welcome, everyone, to ARIN 49. Whether you’re here with us in person in Nashville or joining us online, we’re so excited to have you here.
Are these my slides? Yes, these are my slides, I think. Here we go.
To start off the day – hi, I’m Hollis Kara, ARIN’s Director of Communications, and I’m excited to welcome you here to the meeting. We’re really glad to be back here in this full hybrid format, and we have an exciting meeting planned.
First off, I’d like to do some thank yous and introductions. Our Board of Trustees is here with us on site today. I’d like to thank these elected volunteers for all the work they do in support of the community. You’ll see that they have stickers on their badges, ribbons on their badges that identify them. If you wish to speak to them about anything, please track them down and say hello. They’d love to speak to you.
Our Advisory Council is also mostly in the house. They also have ribbons, and we are glad to have them here and very thankful for all the work they do to support the policy development in the ARIN region. They will be up here leading policy discussions as we go through the meeting.
And then last, but certainly not least, our NRO Number Council representatives. You’ll be hearing some presentations from that group later in the day and learning a little bit more about their work that they do for the ARIN community, and we’re very thankful.
And then last in our primary thank yous, we’re really excited to finally have our RIR colleagues back in the house and be able to do these meetings and see our friends. They’re wearing big smiles because it’s not their meeting and they can relax and enjoy. If you do see them, say hi. They’d love to talk. They’ve all been locked away just like the rest of us for the last few years.
Okay. So let’s talk for a second about getting around the meeting.
For our virtual participants, we’re so excited to have you here. Please make use of the chat feature to talk amongst yourselves and with our virtual host.
Also, if you have a question that you would like entered in any of the Q&As or discussion periods, please put that in the Q&A box so we see it. That’s what we’re using to moderate that feed into the floor. And my producer will be helping read those questions in. Also include your name and affiliation to help her out.
If you need assistance as a virtual attendee during the meeting, we do have a virtual help desk. You can drop in there. I’m going to show you. Okay. And for those who are astute and on the meeting website, you’re going to go, that’s not actually what it looks like. That’s okay, there’s one more button on the bottom that says Event Hub.
Virtual help desk is where you can go to access the help desk. Virtual event hub is going to have links to all the sessions throughout the meeting, so if you aren’t able to get those from your emails, you can connect with those there and access the Zoom sessions for this meeting as well as our additional sessions, which I’ll talk a little bit more about in just a moment.
All right. For in person participants, if you are on anything – running hybrid AV is an extremely complicated setup, so please make sure anything that you’re running on your computer is muted. We don’t want to end up with any weird loops happening.
When we open the microphones for conversation, we have positioned Lysol wipes by the microphones. If you would care to clean them out of courtesy for the next speaker, that would be great. There’s also a trash can because otherwise things could get messy.
Let’s talk a little bit about attendance. So, this is really exciting to me. Typically a spring ARIN meeting would have about 150 attendees between our old virtual option and in person. Today you can see we’ve got a lot of folks here, both in person and online. What does that actually math out to?
We’ve got 191 registered virtual attendees and 112 in person, which means for the first time that I can think of, I’ve been around for a while, we’re over 300 attendees registered for an ARIN meeting which is fabulous.
Thank you. We’re really glad to have you. And we’re really glad to bring this meeting back in this format. Some chat reminders. These apply in the room as well as for our virtual attendees. Everybody, when you registered, you clicked a box that said you would adhere to our Standards of Behavior. We’re going to hold you to it, so please do that. Make sure your comments are professional and on topic. When we open the microphones, I’m going to be helping our producer in the back to manage the queues both in person and virtual. So we’ll be going back and forth to do that.
If you’re speaking at the mic in the room, please state your name and affiliation for the benefit of our transcriptionists. And same for our virtual attendees, please include your name and affiliation so we can make sure that we do correct attribution in the meeting transcript.
We are recording and livestreaming. So you can follow along that way. Slides have been published for all the presenters. If there are any late changes, we will make those updates before the meeting report goes live. But best of our knowledge, what you’re going to find on the website is what you’re going to see presented here today. And the transcripts will be published as soon as they’re available. And a cleaned up version, chaptered by session, will be published as part of the meeting report in a couple of weeks. Takes us a minute to get that together.
I’d like to take a minute to introduce and thank my meeting staff today. I’ve got Beverly Hicks back on the back riser helping out our AV team doing virtual and hybrid production.
Melissa Goodwin, who I’m sure you’ve all met, is our hostess with the mostest, our meeting planner, she’ll be running around. I’ll be up on stage trying to run this circus.
Amanda Gauldin is going to be the virtual host. She’ll be the one you see online and in chat. Jason Byrne is staffing our virtual help desk, so stop by and say hi. He really misses being here in person.
And video and live stream have been set up by Tommy Baldwin. And Ashley Perks is our woman of all work. She will be running around helping us out with anything that needs to get done and taking pictures. She’s our in house paparazzi.
Before we move on, I’d like to thank our network sponsor, AT&T. We couldn’t have a meeting without them. If I could have a round of applause.
And then I’d also like to thank our Bronze Sponsors, IPv4.Global from Hilco Streambank, and IPv4Mall. Thank you very much for your support of the ARIN meeting.
And with that, we ran our newcomer orientation session last week. For folks that attended, they were given a brief survey at the end to tell us how we did, and from those surveys we drew a winner. That winner needs to be online to win. Beverly, do we have a winner? Waiting for Beverly’s mic.
Beverly Hicks: We do. Give me just a second. I’m so sorry. In fact, if you want to go forward a second I’ll come back to it. I apologize.
Hollis Kara: That’s okay. Takes us a second. We have to verify that folks are online so we have to scan the list so we’re looking.
Let’s talk about emergency evacuations. This is probably the easiest emergency evacuation situation we’ve had at an event. There’s a door across the hall, go that way, and there’s the Caterpillar building just across the driveway is the rally point.
In the event that something happens, please proceed in an orderly fashion, assist a friend if they need assistance and hang out over there so we can make sure everybody’s okay. Done with the rules.
Beverly Hicks: I have your winner if you like. We have a winner. It is one of our virtual attendees, Mr. William Sun. Congratulations.
Hollis Kara: Thank you, William Sun. William Sun gets a $100 Visa gift card. We’ll be sending it out to you and thank you very much for participating in ARIN 49 and our newcomer orientation.
Real fast, let’s do a run through the agenda. When I’m finished talking, I’m going to invite our CEO and then our Chair up to the stage to give a brief welcome. We’ll move into the presentation portion of the day with the NANOG update, Policy Implementation and Experience Report. A bunch of other stuff I’m not going to read you the slide because that seems a little bit weird. Then we’ll take a break. That will be nice. There will be stuff.
When we come back from break, we’ll have our policy discussion block. We’ll be doing four policy discussions today. Two of those, you’ll notice, are RDPs, which means we’ll be doing a show of hands to verify, get consensus on how people feel about moving forward with those.
Then we’ll take lunch. After lunch, we’ll come back and have a few more updates – Government Affairs, regional policy, some IPv4 stuff and then ARIN services update.
And then we’ll get another break because we like breaks. And then we’ll come back and finish up the day with an Operations report, some updates from the NRO and the ASO – and I’ll let them explain what those letters mean – a global status report on stats for Internet numbers and Open Microphone.
And then we’ll all go – I got ahead of myself. While we’re at lunch, we will be offering Virtual Table Topics today. Please, virtual attendees, this is something we’ve gone out of our way to set up. This is a popular event at our ARIN meeting in person where we have tables at lunch where you can go and talk about topics with different members of the Advisory Council and staff. We’re bringing those to you virtual today, and those links are either in the event hub or in your email this morning, so please take advantage of attending a table on one of these great topics. We want to hear from you.
And then, yes, what I was going to say is after we wrap the day, we’ll go get ready to head over to the Country Music Hall of Fame, for those of us who are here in Nashville. We’re really excited to have a social event at this meeting. We’ll have buses departing from out the front 6:45, 7:00 and 7:15, and buses starting back at 8:30 on the half hour. And we’re looking forward to a great night over at the Country Music Hall of Fame.
And with that, if I haven’t bored you to sleep yet, I’m going to invite John Curran up to give you a few words of welcome.
Welcome from ARIN President & CEO
John Curran: Thank you.
Thank you, Hollis. Good morning, everyone. For those who don’t know me, I’m John Curran, I’m the President and CEO of ARIN, the American Registry for Internet Numbers. Very happy to welcome you back to our meetings.
We did have one before this, so this isn’t our first meeting gathered together post COVID, but it’s – we’re getting the hang of it in terms of getting everyone together and doing a hybrid format. It’s a little different than before. You’ll see less of us up here at a head table, and you’ll see Hollis doing quite a bit of the introductions.
But we’re all here. If you have any questions for us, as she said, feel free to find a member of the Board or the AC. We’re all readily identifiable.
I think it’s great that everyone’s coming back and we have a record attendance. I think that’s really what we need to see. We have actually a great meeting this week. And we have policies that are up, including Recommended Draft Policies, so we could be changing the Number Policy Manual after this meeting.
We have a number of great presentations about what ARIN has been doing in terms of services and rollout. So I think it’s going to be exciting. We’ll have a lot of good talks.
I would say, in terms of a location, Nashville is probably one of my favorite places, so really can’t go wrong there. I hope you all enjoy the week. If anything, if you have any suggestions on how we can improve things, feel free to hunt us down – myself, Hollis, John Sweeting, any of the staff. We’re happy to hear suggestions because we are trying to adapt. We’re not going to go back to the old completely online and a few remote attendees out there in cyberspace. It’s going to be hybrid. And we’re trying to do everything for you in the room and for you remotely.
To that end, I’m going to remind everyone, something I have a problem with, speak slowly and clearly. I tend to speak fast, Boston-style, a little too quick. But back there, we have some able transcriptionists who are busy keeping up. But it helps if you’re clear and fairly slow when you’re speaking.
So with that, I’m actually going to end my remarks and turn it over to our illustrious Chair, Bill Sandiford. Bill, take it away.
Welcome from ARIN’s Board of Trustees Chair
Bill Sandiford: Good morning, everyone. You know, as John mentioned, it’s not our first meeting back, post pandemic, but it sort of feels like it. Certainly it’s great to see lots of people back, both staff, other RIR volunteers, community members, Board members, other volunteers. So, welcome to Nashville.
The ARIN team, including the staff and the volunteers, have put together a fantastic program conference for everybody over the next two and a half days. A little bit of everything in there, including we have four policies on the agenda today, three tomorrow. Lots of informational reports about the organization, the different departments, other RIRs, et cetera, all jammed in with a little bit of fun and excitement tonight at the Country Music Hall of Fame.
So once again, on behalf of myself and the Board, welcome to everybody. There’s not much left to say because Hollis has done such a great job in the opening introduction. So let’s get on with it, Hollis.
Hollis Kara: Thank you John and Bill. Glad to have everybody here. And I’m happy to welcome our first speaker, who is not one of us, to the stage.
Edward McNair, the executive director from the North American Network Operators Group, is going to give us a brief update at what’s been happening at NANOG, in case you haven’t been paying attention.
Edward McNair: Good morning, everyone. Thank you for the opportunity to get a chance to speak in front of you all. The relationship between NANOG and ARIN is one that is very special to our organization, and hopefully it’s reciprocal.
I’m going to take a few minutes and give you an update on what’s happened with NANOG over the past few years, especially in light of the pandemic. I think all of us found ourselves in a very awkward role when this pandemic happened. For NANOG we had to ask ourselves a series of questions: How do we keep our community safe during a pandemic?
We are a community based organization. How do we maintain relevance during a time when we can’t meet face to face? Especially for NANOG, we were centered around delivering three conferences a year, and how do you adapt when these things take place?
Can we manage financially? For ourselves, as an organization, our economic model was based upon sponsorships of conferences, and when you can’t have live conferences, how does that translate into another space?
And then the final question is how long will this pandemic last? I’m sure for all of us, it lasted far longer than we anticipated and the effects of it are still lingering.
So we found ourselves scrambling, like all other organizations, to kind of meet the challenges that the pandemic had put in front of us. Due to the uncertainty, it took us a few weeks to figure out what to do next.
For NANOG, this pandemic happened, I think it was about two, two and a half months before our conference was supposed to take place in June. We still weren’t sure what to do, what was going to happen. So it took a while to kind of get our bearings. And once we figured out that we couldn’t possibly have a physical event, then we had to shift to doing an online virtual event.
Now, for us, it took us from the time that the Board was able to make the decision, we had to implement in six weeks doing a virtual event. Huge challenge. And thankfully we had a development, a platform sponsor, who was able to make the transition for us. So we were able to deliver our first virtual event.
However, what happened was, in coming to our next event, we found ourselves in a point of conflict. They could not service the meeting time due to the demands that was put upon themselves. So for that, it forced us into the position where we had to actually develop our own platform. So within the span of three months, we took on the daunting task of building our own platform.
So, what did that kind of look like? So we have a platform, we have the ability to stream video from any platform we need, flexible display options, Zoom integration, real time chat, built in Q&A, online help, virtual booths for our sponsors. Again, our revenue source was sponsorships; we had to find a way to incorporate that. And also real time polling through third party support.
So as the pandemic went deeper, we found ourselves with a situation where still we weren’t meeting. So how do we kind of make the best of leveraging that time? So what we did is we dug more into development.
So we built our own event platform, management platform that allowed us to be able to manage the various events that we do, but we also have support for third parties for other industry events to leverage those platforms as well.
And then we were planning to go directly into building a meeting appointment tool, but without meeting face to face, what was the point of having a meeting appointment tool? So then we took on the daunting task, led by Dé Harvey and her team, of actually building a new registration system.
We always had challenges with Cvent, and so their team, working with our developer, were able to take and replicate a system – I wouldn’t say replicate, create a system that was best suited for us, for NANOG, our organization, which meant that our data, our community’s data, was kept in house and not shared beyond that.
And I’m here to say that we have a great registration system. And it’s smoothed out bugs, works in real time, integrated into our website. It was a huge win for our organization.
We’re also now offering 360 livestreams of our events. So there’s a 360 view camera where you can get in. It hovers right above the floor of the stage and the audience. If you’re watching remotely, it allows you to actually pivot around, see the room in real time, give you an experience like you’re actually at the conference.
We also are now currently – as I mentioned before, we pushed it off as a result of COVID, but we’re now building our own meeting appointment tool. So we’re doing all that we can to make the experience as best we can for our community.
We’re also going to be exploring making these tools available for other NOGs so they can leverage our tools, the work that we’ve done, so we can help improve offerings of our community as well – actually the broader community as well.
In the online space, content is king. And so for NANOG and fortunately for us, we’ve had this history of videos that we’ve done throughout the years of our conferences. So we’ve taken and kind of brought in the best of those, and we’ve rolled them into what’s called NANOG TV. It’s on our website. It hosts and features different videos, different things that we have that over the course of history, content that we can share with our community and others. Right now NANOG has had like 2.6 million views of our video content online. So it’s a huge resource for our organization.
We now do monthly webinars when we can, focusing on particular topics of interest to students and those who are new to the industry. We’ve increased community engagement by developing meaningful newsletters, blogs and interactive polls and other engaging social media experiences. We’ve also released an Internet innovator series. And that series focuses on people within the Internet space who have made major contributions to the Internet as we know it.
It became clear to us, there’s a new generation of people coming in who don’t have the understanding of some of the great minds that have helped build the Internet that we have and that we take advantage of today.
So we featured Vint Cerf. And we’ve featured out – I keep thinking what’s coming up next – Radia Perlman, whose interview is going to be releasing soon. If you go to our website, you’ll find there are several ones that we have done. We’ve got others in the hopper being developed today.
So in broadening our scope as an organization, in addition to the long standing partnership that we have with ARIN, we’ve also stepped in and we have partnerships with ISOC and ICANN as well. We have monthly meetings where we talk about how we can collaborate within North America to help better the experience of the people within our community.
We are committed to providing structural education. NANOG has always done education, but it’s been the form of speakers coming up and sharing with our community the latest trends within the industry. Now we’re specifically working on structured courses to be able to help build the next generation of network professionals.
We’re developing mentorship programs. We’re also reinventing our hack-a-thon so that it’s more relevant for the needs of a modern community.
And we’ve also recently provided ombuds support for our events. NANOG is dedicated to creating an environment of diversity and inclusion. And we have a code of conduct that says that but the ombuds is part of the process to ensure that anyone who attends a NANOG meeting feels safe, secure and welcome.
So in closing up, I’d like to talk about some of the lessons learned that we experienced as a result of this pandemic.
One, from the terms of sponsors, it became very clear to us that they’re very much interested in return on investment. They come to NANOG meetings because it’s a great place for them to be able to interact and find people like minded that they can do business with.
Being small is an advantage. It meant that we were able to make and change course relatively quickly.
Also being small is a disadvantage. It means that we have limited resources and we have to prioritize how we’re going to use those resources.
And we need to explore new forms of revenue. As an organization, we’ve got to make sure that we can stay healthy. Fortunately, for us, in this pandemic, previous board members had assured that NANOG had a reserve fund so we had money to weather the storm. But we need to make sure as a result of that we don’t find ourselves in a similar situation in the future. The world has changed since COVID and it will never be the same as a result of it.
So, in closing and looking forward, the plan that has got us to this point won’t necessarily be the plan that takes us forward. We need to be always willing to evaluate our processes and procedures and ensure that they make sense today.
Change is an essential part of anything that is living. If it’s not changing, it’s dead. And then change is very difficult. It’s uncomfortable, painful.
And finally, we have to ask ourselves: If we were going to build our organization today in this timeframe, in the world that we live in, would that organization be the same as we have right now? And how do we look at it, what would it look like to create an organization that’s going to fit right now in 2022?
With that, thank you.
Hollis Kara: Thank you, Edward. All right. So for our next speaker, I’d like to welcome John Sweeting to the stage. He’s ARIN’s Chief Customer Officer and he’s going to go over the Policy Implementation and Experience Report.
Policy Implementation and Experience Report
John Sweeting: Good morning, everyone. It is great to see so many smiling faces out there. Everybody enjoying themselves, having a great time. Shout out to Cathy Clements, long time ARIN employee. If you get a chance to, if you see her out in the hallway or lunch or anything, thank her for her years and years of service to this community. For those who don’t know, Cathy recently retired. I just wanted to do that right up front.
Okay. This is the Policy Implementation and Experience Report. I’m not going to really talk about a current policy, but I’m going to give you a look at a process that we have within ARIN that we use for eligibility criteria for IPv4 address space issued via the ARIN Waiting List policy.
This process supports the Waiting List policy. And it’s what we – it’s how we make sure that the address blocks we’re going to give back out to the Waiting List are ready to be given back out to the Waiting List and be used on the Internet again.
So we have this list of criteria for Waiting List re-issuance. We really use a lot of common sense in this process, looking at these addresses.
If they’ve been returned, we ensure they’ve been returned in accordance with the RSA, which means for IPv4, that we have a document, an acknowledgment from an officer of that organization saying, yes, I really want to return these resources to the community, to ARIN for the community.
Of course, everyone knows the reason we do that. IPv4 is very very – is worth a lot now. We don’t want a disgruntled employee, as they’re leaving the company, and they happen to have admin rights, saying “Here, ARIN, take all this space back. We don’t need it anymore.” We want to avoid any of those pitfalls.
If they haven’t been returned, the other way, and really the way we get most of the space back for the Waiting List today, is through people that just don’t need it anymore and they just don’t pay their bill. So we revoke them in accordance with the Registration Services Agreement, which includes a registered letter to the organization/last known postal address and we do a lot more than that. I have people on my team in the CCO Office that do searches, they do everything they can to talk to a live person at these companies and try to get the bill paid. Obviously, it doesn’t always work because we get address space returned every month – revoked every month, excuse me. Not returned, revoked.
The biggest thing we get back through revocation really is ASN numbers, but we do get a little bit of IPv4 each month and some IPv6. I guess the good news or bad news with that is that currently is the only space, we have cleaned up and redistributed almost every other bit of IPv4 we could find in the back of the warehouse. And the only space we’re now giving out each quarter for the Waiting List is that space which has been returned or revoked. And of course it has to be more than one year since the date of the return or revocation.
So anything that got revoked, like, this month, it would be a year before we – actually it would be six months, because it takes us six months to actually complete the revocation after the bill isn’t paid.
And we do also do checks. We look and see, is this space being used on the Internet today? Is there somebody out there that if we actually give this out to somebody else, there’s going to be collisions over that and people are going to lose their data. And we mainly try to make sure we don’t harm any third parties that have no idea that maybe their ISP stopped paying for this space and they’re out there using it. And all of a sudden somebody else is telling them, hey, you’ve got to stop using this; it’s our space. We just got this issued from ARIN. So we do a lot of due diligence before we give any space back out.
So the question we would like to pose to the community is: Should this criteria be an Internet Number Resource policy anywhere, or should it just be left to ARIN’s discretion and the process that we currently have?
So think about that. Find an AC member, an Advisory Council member, and let them know your opinion, or myself or Mr. Curran or anyone else on staff.
Okay. That’s it for the Policy Experience Report, really. But there’s been some activities, some questions on the PPML as well as NANOG talking about legacy, LRSA, who is under LRSA, who’s under RSA. So we’ll share a few statistics here this morning.
The first one we’re going to share is Registration Services Agreement coverage over time, which you see we’re almost up to 65 percent of our space is covered under a Registration Services Agreement or a Legacy Registration Agreement. That means a little over 1 billion IPs are covered and a little bit over 600 million are not covered.
I had a conversation last night with the Registration Services Coordination Group, and we were talking about this. And I said, yeah, we have about 800 million that are under agreement and about 800 million that aren’t under agreement. And I had forgotten that over the last five years we’ve turned that around and we’re making a lot of headway.
Here’s the – for Legacy Registration Services Agreement adoption, as you can see, starting in 2016, it started going up. It’s been pretty steady since then, all the way up until the first quarter of this year, where it kind of exploded. There’s a few factors on that.
One is, of course, the transfer market. A lot of space, if it’s a legacy space that gets transferred, it has to come within ARIN. It has to come under a Registration Services Agreement.
Some of it has to go under a Legacy Service Agreement before it can be transferred because it has to be recovered by the organization that has the legal successor to the organization that received it.
And the other thing that’s really pushing this is the routing security. The new IRR, RPKI and DNSSEC, those three services can only be used by people that are under a Registration Services Agreement with ARIN. That’s really pushed it.
That first quarter of 2022, I contribute that doubling mostly to the authenticated IRR and the fact that we were shutting down the nonauthorized IRR on April 4th. We had a lot of activity. We continue to have a lot of activity, so we expect this to actually continue with that kind of growth.
And the last thing I want to share is today we have 17,216 Org IDs that hold a total of 23,116 legacy IPv4 blocks. That is the breakdown. Now, some of those Org IDs hold only legacy space. Some of them legacy space and space that’s under an RSA. None of this is the legacy that our Org IDs with a dash Z extension on it that indicates they’re under a Legacy Resource Agreement. This is pure legacy blocks not under an agreement.
Alright, that’s all I have right now. Are there any questions?
Hollis Kara: If you have questions, please approach the floor mics. We’ll also be taking questions from our virtual attendees, if we have any come in. For right now, I see that we have our first person on the floor, so going over to you.
Kevin Blumberg: Kevin Blumberg, The Wire. ARIN turned off their NONAUTH database on April 4th. In regards to the legacy data, those that are not under an RSA or an LRSA that are actively routed today are a problem far more than those that just have a legacy entry that is doing nothing.
So with this data, I think now, especially with RPKI and with ARIN AUTH, that you separate out the data between legacy blocks that are not being utilized on the Internet. It’s internal but having an IRR entry and an RPKI entry for an internal record is, I think, not relevant to the community overall. But what is relevant is how many of these Orgs are unable to actually deal with security moving forward.
So I think there’s obviously a lot of work that goes into that, but it is critical to understand which organizations – and maybe reach out to these organizations because it’s a long tail, as you saw with the ARIN NONAUTH, it’s a long tail to get in front of the right person with that. Thank you.
John Sweeting: I’ll have John answer that, but real quickly I want to let you know that we’re doing an extreme amount of outreach, especially with the research and education communities. And there’s a huge push right now to get a lot of this space under an LRSA. And we’re doing a lot of things to accommodate that. But, John, go ahead.
John Curran: Two questions, Kevin. First one I’m asking you. First is information, second one is policy.
For information, you want ARIN to produce additional information showing which of these blocks are in the routing table. If you go back to the coverage percentage chart, you want to know how much of that 37 percent – 35 percent, it’s dropping – how much that 35 percent is being routed?
Kevin Blumberg: Correct.
John Curran: So we can try to figure out how to present that. We haven’t worked on that. We don’t, by default – when we do a lot of things when we’re handling individual blocks and look at its pedigree and history and routing, we don’t systematically spend a lot of time looking at customers’ routing; it’s up to them whether they feel like routing their block, not routing their block, registering it. Some customers have address space that they never route.
So we don’t pay a lot of attention to that by default. But if you want us to add additional information, we’re happy to go out, pull the actual blocks, figure out where they’re routed and try to give you a breakdown.
The second question is, for the blocks that are being routed, you’re suggesting ARIN take an action, we do something?
Kevin Blumberg: I’m suggesting that additional outreach over time to those blocks is appropriate because the one thing – I did a lot of work in trying to reach out to Canadian organizations that were going to be impacted – the one consistent message was, we had no idea. And that was consistent across for the ARIN NONAUTH.
There’s something that’s disconnected with these organizations in terms of their understanding of what’s going on today. They just don’t know.
So, yes, at some point this is going to continually impact either them or us. So something being done in that regard would be appropriate.
John Curran: Let me keep going because I want to understand. For those customers, we can build a list of blocks that are being routed and our legacy not under agreement are being routed, don’t have the IRR services. Happy to build that.
So our contact information is no better than what’s in Whois. That’s what we’ve got. But these folks who are being routed have an ISP who actually in theory have a relation with them.
I’m not sure ARIN’s better suited to reach out to them than those ISPs are reaching out to their customers who actually have a relationship with each customer.
Are you really suggesting that ARIN do that or that the ISPs serving those unrouted blocks or those nonregistered blocks do it?
Kevin Blumberg: Having just done that, all of the above.
John Curran: All of the above.
Kevin Blumberg: I think the key point, John, is everybody drops the ball and says it’s not my responsibility, pass it on to the next person.
John Curran: Right.
Kevin Blumberg: So reach out through, not – reach out through ARIN’s Whois database? Wonderful. Reach out through public contacts for organizations that are relevant, that are being kept up because maybe this legacy information from 15 years ago isn’t.
So use LinkedIn, Twitter, whatever, company websites for trying to find that. That is work that needs to be done. Pass these to their upstream ISPs. Say, hey, here are the blocks. Everybody needs to be involved in this and it is a long process. But what happens when the next policy cycle comes down three, five years from now, and NONAUTH IRR isn’t acceptable anymore at all. They’re really stuck. And, again, it takes time to pivot.
I think the main thing I’ve seen is take responsibility because others are not. Everybody is dropping the ball on this.
John Curran: We’ve already done the reach out for everyone in that block. But we can do it again. Regarding the ISP half of what you’re suggesting, do you believe that’s an ISP responsibility? Is that something you want in policy?
Kevin Blumberg: No, this is not about policy. This is just about –
John Curran: I guess the question is you want the ISPs in the room to do it. And we don’t have any way of telling people they have to do it unless it’s something that’s conditioned in a policy.
John Sweeting: John, let me add something here. We actually are in contact with more than half of those people that are routing that are using these numbers. Probably everybody in this room knows the biggest one, and then with that biggest ISP and the research and education, we are working with more than half – I’d say probably 20 percent of that 35 percent today, we’re working with them to overcome supposed legal issues that they might have because of who they are and what they are and a lot of other things.
So we are doing all that. I don’t want anybody to walk away thinking we’re just saying, this is on them. We are doing that. We’re doing it every day.
John Curran: Right. My question is on the ISP side, you’re speaking to us and you’re saying ARIN should do something to help the ISPs. I want to know what you want. Because if you’re really telling the room they need to do something, that’s different than saying you want ARIN to drive that and cause the ISPs to do that.
Kevin Blumberg: I receive a daily email from the government of Canada showing all of the mistakes from a security perspective in my network. I didn’t ask for it. They feel and they are obligated, they feel obligated to send it to me.
John Curran: Okay.
Kevin Blumberg: I appreciate that being sent to me as a net block user.
John Curran: Post that as a suggestion for what you want ARIN to do, so it’s concrete.
Kevin Blumberg: That’s a minor aspect. I’m saying, John, it’s wonderful you’re reaching out to them in all these ways. If you can show us how that is improving over time or how we can help over time as well, from an outreach perspective, that would be very beneficial. It is a group problem.
John Curran: Where did my slide go? Bring my slide back. That’s how it’s improving over time. We’re making an impact. I want to be clear to the extent that you’re suggesting stuff for ARIN, I want a suggestion or I want a Policy Proposal because I want to make sure we hit your target. A lot of your target, though, is talking about what ISPs need to do.
So you’re really talking to me in the room almost like you have to turn around and say, hey, you guys I need you to do this.
Kevin Blumberg: Absolutely. And just to close it out. The reason I asked for the separation of data is it shows a 1 percent improvement in the last while. But I don’t know if that 1 percent is 25 percent of the routed blocks or if it’s 1 percent of the routed blocks and we’re doing a really poor job. That’s why I asked for the separation.
John Curran: One more question. So the moment ISPs start saying, you need to be an IRR in order to be routed, this number will drop very rapidly. Is that something you’re suggesting ISPs do or not?
Kevin Blumberg: That has nothing to do with this discussion. That’s a separate aspect. There is a lot of work that other organizations are doing in terms of routing policy when it comes to security. But that is a down the road discussion. I think we’re far off from that.
John Curran: I’m not sure I understand. I guess my question is, the new ISPs decide the conditions of the blocks you’re willing to route. Are you suggesting that people don’t block, don’t route blocks that aren’t under agreement under IRR? What are you suggesting in that regard?
Kevin Blumberg: If an organization does not have their blocks registered in IRR, many, many organizations, the MANRS program as an example, will not route their blocks.
John Curran: Okay.
Kevin Blumberg: That has nothing to do with policy. That just has to do with practice on the Internet today.
John Curran: Right. I’m saying – and there are organizations that you can – that will, like, for example, ISOC has a MANRS initiative. That’s presently not a criteria in MANRS. It could be. But that’s not an ARIN role.
Kevin Blumberg: No, correct.
John Curran: Okay. Thanks. Next.
Mike Burns: Mike Burns from IPTrading. I have a quick question related to the number of addresses that are revoked each month and how that relates to the Waiting List.
As brokers, we have inquiries from potential buyers of addresses, and we need to tell them whether it makes sense for them to go on the Waiting List or not.
And to do that accurately, we need to have some idea as to how many requests are going to be fulfilled by the Waiting List, whether they’re going to make it through one cycle or two cycles. And that’s all based upon the number of returned or revoked addresses.
Can you quantify those a little bit?
John Curran: I can take that one. Okay. So we actually got a couple of feedback last six months that said, the issuance of blocks, we tell people we issue from the Wait List, but we don’t actually tell them which blocks and how many. And it’s also for people who have, like, spam filters and block lists. They don’t know the block’s been reissued for reputation cleanup. They can hear about it one by one.
Actually, in the last issuance we did two weeks ago, we now publish all the blocks that are being issued. We try to do it in a useful format. We publish the blocks that were reclaimed that got broken up and used to reissue because the reissuance is 22s, 23s and 24s, the blocks that might come in might be a 20, might be a 16.
And so we published a list of the blocks that have been used to do all of the Wait List issuances, and that’s now on the website.
Now the problem is that this is a little like a stock market. Past performance is not an indicator of future performance.
I will say if you look at the past allocations, which are now out there, you can go look at them, that’s the current trend. I expect the current trend to continue for two more years.
Mike Burns: Really?
John Curran: Maybe three. Maybe.
This is somewhat uncertain. It really – there’s a little bit of guess and windage here. We do have blocks internally we spend a long time cleaning up that get added. We have blocks being revoked because of nonpayment, for example.
But the amount of space available for us to recover practically is dropping slowly over time, as is the blocks coming back through nonpayment. People are becoming more aware of how important that is.
So we probably are going to see Wait List issuances comparable to what we’ve done every quarter for the next two years, maybe three. Not beyond.
Is that advice for someone who wants to get on the Wait List? I don’t know. Someone who can wait two years to get their block may not need a block as desperately as one might imagine.
As for the market side and the costs and where that’s going, I would ask you that the other way.
Mike Burns: I understand that. It’s a little hard for us to make those predictions as well. But I will say it would help us if we had more visibility into your quarantine process to know where things are in that process so that we can look and see, as their process exhausts, that they’re getting closer to being on the market.
And there are other registries that do that. They list blocks that are revoked that are in recovery process, things like that.
John Curran: We thought about actually publishing the same list that we do – here’s these eight blocks; they were broken up into 44 Wait List allocations.
And someone said if you can give me that six months in advance I can take it out of the block list, I can put it in the bogons and so on and so forth.
I said, yeah, but the moment we publish that, that’s an announcement of where to squat address space.
Mike Burns: It’s also an announcement to the brokers to where to recover the address space. In other words, you send a letter to these people and you make efforts when they don’t pay their bill, but does the letter say your addresses are worth more than your ARIN bill, which is usually the case?
John Curran: We have not gotten into that with the letters we send. ARIN tries to – we facilitate the market you operate in. But we actually try to participate and keep track of prices.
The challenge, I guess, is that if we publish inside the blocks that were inside, cleaning up, we’re very concerned that people will squat on them. And then the reputation of them issued in the Wait List would be ruined.
Mike Burns: What if you don’t number the blocks, but give us the sizes.
John Curran: Hmm?
Mike Burns: Give us the sizes of the blocks that are in the quarantine process, not necessarily the block numbers.
John Curran: Happy to do that one. Can you put that in the Suggestions so we don’t lose it?
Mike Burns: Yes.
John Sweeting: A real quick addition to that, Mike. The Wait List is – the last one we just did, is that’s what it’s going to be, 40 to 50 organizations getting filled.
There may be, down the road, as John said, we have a few bigger blocks. But we’re going to end up with over 500, 600 people on the Wait List for the next one, and we’re only going to take 50 off of that. So then it will go up to 800. It will be very soon impractical to use the Wait List.
But I encourage people, if they can’t go out on the transfer market to get what they need, then they should probably get on the Wait List. If they need to get that space, then they’ll come off the Wait List.
Mike Burns: A related question – Mike Burns of IPTrading – are the Micfo blocks in the quarantine process?
John Sweeting: Mr. Curran will answer that.
John Curran: (Indiscernible) is fine as well, unfortunately.
So let’s try to describe this. At the point in time when we entered into arbitration with Micfo, as a result of that process, a significant amount of space came back and has actually been in the Wait List process, has been cleaned up and has been reissued.
However, there’s a significant number, about – I don’t know in terms of percent, I’m going to say the other half – which they retained and then the criminal action proceeded.
The criminal action has since concluded. The gentleman, Amir Golestan, pleaded guilty to the counts, at which point, because he pleaded guilty, the RSA allowed us to take that and engage in revocation because of violations, which we did.
But it’s a complicated situation, because when you have a crime, criminal act, the US government has forfeiture requirements, and that’s actually underway as well. It’s quite possible that that will end up being something that doesn’t actually, in the end, come back to ARIN and go to the Wait List. It will be forfeitured. It will end up being something that the DOJ deals with just like any (indiscernible) forfeited property. It will be – it will go into the market for brokers.
Mike Burns: Auctioned.
John Curran: So, yes, half of it has already been reclaimed and recovered. The other half, what they were holding at the time of the criminal charge, is now going through a process.
Mike Burns: Okay.
John Curran: Helpful?
John Sweeting: And that space was a little bit over a 14 equivalent.
Hollis Kara: Before you step away, John, looks like we have a couple of questions that are coming in the virtual queue.
Beverly, go ahead with the first.
Beverly Hicks: Tom Bonar from TDS Telecom: I read a couple of whitepages from the IETF on the changing the unicast to a /16. Does ARIN know if this is actually going to be occurring to help give back some of the IPv space that could be used?
John Sweeting: No, ARIN has no idea what’s going to happen with that. It’s totally out of our purview. If it happens, we’d expect we’d get some of that space, and it would probably be used on the Wait List. But it would actually be up to the community to come up with a policy to deal with that.
Beverly Hicks: I have a second question, but it doesn’t have a name and affiliation with it. If the person that typed that question could add that in, we can come back to it.
But the question is: What is the percentage of address space that’s reclaimed through audit verification of usage?
John Sweeting: It’s very rare. We do have our Section 12 out of the Number Resource Policy Manual that we do use. If we get what we end up confirming is a hijacking or a fraud case, we go through the Section 12 and we have recovered space through the Section 12 audits. It’s not a lot. It’s not enough to change the Wait List distribution very much at all.
Beverly Hicks: Thank you.
John Sweeting: Sounds like that’s it. I’ll turn it over to Hollis.
Hollis Kara: Thank you, John. Next up, I’ll invite Leif Sawyer, chair of the Advisory Council, to the stage to give the presentation on the Advisory Council Docket. Come on up.
Advisory Council Docket Report
Leif Sawyer: Thank you. Good morning, everyone. It’s been a really interesting couple of years here. We thought that when COVID hit we wouldn’t have a lot of work to do. Things would kind of slow down. But it really hasn’t slowed down. We’ve had a lot of policy work over the last couple of years.
So some of the things that we’ve worked on and sent to the Board of Trustees here are shown on this slide. And just as a reminder, you can always go on to the ARIN website to look up any of the policies that have gone through to see any of the notes, any of the actions that have been taken.
We’ve received a bunch of policies since ARIN 48, one currently advanced to draft and three of them currently under Shepherd Review. Those will be worked on. We probably won’t be talking about anything until October. But you’re welcome to keep track of those online.
For discussions over this next couple of days, we have two Recommended Draft Policies, 2021-3 and 2021-4, exciting policies – I invite all of you to stand up at the microphones and give us your feedback for them – five draft policies, one really bog standard boring policy, 2020-6. I think that’s just going to be a quick one. And the rest of them, again, exciting stuff for everybody to talk about.
And that’s really all we’ve done. Not a whole lot. But I encourage all of you, if you have any ideas out there for more policies, to keep our shepherds working hard to submit them, and – or bring them up to the microphone so we can start talking about them.
Any other questions or comments?
Hollis Kara: Give it just a few moments to see if we get any questions in the virtual queue. In the room, if anyone has a question, please feel free to approach the microphone.
Go ahead, Sean.
Sean Hopkins: Hi. Sean Hopkins, Senior Policy Analyst. I’d like to advocate for the AC here.
This is not all they’ve done. This is the docket overview which is an introduction to the policy discussions of the day and tomorrow. On day three, there will be a presentation on the vast amount of work that the AC has done since the last meeting. Thank you.
Leif Sawyer: Yes, thank you, Sean. I was being very flippant when I said that’s all the shepherds have done. We have a tremendous amount of work done by the working groups, as Sean so rightly points out.
Hollis Kara: Thank you, Sean. Thank you, Leif. Doesn’t look like we have any questions in virtual. So I think we’re all set.
Leif Sawyer: All right. Thank you.
Hollis Kara: Thanks, Leif.
Okay, moving on. Next we’ll move over to a presentation from our External Relations Manager, Jennifer Bly, on our grant program. Jennifer was not able to travel to be with us here in Nashville. We have a short video. Give us a second. We’ll get that rolling.
ARIN Community Grant Program Update
Jennifer Bly: Hi, everyone. I’m excited to chat with you today about the ARIN Community Grant Program. Let’s get started with our slides.
The ARIN Community Grant Program is an initiative that was launched in 2019. It’s now in its fourth year running, and it’s designed to provide operational and research grants in support of initiatives that improve the overall Internet industry and Internet user environment. It enables projects that benefit the Internet community in the ARIN region.
And the good news is the application period is open right now. So there are several types of operational or research projects that we’re looking for: Projects must be non-commercial in nature; broadly benefit the Internet community within the ARIN region.
And to be eligible for a grant, projects must align with ARIN’s mission and fit into one or more of the following four broad categories. And those include:
Internet technical improvements that promote and facilitate the expansion, development and growth of Internet infrastructure, consistent with the public interest; registry processes and technology improvements that help maintain a globally consistent and highly usable Internet number registry system; informational outreach that advances the Internet by covering topics such as IPv6 deployment and Internet governance, and then research related to ARIN’s mission and operations.
And then since the program launched, we have funded 15 projects over the course of three years. And then in the first two years of the program, among completed projects, grant recipients estimated they’ve collectively reached more than 46,500 individuals, as reported in their final project reports.
In 2021, we funded three projects which are currently in progress. They included: Raising Awareness on Digital Standards for ARIN Region Countries; IPv6 Integrated Database, Phase Two; Virtual School of Internet Governance, Phase Two.
And these projects are all off to a great start according to their update reports which were just completed the end of last month. And their final reports are due the end of September. And we invite recipients to share results with the community in the blog and at the next ARIN meeting.
If you would like to dig into some of the project reports, you’ll get a better sense of the projects that we’re able to achieve that. For example, a few project outcomes included: produced a software package that can connect RRDP servers and connect RPKI projects. And an unanticipated effect was discovering security issues in other RPKI validators, defined a multipart heuristic for matching entities between ARIN and NIST datasets, which is a critical milestone for moving forward with defining leading indicators for enterprise IPv6 adoption.
Garnered over 500 IPv6 entities over the ARIN region, many different regions and companies; provided a free and professional program that grew and fostered a greater understanding of Internet governance.
Built six new prototype CrypTech reports leaving a more physical secure design and allowing us to design more critical components that both improved the overall performance and, most importantly, the security of devices that use our technology.
Added user-friendly visibility to the results of RPKI origin validation, checking on Orgs existing check my DNS tool. And to read the project reports you can just click through to the ARIN Blog and you’ll find them there.
Now I just want to explain a little bit how the program has evolved since it first began a few years ago. Each year we collect feedback from a variety of sources and then work to approve the program accordingly. This year there’s a new section called Outcomes Impact and Sustainability where we ask how will the results be demonstrated, who are the specific beneficiaries, and how will outcomes be broadly available, sustainable or replicable.
And then we’ll have new fields for bios of senior participants in the project work, and a field for a data management plan if code or data will be generated. And then also new this year, we have the opportunity for you to request that an ARIN staff member reach out to you after submission.
We have one last slide. With all that said, if you know of a project that’s non-commercial in nature and fits the other criteria that I went over earlier, I’d like to invite you to apply for an ARIN Community Grant in 2022. Please let your friends and colleagues know. Any organization that you are aware of that is conducting a project or considering starting one who may want to apply, just let them know. You can send them to arin.net/grants. And the deadline for applications is June 1st. And so we look forward to receiving your application.
Hollis Kara: Thank you, Jennifer. I’m going to take a few moments. Jennifer is live online. I can bring her up if there are any questions. Going to give it a few seconds to see if we have anything from our virtual attendees.
That means for folks in the room, if you have a question, this would be a good time to approach the microphones before we move on to our next presentation.
We’re not seeing anything? Nope. Okay. Thank you, Jennifer, for your time. And we’re going to move right along.
Oops, let me go back. Next up, I’ll introduce two back-to-back presentations by our CTO, Mark Kosters, first on Brute Force Login Attacks and, second will be his Engineering Department report.
Brute Force Login Attacks
Mark Kosters: This is kind of special to me. I don’t think I’ve ever spoken on a Monday morning my entire time here at ARIN. So, I’m kind of nervous.
So usually by Wednesday, usually when I do the department report on Wednesday, I’ve gotten to know you all and everything is super cool. But since I haven’t seen you for two years, hey, I’m Mark. Everything’s cool, right? Good. Good.
So, oh, wait, first thing I want to talk about is our Brute Force Login Attacks that we’ve had. This has gone on for the last two years. Our first go about that you saw on it was perhaps you noticed our login behavior changed.
We aligned ourselves to NIST’s 800-53B guidelines on how they handle multiple logins. Basically, it times out over a period of time.
Oops, I hit the wrong button.
So, what I’d like to do is this is the agenda I’d like to bring up. I like to talk about the effects of the attacks that we’ve seen, the engineering and customer costs that we’ve seen as a result, and finally talk about particular mitigation strategies, one of which – I’m going to give you a hint here – is going to involve you. All right. Good.
So, the problem. Here you can see, if you look at the – the most important one is the blue lines. Usually, we see a number of logins that happen on a day-to-day basis, but this is kind of weird – 65,000 login attempts per minute? Even higher? What? What’s going on here?
You can see this has been going on – this is just one case that we have on our monitoring system that we have dealt with and have been alerted for and actually looked through the logs. This has happened multiple times. And some of the attacks have been fairly long-running attacks that have gone for a day or two at a fairly sustained, high rate. So, let’s go on to the next one.
When we look at the logs, the IP addresses that are sourced that do these attacks are always highly distributed. Say, okay, it’s just a compromised host out there; let’s go ahead and filter it out. These things are so highly distributed, we really can’t filter them out unless we want to turn off the Internet. I don’t think that’s a good idea.
So, you can see that we’ve had almost 23,000 unique IP addresses. And you can see there that it’s fairly distributed in terms of number of times that they were attempted for that particular IP address. We have 16 percent that have gone on only once, 46 percent that have gone less than 10, and 55 percent that went to like 100 times.
The attack came from disparate blocks, both v4 and v6. We actually looked at the origins of the AS’s that sourced these attacks too, to see if there’s any commonality – and there was none.
So, what this has done to us internally is every time this happens, we get alarms. And here’s one particular set of alarms we get where the active database connections – we have a finite number that goes to our database on the backside – and you can see that it just – it basically will get alerted.
The database doesn’t fall over. Nothing happens in that regard. But we get alerted that, hey, there’s a high number of database connections going on here. You can see it also affects our CPU usage as well.
You can say, yeah, I can understand that, and this is kind of common sense. But it does cause some pain. And to even go a little bit further, the amount of logs that we see that were logged in is just gigantic. And we use Java. And this causes a problem with Java in that it’s doing 1.8 gig per hour of logs.
So one of the things we try to do is, hey, all this stuff is actually dockerized. Let’s just put a few more containers out there, make this go and see what happens. And basically, the attackers, what they did, they just increased their throughput, the number of login attempts that they went. So, we actually backed that back down again because it was really doing no good doing that.
Now, what was interesting about this is we have monitoring in place as well that checks in. Okay, what about legitimate logins? And we have a check that happens all the time. And that continues to work.
So, I don’t think any of you are seeing these effects when we have these kinds of attacks. But I want you to know that we’re seeing these kinds of attacks.
In fact, we’re not alone. RIPE has also seen this and it was actually advertised about a year ago on their attack. And one of the things we do is various CTOs, the five regional registries – LACNIC, APNIC, RIPE and AFRINIC – we all sit together, and we say, hey, you know, do you see this?
And aside from this one reported event by RIPE, no one is seeing the numbers that we are seeing. I don’t get it. They should be seeing this too. But we seem to be the only ones that are seeing numbers like this.
What does this mean for us? Each incident has opportunity costs because it either wakes us up, gets us out of bed. We miss dinner, family dinner, that sort of thing. Or it happens during the business hours. And each attack, actually we have to go ahead and say, okay, what’s going on here, what are the effects, where is it coming from? All this takes time, it means a lot of logs we have to pore through, try to analyze patterns, et cetera. And we have to look at reporting.
One of the things that does happen out of this is that we do see potentially compromised accounts. And those accounts are actually sent to RSD. Most of them, rest assured, are web user accounts, they have no resources.
These people have come in, set up their ARIN Online account. But they have no resources associated with them. But each one of them is diligently looked at by John Sweeting’s team. If they see anything that looks nefarious, they go ahead and lock that account. So, we actually have a fairly good, resultant process in place.
So, the things that we’re doing, have done, or will be doing, is we’re going to be caching all usernames to prevent round trips to our database. A lot of the brute force attacks, they don’t know the usernames. They try everything under the sun. And most of them are invalid. We’ll also be looking at the system resources and see if there’s any optimization that we can do, which we’re doing right now.
We have reevaluated our logging and metrics gathering so we can actually do quicker turnaround on each of these attacks. And we’re also presenting CAPTCHAs. You may have seen this, immediately when we’re under attack, especially under sustained attack. This thwarts it from the very beginning. Right now, you’ll have four invalid login attempts and CAPTCHA will come up. Now, if we’re under attack, you’ll be immediately presented by CAPTCHA before you can go on to the next step.
None of these things are really customer impacting. Maybe a little bit of change in behavior for you, but nothing beyond that.
So here’s where things are going to get interesting. And this is where we need your input. So only 3.2 percent of users have two-factor authentication enabled. That’s kind of low, especially on critical Internet resources. I would think this would be a little bit higher than this. But there’s not. And I think we need to do a better job to be the evangelism that needs to happen here.
Maybe we need to have a lower threshold for 2FA. Right now, we have TOTP, and you have your Google Authenticator. Maybe people don’t want to use that. Some people have very strong views against TOTP. They don’t like it. Maybe SMS is good enough. My bank uses SMS. Many places I use SMS as a result. And I know for a security person, that’s not the most elegant solution. It has lots of challenges associated with it. It can be hijacked, but it’s better than nothing. So, this is something that we’re going to be looking to do. Actually, we’re in development for this right now and making this happen.
Now, what’s going to be interesting and for you to start thinking about is there’s going to be an emerging community consultation coming out, and how should we be enforcing this 2FA for all users associated with resources, if you think that’s a good idea or not? And so, this community consultation is going to be coming out. And I encourage you to think about this very hard and what you think the best way that you should safeguard your resources. And we can work on thwarting these attacks.
So that is the end of my first presentation. Any questions? Oh, we’ve got two.
Hollis Kara: Awesome. We’ll start with questions from the floor. I do see we also have one in the virtual queue, but we can go ahead and start with Tina, if you want to go ahead.
Tina Morris: Tina Morris, Amazon, AWS. Two-factor, love it, need it, make all my staff do it. However, there’s no way for me to set up a parent account to force everybody linked to my addresses to do it.
I have to individually go to them and pull it. And every time they reset their password or anything they have to reset and say they want that.
People simply forget. I want to have a master that everybody linked to my addresses has to have that. I want to be able to set that kind of policy on my address space.
Mark Kosters: That’s a great suggestion. Actually, there’s an ACSP that actually mentions that out there right now as something that we need to implement. So, it’s a really great idea. Thank you so much for that, Tina.
Alyssa Quinn: Hi, Mark, Alyssa Quinn, CIRA and ARIN AC. You mentioned there’s no impact on customers when these brute forces are happening. Are customers getting – if it’s my ARIN Online account – am I getting a notification that someone has tried to log in to my account, or I’m not seeing any of that?
Mark Kosters: Most of them are unsuccessful. So, a huge majority.
Alyssa Quinn: But that there’s been an attempt.
Mark Kosters: That’s something I think we need to improve upon, frankly. I think that would be a good idea to put in as an ACSP, for us to actually look forward to implementing. But I think it’s a great idea.
Alyssa Quinn: And to use that as an opportunity to say, hey, you can enable 2FA to prevent this kind of thing in the future, right?
Mark Kosters: Agreed.
Alyssa Quinn: Thank you.
Mark Kosters: Thank you so much.
Hollis Kara: Before we take the next question from the floor, I see we do have one in queue, so let’s pop over there real quick. Beverly, if you want to read that one in.
Beverly Hicks: Steve Wallace would like to reiterate to allow organizations to enforce MFA for their authorized POCs.
Mark Kosters: Excellent. Thank you.
Hollis Kara: Back to the floor.
Leif Sawyer: Leif Sawyer, GCI Communications, Alaska. MFA is great. I’d love to see some hardware keys, U2F.
Mark Kosters: That is another suggestion as well. We’re actually playing with YubiKeys internally within engineering. So, we’re trying to hit the sort of – the easy things first, frankly, trying to – we’re trying to figure out – grappling why is this not taking off as much as it should.
And there’s people – if you read the list, people say TOTP is just not good enough, I need to have my YubiKey. I need to be running my special stuff. And other people say, whoa, that’s way too hard. I don’t want my YubiKey going around with me all over the place. I don’t even carry it with me. I need to attach it every time I log in to ARIN Online. I’m not sure I want to do that.
You have lots of varying degrees of security awareness and concern that’s associated with it. But any of these three things, whether it’s SMS, the OAuth stuff or TOTP, all those things are better than nothing. And I would just like to get the better or nothing going, especially with login and password being sort of – it’s a vector.
Leif Sawyer: Great thing about the hardware key is I can leave it behind in a safe, and if I’m hit by a bus, my backup can grab that right out and they don’t have to have access to my cell phone authenticator.
Mark Kosters: Agreed. Thank you. Thank you.
Hollis Kara: Do we have another question?
Beverly Hicks: We do. They’re having trouble getting it into Q&A, so I’ll read it from the chat. We have James Hulce, who is an ARIN 49 Fellow: Is it possible to add support for web authentication in ARIN Online? Many devices include TPM chips for that, plus a slick UI.
Mark Kosters: Yes, one of the things we’ve been looking at – this kind of goes back to the earlier things – one of the things that we’ve also looked at, okay, how do other people do this in terms of multiple forms of doing authentication?
And actually other places, especially cryptocurrency firms, actually do this. Which authentication method do you want to use? Select one of them and that’s what we’ll do and make it go.
So, these things are definitely things that we have been heavily looked at and anxious to start implementing on. Thank you.
Hollis Kara: Awesome. We’ll come back to the floor.
Kevin Blumberg: Kevin Blumberg, The Wire. A lot of unpacking with what you said. I submitted the original ACSP in 2017 for two-factor authentication. TOTP is already at the lowest common denominator of acceptable authentication for multi-factor. SMS should not even be considered multi-factor authentication today with all of the issues with it.
So, you’re already at the lowest common denominators as far as the industry is concerned. The only way you’re going to get uptake to be higher is not education, it’s enforcement. Turn it on, enforce it. Done.
There are lots of ways to improve it. That was in the original suggestion. The biggest problem that you’re going to have is if you want to do it yourself, you are going to have a hard time doing it. The way other companies do it is they outsource to actual security companies who provide many avenues and ways of dealing with it.
So, yes, if you want to do it yourself, good luck. You are going to be beating your head against a wall for many, many eons coming with a self-provided system. You have to look to the experts when it comes to this if you want to deploy it.
The next thing is you are not alone in terms of attack, brute force attacks. You’re not special. Sorry. But please consider putting in a lightweight proxy authentication that before your heavy applications, your heavy Java all gets hit with crap, you have lightweight systems in front of that that allow you to mitigate all of these attacks before it gets to your actual environment.
Again, this is stuff that is being done very normally now in the industry. There are many companies that do it. And once again, doing it yourself makes it that much harder. And there may be a necessity for that, but in some cases not doing something because you want to do it yourself for necessity is far worse than doing it with somebody else until you can build it yourself. That’s the reality of today.
Mark Kosters: Thank you very much for that, Kevin. I look forward to seeing those comments when consultation comes out.
Hollis Kara: Let’s take one more from virtual, then we’ll come back to the floor. Thank you.
Beverly Hicks: James Paek, also an ARIN 49 Fellow: How can we make sure that MFA is enforced in all organizations and to make available universal in one platform?
Mark Kosters: So I guess one of the things that we need to do is we need to have a consultation, so this is something that the community truly wants. What we’re seeing right now is that the MFA that we currently have right now isn’t as well used as we had hoped.
So maybe people don’t want this. We’re going to put it out there to see if people truly want it, and if so, at what degree. So we’ll see what actually happens out of this consultation. So thank you.
Hollis Kara: Back to the floor.
Kevin Loch: I’m Kevin Loch from QTS Data Centers. I don’t know if you could share with us the brute force attempts for the username, are they attempting a username or an email address style username?
Mark Kosters: Both.
Kevin Loch: They’re just guessing, getting it from another channel.
Mark Kosters: Totally guessing. Most of them are invalid usernames. To go back, so – went too far. Oh, and I turned it off. Isn’t that special? Okay.
One of the things we’re doing is most of them are like total guesses. So, we’re optimizing the database connections and right now caching the valid usernames so that it doesn’t do a database connection to see whether or not it’s there. It’s actually on the application itself.
Second thing that we’re doing is we’re looking at separating the login process from the regular ARIN Online. It’s separate sort of systems put in place.
It still, however, needs to have that database connection. So, you still have that one sort of single point that you have to deal with. But there are ways to mitigate this and stuff that Kevin’s been saying, yes, this stuff that we’re asking.
Kevin Loch: I guess my question was more directed at is there anything that ARIN needs to do to change the style of authentication credentials? For example, if someone is using an email address, that is probably riskier than a password that doesn’t look like your email address.
Mark Kosters: Absolutely. People are at that sort of luxury right now, which is the wonderful thing about web user accounts or ARIN Online accounts, is that those users can actually have something totally different than what their POC handle is or –
Kevin Loch: Right. And should ARIN require that, I guess is where I’m going?
Mark Kosters: We haven’t enforced that. Again, when the consultation comes out, put these really good ideas out there. So, thank you.
Hollis Kara: Wonderful. I have one more question from the virtual queue, if we can go there real quick.
Beverly Hicks: James Paek, ARIN 49 Fellow: Based on the presentation, why do you think people are unwilling to move into MFA and 2FA on their mobile devices or computer? Are there any factors or reasons you’re aware of?
Mark Kosters: None that I know. I personally, when I go do anything that’s sensitive, I insist on having some sort of MFA associated with it. Otherwise, I will not do business with them. So that’s me personally.
Other people have other ideas. I really hope that through this consultation that some of those things, some of that reluctance comes out so that we can actually work with that because we have a solution. Might not be the best, but it is available right now. But people are not taking advantage of it.
Hollis Kara: We’ll come back to the floor. And we’ll be closing the microphones after this question unless anybody hops up and gets in line right now.
Mike Burns: Mike Burns from IPTrading. I want to back up for a second. Seems like you have some question about whether ARIN is actually being targeted based on what the other RIR’s experience has been. And my question is, why are people hacking these passwords? Is it to get access to ARIN Online to do something, or is it just credential gathering?
Mark Kosters: That motivation is not clear to me through the attacks, what they are. You can make guesses. IP addresses can be kind of –
Mike Burns: That’s kind of what I’m getting at. Do we, as a community, need to be aware that this is an attack vector with some kind of purpose behind it?
Mark Kosters: And so that’s why we’re bringing it to y’all’s attention. We’re trying to be transparent about the operations at ARIN and some of the struggles that we’re seeing as a result. And this is one of the struggles, frankly, that we’re seeing.
Mike Burns: Like, why are they doing it?
Mark Kosters: It’s unclear – from our perspective, it’s unclear what the attack is in terms of are they trying to take us down because we have a high volume? Or are they trying to get into accounts? If they do, this is a poor way of doing it because they’re trying to guess. If they get in, almost 100 percent of the time it has nothing to do anything with resources. So they’re not able to.
And there’s also, if people do get in, they’re not going to get very far because RSD watches over any sort of activity that goes beyond that very, very closely.
So this is – I don’t think this is something – I don’t see this as a thing that is a critical problem in terms of the Internet is going to burn down tomorrow because we don’t have to get this fixed. But on the other hand, this is something that I would personally like to see us work together as a community to enhance the security coming into ARIN Online for you all to make your changes so that we can make sure things are done correctly.
Mike Burns: Have you seen any evidence of successful infiltrations leading to hijacks?
Mark Kosters: Not that we’re aware of. If you have heard of any, we’d like to know about it.
Mike Burns: I’m just trying to think about what a person would do if they got access to an ARIN Online account with resources. What would be their motivation? And hijacking might be one thing they could do.
Mark Kosters: We have lots of cases that happened in the past that could look like hijacking, and some of those cases go in the Wayback Machine, like sex.com and its associated resources. You could say that that was a sense of hijacking, when you had a conflict between the two owners and one owner actually stole it from the other.
So, there’s various forms that this can take, but this is a case that I think we – I want to take care of the operational impact of this. There might be a wide degree of motivation behind it. I don’t see the motivation; I see the attacks.
Mike Burns: It goes to the MFA. If the motivation is merely credential gathering, then the MFA is protection for the user, not for ARIN. Basically, it’s protecting their credentials from being stolen and being distributed. And that’s their incentive to do the multi-factor. But it doesn’t really protect ARIN much. Thank you.
Mark Kosters: Thank you.
Hollis Kara: I don’t see any further questions. So, you are free to move on to your next presentation.
Engineering Department Report
Mark Kosters: All right. So this is a report I give on Wednesday mornings. So it usually comes, and a good number of you, frankly, are gone. So now you get to see the Engineering departmental report in total on Monday.
What do I have to do, just click it?
Oh, I’m Mark. Guess what?
Let’s give the Engineering report. I’m going to go through statistics, software releases that we’ve done, operational improvements we’ve put out, challenges and what’s next. What is Engineering going to be doing next?
So, this is always an interesting chart that we have. This is the number of accounts that are activated. And I thought when ARIN actually put out ARIN Online, many, many years ago, in 2009, I thought that we would see a pretty significant increase and then sort of level off, because the number of people coming in, yeah, you have some growth.
But this is amazing. We see almost 15,000 new users coming onto ARIN Online every year. I guess that’s pretty cool.
So anyways, it’s one of the vectors that they can use for this attack because there’s a lot more users out there. But a lot of these users – most of them, a majority – don’t have any resources associated with them.
And this is also an interesting chart. And this has not changed very much over the course of time. It’s the number of people that come in – many are doing the one and done. They want to say, I set up an account. What does this do with me? Oh, nothing. And that’s it. So a lot of people are in that category.
And maybe we just think about some days working on cleaning those up. But the more fascinating thing is the people that come in 16 times or more, and there’s a lot of power users out there, a lot of power users that come in, use ARIN Online.
I have a spreadsheet that’s spit out before this, and I go through it. And there is one that has billions and billions of logins. It’s obviously an automated process that they’re using to come in on ARIN Online. It’s interesting how people have sort of leveraged this, and automated ARIN Online. Not only do you have the users coming in doing their thing, but you have automated processes doing their things as well.
Here’s another interesting thing. And this is one of the things I like to see go away at some point. We’ve had this template processing system for reassignments now for years and years and years. I think in 1991 we were dealing with templates. We’re still dealing with templates today, mainly just for reassignments, which is fine. This has really leveled off. The number of people that have templates now, it’s a mere trickle compared to what it had been in the past. And almost a majority of people are now using the RESTful API to do their reassignments, as well as other causes as well. So you can see here the dark colored line is the number of transactions that happen on RESTful interface. And it’s doing very well.
Here’s the next slide. This is fascinating, fascinating to me. People who use Whois and Whois RWS. Whois is a traditional Port 43 service. You’ve got your port, you’ve got your client, especially people on Linux boxes and so on, and you query against Whois.
And one of the things that’s interesting about this is back in 2009, we had a number of – I think it was an implementation mistake, but what people would do is – you know how you can use your Facebook account using OpenID across from different platforms? As part of that process, they were actually doing a Whois lookup, saying, where did this IP address come from?
We saw this incredible spike back in 2009 on people trying to use OpenID Connect to connect to third party sites through their Facebook login or whatever. So we talked to them, and that went away. So you saw this spike up there, and it came back down. And at the time my operations manager was, like, oh, my gosh, how are we ever going to sustain this load? Because we’re seeing – this is just astronomical the number of queries we were seeing before that.
And we looked even previous to that, it’s in the weeds, the number of queries per second. Then all of a sudden, this huge spike. We were able to sustain it. But it’s something that we’ve always been paying very close attention to.
And you say, okay, that’s fine. And things went back down. But what’s interesting is that it’s starting to rise again. And it’s starting to go to the same level that it was back in 2009. And there’s no – did people use it for operational purposes? Oh, yeah. And we’ve talked to a number of these players. But it’s interesting to see how high the rate is.
Now, we’ve also talked with this with the other regional registries. And the other regional registries don’t see numbers near close to this. And I think it’s because ARIN – as part of its legacy resources, people default to come to ARIN to do their queries before they may go elsewhere.
So that is one of the reasons why. But the numbers that we have compared to the other regional registries is actually very amazing to see.
And you can also see that Whois RWS, which is a RESTful interface, is also seeing an uptick in traffic. People are using that as part of their automated processes.
Here’s the latest implementation of Directory Services. It’s called RDAP. You can see that it has both v4, which is in blue – I’m sorry, green – and v6, which is in purple. And you can see that it’s kind of gradually increasing in traffic. And it’s being used more and more.
And this is the IETF standard. It’s hopefully one day going to replace this Port 43 Whois. Port 43 Whois has been around since the 1980s. For those who try to code against it, you can’t, or it’s very hard to, because there’s really no standardization behind it. So everybody does something a little different, including the original registries and how they display the information. So this is an IETF standard. There’s a very regimented way that things are actually displayed, and the searching and the results are consistent between the regional registries as well as domains' providers as well.
Releases since ARIN 48. Really? Good. I thought we had some.
So here you can see the things that we’ve done. We created a hybrid RPKI, which allows people to run their own CA. They send us the data and we put it in our repository, and it’s served from there.
The second thing we’ve done is we have full conformance to the NRO conformance profile dealing with RDAP. What this does is making sure that – there’s a group of engineers got together saying, hey, this is a little different behavior between the two; we really need to close the gap here.
And this is something that each regional registry had made up to like 30 items, frankly, that they had to go ahead and fix to make it all consistent. And we finished that. So we’ve done our part, and other regional registries are working on theirs and hopefully will be done in Q2 of this year.
We also have a fee harmonization completed and standardized between ISPs and end users. There’s no longer this lingo of assignment versus allocation, so it’s one and the same. We completely redesigned the invoices to include payment information as well as number resource detail information. So you know what you’re paying for.
IRR Route Guard was implemented. Membership update request functionality was implemented. And of course we had reduction of technical debt.
Operational improvements. We added the RPKI hybrid capability as a new service. We allowed users to request and issue space smaller than /36s.
We had end of life box replacements. ARIN has a pretty significant inventory of boxes that we operate. It’s not two PCs in the garage. There’s a lot more boxes than that. And we continually run through the process of replacing end of life boxes that we have to deal with.
We moved our phone system from a PRI to a SIP trunk. What’s interesting about this, we’re using this old school ISDN PRI coming into the office. And then we convert it to Voice over IP and disseminated it into the company. Well, that old school line, actually the company that we dealt with actually outsourced it to another that outsourced it to another. Whenever we had an issue, it took us forever to get this solved. And it seemed like there was no learning capability each time we had an outage. We had to go through the same process over and over again. It’s always the DS3 card and the third party provider that had the physical line.
Glad to get rid of that. It’s now, it’s Voice over IP all the way through.
We moved from Ansible virtual management system to Docker containers as part of our process to move everything into Kubernetes as we go forward, we’re just tracing the deployments.
We expanded our DDoS mitigation coverage, making sure that we continue to have service across all our sites. We have five. And we had our security audit completed this year.
Challenges. Directory Services, last meeting, we talked about this before in terms of the amount of attack traffic we see against Whois and Whois RWS. In fact, since I wrote this presentation, we had another attack, which was kind of interesting. And people noticed. And we took care of it.
But one of the things that was interesting, this attack we had reported at the last meeting, it looked like it was a new botnet. It actually was a legitimate third party service provider. And they knowingly were outsourcing queries to third parties to gain access to our Whois information for their own purposes. And so we talked to that provider. They actually shut those guys down, and we actually dealt with it. But it was interesting. And of course the brute force attacks that we just talked about.
So, what’s next? Third party payment and invoicing vendors. We’ve had the same ones we’ve had for years. We’re looking to do some improvements there.
New third party election vendor. So this is something – we’re using this system called BigPulse. You’re all familiar with it for those who vote. We’ll have a new way of doing voting this fall, and it’s something that we’re dealing with right now.
System improvements with the Premier Support Plan. Secure routing enhancements. We’re doing some work in IRR and RPKI – you can read this as well as me – in terms of doing certificate renewals.
One of the things that we had was expiry on the initial set of resource certificates. They went 10 years. We’re at ten years of RPKI. So, we’re actually automating this process and doing automatic roles. You won’t notice a thing. We’ll have these new roles coming on.
Two-factor authentication with RPKI, it’s something that we’re looking at doing that’s smaller than the consultations coming out, but something that we’re looking at doing.
RPKI and IRR integration, we’re looking at using the same UI to actually do both things at once. Right now they’re separate actions.
And of course we have technical debt. We’re replacing libraries that are end of life, much like everybody else is. And so you have all sorts of interesting attack vectors that happen there.
I’m sure many of you are familiar with the Log4j incident that occurred and the people who had to deal with those. Thankfully we didn’t have this issue, but those are definitely issues that companies have to worry about in terms of third party products.
We’re looking at doing some PFS site improvements, where we’re replacing the hardware. It’s getting to be end of life. We’re replacing it with new gear that can support actually higher rates than we have now.
And of course SOC 2 compliance. We have a new Vice President of Information Security, Christian Johnson, back there in the corner. And he’s waving his hand right now. And we’re working together on doing SOC 2 compliance.
All right. And that is it. So any questions?
Hollis Kara: Please approach the microphone or start typing. We’ll start with the floor.
Kat Hunter: Kat Hunter, Comcast, ARIN AC. One of the slides on there had the templates versus ARIN Online, and as someone who uses both heavily, one of the features that is not available that I know I asked for when Online was built is modifying a SWIP is not possible through ARIN Online. You have to do a full delete and an add.
And it doesn’t sound like it’s a big deal, but the creation date of that registration is changed as soon as you delete it and re-add it. So you could have a customer from 2007 that now looks like I just SWIPed them in 2022.
When you’re trying to look at historical data, that makes a huge difference. So I would suggest, and I believe it is in the suggestion queue somewhere, I think I submitted it also, I would think that would be one of the things that would help get people away from the templates.
Another one that I know is also in the queue is being able to do more than one SWIP to a customer at the same time. So if I have a customer that has a /30 and a /29 that have been created over time and they need both done at the same time, they decide they no longer want to be private, there’s currently no way to do more than one block. It is a lot easier to go into the template, cut and paste the IP address and send it through email.
I would much rather use my two-factor authentication through ARIN Online, but there’s a little bit of a hindrance to doing it that way.
Mark Kosters: Thank you for the shortcomings, identifying them. Thank you.
Hollis Kara: Thank you. Before we close the microphone queue and head into break, do we see anything in virtual? Nope. Going once, going twice. Anyone else here in the room? Looks like a no. Okay, Mark, I think you’re free.
Mark Kosters: All right. Thank you.
Hollis Kara: Thank you very much.
All right, folks, that brings us up on our first break of the day. In order to stay on schedule with our policy block starting at 11:00, we will be coming at 11:00, which I kind of just said. But until then you’re on break. We have refreshments in the foyer, and we’ll see you back in about 20-ish minutes. Thank you very much.
(Break from 10:43 AM to 11:00 AM.)
Hollis Kara: Hello, hello, hello. It’s almost time for us to start with our first policy block of the meeting – we’ll give folks some time to come back into the room and get back to their chairs – ARIN 2020-6: Allowance for IPv4 Allocation “Swap” Transactions via 8.3 Specified Transfers and 8.4 Inter-RIR Transfers.
John Curran: Good morning. If people will come back in and get seated, we’ll get started. There we go.
Hollis Kara: Getting ready to start with our first policy block of the day. Just as a point of information, as we wait for people to wander in, we’ve gone to scheduling policy in a block format that allows us to move through that conversation kind of expeditiously and make sure that our virtual attendees know that they have a defined period of time that they want to tune in and focus on that. In order to keep things rolling, we’ll do that.
Our first policy discussion of today will be led, presentation by Rob Seastrom of the ARIN Advisory Council. He’s not in the room. How awkward.
Here he comes. Welcome back, R.S. All right. R.S. is going to be coming up to join us in just a minute. I’ll let him put his coffee down. And he’ll be presenting Draft Policy 2020-6 – it’s good this one has a long title; gives him time – Allowance for IPv4 Allocation “Swap” Transactions via 8.3 Specified Transfers and 8.4 Inter-RIR Transfers.
All right. R.S., the clicker is yours.
Robert Seastrom: This one?
Hollis Kara: That one.
Policy Session 1: Draft Policy ARIN 2020-6: Allowance for IPv4 Allocation “Swap” Transactions Via 8.3 Specified Transfers and 8.4 Inter-RIR Transfers
Robert Seastrom: I apologize for being late due to coffee. I think the first thing you have to do is admit you have a problem, and most of you know who know me well, I do have a problem in that department.
All righty. So 2020-6 has been around for a little while. It’s one of those administrative cleanup policies that involves putting in the NRPM sort of what staff has read between the lines and done and making it official.
And as such, it’s been sort of difficult to get strong reactions to cleaning it up on PPML. So I’m hoping that we get some good microphone traffic on this here and maybe get a positive direction on it.
So it’s been around for almost two years. It’s been revised a couple of times to take into account some feedback that we’ve gotten in the past.
Organizations that want to swap out a big block for a small block, if they want to be good citizens to the network, they don’t want to deaggregate. They don’t want to intentionally break up space, just in the interests of liquidity.
So ARIN staff has been allowing Orgs to transfer out blocks after receiving smaller ones inside the 12 month window. But a lot of ARIN resource holders aren’t aware of this.
There’s been some create a new Org ID, do a shuffle that way to stay within the rails, but that has knock-on effects. And what we should really do is face the idea that these Orgs are trying to be good citizens, good neighbors, reduce the size of their block, sell off the old one. And we should embrace that.
So the policy statement, and this goes on and on, is clarify the conditions under Section 8.3 and 8.4 that explicitly allows transfer of a larger block exchange for a smaller block as part of a renumbering plan by making the following changes in 8.3, 8.4 and 8.5.
So I’m not going to read these aloud to folks. I will give you a moment to skim through this. But it is in your discussion – do we have booklets or PDFs?
Hollis Kara: If you go to the meeting website, on the Meeting Materials page, you can download the Discussion Guide. It’s right there for you. Or there are lots of links around the website to find it as well.
Beverly Hicks: It’s also available at the registration desk for those that are in person.
Hollis Kara: Yes, there are limited edition copies at the registration desk.
Robert Seastrom: I understand you can get those autographed by senior staff members and Board members and other people.
In keeping with their limited-edition nature, please do not hoard them like IPv4 number resources.
Another policy statement. Essentially the same thing but for Section 8.5. In Section 8.3 and 8.4, we clarify the conditions under source of the transfer.
The latest version that’s up there is the result of Staff and Legal Review of 7 September that was posted around the beginning of February to PPML.
Staff and Legal Review recommended changing some verbiage, which we took and did. The officer attestation is in conflict with the current direction that we’re going. So we cleaned that up a little bit, too.
Implementable as written? Yes. No material legal issue. And Legal doubled down on what Staff said about the clarifications and confusion. So that was the version that was circulated on PPML on February 5th.
Implementation timeframe is more or less immediate. Something I would like to point out. We had lukewarm support on PPML for this. One of the observations was it seems like a no-op, like it doesn’t change things. And that’s kind of the point, is that it clarifies existing practice and puts it in the NRPM.
So microphones are open. Please come up and discuss.
Hollis Kara: Yes, please approach the microphones. For those of you on virtual, please start typing.
Bill Sandiford: Back, center microphone.
Lee Howard: Lee Howard, IPv4.Global by Hilco Streambank. You’re right, Hollis, that is a lot of words. That’s hard to say.
I support this. I think we should absolutely do this. I think this may have been something that I stumbled across and tried to reach out to my favorite AC member, was overwhelmed by favorite AC members. So I think that we should totally do this.
Bill Sandiford: Thank you. Center microphone.
Chris Woodfield: Chris Woodfield, Twitter, ARIN AC. One of the motivations for forwarding this as a proposal, even though we know this is common practice, is the fact that, yes, it is standard practice within Registration Services, but only if people know that it’s a possibility.
The main motivation for these kind of slot transactions is to save everyone’s precious TCAM space and avoid prefix explosion so that there’s no need to deaggregate a route, a larger prefix if you want to sell off parts of it.
But people don’t necessarily know that this is an option unless they actually talk to Registration Services about it. Putting it in the NRPM makes the community at large aware that this is an accepted practice.
So, yes, a no-op, but it’s important to have it, my feeling is it’s important to have it in writing and publicly known that this is an acceptable pattern. So, yes, in support.
Bill Sandiford: Rear mic.
Tina Morris: Tina Morris, AWS. Also in support as written. This codifies current practice. We’ve used this practice quite a few times. And to build on what Chris was saying, having it formalized allows people to realize that you’re not scamming ARIN when you’re doing this because that is the perception when you first bring it up to somebody that is selling space. So having it written down in official policy would be helpful.
Robert Seastrom: Thank you.
Bill Sandiford: A reminder to those who are remote, we do have people in the room who are prepared to take your comments. So if remote participants have anything they want to add, please feel free to type it in, and we’ll have it relayed in the room. Rear microphone.
Kevin Blumberg: Kevin Blumberg, The Wire. I support the proposal, but just one question. Does the limitation, as in if you get the block, small block from the process, you’ve got one year, and if you don’t do it in one year, you can’t do anything until you’ve dealt with that?
Is that actually really worth putting in? Is it creating another complication, unintended side effect? Things change. I’m just wondering if it’s actually complicating it more than it needs to be.
I actually support the whole concept of this. I think it’s wonderful. Putting it in is wonderful. But we’re very good at wrapping in additional complexities as a community.
And is there something softer that doesn’t now create a concern for an organization that does want to do this? Because ultimately they want to get rid of that larger block. But things change. So does it create more complexity than it’s worth?
Robert Seastrom: My answer to that is, not being the author but the shepherd, is that if we did not have that in there, there would be a complaint that it was a backdoor way to get additional space.
And I agree with you that it is complexity that is likely unnecessary, but maybe necessary to get community consensus. And I would invite you to submit a short one-liner proposal that just struck that, submit it, and see if we can get the community to back that out subsequent to getting this in.
Kevin Blumberg: Thankfully it’s in draft. And you, as the shepherd, have editorial control over the document, the AC does. I would suggest striking that record out, and you can absolutely look at all the permutations that come along with it. I’m just making the suggestion that it’s complicating the policy and to please look at that.
Bill Sandiford: Hollis, I’ve received the applicable smoke signal from the back of the room that we have a remote participant comment.
Hollis Kara: You do. Beverly, would you like to read that in?
Beverly Hicks: Sure. Joe Provo, Google, ARIN AC, LRSA signatory: Support in principle and as written.
Hollis Kara: And just a reminder, for virtual attendees, please note your statements of support, even if it’s just a “yay, I like this,” in Q&A so we can read that into the official record.
Bill Sandiford: All right. Another 30 seconds or so for any remote participants for any final comments.
Noting the queues in the room are empty, so if anybody has any additional comments, please approach the microphones now.
Hollis Kara: Another comment from virtual. Two more. Beverly, do you want to take these?
Beverly Hicks: Sure. James Woodside: No objections; in support. Secure Shores Datacenter.
Also support and accept from Citizen Support.
Hollis Kara: Thank you. That clears the virtual queue.
Bill Sandiford: All right. Rob, does the AC wish guidance from the community?
Robert Seastrom: Yes, we would like a sense of the room on two things: One is support versus not support, with the current verbiage, and one is support the – I don’t think I need three. I think I want support versus not support, with the verbiage deleted that Kevin suggested deleting, the requirement that if you are stuck for 12 months –
Bill Sandiford: Let’s tackle them one at a time. The first question you’d like polled in the room –
Robert Seastrom: As is.
Bill Sandiford: Those in support or not in support as is?
Robert Seastrom: Correct.
Bill Sandiford: Can we deal with that one first, please?
Hollis Kara: We did not have it queued up as a virtual question. I’m going to ask if folks can just acknowledge in Q&A that are virtual if they support the question as posed, and we can take that in the room however you like, if you’d like to do a show of hands.
Bill Sandiford: All right. So those who are in support in the room, please raise your hand so the tabulators can get to work. It would be the time for those to indicate as well through the Q&A.
And I’m told that the geniuses we have here at ARIN are creating forms on the fly to handle this going forward.
Hollis Kara: That’s right. We’re grabbing this as we go.
Bill Sandiford: We have lots of geniuses.
Hollis Kara: Yes. Be patient with us, though, be kind.
Bill Sandiford: Thank you very much. Those not in favor?
Hollis Kara: If anybody in virtual would like to state that they don’t support this policy, please drop that in Q&A. Thank you.
Bill Sandiford: Thank you. And, Rob, your second?
Robert Seastrom: The second sense of the room is – and I see J.C. getting up here, so I’m going to –
John Curran: (Indiscernible) the second one?
Robert Seastrom: Let’s find the one that said within the last 12 months, but there was a 12 months to complete. You haven’t gotten one within the last 12 months.
Bill Sandiford: I want to make sure that the question being posed is it clear and understandable for everyone in the room and online.
Robert Seastrom: There we go. Yes, because it says one year instead of 12 months. My bad.
So the current text says that – we took the suggestion of the larger block is not transferred within one year, the organization will be ineligible to receive any further transfers under this section until a larger block is transferred. We would be removing that clause under 8.3 and 8.4.
John Curran: Has that been discussed by this last discussion?
Robert Seastrom: That was brought up by Kevin Blumberg as being, well, things change and we don’t want people jammed up indefinitely if they’re not able to follow through on this.
Bill Sandiford: We’d be looking for a show of hands those in favor of moving forward as Rob proposed.
Robert Seastrom: Getting rid of – of course we would put the revised text out to PPML.
I see people showing up at the microphone, which we haven’t really called for.
Bill Sandiford: Kevin, do you have a clarification?
Kevin Blumberg: I asked for discussion, I didn’t ask for a show of hands on a strikeout –
Robert Seastrom: I’d like a show of hands.
Kevin Blumberg: Okay, because this would potentially need work. I don’t think the community – without you actually, as I had said, going through this and looking at the pros and cons of different scenarios, I don’t think the community can really vote on something other than a complete strikeout, which doesn’t necessarily serve the purposes.
Robert Seastrom: I’m interested in feedback on a complete strikeout. And because of this, it’s going back to PPML anyway.
Kevin Blumberg: Thank you.
Robert Seastrom: We’re not going to turn this into a recommended draft on the basis of this, obviously.
Bill Sandiford: All right. Go ahead, John.
John Curran: The principle involved here is that a poll of the room is only valid if the issue put before the room has been discussed and people have had time to ponder it and consider the merits of the change that’s being suggested and the issues concerned with that change so when we talk about adopting a Policy Proposal, it’s very clear that it’s the whole proposal and we can all know what’s in favor and what’s against.
When we start slicing these up and down, we can only have a poll if everyone understands the question being polled is adoption of a different policy and, if so, what’s the text of that policy.
So I leave that to Bill and R.S. to decide, but it’s very important that we don’t do polls unless everyone in the room understands what’s being asked.
Bill Sandiford: My understanding, from Rob, of the nature of the poll is not with regards to adopting a policy, but more whether or not the AC is being given guidance to – that people are in favor of looking at it the other way. Is that correct, Rob?
Robert Seastrom: Yes. Are we in favor of looking at it the other way? If you are not in favor of looking at it the other way, then please do not put your hand up.
Bill Sandiford: Let’s move forward with that. I trust that people are clear with the question that’s being asked. So I would ask those who are in favor or willing to show support for the other way, having the AC investigate doing it differently, to raise your hand now or indicate online.
Lee Howard: Lee Howard, IPv4.Global. What? I did not understand the question.
Robert Seastrom: So Kevin came up to the microphone and suggested that – did you say you already have a Policy Proposal in draft to get rid of that? Kevin?
Kevin Blumberg: No. Sorry, Rob, I just want the AC to investigate this policy text and see if an improvement can be made. It is a Draft Policy. That’s all I was suggesting. I think you’re taking it beyond what my suggestion was, which was to look at this and make sure there weren’t unintended consequences of the complication.
Bill Sandiford: Do you need support for that?
Robert Seastrom: I’m going to withdraw my request for a show of hands.
Bill Sandiford: On the question that was posed previously, 136 people in the room and remote: 30 showing hands in support or for; zero against. Rob, you can take that to the AC for their consideration.
Robert Seastrom: Thank you very much.
Bill Sandiford: Hollis.
Hollis Kara: Thank you.
All right. Clickers. We’re going to advance a few slides.
Next up we have Chris Tacit from the Advisory Council to lead a discussion of recommended Draft Policy ARIN-2021-3 – lots of words you can read yourself.
Policy Session 1: Recommended Draft Policy ARIN-2021-3: Private AS Number and Unique Routing Policy Clarifications
Chris Tacit: Thank you very much. Glad to be here today and to see all of you live in 3D. It’s great.
So this particular policy came out of a Policy Experience Report. And here’s the brief history. It started out as a proposal in July of last year. It was revised a couple times, once just in the course of AC discussion and the second time following Staff and Legal Review. And it was recently turned into a Recommended Draft Policy.
So basically the essence of this policy is to clarify the requirements for use of public AS numbers, obtaining AS numbers for public use. And basically staff, in dealing with requests for ASNs, found that there was a lack of clarity and people were a little bit confused about what constituted need for AS numbers and what constituted requirements to have unique routing policy.
And so we were asked to – we took it upon ourselves to clarify that once we were given the opportunity through a Policy Proposal. So eventually three sets of changes have been proposed. And what I’m showing you now is the text as it currently stands in the Recommended Draft Policy relative to the original policy and that’s in the NRPM right now.
The first change would be to replace the text “Sites that do not require a unique AS Number should use one or more of the AS Numbers reserved for private use” with “If a unique AS Number is not required for a given network design, one or more of the AS Numbers reserved for private use should be utilized.”
The second change attempts to increase a little more precision about what type of verification is required in order to qualify for public AS. And you either need to originate an announcement of IP number resources via an accepted protocol – and we didn’t want to tie it to a specific one, so we just used BGP as an example – from an AS number different than that of its upstream provider; multi-homing with one or more autonomous systems; or to use an AS number to interconnect with other autonomous systems.
And finally, because we made those clarifications, the third change is just really a simplification of wording which tried to kind of give examples of what “need” is.
And so because we’ve now defined that in the previous two changes, we are proposing simplification of “AS Numbers are issued based on current need, as set out in this Section 5.”
The Staff and Legal Review basically just suggested a couple of wording changes in each case, which were incorporated into the text that you saw.
There were no particular problems or issues identified and no particular implementation challenges. So it’s anticipated by staff that this policy, if adopted, could be implemented within three months.
So at this point what we’d like to get is any feedback that you may have on whether the intent of the policy is clear enough and any other considerations or concerns.
The discussion on PPML was fairly limited, but what was there was supportive of this. We had one clarification comment, which the AC believes has been addressed through the most recent set of changes.
And other than that, I’m happy to hear your comments and discussion.
Bill Sandiford: All right. I see people approaching the microphones. We’ll start with the front microphone.
Chris Woodfield: Chris Woodfield, Twitter, ARIN AC. It’s not entirely clear to me whether or not this policy change effectively raises or lowers the bar for what’s necessary to obtain an AS number, a global AS number.
Raising the bar for acquiring a unique ASN made a lot more sense when there were only 16 bits worth of them. We now have 32-bit ASNs. Similar to v6, it is a post-scarcity resource, I think, in my opinion.
As such, I don’t think I could be in favor of any language that makes it more work to obtain a unique ASN.
If anything, we should be making it easier to obtain one, easier for Registration Services to approve an application for one. And it’s not clear to me that this policy does that.
So I am reserving my in favor/not in favor at this time for that reason.
Chris Tacit: I can tell you that as a shepherd, and I can’t speak on behalf of my co-shepherd, but I believe our intent was really just to clarify existing practice, not to increase hurdles or create new hurdles.
Now, it might be interesting to hear from staff as to whether they perceive that this policy, when they go – when they need to implement it, would be viewed that way or would be viewed as – because really that’s the question that needs to be answered. It’s not necessarily just our perception, but how it would actually be implemented process-wise.
But certainly it was not our intent to create any higher hurdle or threshold. That’s my view.
Bill Sandiford: Rear microphone.
Kevin Blumberg: Kevin Blumberg, The Wire. I support simplifying AS policy. And if this is to clarify, not simplify, then I would recommend coming up with more in that area.
There are a number of use cases that were not envisioned back in the BGP days, in the AS days, many years ago. And this whole concept of unique routing policy, quite frankly, is garbage today.
There are a number of use cases, cloud providers requiring a unique AS number for direct connectivity; that while it may be unique to some people, it may not be considered unique when you look at it from an Internet perspective but it’s being used internally.
There are a number of use cases today where our language, I think, is part of the problem, first thing.
Second is, AS numbers were a gatekeeper to getting more space. You would start the process and show that you were multi-homed to then be able to show that the IP allocations you had from – assignments you had from your Internet provider to then be able to go and get your own space from ARIN.
And you needed an AS number and you needed to show you were multi-homed before you could start that process. It was a gatekeeper. It doesn’t need to be a gatekeeper anymore.
So, again, I support it. But simplify, simplify, simplify and just make it that much easier for organizations to be able to get what is a close to limitless resource at this point, not like it was before.
Chris Tacit: That’s a good idea. I’d welcome your proposal for doing that, Kevin, as a next step.
Bill Sandiford: A reminder to those online and participating remotely that the queues are open for you as well. We’ll go to the rear microphone in the room.
Andrew Dul: Andrew Dul, 8 Continents, ARIN AC. To my colleague on the AC who believes that this policy creates more barriers, I would like to know what you think those are. Because as the person who wrote most of this text, I believe that this lowers the bar if it does anything. So if you think there are bars here, I’d like to know what they are, because I don’t think they’re here.
Chris Woodfield: Chris Woodfield, Twitter, ARIN AC. Responding to Andrew, it’s not clear if it raises or lowers the bar. It makes it more complex to apply for an ASN or not. Hence my comment.
I am in favor of policy that lowers the bar for acquiring AS numbers simply because they’re far less scarce than they once were.
Bill Sandiford: Andrew.
Andrew Dul: I’m confused by your comment, Chris, I’m sorry. I think we’re trying to make this clearer. And I think we’ve done that. But it sounds like you don’t think we’ve done that.
So I don’t know what to say at this point other than I think we’re moving forward, and I would encourage people in the room to think if we’re moving forward and making this clearer and easier, then we should move this beyond recommended to Last Call.
If you don’t think that we’re making it clear and you don’t know if we’re making it clear or not, then I would encourage other people to come to the microphone because you’re the only one, and Kevin, who are unclear about this text.
So I want to understand why we’re not hitting the mark here, if we’re trying to make it clearer and not raise the bar.
Bill Sandiford: Front microphone.
Lee Howard: Lee Howard, IPv4.Global by Hilco Streambank. It seems to me that the text as given, as proposed is clearer, and I therefore support it.
It seems to me that there may be support in the community for additional work in this space to consider lowering the bar and making it easier to get ASNs. Probably a separate proposal that we should see at the next meeting.
Bill Sandiford: All right. Smoke signal received. You have somebody online.
Hollis Kara: We do. Beverly, would you like to read that in?
Beverly Hicks: Joe Provo, ARIN AC, second shepherd on this policy: I respectfully disagree with Mr. Blumberg. The unique routing policy covers non-DFC use cases. I believe Prop 307 covers make it easier topic, which is not the thrust of addressing the staff policy experience report.
Bill Sandiford: All right. Thank you. Rear microphone.
Kevin Blumberg: Kevin Blumberg, The Wire. I want to say one thing. I actually retract all of my concerns.
And I will point this out.
To the wonderful AC, please don’t use Draft Policy when you’re asking about questions about something when it’s recommended, and that was my mistake. This text, as it is, does move the bar forward. I will look at simplifying an additional policy. But I do support this.
But please fix your slide so that it is specified that this is a Recommended Draft Policy.
Chris Tacit: Thank you.
Bill Sandiford: Thank you, Kevin. Final call for microphones. Final call for remote participants to get their comments in.
While we’re waiting for that, this is a Recommended Draft Policy. We’ll get the tabulators on standby and ready.
Seeing nobody else approaching the microphone, hearing of no others online, we’ll ask for a sense of the room. And those online, we’re looking for a show of support for those who are in favor as moving forward or support the policy as written.
Hollis Kara: We’re going to launch a poll for our virtual participants. When we call for hands in the room, you’ll see that poll pop up in your Zoom instance.
Bill Sandiford: All right. For those in the room, please indicate your support for the policy as written now. Hands up.
Hollis Kara: Get them high.
Bill Sandiford: Keep them up. Time to stretch. Hollis says she can run a calisthenics class later if you them for stretching higher.
Hollis Kara: Get jazz fingers just to mix it up.
Bill Sandiford: All right. I’m told we’re good. And for those who are against the policy, or do not want to see it moving forward, please indicate as such now.
Hollis Kara: Give us just a moment to gather the count from the poll.
Bill Sandiford: Seeing none, we’ll wait for the tabulators to finish their results while Chris Tacit gives us his ad hoc stand-up comedy.
Chris Tacit: My what?
Bill Sandiford: Your ad hoc stand-up comedy.
Chris Tacit: No, not this time. I’ll save it for next time.
Bill Sandiford: 137 people participating either in the room or remotely – 58 for and zero against. You can take it to the AC. Thank you. Next.
Hollis Kara: Thank you for playing. Moving along, we’ll have our next Recommended Draft Policy, presented by Alyssa Quinn. It’s Recommended Draft Policy No. 2021-4: Clarifications of Sections – lots of numbers with dots, and I don’t have my glasses on. Come on up, Alyssa.
Policy Session 1: Recommended Draft Policy ARIN-2021-4: Clarifications to Sections 220.127.116.11, 8.3, 8.4 and 8.5.6
Alyssa Quinn: Hello everyone. It’s good to be back. This is my first meeting back. And I certainly had a rough start this morning. I managed to smoosh raspberries into my white pants at breakfast and managed to leave my phone at the registration desk. And I also managed to nearly flip my laptop off my desk when trying to open it. So, take it easy on me today, please.
I am working on Recommended Draft Policy 2021-4. There are a bunch of sections that we’re doing some mostly editorial work on, referring mostly to how we use the term “IPv4 addresses” versus “IPv4 number resources” versus “IPv4 space.” We refer to it all different ways throughout the NRPM right now, trying to clean it up.
And then we’re also trying to clarify these places where it looks like when you transfer ASNs, when you transfer IPv4 addresses that you also have to transfer your ASN along with it. Obviously, that is not true. So cleaning up some language that makes that crystal clear.
So this first came on the docket in August of last year. We revised it in January of this year as AC, and we recommended it at our meeting last month. And now I’m presenting it to you as a Recommended Draft Policy.
A reminder what “Recommended Draft” means: It meets the number policy principles, that it is impartial and fair policy, that it’s technically sound and has the support of the community.
This has already seen PPML. It hasn’t had a lot of conversation, just given the non-controversial nature of it. But we’re recommending it to you today.
So the problem statement is that the current Sections 18.104.22.168, 8.3 and 8.4 are not clear regarding ASN-only transactions – this is what I was talking about with respect to the transferring the ASN along with v4 transfer, obviously we don’t want you to be doing that if you don’t want to – and that the current language in Section 8.5.6 is not clear with regard to additional IPv4 space versus addresses versus number resources, cleaning that up.
So the first one, 22.214.171.124 g., I bolded the text that we’re changing. So moving from saying “IPv4 number resource holdings” to “IPv4 address holdings.” We want to use the term “IPv4 address” throughout. So instead of “resources” or “space” or “holdings,” the most specific one that we figured we could use is IPv4 address, and that’s to differentiate it from v6 address or aggregate space across your v4 and v6. We’re specifically referring to IPv4 addresses.
In 8.3, we have one of these instances of resources and ASNs being coupled together. You see how it says “and” between there. We want it to say “or” so that you’re not having to couple those two. Again, obviously we don’t want you to have to do that if you don’t want to.
This is obviously operationally, we don’t require you to transfer your ASN along with your v4. This is non op but offers some clarity for, say, newcomers to the Number Resource Policy Manual.
In Section 8.4, here’s another instance of where it’s coupled, number resources and ASNs are coupled together. So we’re using the term “addresses or ASNs.” Another instance in 8.4 of that same issue.
And finally, in Section 8.5.6, you see where it’s bolded, where it says “additional space,” we’re referring specifically to IPv4 addresses. We clarified that. In the second sentence where “all space” is bolded, it’s all IPv4 space to differentiate it from IPv6 space.
A couple of comments on how these came to be. All these edits were initially included in an editorial change that was proposed. Some staff feedback that we got were to break it out into a separate proposal, just to make it crystal clear, run it by the community and to ensure that there wasn’t any perception that this had some sort of operational change inherent in it.
And finally, the original draft that was presented to the community didn’t include the change of 126.96.36.199. That’s new when it went to recommended in March. We added that because the Staff and Legal from February 1st indicated that there was another instance where the term “IPv4 address” should be used instead of one of the other ones – I can’t remember if it said “space” or – oh, here it is, “IPv4 address holdings” instead of “number resource holdings.”
So the Staff and Legal was clean. We implemented the two additional recommendations, so where they found another instance of “IPv4 number.” That’s the 188.8.131.52 that I just referred to.
And we also added that 8.4, that “The source entity must be the current rights holder of the IPv4 addresses or ASNs,” not “and ASNs.” Oh, did I characterize that correctly? No. “The source entity must be the current rights holder” to align with the other – oh – plural references to ASNs. So, yes, it was singular rather than plural.
Staff and Legal says it is implementable as presented, that it doesn’t have material impacts on Registry Operations, and there are no material legal issues.
It would take about three months to implement and requires some pretty standard requirements of ARIN in order to put it into practice.
And we’re ready to discuss.
Bill Sandiford: Looking for discussion from either those in the room or online. Any questions, comments?
Alyssa Quinn: Kevin, that should say “Recommended Draft Policy” at the bottom.
Bill Sandiford: Don’t everybody rush to the microphone at once, please. Don’t want any stampedes here.
Hollis Kara: Not seeing anything in virtual.
Bill Sandiford: That’s how good you are, Alyssa. Nobody has any questions. It’s clear and precise. And you thought you were having a bad day.
Alyssa Quinn: Well, it’s not over yet.
Bill Sandiford: Hold on. This is a Recommended Draft Policy, so we have to take a poll. We’ll give another minute in case those online need an extra second to get any questions or comments in. But given there seems to be none in the room, I’m suspecting it might be silent.
Hollis Kara: I think we may be okay to move.
Bill Sandiford: All right. I see that the tabulators are ready. So we’d be asking those in the room and online to show your support for this Recommended Draft Policy as written by raising your hand or participating in the online poll now, please.
Okay. Thank you. And those who are not supporting or not in favor of this Recommended Draft Policy, please raise your hand now or participate online.
All right, total, quick math here, 135 people participating in the room or remote – 67 for, zero against. And I think, if I’m not mistaken, at least in all the years that I’ve been participating, we have three Recommended Draft Policies, so there won’t be any more official polls this meeting.
I think it was the first time we’ve ever had zero against for all policies at a meeting. So the AC is doing a great job. You can take that and give it to them as guidance.
We’ll move on to the next one. Thank you.
Hollis Kara: Thank you, Bill. Well done, AC. One more policy to discuss in this block. And I’d like to invite Andrew Dul to join me up on stage.
He’ll be presenting a Draft Policy on Permitting IPv4 Leased Addresses for Purposes of Determining Utilization for Future Allocations.
I’m going to put in a little request to the AC, maybe we can get shorter with the titles? I don’t know, just a thought. But, anyway, hand it over to Andrew.
Policy Session 1: Draft Policy ARIN-2021-6: Permit IPv4 Leased Addresses for Purposes of Determining Utilization for Future Allocations
Andrew Dul: This is the one that I’m between you and lunch and everybody wants to talk about probably based on what’s on the Mailing List. So we’ll see how this goes.
So one of the big things to note is this had a former title. There is a new title on this policy that is perhaps more encompassing of what we think the author originally wanted to do here. So the main goal here is to talk about IP address leasing in this region.
So where this came from, originally policy – Proposal 302 back in August of last year. We talked about that proposal as is at our meeting in September. And we’ve gone through a very substantial rewrite based upon the feedback that we got at that meeting and some analysis from the AC to this Draft Policy that we have today.
This is a draft. We will be seeing this at another meeting in the future most likely. And so we should be discussing what we like about this policy, what we don’t like about this policy in order to make a better policy for the future discussion. I’ve covered these changes in my topic already off this slide. So let’s move on to the next slide.
So the problem statement that we’re working with is allowing leasing for purposes of utilization. And so the idea here is that you can lease some of your address blocks to someone else who is not related or receiving any of your network services and use that as utilization to get additional blocks on the transfer market primarily.
So this has some fundamental changes to the way that ARIN does and looks at some of its principles. And so we see changes in the NRPM in the very top section, number one, some of the definitions. And this is a change that we suggested making in the conservation statement in NRPM, and the changes are bolded here.
And the change here is to basically remove the conservation term from before, as we’re now letting the market perform the reassignment or the reallocation of resource function. So we’re not using a conservative, needs-based policy for v4 anymore.
We then look at stewardship. Again, we’re doing similar language here. We’re exempting the v4 from the stewardship language because we believe now that we are using the market to do that rather than a rules-based principle system since we’ve had a functioning market in this region now for probably about 10 years, plus or minus a couple of years.
Now, Section 2.4, this is where we now take note that a network provider and LIR does not have to provide any network services with a leased block. Today we have a requirement that in general that an ISP or an LIR provide network services to its clients for its addresses. And if you’re doing leasing, you’re not providing network services. So we are exempting that requirement to provide network services.
There’s two changes on this fourth slide here. The first one is around the Wait List. So we specifically still allow the Wait List to have an operational need requirement.
So that’s to make the leasing allowable only really for transfers. And because this is all about transfers, the last change here is striking Section 8.5.2 about operational use. And this is saying that you do not have to operate or you don’t have to lease to someone – as an LIR, you do not have to provide network services with a lease.
All right. So the policy impact. So this has a fundamental change for what we do with v4 addressing. An LIR or an ISP traditionally would allocate resources to its customer, to which they provide network services. And we’re changing that relationship such that you do not have to do that anymore.
There’s no VPN requirement. There’s no circuit requirement. There’s no cloud services requirement. It’s strictly I’m leasing you address spaces presumably for money.
I’m not going to read this slide today, but it is in the packet and online. These are some pullouts that we pulled out of the PPML discussion, which was quite extensive, both pro and con. I encourage you to read those and see what your fellow colleagues are saying about this Draft Policy.
Finally, the questions, and I’m going to leave these questions up on the slide for us during our discussion.
Would you happen to support the policy today as written? That’s not specifically the question we’re asking because it’s not recommended. But is this good enough? Do you think this could come to the next meeting as perhaps a Recommended Draft Policy?
If not, what changes would you like to see in this Draft Policy? Where would you like to go for it?
And on the Mailing List, there’s been a couple of suggestions that have not been addressed in the text as of yet, specifically around limiting initial block sizes for transfers for organizations perhaps looking to set up a leasing company.
And one at the bottom is also do you fundamentally support this as a problem that ARIN needs to solve? Basically, do you think that this region should allow leasing like that? Because that’s a fundamental question that, as a community, we have to ask ourselves that question before we could get to the details about how we would allow leasing, is do you think we should do that?
So those are our questions up for discussion today. And off we go for discussion.
Bill Sandiford: All right. Reminder to those online that we’re interested in hearing from you as well, too. We’ll start with the rear microphone.
Kevin Loch: Kevin Loch with QTS. I want to say a data point for everyone in this discussion that in my business, running an ISP and a data center business, I’m seeing increasing requests for IP lease requests.
In other words, they don’t necessarily want my bandwidth, but they want IPs. It’s something I didn’t see several years ago. It wasn’t common. They wouldn’t necessarily come to us to ask us for that.
These are, you know, in the vast majority of cases customers that are in our buildings using – as a tenant in our buildings, but they’re not necessarily using our networks.
So there appears to be increasing demand for IP leasing. If I’m seeing that, I’m sure others that are seeing that as well. I would be interested to see if anyone is seeing an uptick recently.
So whether or not as written you support this, I would like you to consider that there is demand in the marketplace. That means we should try to stay ahead of that in the ARIN community and craft a proposal that works efficiently and safely for all parties.
Bill Sandiford: Thank you. Rear microphone again.
Mike Burns: Mike Burns, IPTrading. I proposed this policy. And I had some complaints about the problem statement. So I’m hoping that I can address the reason why this is a problem for the ARIN community.
And essentially it comes down to the cost and expense of IPv4 addresses. So if I am an operator who wants to grow, I need to acquire IP addresses. But my only way to do that currently is to pay cash up front, in full, usually to an escrow agent.
And as IP addresses have increased dramatically in value since our last meeting, the need for some financially accessible way for these network operators to acquire the blocks they need to grow has also grown.
And right now there are no banks or financiers who are willing to back IP address holdings as some kind of a secured asset, which means that the person who needs addresses can’t take out a loan, can’t finance them. And the only financing available is through the practice of leasing.
Current ARIN policy restricts the pool of lessors artificially to those incumbent address holders who no longer need the addresses for their original purpose, or for large cloud entities who have no problems justifying new purchases.
But I proposed this policy to allow the entry of a new player into the market who would accept the financial risk of the original capital expense to purchase the addresses in exchange for the hope of profit through the leasing of the addresses.
So in my history at ARIN, I’ve always believed that the pricing in the market provides the conservation, which was ARIN’s original – one of the original remits.
And I think that as the market has shown itself to be reliable, that we can kind of restrict – we could take off some of the restrictions that are preventing normal business practices from occurring in this market. And by that I mean the presence of lessors.
In the argument that this is a fundamental and dramatic change, I would simply answer that this fundamental and dramatic change has been in effect at RIPE for a long time and that we can view the effects of that change, and really, from my perspective, I don’t see anything negative.
So, I support the policy as written. It was always my intention to protect the free pool and the Waiting List from this policy, and with the changes the shepherds made, I think that’s been accomplished. So I do support the policy.
Bill Sandiford: Thank you, Mike. Rear microphone.
Tina Morris: Tina Morris, Amazon Web Services. I do not support this policy. This effectively removes needs-based allocations and also allows issuance of space to anybody that claims that they will be a leasing agent with no operational network, guidelines or support for those customers.
I think it is a risky behavior that actually fundamentally changes how ARIN issues space.
Bill Sandiford: Thank you. Reminder to those online –
Hollis Kara: We have a few in the queue online. Beverly?
Bill Sandiford: Excellent. Let’s go for that.
Hollis Kara: Beverly, would you like to read the first one in?
Beverly Hicks: Sorry, I was asking if you could read it. I’m trying to take care of something.
Hollis Kara: Certainly, sorry. Guys, I need my glasses. Hold on. Aging is fun. Joe Provo, Google, ARIN AC, LRSA signatory: Do not support this in principle nor as written. There is no legitimate need for these resources – need was in quotes – other than their deployment.
The entire point of transfers is to move resources from where they’re idle and unused to where they will be deployed. That is, where they are needed.
Transfers are one mechanism to achieve this by policies governing the free pool, IANA distribution, the Wait List and others that have come and gone.
We did not redefine need to justify the perpetuation of any of these mechanisms and we should not now.
If the community wishes to discuss eliminating needs basis, that is a different conversation to have, but in my opinion this policy is not the correct vehicle.
And then there’s – I think there’s a follow-up from Mr. Provo, if I can go ahead and read that.
Bill Sandiford: Go ahead, might as well do that now.
Hollis Kara: It says: Regarding Mr. Burns', quote, v4 address cost justification is exactly counter to ARIN’s hard landing v4 runout policy approach. We expressly chose the economic friction to drive IPv6 adoption. This policy acts to undermine that approach. Comparisons to registries who chose soft landing completely ignore this point. That’s it.
Bill Sandiford: Front microphone.
Chris Woodfield: Chris Woodfield, Twitter, AC: Speaking for myself here. I am not in support of this policy. At the risk of saying what they said, I believe Tina and Joe made the same points I would have been making if they hadn’t spoken first.
I would add one additional point. If the friction is financial, if the issue is that an organization wishing to acquire IP address space cannot come up with cash up front and is struggling to obtain financing for that purchase, that speaks to a market need on the financial side, not necessarily a policy solution to that, in my opinion.
This feels like a market opportunity for someone willing to take on the risk of financing IP address purposes, obviously at a reasonable financing rate. That would be the way I would look at that problem, not necessarily solving it by a policy.
Bill Sandiford: Thank you. Rear microphone.
Larry Rosenman: Larry Rosenman, LERCTR Consulting: Just one thing. You said Internet number resources. We just had a policy change a couple ago that we changed that to IPv4 addresses. We should probably do the same thing here.
Andrew Dul: I think we’re trying to harmonize our language as we go through this. And we haven’t harmonized everything. And this is still a draft. So point well taken. Thank you.
Bill Sandiford: Rear microphone.
Kevin Blumberg: Kevin Blumberg, The Wire. I don’t support the policy. And I echo what was said in regards to if there are financial instruments that need to be done in this industry, wonderful. That’s outside of this scope, and it completely detracts from the NRPM side of things.
One thing, though, that may be of benefit is we have a list of people who handle transfers and we have a list of people who do all of that.
I think we do need to understand that people do lease space. That does happen. Maybe give a list of people who have space available for lease.
I don’t think we need to create new entities that are doing nothing with that space, and we have all sorts of things we have to go around to do that. But if an Org has some space that they do want to lease out, maybe we can at least facilitate that and allow it to be a little easier to see what’s there.
But I think ultimately this comes back to we’re trying to serve – we’re trying to fix a market problem, the financing of a purchase, with policy which I don’t think is the right way to do this.
Bill Sandiford: Thank you. Front microphone.
Robert Seastrom: Rob Seastrom, speaking on my own behalf, not on behalf of my day job; and I’m also on the ARIN AC, who I’m not speaking on behalf of.
I would like to amplify the problem statement that there is a difficulty, especially on the low end of the market – new entrants, small shops – with looking for options other than cash on the barrelhead, compared to a hyperscaler with deep pockets, that disproportionately affects a very small organization in terms of payment possibilities.
That said, when we talk about finance options, to Kevin’s point, we will likely need to forge policy to accommodate that sort of thing, because the amounts of money that we’re talking about here is significantly in excess of what’s usually done as a signature loan with no recourse to repossess the underlying asset if it’s not paid for.
And so if we want to go in that direction, we can, but it will absolutely have to be addressed in policy to some degree. And I’m in favor of continuing to explore in this direction with creative financing, be it leasing, be it the ability to pledge addresses as collateral against a mortgage against those addresses, whatever it is.
Although I’m opposed to this current proposal as it’s written. I think there’s a lot of work to be done here. Thank you.
Bill Sandiford: Thank you. All right. We’ll be closing the queues in one minute. I’d like anyone who wants to speak to please get in queue and invite those online to get their comments in. We’ll close them in one minute and we’ll go to the rear microphone.
Mike Burns: Mike Burns, IPTrading: Some of the discussion has indicated that this is a banking or financing problem. But the bankers and the financers who I have spoken to have said it’s a policy, restrictions in place, that are preventing or helping to prevent them from financing these addresses.
Rob mentioned one is repossession. Another is the 12-month resale. It makes – as well as of course the need to justify, but there is a policy environment that we control that provides information to a banking community we don’t control.
But from what I’ve heard, the banking community just doesn’t want to come near IPv4 addresses because of characteristics associated with the regulations attached to them. And that’s what I’m seeking to change, thanks.
Bill Sandiford: Thank you, Mike. Rear microphone. Before you get started, remote queues are now closed. And we’ll still invite online comments.
Kevin Loch: Kevin Loch with QTS again. It seems a lot of the discussion around this policy is around new entities that just want to be an IP leasing shop.
I have a question about existing network operators like myself. The vast majority, if not all, of my downstream customer assignments today are on my network, which is the way I personally prefer it.
But given what I said early about the increased demand, if I decide to start leasing IPs to folks that are not on my network and I need to go acquire more IPs in the future, would I then be disqualified?
Would those IPs that are leased not count towards utilization for an actual network operator that does a hybrid model of customers that I’m serving directly with my network and customers that are not on my network?
Bill Sandiford: Thank you for the question. John?
John Curran: Okay. With respect to how we currently treat things, ARIN is agnostic about leasing; you have an assigned address block, you can utilize it internally, you can use it routed on the Internet, you can have your neighbor or your friend or a business associate use half your block. None of that affects what we consider.
However, when it comes time for you to turn around and say you’re going to do a transfer to receive more addresses, we only count utilization that’s associated with network infrastructure.
So to that regard, if half an address block is off being leased to someone, it’s not utilized. When you go to do a transfer, we’ll say half your address block is already available, sir. You can’t do a transfer. The amount of space you need is not what you claim to need because you have half an address block free.
So, yes, the ability for someone to transfer in address space and document their need can be constrained. If they’re leasing addresses they’re not considered utilized under the current policy. Does that answer your question? Okay.
Bill Sandiford: All right. We’ll check to make sure there were no further comments online.
Hollis Kara: Nothing further online.
Bill Sandiford: Nothing further online. This was not a Recommended Draft Policy, so there’s no poll related to this one. And we’re right on time.
Hollis Kara: Thank you very much, Bill and Andrew. Okay. So that brings us to our lunch break. A couple of quick notes before everybody runs for the door.
We will be on break until 1:30, I believe; is that correct? Yes, that’s correct. 1:30. We’ll be on lunch break until 1:30. For those who are here with us in Nashville, lunch will be in Symphony 1, where breakfast was located.
For those who are attending virtually, don’t forget we will be running Virtual Table Topics from 12:30 to 1:00. You will have that Zoom link in your day one email that you received this morning or available in your event hub. And we look forward to seeing you back at 1:30.
(Lunch break from 12:11 PM to 1:30 PM.)
Hollis Kara: Hello, hello, hello. It’s time to get started. We’re trying to pull people in from the hall so we can get started with this afternoon’s presentations.
Give us just a moment for folks to wander back in. I hope everybody enjoyed lunch, caught up on their email, did all the things. We’re starting.
Hopefully everybody is looking forward to the social tonight. Just so folks know, obviously we’ll have folks in the lobby to make sure you get where you need to go. But if it’s raining cats and dogs at the time when we need to load buses, we’ll use the doors to the side, right here off the foyer, rather than the main doors. And the hotel has graciously offered to have folks with umbrellas to make sure we don’t get too soggy. We’ll be there. And if you weren’t in here, they will know who was late because they’ll go out the front door and get wet. Yeah, it may be raining.
Are we ready to go? The countdown is on. The last scramble through the door. Here we go, here we go. Okay. I think we’re going to call it good.
Welcome back. We’re going to kick off our afternoon with a presentation from Einar Bohlin, our vice president of government affairs. And he’s going to give a Government Affairs Update that covers all the things. So get ready. Einar is walking up.
He’s strolling. I don’t have much else to say at the moment. Here we go.
Government Affairs Department Update
Einar Bohlin: Thank you, Hollis. Good afternoon, everyone. My name is Einar Bohlin. I’m the VP of Government Affairs. Welcome back to this room after lunch, the committed and on time people.
It’s great to see – it’s great to be here in person. Great to see so many friends, so many familiar faces and new faces as well.
If I haven’t met you, I hope to meet you at some point during this meeting. I’m looking forward to the social. And let’s get going. This is the Government Affairs report.
Here’s the contents of the report. We’re going to look at the structure of the department. Our areas of focus. Highlights from the three areas, including the Caribbean; law enforcement and public safety; and Internet regulation. And then a look at 2022.
So this is the team, myself, and we have Nate Davis, who is the Senior Government Affairs Analyst; Leslie Nobile, Senior Director, Trust and Public Safety; and Bevil Wooding, Director of Caribbean Affairs. And we’re all sitting in the back on the right. And come chat with us if you have any questions about this report or these activities.
So our areas of focus. We exist to protect the multi-stakeholder approach to technical coordination of the Number Registry System. We do that by improving accuracy and trust in the RIR system. We engage with governments to support their needs and to keep them informed of the perspective of our community.
In the Caribbean, we work to support the strengthening and resiliency of the infrastructure, to have strong engagement with the countries and territories in that region, and to make sure that our services are well known.
On the matter of Caribbean affairs, highlights of recent activities include participating in CaribIX, which is a project to establish Internet Exchange Points in Saint Martin, Saint Barthélemy and Guadeloupe. That’s in conjunction with the CTU, CaribNOG and Interreg Caraïbes. And this, of course, is an activity spearheaded by Bevil. All of the Caribbean work is undertaken by Bevil, actually, with support from the rest of the team.
Bevil has been doing outreach in support of the Caribbean Justice Forum work. And that’s been with the CTU, the Organization of Eastern Caribbean States and the Caribbean Agency for Justice Solutions. And this is work where we’re trying to educate lawyers and judges and people that work in the judicial system about how the Internet works.
Continuing with Caribbean affairs, upcoming events include a CTU ministerial. Actually Bevil is with us today, but he’s heading for that tomorrow. If you want to catch Bevil, please catch him here today or at the social. CaribNOG 23 is on the 11th and the 18th. That’s a virtual event.
The ARIN LACNIC CTU event is on the 17th and 19th. That’s been modified away from the 18th so we don’t overlap with CaribNOG. That’s also a virtual event.
And in the third quarter we’re planning the Justice Sector Forum, and this is a joint effort between ARIN and APEX. And last year we had two days: one focused on judges and one focused on attorneys. They were well attended and very well-respected fora and the discussions were amazing. It was right after the ARIN meeting. It should be another good event.
Themes in the Caribbean include digital transformation, security and resiliency, capacity building, and Internet number resource and network autonomy.
Law enforcement and public safety. This is Leslie Nobile’s specialty and area of focus. Recent engagement activities include, at both of these events – with the help of Brad Gorman, our RPKI expert – we gave RPKI presentations at both the Canadian Centre for Cyber Security and M3AAWG, also known as “maug” [phonetic pronunciation].
Shout out to Leslie Nobile who is the co-chair of the Names and Numbers Committee at M3AAWG and bringing information about the RIR system to that organization.
We’re also tracking an interesting development with the Budapest Convention. This is a treaty on cybercrime. It’s 20 years old, and it’s been amended. We expect it to be signed, updated and signed in May, next month, actually. And it’s going to provide – as it says on the slide, it’s going to “provide legal basis for disclosure of domain name registration information and for direct cooperation of service providers for subscriber information.”
What that means is that law enforcement participants in the treaty are going to have easier and quicker access to get information about customers. So we’re tracking this. Perhaps this might have some impact on information that registries might have to provide to law enforcement.
Upcoming events in this area of law enforcement and public safety include M3AAWG and ICANN. And themes in this area of work include data governance, which has the different flavors of data privacy, accuracy and access, and critical infrastructure, anti-abuse, cybercrime and cybersecurity.
International Internet Regulation. We’ve been engaging with CITEL, which is the regional telecom organization for the Americas as that organization prepares for large ITU conferences.
There are IPv6 resolutions at the ITU, with the basic title of something like IPv4 – getting rid of IPv4 and deploying and transitioning to IPv6. So these are existing resolutions in the different parts of the ITU – the D sector, the standard sector, the Plenipotentiary Conference. And by working with CITEL, we made a couple of good changes to the resolution that was adopted in March. There was text saying that countries should share successful deployment strategies with each other. If a country happens to have established and gone and implemented a deployment strategy for v6, then they’re welcome to bring that to the ITU to share with other countries.
And the v6 proposal that we have going into WTSA, which is in June, has language about encouraging countries to get their governments and industry to offer services like their websites and email over IPv6.
So these proposals, these resolutions already exist. We’re making some minor changes to them. And of course we’re keeping track to make sure that things that we wouldn’t like don’t go into them. So, for example, the resolution that was amended in March, that has text about the ITU considering becoming a registry. That language is still there. There’s been attempts to get it taken out. But the membership isn’t ready to remove that text yet.
Other resolutions we’re looking at are the so-called traditional Internet resolutions as well as new ones. A couple years ago at the Plenipotentiary meeting, there was a new resolution on OTTs, over-the-top services. And this was quite contentious, but it did go through. It was so contentious that hours were spent whether or not OTT should be mentioned by what it stands for. So to give you an idea, and then we expect a resolution on AI to come to the meeting later this year and that is going to be very contentious as well.
And then areas of engagement – or activities that we’re monitoring, rather, include the cyber treaty that is happening at the UN General Assembly, the cybercrime treaty that’s being developed at the Office of Drugs and Crime. We’re monitoring NIS2 out of Europe, which is going to have significant reporting requirements for cyber incidents. That won’t necessarily affect ARIN directly, but NIS2 coming from the EU will be affecting the RIPE NCC.
In the US, there were several bills proposed to require cyber incident reporting when there are breaches. There are also state laws or state bills on that topic.
And in the area of data privacy, that continues to be left to the states. And some states are making significant progress in their data privacy laws. And that’s troublesome because you can’t just simply follow the most restrictive data privacy law in the state. You have to look at all of them because, to abide by them, they might be apples and oranges.
In Canada, we’re looking at potential changes, laws regarding critical infrastructure, data privacy, copyright, and this relatively new one which is online harm.
And I did the slides over a week ago. If I had updated them this morning, I would have put the EU on here because there’s been articles in the press about the EU looking at content.
Themes and Internet regulation include critical infrastructure laws and regulation, data governance with a different look, data sovereignty, data privacy, cross-border flows, digital transformation and cybersecurity.
A look at 2022. This has been already a very interesting year, and it’s going to be even more interesting. These major ITU conferences, WTSA, which is the standards conference; WTDC, which is the development sector conference; and the Plenipotentiary Conference, normally take place not in the same year, but because of COVID and delays, they’re all happening this year.
And as we prepare for one – as we are attending one meeting, we’re preparing for the next one. And it’s really been a lot of effort to keep up and stay on track for each of these meetings. WTSA occurred in March. The WTDC is in June. And Plenipotentiary Conference is in September and October.
So looking at all of these, there’s an interesting event that’s going to happen at the Plenipotentiary Conference, and that’s the election of the Secretary General. The current Secretary General of the ITU is a Chinese gentleman named Houlin Zhao. He served two terms, and he’s terming out. There will be an election, and right now, there are two candidates. There’s one from the US and one from Russia. And in January it was a pretty even race. With the war in Ukraine, the Russian gentleman’s chances seem to be diminishing. But I wouldn’t call him out yet. For example, I’ll tell you a story about WTSA. When that meeting started, there was a proposal to ban Russian citizens from leadership positions at WTSA and in the T sector in general.
And that took several hours to have the outcome finally decided, and it was by a vote. And the vote to keep the Russians out of leadership positions was approximately 50 in favor, 30 against and 30 abstentions. So looking at those numbers, it doesn’t seem entirely clear that the Russian has no chance at the Plenipotentiary meeting.
That said, Russia was kicked out of CEPT, which is the European regional telecom organization. But then last week, they weren’t kicked out of the G20, even though the US and Canada proposed that and strongly urged it.
The Russian candidate, his platform, as stated by a Russian minister in 2021, includes the desire to transfer Internet management to the ITU.
And then at another – there have been constantly statements about enhancing the role of the ITU, about greater participation at the ITU. And this isn’t new, but this is pretty clear and obvious. It couldn’t be any clearer in the recent statements. In past years, it’s been more subtle. The ITU should have more say in Internet governance. But this is straightforward.
Next bullet here is FCC Request for Comments on Secure Routing. The FCC, in the Federal Register, asked for comments on the status of secure routing. Specifically, they mentioned BGP, they mentioned RPKI and ARIN. And ARIN staff worked together and produced a response to this document. I’ll try to explain the gist of it.
ARIN believes that RPKI is operational and ready to go and available to be used to help secure routing. However, it’s not the end-all be-all. Don’t overdepend on it. Best current practices mean if RPKI fails, routing should still work. That’s why we did a test last year. We also note that the FCC, in putting out this request for comments, might go down the path of creating a rule – rulemaking, something regarding securing routing. And many times in our report to the FCC we told them to be sure and consider comments received from ISPs and network operators; that if they consider any path towards rulemaking, be sure and get feedback from ISPs and network operators.
Next bullet is the Alliance for the Future of the Internet. This was announced by Tim Wu, who is famous for coining the phrase “network neutrality,” at the IGF meeting late last year. So he had a slot, and he presented this topic and he said that it was time for like-minded countries to come together and sign an agreement on the future of the Internet, and the agreement is based on an Internet that considers democratic principles and respects human rights.
There’s more to it if you look at – if you Google “Alliance for the Future of the Internet”, AFI, and there’s articles on Politico, this announcement didn’t take off. The administration – Tim Wu, by the way, was representing the White House; he works for the Biden Administration. It didn’t take off. It looks like it’s been back-burnered. And then, because of the war, most everything is eligible to be back-burnered. So we need to see what happens with this. And perhaps it will be picked up and progressed, I don’t know.
IGF 2022. Normally I wouldn’t mention IGF. It’s a great conference. IGF is run by the UN. It’s owned by the Secretary General of the United Nations. It’s a great place to go and talk about any topic whatsoever regarding the Internet. But there’s two things that reminded me to put it on here. One is that is where the AFI was announced last year. And the second thing is that the Secretary General of the UN is determined to make the IGF more impactful, I would say.
Normally, the IGF has a report at the end. All the presentations are maybe bundled in a document, and that’s it. But the Secretary General wants output from the IGF to keep going. He’s forming what he calls a high-level body of a certain number of people, and it’s going to be their job to meet several times after IGF to keep momentum going for certain topics. So we’ll have to see what happens with that.
And at the bottom: Internet-impacting Legislation. I talked about the Budapest amendments and this too. Let’s see. I talked about regulation of policy developments in Canada. We could get some activity out of the Caribbean. But I don’t see anything today.
So this is my takeaway slide. If you remember anything from this presentation, we’re working to strengthen relationships with governments and industry to make sure that your perspective is understood and taken into consideration. Thank you.
Hollis Kara: We have a moment. Don’t run away, Einar. If there are any questions from the floor, please approach the microphone. I do have one question that came in from our virtual attendees. Beverly, do you want to read that in?
Beverly Hicks: Sure. That’s from James Woodside, one of our ARIN 49 Fellows. Wants to know whether the Caribbean affairs events are open to all and, if so, where he can sign up.
Einar Bohlin: That’s an excellent question. They are open, especially the virtual ones. And you can sign up – I think we put information on our calendar. Yes, I’m getting a thumbs up on that. Hollis, maybe you can help.
Hollis Kara: It should be on ARIN’s event calendar. We list all of these events as we’re made aware of them; and if there’s a registration link, we provide that.
Bevil, I don’t know if you have any additional information you want to share. Bevil is shaking his head no. Thank you. That was exactly what he wanted me to make sure you guys know.
Keep an eye out on ARIN’s event calendar, and if there’s an event that you wish to register for that is available, you’ll find a link there with the listing of the event.
Einar Bohlin: Thank you for the question. Thank you.
Hollis Kara: Thank you, Einar.
Hollis Kara: We’ll move on. Einar, you took my agenda. Bring that back. I tell you, people around here. Geez.
Sean, hold your horses. Let me say the words first. Next up, I’ve got Sean Hopkins, Senior Policy Analyst and he’s going to give us a brief rundown on Regional Policy.
Regional Policy Update
Sean Hopkins: Hi, everyone. Been a while. Missed you. Sean Hopkins, Senior Policy Analyst.
Apologies in advance, I have had enough caffeine to send Elon to Mars. Usually I do this in the morning, when I say “good morning,” and I wait for you to all shout it back to me. I don’t think I’ll get that enthused a response in the afternoon. Instead, I’ll just do this in the form of spoken word poetry. Not enough of you know that I’m kidding. All right.
So outside of the ARIN region, here’s the world. Looks good in text, huh? AFRINIC, APNIC, LACNIC, RIPE NCC, all with regionally-specific, yet similar, Policy Development Processes. Continent of Africa is there. EU, et cetera.
Does anyone know – show of hands – where Antarctica lies in this picture of the globe? Excellent. Just shout it out. I don’t think they’ve gotten space in a bit, not much growth there. Too many hiring freezes. A swing and a miss.
I’m a dad now; I get to make the jokes.
First up, pending implementation. ROAs for unallocated and unassigned space. AFRINIC is in the process of implementing this. It does take some system upgrades. They’re doing work in the back end to make that possible.
What is not pending implementation but has reached consensus? We’ve got a few items here. The top one involves the inter-RIR transfers. There are actually two proposals under discussion within the AFRINIC region that involve Internet Number Resource transfers outside of that region.
One of them is compatible with ARIN in terms of our need to have, the exact wording, Compatible Bidirectional Internet Number Resource Transfers Between RIRs.
This one actually does allow all resources in but not quite all of them out. So that’s the distinction there. It’s also a Policy Compliance Dashboard one.
You’re also going to see a couple of these under appeal. There’s an appointed appeals committee. The consensus of these particular two, you see two at the top there, being the actual consensus is under appeal. It’s been in that state for just a bit. They have a meeting at the end of May. Probably get a bit more clarity at that time.
Under discussion: There’s the other inter-RIR Resource Transfers proposal we discussed. The other being abuse contact specific. As of right now, they don’t have an abuse-c attribute. This particular draft policy would address that.
Also under discussion: Update of PDP. So when I say regionally-specific yet similar to ARIN, ARIN does not actually involve changing the PDP within the PDP. That is one distinct difference between ARIN’s Policy Development Process than those of other RIRs.
Off to APNIC. That was a quick flight. The ASN to Customer Proposal is, to be more specific there, when an LIR gets an ASN, pushes it out to a customer and then, for whatever reason, that LIR stops providing services to said customer, is no longer their upstream, this proposal deals with what happens then? Does the ASN continue to get used or not?
As of now, I believe it does not. Also some experimental allocations stuff. It actually sets aside a – Prop 144 there sets aside a reserve pool for at least five years to specifically deal with experimental allocations. And this would be a first in the RIRs.
LACNIC, some unification of text, a decent amount of the proposals under discussion there are either unifying, clarifying, et cetera, text within their manual, much like the work that we’ve got going on here with our AC.
There’s also the 2021-4, specifically, if you’ve gotten resources through an M&A but the M&A as a whole failed, what happens to the resources? That’s what they’re kind of tangling with there. This would allow for the transfer of the resources instead of saying return it to LACNIC.
Did not reach consensus. Now, this is an intimidating list. As I said, most of these are a little bit more clarification than wholesale changes. You’ll also see a number of them involve the PDP directly – one, two, three – four PDP mentions. That does not mean they’ve been abandoned. Doesn’t mean they’re not going to be under discussion. They’re very much alive, very much under discussion, and we’ll see at future meetings.
Yes, this will be a long one. Not a whole lot in terms of active policy discussion at RIPE, at least none that have generated proposals that are listed online. But I can assure you there’s plenty of chatter happening, and Mark will back me up on that. Feel free to find him if you would like to discuss that.
For answers, check all of these lovely links. For questions, check any of these lovely microphones.
Excellent, thank you very much.
Hollis Kara: All right. Any questions for Sean? No, Sean is running away as fast as he can.
I think you’re free.
Sean Hopkins: Cool. Leaving now.
Hollis Kara: I’m going to introduce the next two presentations because they’re both being given by this fine gentleman to my right. John Sweeting is coming up, our Chief Customer Officer, giving an update on IPv4. And then followed up by a Services Update. You’re ready? Green button. Don’t push the one that turns the screen off.
John Sweeting: Good afternoon, everyone. Back again. I guess I’m giving two presentations in a row. We’ll wait and see together what the second one is.
The first one is an IPv4 update that I’m presenting for someone that was going to be here but had some things, other things more important to do and was not here today.
So here we go. All right. We’re going to do an overview of IPv4 coverage under RSA, LRSA, kind of blends into what I covered earlier this morning.
The Waiting List growth, the Reserved Pools, 4.4 and 4.10 space. I think it was probably Kevin long ago always asked us to update this during our meeting.
IPv4 /24 transfers. The number of 24s, not just /24 transfers. And then a couple of slides on IPv6 networks issued and created.
So here’s a little bit of a different picture of the RSA coverage in /24s. As you can see, about 50 percent are under a regular RSA, Registration Services Agreement; 15.2 percent are under a legacy agreement; and then no agreement, 34.8 percent.
This just shows the Wait List over the years since we initially started, went to the Wait List and started taking requests, back in June 2015.
As you can see, it went up and up and up, without too many being given out. It went up and down a little bit. We had a lot of work to do to clean up a lot of the space from prior years. We started doing that, and looks like March 2019 is when we started getting a lot of that stuff cleaned up and went through that process that I mentioned earlier today that we put in place, and we were taking the Wait List down to zero for several quarters in a row.
Lately we – I do want to clarify one thing I said this morning that the Wait List, the next couple of Wait Lists might look like the one we just had, but one of our expert researchers, Jon Worley, informed me that for the next two quarters, we’re going to give out a little bit more because we had – a year ago, we reclaimed some space that is now coming up and we’ll give it out.
So we’ll probably be – and this is like John mentioned earlier, there’s no guarantees on these words, but we’ll probably hit between 120 to 180 organizations with a /22, 23, 24, the next two quarters only, then we’ll probably go back down to that 40 organizations get fulfilled after that.
Just wanted to make sure that everybody was clear on that. And so keep getting your Wait List requests in. If you are eligible, and need IPv4, keep getting those Wait List requests in.
Here you go for the reserve pools. 4.4 is critical infrastructure. There are 172 /24s used and 340 still available. So looks like we’re about one third of the way through that pool.
Lisa is not here. I’m not sure – I’m not sure what the average we’re seeing for requests on that anymore, but it’s not a lot. We don’t see a lot. And then the 4.10 space, of course, is the IPv4 /24s that are put aside for helping the transition to IPv6.
And as you can see, there is a lot of them left. I believe that was when it started, it’s a /10, and the 4.4 was a /16 that got extended to a 15.
This is a little bit of an eye chart, it’s the number of /24s transferred by quarter by transfer type.
So the purple is merger and – that’s inter-RIR transfers in. The green is inter-RIR transfers out. The light gray, looks like, is 8.3 market specified transfers. And the last one, the purple, is merger and acquisitions /24s transferred by year. As you can see, 2021 was a big year on transfers.
The last little column there is Q1 of this year, so it looks like 2022 might be a big year as well compared to the history on there.
These are the types of blocks, as in /24, /23, /22, as you see. /24s are actually the most frequently transferred block size. And then it continues to go down. There was a blip there with /20s. But basically, it rode down and got down to /16, popped back up and this has been year over year for the last three years.
The same pattern except, like I said, that one little blip there with the /20s in 2021.
Blocks transferred within the Inter-RIR Source. That’s blocks that went out of region, out of ARIN region by the last three years. As you can see, it grows. It’s been growing. Looks like we had a lot of /16s going out in 2019, but then slowed down in 2020, but jumped back up – no, 2021, it’s kind of stayed low, too.
So that’s just a nice little eye chart for you to look at, if you have any interest in those types of things. Looking at the size of these, how tall the bars are.
Then we’ll go to recipients. And this is blocks coming into the ARIN region from the other RIRs.
I’ll have numbers on that I think later, I do an NRO statistics presentation that has the actual number of those blocks and IPs, /24s.
This is just a chart of IPv6 that’s directly issued networks by ARIN directly to our customers by year.
As you can see, 2016, it went up and up and up until everybody – until we ran out of IPv4, and then for some reason it went down. You would have thought it would have kept going up, but it didn’t. It went down, and it’s now steadily creeping up little by little. Notice on here this is directly-issued networks by year from ARIN to our customers.
But here is a little different story. It tells us the number of IPv6 networks created per year, including reassignments. So space that we directly allocated to ISPs that then reassign them to their customers, we’ve had a huge jump in the last two years.
To me, what that tells me is that they’re actually putting IPv6 to use out there now. Actually, they got their allocations from ARIN. They experimented with them. They held on to them for a while, and now they’re actually giving them out to the customers, and that’s a good thing, I think.
That would be it. Any questions?
Hollis Kara: All right. The floor is open if anybody has any questions for Mr. Sweeting about this last presentation.
I believe we had a question in the virtual that showed up in chat, if we want to move that over to the Q&A. Yes, it popped through. I love it when that happens.
I’m going to turn it over to Beverly to read that one in.
Beverly Hicks: This is Mercia Arnold: I don’t have an affiliation. The question is, are there specific PSP-sized mergers that impact the transfers per year? I am thinking of merger activity by Comcast or Amazon or Meta.
John Sweeting: Could you repeat that? I won’t talk about specific companies by name, but what was the gist of the question again?
Beverly Hicks: Are there specific mergers that impact transfers per year?
Hollis Kara: Specifically talking about the PSP-sized organizations currently, so 2X and larger.
John Sweeting: Any other questions?
Hollis Kara: It’s still you. Go ahead.
John Sweeting: Oh, this is going to be on the Services Update. This is a short one. Services Update. What I’m going to talk about here is our Premier Support Plan Update, what we have shared with the community at the last – in Minneapolis and also our spring meeting last year, which was virtual.
So we’ve come up with a Premier Support Plan, and it’s part of our ARIN’s ever-increasing focus on being customer-centric and doing everything we can to meet our customers’ needs.
One of the things – we initially launched this actually to our customers that were 2XL and larger to give a feel for what it would take to run the program as well as the benefit that it would actually provide. And we have looked at that and we have now developed a fee-based version of the Premier Support Plan that is going to be out there and offered to all members. But it will be fee-based because it will take more resources to support that. So based on that, we have to charge a fee for it.
What’s consistent – the PSP service offering consists of a dedicated account analyst. So once you become a PSP, you apply, pay your fee, you’ll immediately get a dedicated account analyst assigned to your account that you can reach out to at any time for anything you need from ARIN. They will also keep an eye on your tickets that come in because your tickets – as the tickets come in from a PSP customer, they have a flag on it that puts them to the top of the queue, and they get handled very quickly and moved along the process.
We also offer a direct technical services liaison, which today would be Jon Worley, Brad Gorman, Nathan Newman, one of our technical analysts that are in the CCO office or in Registration Services, and they will handle any of your questions. They will work with you to help you deploy your RPKI, put in your IRR objects, set up your DNSSEC. They will be available for you whenever you have any request that you need help with.
We also have a 24/7 on-call support number that’s only given to our PSP customers. That basically you can call 24 by 7 if you’re having an issue that’s affecting your network that ARIN can help fix.
And then there’s also our Premier Service Plan Customer Focus Group, which is a quarterly roundtable with the ARIN CEO. You get direct access to John Curran today because he’s the CEO. He is there on almost every call. He makes it a priority to be there. So if you want to have the CEO’s ear, you will have it as a PSP.
And there’s also the waived transfer fees. That is the only transfer fees that get waived today. It used to be RSP, anybody under an RSP didn’t do it. That changed January 1st of this year. That’s a pretty good deal if you do transfers.
Highlights of the PSP so far that we’ve done with our 2XL partners is, well, as I said, the roundtable with the CEO and other senior members of ARIN’s leadership and technical teams. If we know ahead of time of specific questions or issues that are going to come up, we will make sure we have the correct people on that call to address those concerns.
We’ve had several good things come out of those calls. As you can see, follow up, we’ve had Brad Gorman, our Senior Product Owner for Routing Security, setting up calls and one-on-one calls with these individuals and walking them through how to set up their RPKI and IRR, and a lot of it was due to the NONAUTH IRR going away. He was very busy for the last six months and is probably going to be very busy for the next six months as we’re continuing to take care of all the issues surrounding that.
We take the feedback in for things we can do better, faster, easier. It’s all with a focus on customer service and how we can provide better service to you, our customers.
We did perform a survey in 2021, and we’re using those surveys to leverage, examine and make improvements to the program before we roll it out.
I guess I should have a slide. What’s next? We’re going to continue to assess that feedback that we get from the current customers that are in program, and we’ll take any feedback anybody would like to give us on that.
And the additional details to the community on the upcoming fee-based version of the PSP, we’re actually going to have a date sometime in August. We’ll have a specific date very soon because we have to have that specific date very soon in August that we will be opening this up for enrollment. As John smiles. Very happy.
Any questions on that?
Hollis Kara: Opening the microphones for questions. Please, if you have questions, virtual attendees in the queue, go ahead and drop those. Give it just a moment. Looks like we have a question. Yes? No. That’s not one. Sorry. That was sitting in the queue. I think we’re good.
John Sweeting: No questions?
Hollis Kara: No. Thank you, John.
John Curran: Summon Hollis.
Hollis Kara: All right. So we are running slightly ahead of schedule, for those who are following along with the agenda closely. So we’re going to do one of our magical agenda flips, which means you get to listen to me talk a little bit more before you get another break.
I’ll go ahead and give you my Communications Department Report, fill you in a little bit about what we’ve been doing and what’s coming up. And I haven’t really thought about this presentation because I didn’t think it was coming until Wednesday morning, so I apologize if I’m a little bit scattered on this one. Bear with me.
Communications Department Update
Hollis Kara: So, first, the team: We’ve been dropping in Zoom grabs of everybody for a while. And that’s kind of boring. I decided this time, we’d ask everybody to pick an emoji that represented them to introduce themselves to the crowd. Take what you will from their animal selections. The department is comprised of myself as the Director; Beverly Hicks is our Training Development Program Specialist, and also producer for virtual events.
We’ve got Melissa Goodwin, who is our Meeting Planner. Jennifer Bly as External Relations Manager. Amanda Gauldin, Community Engagement Coordinator, who is running a fabulous Fellowship Program, and I forgot to welcome our Fellows earlier this morning. I knew I missed somebody so my apologies to that great group. We’ll be talking a little bit more about that in a moment.
Ashley Perks, who is with us, is our Senior Communications Writer. Craig Fager, new to the team, Technical Writer. Christina Paladeau joined us two weeks ago. She’s our new Social Media and Content Specialist. And we’ve got Tommy Baldwin rounding out the group with graphic and digital media design.
It’s a great group, and I’m really proud of the hard work they put in.
What you’ll notice, there clearly have been some changes. If you’ve been hanging around ARIN a while, there’s some new names on here you haven’t seen before. And I’ll talk a bit more about that in just a second.
I’d like to take a moment to give a special thank you to Jennifer Bly for her 11 years of service. Right before we left for ARIN 49, Jennifer regretfully informed me that she’s going to be leaving to take on a new opportunity here very soon, and I just wanted to take a moment to sort of wrap up her contributions to this department because I don’t know it’s really had enough visibility. You’ve all felt the impact, but you maybe haven’t had the opportunity to connect the dots and realize how much Jennifer has contributed over the years.
She started off in social media and in content and has grown and developed inside the organization as a leader, and she’s currently heading up things like our IPv6 campaign; she’s run that for years. Our Community Grant program. She has started up a strategic partnership program, coordinates that through the CCO office.
She’s facilitated all of our outreach and all the wonderful things that you see tracked on our calendar for years and has handled our public relations since we brought that function in house. You can see, she’s leaving some big shoes to fill.
And I’m not really looking forward to going back and figuring that one out after the meeting, but I would ask if I could get a round of applause for Jennifer.
All right. So what do we do? Which is clearly a number of things. Communications is responsible for content development, community engagement and then our social media and Blog, at the highest level.
So in content development, a couple things to point out, highlights. Our annual report. That’s an annual deliverable. It was just published the other week. This was Ashley’s first time having to spearhead that project. And so I’m really excited about how it turned out, and I hope you’ll take advantage and open it. It’s not a document that tends to get a lot of use so we’ll feel a lot better about ourselves if you do at least go open the page.
We also are in the process of developing some new videos on ARIN governance and on ARIN policy that are going to be a supplementation and improvement on our previous Leadership Development program that we’ve been running the last several years.
We realized that telling you guys what you need to do to be successful as a candidate for an ARIN elected body when we’ve opened nominations is maybe a little bit late to get that word to you. So we’re creating some more evergreen content that will help you understand what we require of the individuals that serve in those roles so that you can kind of set your course to get ready and maybe not just have a couple of weeks to do it.
We also are developing a lot of on-demand training. We have a lot of on-demand training available on RPKI, IRR and IPv6 address planning, and we have some new training coming up very soon. More about that in a moment.
We also handle community engagement through programs like Optimized, which is our webinar series for new customers. We run that quarterly. We have our Fellowship Program. More on that in just a second. And we recently brought back ARIN on the Road. We’re hoping to have three more events this year.
We had our first one in Phoenix. It was great to be back out in the community and talking to you guys face-to-face.
Our Fellows. Amanda Gauldin runs our Fellowship Program. We have a great crew of Fellows and mentors, mentors in the room. I think we have one Fellow in the room as well. I won’t make you stand up or raise your hand. And the rest joining us virtually for this meeting. The Fellowship Program has really grown into a more structured program. A lot is thanks to Amanda’s hard work and developing that program, and we’re looking forward to continuing to expand that moving forward in the future.
We also handle ARIN’s social media and Blog. The Blog has recently been moved into, in the last – well, it was right before ARIN 48, it was moved to the ARIN website from the site it had been on previously. Since ARIN 48, we’ve published 23 blogs. I hope everyone has read them all. If you haven’t, you have something to do this evening after the social. We also have had 40,000 views since we’ve migrated the content in, which is great. When it was living in its own space, it wasn’t performing quite as well. So the move has really helped it to become more visible and hopefully more useful to you. We now also offer a signup, which you can register, and you’ll get an email notice when we publish out there. Happens once, maybe twice a week. If you want to keep track of the information we’re publishing, it’s a good thing to do. And you can always interact with us through our social media on Twitter, Facebook, LinkedIn, all that good stuff.
Okay. Training. Brad Gorman. You’ve heard his name a lot. He’s not going to be up here at the microphone until tomorrow morning. But I’ll hype him again.
We’ve been working on developing our next chapter in RPKI training, which is entitled Delegated, Hybrid, and the API. Kind of, okay, you’ve got ROAs, now what will you do? Those sessions are held on the 25th of May and the 1st of June, and then that recording will be made available on demand for folks who can’t attend those sessions. We’re very excited to do that. Registration should be opening in early May, which is very soon.
Okay. You may have seen this sign last night with the weird little QR code on it wondering what the heck is that about? Here’s the thing: It’s a big year for ARIN. It’s our 25th anniversary and our 50th meeting coming up this fall.
All right. Thank you. I’m excited. So one of the things that we’re doing to try to build up some stuff so that we can get everybody hyped up for that meeting and kind of remember our path and where we’ve been, is we’ve set up a space. You can access it through this QR code. We’ll be publishing the link in more standard format elsewhere, where you can go in and tell us a story or a memory or share a great picture you have from a previous event, and it may or may not make an appearance in content and materials leading up to the meeting and to our 25th anniversary.
So I hope, for those who have been around a while or maybe even are newer to the community, if you have something to share, you will, because we want to hear from you as we celebrate this milestone.
And with that, yes, ARIN 50, please save the date. We hope you can join us in October. We will be at the Loews Hollywood Hotel. It’s going to be a blast. We’re bringing back some great things to make this a real celebration.
And with that, I think did I talk – I probably talked too fast. I still talk too fast, but we’re only five minutes ahead now. So I think that’s close enough.
Do we have any questions before we roll to break? Anybody? Anybody? No, okay. Thank you. The goodies are out there, don’t charge the door. We’ll be back for the remainder of the day at three. Thank you very much.
(Break from 2:29 PM to 3:00 PM.)
John Curran: If people will come and be seated, we’ll get started.
Hollis Kara: Okay. I think we have a few seconds left on the countdown. Just rolled over to 3:00. I think we’re good. We’re back from the break. What’s up next? What’s up next is Richard Jimmerson. He’s here with – he’s our Chief Operating Officer. He’s going to be giving an ARIN Operations Update. So let’s welcome Richard.
ARIN Operations Update
Richard Jimmerson: Thank you, Hollis. Welcome everyone back from the break. We have an Operations Update here. I always have a challenge with the Operations Update in the April meetings because in the April meetings, when we give the presentation for the Operations Update, it’s also followed by department reports inside the organization.
In the October meeting, I get to take everything. I get to put it in this presentation because we don’t have the department reports. But you’ll find that this presentation is a little bit shorter than it usually is.
Wanted to give you an update on the ARIN operational staff inside the organization to let you know how we’re structured and how many people we have and who is actually responding to your ticket requests and facilitating all the work that you’re doing here today and this week.
We have approximately 90 staff inside the ARIN organization, split between the several departments that you see reports from today and that you will see over the next few days. And we’re all actively working to get the job done on your behalf.
You guys are here setting policies that we use as a secretariat staff inside the organization and we implement those.
When you call the Registration Services Help Desk or submitting a ticket, you’ve got somebody behind that ticket that’s studying the Number Resource Policy Manual and making sure that they’re reviewing your request in accordance with the policies you set here in the room today.
Likewise, when we’re working on development projects inside the organization to improve services for you, oftentimes those are services that have been asked for by you through our suggestion process or some of these changes we’re making are directly related to the policies that you’re passing here inside the organization.
We have 90 dedicated staff to the mission of this organization and the work that we’re doing on behalf of all of you.
We’re fully engaged in our 2022 Work Plan. Our Board of Trustees comes together each year and reviews a budget plan for that next year. And they are very well tuned in to what you’re discussing in these meetings and the feedback that they are receiving from you throughout the year. And they approve an operations and budget plan for going forward into the next year. So we take that and we put together our work plans, and we engage in those fully at the beginning of the year.
We have continued to operate in the pandemic work environment at ARIN, like many of you may be doing. So around the June timeframe of 2020, as we were just getting into the pandemic – we had the office closed. It was closed from March to June. Nobody could use the office, and everyone was working remotely.
There are more unique individuals going into the office and using the space, but it’s still an option for staff to work from home if they choose. We are, however, now in the advanced planning stages for distributed workforce model at ARIN based on our learnings from the virtual work environment during the pandemic.
Last year, we had a study conducted. We had some discussions with our Board. We polled staff and the organization about what they thought about how we do our work in a post-pandemic environment based on what we’ve learned. And basically we’re moving into a hybrid model in the ARIN organization. So people’s schedules will be split between some days during the week working in the office and other days working from home. Some positions may require more days in the office than others.
And so we’re going to be implementing that later this year. We’re in planning stages for that now. And when we do do that, we’re not just doing it for six months. We’ve made a commitment to the staff and organization that we would do that all the way through the end of 2024. At the end of 2024, we’ll reassess as an organization what our needs are in terms of office space use, make some more decisions based on it then. So we told staff we’re going into a hybrid work environment, and we’re certainly not going to pull the rug out from under their feet about that. And we’re committed to that over the next few years.
What we have found during the pandemic, the work environment, remote telework mixed together with in the office use, we’ve been able to keep up with our work requirements for you. And we found that we’re more efficient in some areas in this environment and less efficient in others. So it’s going to be helpful to us when we do go into this hybrid environment.
So as you know, our outreach and meeting participation is starting to shift back to in person. So we had our meeting in Minneapolis last year. We’re meeting with you guys here today.
And as Hollis noted a few moments ago, we’re going to be doing the in person and hybrid virtual again in October of this year, when we meet with NANOG, in LA County.
We continue to do enhancements to ARIN Online and our internal tools to facilitate customer service. A lot of the development work that we do in the organization you see directly in changes on ARIN Online and our service offerings.
But a lot of the work we’re doing you don’t see it directly. But where you do see it is our staff is more effective in providing service to you because we have an internal set of tools that we use to review requests to monitor services for you.
And as is often the case, those get less care than the external services do. And we’re going through a rigorous effort now to update those internal tools. There’s a lot of that work going on as well.
I had this on the slide last time, but it continues to be true. The demand for Registry Services continues to grow. I’m not just talking about telephone calls to the Registration Services Department or the tickets you submit. It includes those things.
Those are some of the things that we monitor. But it also includes the use of our directory services, the number of answers that we’re serving, the infrastructure that we continue to have to maintain to deal with that growing demand inside that space.
But not only there, as you guys heard with Einar’s presentation earlier, governments are taking a greater interest in what we do as a network community, as internet operators. And we’re upping our efforts inside that space to make sure that we’re doing proper monitoring of what’s going on in terms of legislation in the international space so that we can bring that information back to you. And we’re advocating on your behalf to make sure that your voice is heard inside those processes.
There is an upcoming membership survey coming to learn your preferences about our development priorities for ARIN services. We do this once every few years. And we’re planning for that later this year. So you’ll see a survey come out that describes all of the work that we’re actively engaged in for development of new services and improvements to our products.
And you’ll see everything that’s on our roadmap going forward, not just for the suggestions that you provided, but other things that are on our roadmap. And we’re going to ask you if you have a preference of ordering for those things. And it may make a pretty big impact on the planning that we make going into 2023 and 2024.
So keep your eyes open for that and please participate in that when you see it.
Again, we do have ARIN 50 coming up later this year. It’s also our 50th anniversary or 25th anniversary as an organization. And I don’t want to say much more about that. But I do want to talk – and this will not be the last time that you see this. Cathy, I saw you turn when you saw this.
But I don’t know if a lot of you know that if you got IPv4 address space back in 1995, there’s a very good chance that Cathy Clements satisfied that request.
Cathy has been doing this work since Network Solutions days. And a lot of the people who work in this organization today were hired into this organization because of Cathy Clements.
So I’m not going to ask for a show of hands for the staff here but if the entire organization were here there’s a very good chance that you were interviewed by Cathy Clements to gain your employment at the ARIN organization. And we’re all thankful to all the work that Cathy put over the years. Cathy is retiring. She has retired. And Cathy is right there. Let’s have another round of applause for Cathy.
For the ARIN staff, yes, we’re going to miss her in the organization being here every day, answering our questions, giving us historical perspective and just being that person that makes it great working at ARIN. But we’re not going to miss her too much because we’re working on an agreement with Cathy. And Cathy, in her retirement, is going to be available for us for some consulting services over the years, where we do need historical reference back for things that happened in the mid 1990s. Or what is this request you did in 1998? Can you remember that? Or why did we set this internal process this way in 2001?
Not only does Cathy have those answers, she knows exactly where to find that information where it’s documented. Cathy is a great resource that almost nobody really knew the full depth of, but the ARIN organization is certainly going to miss you, Cathy, and we’re glad we’ll be able to continue working with you at least in a limited capacity in the coming years.
So with that – and, by the way, I’m not the last person who is going to talk about Cathy. I think that that’s going to come up again tomorrow or Wednesday as well. But greatly deserved.
Any questions about the operations of ARIN or current staff structure or work environment or services to you that might not be in one of the department reports that come out already or will come on Tuesday or Wednesday of this week, I’m happy to answer those.
Also available in the hallways to answer any questions that you have and via email from those of you who are attending virtually. Any questions?
Hollis Kara: I don’t see any questions in the queue, but I did want to note that the chat lit up with congratulations and thank yous to Cathy and shoutouts for all of her hard work and support over the years. So thank you from our virtual attendees as well.
There are no questions.
Richard Jimmerson: Excellent. Thank you, everyone.
Hollis Kara: We’re set.
Okay. Moving right along. Next up, I have Paul Wilson coming up. He’s wearing two hats at this meeting, both as the Number Resource Organization member of the Executive Council and Chair, and as the APNIC Director General. In the case of this presentation, he’s wearing his NRO hat. And he’ll give an update on that organization. Paul. Green button.
Number Resource Organization Update
Paul Wilson: Thank you, Hollis. Hi, everyone. Very good to be back at an ARIN meeting. My second travel this year which was after two years of being grounded. It’s really nice to be back here and to see a lot of familiar faces and friends.
As Hollis said, I’m wearing the hat as the chair of the NRO EC today. That’s a pleasure that each of us has once every five years to play that role as we rotate the officeholders around the NRO EC. A few more details about that coming up.
I’m sure most of you folks have seen most of this already. There’s some new material. But I’ll go through the standard spiel for the sake of newcomers and so on.
The NRO is the Number Resource Organization. You can think of it as the umbrella or consortium of the RIRs. It was formed on the 24th of October, 2003, a long time now, by an MoU that just establishes us as a nonincorporated body.
There have been a few changes and addendums signed just a couple of years ago, was to clarify some of the agreements we have amongst ourselves as the RIRs to preserve the Internet Number Registry System, the INRS, as we call it, to not take any measures that violate the uniqueness of the INRS, to take effective measures to promote it; to publish entries, publish the registry publicly; and to cooperate together in the provision of that effective global INRS. And you can see all the details, these details and others on the NRO website at that URL.
The mission of the NRO is to coordinate and support joint activities of the RIRs that are involved with providing and promoting that joint numbers registry with a vision to be the flagship and global leader for cooperative Internet number resource management as a central element of an open, stable and secure Internet.
Part of what I’ll be talking about today is the fact that all of this is under review because we’ve had some meetings in the name of strategic planning, I guess, a strategic review of where the NRO is and what we need to do together. I don’t think there will be any major changes to the mission and vision, but that’s part of what we need to finalize with the planning process this year.
The structure for this year, as I said, we’ve got five executive committee members, five heads of the five RIRs. We’ve got rotating officeholder positions. So this year I’m the chair. Hans Petter from RIPE NCC is the vice chair and secretary. John Curran, the treasurer. And Oscar and Eddie from LACNIC and AFRINIC respectively aren’t playing officeholder roles at the moment.
There’s a permanent secretariat, full time executive secretary, German Valdez, who is based with us at APNIC. And he’s supported by Laureana, part-time, based in LACNIC. And they’re providing all of the necessary support for the EC and the coordination groups and other parts of the NRO.
So part of the structure of the NRO for the time being are these coordination groups. We’ve got four kinds of main groups with annual plans and budgets, which are set each year, and they serve Communications, Engineering, Registration Services, and Public Safety.
And we’ve got several other less formal groups who don’t have specific plans and budgets, but they do coordination on public affairs, policy, finance, legal and human resources.
This year we started a strategic review of the NRO. As a part of summary, we looked at all the priority goals. The most important and urgent of the goals of the NRO and selected three of them as the number one, two, three in priority. The first one being to provide a robust, secure, coordinated RPKI service across all the RIRs. The second, to support, ensure the cybersecurity of the RIRs working together. The third, to proactively engage governments as critical stakeholders in the number registry system.
And each of those goals is being assigned to a formal program of the NRO, which will be led by a dedicated, employed program manager, probably full time; that manager reporting directly to the NRO EC, working with the staffs of the RIRs to achieve their goals, funded by the NRO.
That’s a fairly major change because we haven’t employed people within the NRO to carry out this kind of programming project work in the past. But we’ve felt that, at least on these top three priorities, this is really necessary to achieve what we need to achieve.
It’s probably worth saying that the goal of these programs is not to take over the entire function of, for instance, RPKI across all of the RIRs but to identify and work on the coordinated – the aspects of the RPKI that need to be coordinated amongst us. And there’s a fair bit of that as you probably understand.
The implementation and planning is underway for those in order. And I think the next thing we’ll be doing is defining the expectations and the goals for the program manager for the first of the programs: RPKI.
A bit of change also to the way we’re setting up coordination groups and expecting them to work. And one is that those groups will continue but no longer being tasked with or relied on as kind of voluntary coordinators across the RIRs to achieve significant NRO priorities because we’ve decided that the direct resourcing is more appropriate there.
But that will continue in the sort of self directed routine – coordination, sharing, knowledge and experience and so forth, which is really important for the staff around and across five separate RIRs in all those different areas.
A bit of an update here about the budget for this year. The budget in terms of expenses is shared across the RIRs according to a proportional formula, but it includes nearly half a million US for general operations, and that’s staffing and comms and some travels that are funded.
We’ve been making and we plan to make this year 133K and a half thousand US dollars contribution to the IGF. And there’s 823K contribution to ICANN, of which 650K is contractual and we round it up to the previous agreed contribution level by making a voluntary contribution of 173K to that total, nearly one and a half million US dollars across the RIRs.
The way that’s shared is according to a cross distribution formula, which is based on the respective Registration Services revenues, proportionally for all of the five RIRs for the previous year.
So the 2022 budget is being distributed in terms of responsibility to costs, according to those percentage proportions that you see there. So you can see ARIN, for instance, is responsible for 23.6 percent of the NRO costs for this year.
The RIR Stability Fund, just a related matter on the front end side, we’ve made pledges combining up to over just $2 million. This is not contributions into a pool or fund that actually sits in an account anywhere. It’s just a total accrual of pledges, which would be drawn on by mutual Board agreement if needed for the sake of RIR stability.
So far the first and only sort of action that we’ve taken under that banner has been to provide some funding for last year for AFRINIC for some of their legal representation expenses incurred last year, and that’s been charged to last year’s budget. And there’s more on the Joint Stability Fund at the URL there.
There’s quite a number of publications of the NRO, global Internet Number Reports, as we call them. There’s the status of the global Internet number resources themselves updated quarterly. There’s global stats for the IPv4, IPv6 and ASN resources under the name of what we call the Delegated Stats Files, available for download, updated daily.
We’ve got RPKI Adoption Status Per Economy also, updated daily, all – there under the URL/statistics on the NRO website. There’s also a Comparative Policy Overview, which can be a very useful resource for comparing exactly how the respective RIRs deal with access to delegation and registration services comparatively across all the five RIRs. And that’s updated quarterly as well.
Finally, some notes here on the IANA Review Committee. This is constituted a little like the ASO Address Council, which you’ll hear about shortly, in that it’s a committee of 15 members, three from each RIR. And it’s got a purpose of advising the NRO and assisting in the review of the service levels of IANA numbering services. And they meet on a regular basis with public archives and minutes, and an annual report. The 2021 report has just been recently published.
And the members of the INRC are here with the ARIN members in the middle there – Chris, Martin as the two community members, and John Sweeting from RIR staff, serving for ARIN.
Now, that’s all I’ve got to say for the NRO. Happy to answer any questions if you have any. And if not –
Hollis Kara: Okay. We’ll open up the floor. Do we have anything? Anybody on mobile? No, I think you’re free to go.
Thank you, Paul. We’re going to press ahead with our NRO theme with a slight change of our lettering selections.
I’m going to invite Kevin Blumberg up here as the chair of the Address Supporting Organization Address Council to give the ASO AC update, which you’ll come to find is also the NRO NC, if you didn’t already know.
ASO AC Update
Kevin Blumberg: Thank you. So we’ll just start out with a little bit – did I turn that off by accident?
This is the update. I wanted to just start off with some terminology because on badges that Chris and I and Martin would have, it says “NRO NC,” and the title of this is “ASO AC.” We love acronyms. They’re basically the same thing, as far as how you would use it. The NRO is when I am standing inside of an RIR meeting. The ASO is when I’m inside of ICANN, looking towards ICANN and working with IANA or dealing with global policy.
So when I come back to the community, because the community’s talking about a global policy, I’ll be wearing my NRO NC hat because I’m here as an ARIN representative inside this fora. When I go over to ICANN, I use the ASO term, because that’s what’s codified within ICANN’s bylaws and et cetera.
So it’s mostly just terminology. It’s really the same person at the end of the day.
We consist of 15 members, three from each of the regions. Two are elected. In the ARIN region, the next election will be at our October meeting. And one is appointed. I am the chair of the ASO AC for 2022. I’m also the appointed position for the ARIN region on the ASO.
We have RIR staff and observers to all of our meetings. All of our meetings are now open. Minus some very selective meetings related to Board appointments and things like that, all of our standard meetings are open. You can join them at any time. The teleconference information is there. If you want to see what we’re doing, how we’re doing it, or would like to observe what the process is, you’re more than welcome.
We did a review – the ASO review was almost five years ago now. And one of the key parts for that was transparency. It wasn’t that it was a concern; it was that the more transparency we have, we really need to make that our primary function to make sure that at all turns transparency is there. So you’re welcome to join. The mailing lists are open. You’re welcome to see all the information that we have on the website. Things on the website are things like attendance. On the website are all of the meeting minutes. Everything we do is there and documented.
Just a shout out to something Paul said a minute ago. The Secretariat, German, who provides support both to the NRO EC as well as to ASO AC, is invaluable to us being able to operate as volunteers. And I think it’s important that we all recognize this within the volunteer communities, the individuals that are assisting, whether it be the ARIN support staff or the ASO support staff, are invaluable for volunteers to be able to maintain and do what they do.
Each of the – just going back on to it, each of the terms are a little different. Some positions are one year terms in the RIRs, two year terms, three year terms. They’re all a little bit variable. But for ARIN, it’s a three year term, correct? Yes, three year term, across the board, very simple.
So what do we do? There’s a couple of functions. The most important is global policy. We shepherd global policy. We don’t write global policy. We are there to make sure it’s actually global policy; that the global policy is consistent among all five of the regions; that all of the checkboxes of what was meant to be done in the regions are done.
We are there to monitor to make sure that if global policy does show up, that we are all aware of it. That is one of the main tasks. And to be specific, global policy is not two or three or four regions wanting to do something about transfers.
Global policy is about the RIRs' ability to get space from the IANA, from PTI, and back and forth, and that arrangement. So it’s from IANA/PTI to the RIRs. It’s not between the RIRs. That would be a globally coordinated policy, a global policy specifically for that section. The last time a global policy changed was I believe now almost eight years ago that there was a global policy.
The ASO AC has, from time to time, been asked for our confirmation related to a question, rather than it be a clarification, rather than us be asked to write a new – or to shepherd a new global policy, just a clarification. And I believe the last clarification was in regards to 2 byte AS’s and 4 byte AS’s, if there was a difference between them.
We’re responsible for appointing two ICANN Board members – I’ll go into that a little later – as well as one member appointed to the ICANN NomCom.
Again, we do meet monthly. Our last face to face was pre COVID. It would have been in March. Not happening. We look forward to hopefully next year being able to meet again. It definitely makes a huge difference to be able to do that.
So as you can see, here’s a list of all of the ASO members. Myself as the Chair; Mike Silber and Hervé Clément are the Vice chairs. If you notice, they’re all from different regions. This is all codified in our procedures. The Chair can be from any region, but the Vice chairs then have to be from two separate regions.
We really like to separate things out. And as long as consistency is met with the procedures, then everything is good, but we do try to move things around quite a bit.
Okay. As I mentioned earlier, we have something called the PPFT – again, wonderful acronym – the Policy Proposal Facilitator Team. After the social tonight, you’ll have to say it five times fast. Okay.
But as you can see in the ARIN region, Martin Hannigan is there to monitor, as an example in our region, the ARIN PPML to see if there’s global policy or something that may be relevant to the work that the ASO AC does and to inform the ASO AC. So we delegate out the responsibility to the five PPFT members to allow them to monitor each regional for global policy.
We talked about transparency again. Here’s a list just quickly on the thing, you can grab it off the slide deck later on, and all of the work.
The one thing I didn’t mention is our work plan. We actually every year do up a work plan, all the things we want to do. And at the end of each year we review did we actually meet the items that were in the work plan, what needs to be moved on to the next year that we may have not been able to do, did we do the right job with that. So we are always looking at that. We also have a transparency review as well that we do at the end of each year.
So the current appointments: Maemura Akinori is Seat 10 for the ICANN Board. His term is up, I believe, at the end of the June meeting – sorry, the October meeting – for ICANN, 2022. He’s currently from the APNIC region. And Alan Barrett, Seat 9, until 2024 from the AFRINIC region. And Brajesh Jain is our ASO representative in the NomCom.
I think it’s time to actually say thank you to Maemura Akinori. He served two consecutive terms on the ICANN Board and from all accounts was a wonderful addition, and I’d like to thank Maemura for taking on that role.
So we’re coming up right to the end of our current process. The ICANN election process that the ASO AC follows starts all the way back in September, continues on and on through. And we are on the last day of the ASO AC’s voting process.
Once that is completed, we should have the announcement this week or beginning of next week for the Board Seat 10, and then we’ll start on Board Seat 9 probably in a year from now. There’s a little bit of a gap between them.
But we’re at the end of this phase. All of the information on all of the process is on the site. There’s a public comment phase. All of that is on the ASO website, and you can see all of the information, how we went through it.
I’d like to actually say thank you, because this is the first time in a number of years we’ve not had to extend any deadlines; that what we posted all the way back in I believe September is the timeline we’ve met. And that is incredible given the impact that COVID has had on a number of things.
RIR meetings. So you can see where they were in the last six months, we like to include that. So there’s all the ones that have shown up. If you want to go and look, see what’s happened at those meetings, they’re there.
And the most important, thank you, Hat. So I’d like to say thank you to Louie.
Who’s at the back of the room. And really it’s about his hat. Louie, how many years did you serve on the ASO AC? I believe you’re almost legal in terms of your term to drink in many countries.
But if you could confirm that for everybody.
Louie Lee: I think about 12 years.
Kevin Blumberg: 12 years. That’s an unbelievable amount of dedication and commitment and travel, fortunately or unfortunately, towards bettering the goals of the Internet. And many thanks from all of us.
And that’s it for me today. If you have any questions, please, I’ll be around for the next couple of days, obviously. And if you have any questions for everybody here, by all means I’ll take them.
Hollis Kara: Any questions coming in on the queue?
Kevin Blumberg: Wonderful. Have a great afternoon.
Hollis Kara: Thank you.
Thank you, Kevin. Next up we have our last of our NRO reports, this one is the Internet Number Resource Status Report.
And John Sweeting, our Chief Customer Officer, is going to come up and give that one for us. Thanks.
Internet Number Resource Status Report
John Sweeting: All right. You’re probably all tired of seeing me up here today. But here I am for the – I think this is the last presentation of the day, right? Before Open Mic.
Hollis Kara: Open Mic is next.
John Sweeting: I’ll run through the Internet Number Resource Status Report that Paul talked about that is located on the NRO website statistics page.
And we’ll get right into it. This is, of course, prepared by all five RIRs. The statistics are pulled every quarter. We send them into German. He puts them all together. It goes back out, sends us this deck here. We all look at it and verify it.
So real quick, I’m going to give a shout out to some of those resource, our Registration Services folks from the different RIRs that are here. Carla and Vivek from APNIC. They’re back there. Marco and Smahena from RIPE, and Lorenzo – and Alfredo was here but left, but Lorenzo is from LACNIC. And I think James is out there somewhere from AFRINIC. So they’re the ones that put the work in to get all these numbers crunched and put into this report.
So this is just the overall – this hasn’t changed in a long time. But it is the distribution of the 256 /8s out from the IANA perspective of where they actually reside these days.
This doesn’t get updated – it gets changed a little bit with the transfer market, things move around in the transfer market, but that never gets updated to the IANA page because this is as IANA gave it out.
So, okay, so this is the total address space that is managed by each RIR in terms of /8s. As you can see, ARIN has a lot, but half of that – less than half now – I’ve got to stop saying half, because we’ve actually made a big increase. But a lot of that is legacy space.
The available space in terms of /8s at each one of the RIRs, as you can see, there are three 0s, and then APNIC has a little bit. And AFRINIC has a little bit still left in the free pool.
How much space has each RIR issued per year? Again, this is IPv4 space. As you can see, it dwindled right down to not very much is given out these days.
All right. Transfers, exclusive of M&As. So these are all the intra-RIR IPv4 transfers. So within the regions. And this is number of transfers, and this is the number of addresses transferred.
You can see there’s a difference between who had the most transfers and who had the most space transferred each year. All depends on the size of the transfer and how that works out.
Okay. This is the inter-RIR number of transfers.
LACNIC has been – I think they’ve been active in the inter-RIR for at least a year, maybe a little bit longer, Lorenzo? Two years? Two years.
So you’ll see there’s – AFRINIC is zeroed out there. We had them in there but AFRINIC doesn’t have an inter-RIR policy. So there’ll be zeros in all of their columns. Again, these are the number of transfers themselves. So that could be a /24 in one of them. It could be a /10 in one of them. So that leads to the number of IPv4 addresses in /24 – no. Yes. No, that’s not in /24s. That is in actual IP addresses.
All right. On to IPv6. Some day we won’t have to have IPv4 slides. But I won’t be around here giving this presentation when that day comes, I can guarantee you that.
All right. So all the IPv6 address space, this is how it’s been allocated out to the RIRs. There was that space that was given out – I’m trying to remember what – right now you can see the allocations since October 2006.
RIPE and ARIN, as you can see, are the only two RIRs that have gone back in for their second /12 since the policy that said, hey, we’re going to have – IANA is going to give out /12s to the RIRs.
So that’s why we have a /11 and RIPE has a /11; AFRINIC and LACNIC both have /12s. We’ll probably see APNIC be the next one that goes in for another /12. I’m not sure. But that is where my money would be.
IPv6 allocations issued by RIRs, which is – I guess it’s kind of weird because we don’t just do – I don’t know. Anyway. I guess that’s allocations and assignments together, unless I’m going to run into assignments.
It’s weird for me because we do all allocations now. ARIN, due to the fee change and everything, we don’t do assignments anymore. Everything is an allocation. Everybody can reassign and all that.
So I haven’t been through this deck in a while. But this is the allocations by each RIR per year. That’s the total allocated IPv6 space from each of the RIRs. RIPE’s way up there, APNIC and ARIN and AFRINIC and LACNIC. There are assignments for IPv6 assignments issued by RIRs.
In 2022, I think you see that there’s nothing on assignments for ARIN. So while you can see ARIN had assignments all the way up to 2022 for that first quarter 2022 so far this year, ARIN has not assigned any IPv6 space; we’ve only allocated.
There you go with the total assigned IPv6 space over the years. That’s the total.
Percentage of members with IPv6 in each RIR. So anybody that has seen this presentation prior to 1 January this year. ARIN, I believe we used to sit at about 56 percent of members with IPv6. But now that we have all members, which are – I guess we’re actually a little bit – this is the cart ahead of the horse because we haven’t given the presentation on how our membership structure has changed.
But basically all our end users got converted to Service Members. So everybody that has IPv6 or IPv4 resources under an agreement with ARIN are considered members, which changed our total percentage from I think it was 56 – maybe 59 percent – is now 44.4 percent.
Interesting. AS Numbers. So this is a breakdown of all the AS Numbers from IANA out to the RIRs. You can see it’s broken down by 32 bit or 16 bit. This is how many ASNs have been issued by each RIR by year. We’re actually – we never did get to talk – at the RSD, we had a meeting yesterday, and we didn’t get around to talking about our slides, but we absolutely want to improve the quality of our slides.
I think this is one of the ones that doesn’t render that well with all the stripes and stuff in there. So we are looking at that, and we are going to update that. This one’s probably even worse with the stripes. But this is total ASNs assigned by each RIR, total. The stripes are the 32 bit, and the solid is the 16 bit. As you’ve seen before, this can be found on the NRO.net/statistics page. Or in the IANA.Org/numbers page for the IANA stats. And that is it.
I don’t think I have any questions on that one.
Hollis Kara: I don’t see any questions. Leif has questions. Yes, we’re going to insert another presentation right before we get to the Open Mic this afternoon. Leif Sawyer, our Advisory Council Chair, is going to come back up for a repeat performance today. This time he’ll be giving the ARIN Advisory Council Report.
ARIN Advisory Council Report
Leif Sawyer: All right. This is actually supposed to be given on Wednesday. So it’s a little bit different than you’re probably expecting.
But shout out to all of our AC members here who have done a great job this week or will do a great job this week of presenting all of the Public Policy that we’ve been doing.
As you all know, and we’ve talked about it plenty, COVID has brought a lot of changes. I wanted to do the AC report a little bit differently, because we’ve all been struggling to find our new normal.
And in that time we’ve been working to improve a lot behind the scenes. And there’s been a lot of requests for how we can make the AC better. Part of that, I wanted to reach out and thank some people:
Kat, my vice chair. Hugely, hugely instrumental in my success. Sean Hopkins, without him I’d be dead in the water. The working groups, who you don’t see working as often, but they’re there in the background. We’ve got three reports later this week. And they’re doing amazing work. And all of you, everybody else, the staff, yeah, we can’t do this without everybody.
So getting better. Be more like Dolly. Right? We’re in Nashville. Everybody likes Dolly Parton, because Dolly Parton has spent her life making the world better. And sometimes that means removing barriers to participate. Right?
These are questions that already asked: How do we capture more voices? How do we understand, or how do we have better understanding of policy and how can we improve our person to person communication during these hybrid meetings? These are all things that we’ve grappled with and they’re all things we talk about internally and that we bring to you, our community, for your suggestions and your ideas. What gets you excited about participating in our policy development?
And speaking of participating, I was talking to Larry earlier this afternoon – so this is for you, Larry – who are the Advisory Council? Well, you know us by face and name. But what do we represent? Well, we represent you, in terms of geographically diverse, linguistically and within the industry we’re all part and parcel.
We span most of North America. We lost some people over the past couple of years. We’ve lost the Midwest. But pretty much coast-to-coast, we’ve got people everywhere. And we don’t just speak English. We’ve got people speaking lots of different languages, some very fluently and some just conversationally.
We embody diversity. We’re not just all the same middle-aged white men up here. We’re almost 50/50 male and female. And there’s a lot of different sectors that are represented. It’s not every sector, but it’s a lot. And we’d like to see more. So if you’re interested in participating, it’s never too early to start thinking about it, Larry.
And there’s always gaps to fill. So come talk to us. The nominations are going to be opening soon. June 17th is when we’ll start opening them up. And they will close about three weeks after that. And the candidates will be announced in mid to late September.
So how do we build up the AC? Because it’s a diverse pool of talents and skills, we want to understand better how we can quantify our competencies. And so we’re developing a matrix of those competencies and skills, and we’ll be doing a self assessment so we can better understand where our gaps are.
And so I put up on here just some of the things that are interesting from the AC perspective. And I’m looking – not right now – but if you have ideas about what you think is important to represent on the AC, I’m soliciting your feedback. Open Mic is coming up. It’s a great time to talk about that.
And we’ll be using that to help inform the NomCom - Nomination Committee - of how we can bring people to the AC to round us out.
And that’s it. Thank you very much. If you have any questions, I’m all ears.
Sean Hopkins: Sean Hopkins, Senior Policy Analyst, minor clarification. That opening date, not entirely final, but definitely this summer. If that particular date comes and goes and nothing occurs –
Leif Sawyer: Date was as of what was on the website as of the creation of the slide deck. So yes, subsequent to change.
Sean Hopkins: Fluidity is fluid. Thank you.
Tina Morris: Tina Morris, AWS, former AC member. And very proud of the work you’re doing. I don’t think enough attention gets pointed out to the work you do in following policy and developments in the Internet community and other RIRs.
During this time, the AC has been attending the other RIR meetings regardless of their time zone. Many of them do not get time off from their day jobs to do so. So they’re up at 2 a.m. following meetings, things like that.
And often that was attributed to a travel perk. It is not. It is the heart of what the AC is doing and they’re trying to learn from others. And during this last two years, nobody’s been on a plane, nobody’s done anything, and they have buckled down and done a ton of work and all that. I wanted to say thank you.
Leif Sawyer: Anything else before we head on to Open Microphone?
Hollis Kara: I don’t see anything in the virtual queue. So I think we’re good. Thank you, Leif.
All right. At this point I’m turning it over to John and Bill for Open Microphone and to close out today. Thank you, all.
John Curran: You can lead.
Bill Sandiford: All right. The microphones are open for Open Microphone discussion. Feel free to approach the microphone should you wish, and/or enter your comments or questions into the online participants section.
David Huberman: David Huberman from ICANN. John, Einar referenced it earlier. I was hoping you would share some of your thoughts today on what we as a community here at ARIN and then here in the region, broadly, as operators, where do you think we’re going next with the FCC and secure routing?
John Curran: Sure. As Einar pointed out, there’s an open FCC Notice of Inquiry, request from the FCC for comments about what technologies were available to secure Internet routing, secure BGP, and what the FCC’s role should be.
That’s a very interesting question. So I did let people know this was going on, and we’ve talked about it a bit. I’ll note that it’s really a question for the operator community and not, per se, for ARIN.
What I mean by that, is that while the big technology everyone talks about is RPKI – and that is a service that ARIN offers in the region – we didn’t go out and poll the ARIN community about what do you think the answer should be here.
Not because you don’t have a say, but because really it’s your organizations and what they think should happen with respect to securing Internet routing. It’s not, per se, just an address management question; it’s a network operation question.
So we did file comments. Comments are on the website. If you take a look on the ARIN website as well. And we said, yep, there’s a BGP technology, secure BGP called RPKI. It’s based on our services. Our services are available to everyone in the region with an agreement. There’s a whole bunch of people in the region who don’t have any agreement. You need to know that because the legacy parties only get the registration services that were information when we were formed; if they want more, they can join and be a member, participate like everyone else.
So we did file comments to that effect. We talked a little bit about some of the issues in terms of RPKI but noted it’s production ready. There’s been many comments filed from organizations around the country. And we actually are doing a reply round to clarify. Some people didn’t quite understand – either they didn’t understand RPKI or our role, or they didn’t get across in their filings.
So we’re updating the FCC on some minor issues that didn’t come across.
But I highly recommend organizations that are involved in Internet routing to read the Notice of Inquiry. Even if you didn’t file any comments the first round, you can reply to the comments that have been filed and make your position known. The date is May 9th. I’m looking for Einar or Michael. Michael, what’s our cut off, reply comments, FCC NOI?
Michael Abejuela: May 9th.
John Curran: Cutoff is May 9th for filing your response comments. The FCC is an independent agency of the US government and may or may not have rulemaking authority over the Internet or Internet routing.
It’s definitely something to think about, folks. They may do something here. And that could be good. I mean, it could be really good. It could be something people say it’s time for us to tighten up Internet routing and prevent hijacking and make the Internet more reliable.
It’s also true that could be a cost for everyone that you need to bear operationally, one more thing. For people who run an ISP, I’ve run a couple, there’s a lot of filings. This would be one more set of obligations and filings.
So we didn’t take a position. We actually, three times in our response, said it’s not our job to take a position here; it’s the job of the operator community to do so. So I’m asking you folks who are part of the operator community, if you didn’t file, you’ve still got a chance. Go read the comments and file a reply. That’s it. Thanks.
Bill Sandiford: All right. Rear microphone.
Kevin Blumberg: Kevin Blumberg, The Wire. John, what you’re saying about the FCC filing is very, very topical, timely and important. Thankfully, ARIN got rid of its NONAUTH a couple of weeks ago. And so you have an authoritative database, at least for some of the things, which is a very good step.
I believe that took ARIN 18 months from when you first announced it to when you finally turned it off on April the 4th.
I think it’s important for the community to ask the question of, if we – to self regulate versus to be regulated – to self regulate, we need to be in an AUTH environment for IRR, how long do we need to do that? Because we saw with the turning off NONAUTH, 18 months, for many people, wasn’t enough time. But if we have to go down this path as a community, how long do we need to be able to do that?
It may be forced on us if we don’t think about it now; we might have a much shorter time. To that end, yes, operators are responsible for this data.
One of the things that I would ask from an open mic perspective is that NONAUTH databases, I believe that the AUTH databases should be able to requisition through technology removal of NONAUTH data at the request of an AUTH database.
John Curran: Yes.
Kevin Blumberg: I think this is a very important part that I should not have to go to some random IRR to have my authoritative information removed that somebody else put in and that the technology, the way the IRRd works, should be expanded.
So from a community perspective with ARIN, I don’t want you to say this is just an operator issue, have the operators go out and remove this data, I believe there’s technology that it’s important for you to say I am the authoritative on this route. I need you to do X to it. And if they don’t do it, that’s a different problem.
John Curran: If there was some way that you could, with integrity and cryptographic signature, issue a statement that said I want my routing to go this way, sort of attestation of routing and you could somehow publish that, that should take precedence when people pay attention. And only you can issue it because it would be tied, of course, to the ability to control the resource.
To my knowledge, that actually works today. So if you have things that are in nonauthoritative databases like IRRs and you’re worried about the routing, the quickest way is to publish a ROA, and that will almost universally burn off any misrouting from unauthenticated data.
Kevin Blumberg: RPKI is wonderful. Don’t get me wrong. RPKI is not deployed anywhere to the same degree as IRR data is today.
I don’t believe that is a valid statement saying if you put in a ROA it’s suddenly going to burn off – IRR data needs to be looked at and cleaned up. It will be around for a very long time.
And even with RPKI in place, there are use cases for IRR data that RPKI does not necessarily completely address. They are two very useful pieces of datasets. Yes, RPKI will help. But if you burn off, quote/unquote, an IP, a route, a block, that’s not a guarantee because the uptake on RPKI is years away from being able to do that.
John Curran: Is there particular changes to ARIN’s IRR service that you think we should make?
Kevin Blumberg: I believe that ARIN’s IRR service with mirroring between the – because you mirror between the different ones, people pick up – I believe it needs to be as much of a –
John Curran: We don’t mirror anything now.
Kevin Blumberg: You allow others to mirror you, correct?
John Curran: We allow people who control resource to publish records with regard to that in the IRR. We don’t currently have content filters on what’s published. We don’t prevent you from publishing misstatements relating to your own block.
Now, we can do that; but if you’ve got a suggestion for how you want us to restrict people using the IRR service, then I need to hear a specific suggestion.
Bill Sandiford: I think what Kevin is referring to is that we allow others to mirror our database. Is that what you’re referring to, Kevin?
John Curran: Many people mirror databases.
Kevin Blumberg: I’ll take it offline. I have some very specifics, and I don’t want to eat up the Open Mic. But all I’m saying is please keep along the clean up IRR mantra that you’ve done, whatever you can do, that would be appreciated.
John Curran: Specific suggestion, Kevin, get it into the suggestion process. Happy to do it. Gotta know what it is.
Kevin Blumberg: The second completely separate one is with IPv6 – ARIN has sparse allocated the blocks that were given out. And at some point, sparse allocation, you use up those blocks.
Where is ARIN in terms of that? Is there a scenario where /32 space that was sparsely allocated is now no longer going to be able to be expanded? Do we have any timeline on when something is no longer going to be sparse allocated?
John Curran: Let’s dig into that. We do have sparse allocation use, particularly with IPv6. And we probably need to look and see and report back. We can do that at the next meeting.
Kevin Blumberg: Thank you.
Bill Sandiford: Did we have anybody online, Hollis?
Hollis Kara: We do have one in from the remote. Beverly, do you want to read it in?
Beverly Hicks: Sure. It’s James Woodside, ARIN 49 Fellow, with a suggestion of a future ARIN meeting in the Bahamas.
Bill Sandiford: I think we’d all love that.
Bill Sandiford: Last call to approach the queues. We’ll be closing the queues shortly. And we’ll proceed to the rear microphone.
Robert Seastrom: Oh, boy. Unlike Kevin Blumberg, I have no compunctions about eating up all of Open Mic or creating all sorts of difficulties. You might not want to close mics just yet.
Bill Sandiford: Too late.
John Curran: We have a session tomorrow as well.
Robert Seastrom: This may be some good agenda bashing for the social track tonight.
Rob Seastrom, speaking only on my own behalf, not with any Orgs I’m affiliated with that pay me money or otherwise. I’m about to say something that goes against 25 years of tradition here at ARIN. So feel free to come look me up at the social and tell me what a horrible person I am. I only ask that you leave rotten tomatoes behind.
For the entire time that ARIN has existed, we’ve insisted on strict vetting of demonstrating need when an organization applied for IPv4 number resources. This requirement served us extremely well in avoiding step functions and addressing inventory and ensuring an orderly runout. It’s been years since ARIN’s free pool ran out. There’s no longer a free pool to defend.
What if the community decided that here in the future, when a request to get address space from the transfer market is likely to get far more scrutiny from one’s CFO than ARIN could ever provide, we were to decide as a community that a lighter touch was appropriate for vetting demonstrated need?
Section 8 transfers already get nowhere near the scrutiny that Section 4 free pool allocations and assignments used to get, especially in the final days before runout.
What if we were to decide that, rather than extensive utilization documentation, a simple attestation that address space acquired was to be used by the registrant org on an operational network was sufficient?
I’m interested in hearing here and now if you want to risk getting Bill’s ire rised, or later, the community’s thoughts, good, bad, or indifferent about loosening the documentation requirements in the interest of streamlining the process of interacting with ARIN for Section 8 transfers.
But beware, regardless of your position, I might “hey buddy” you to write a Policy Proposal. Thank you.
John Curran: May you have an interesting social, R.S.
Bill Sandiford: We’ll consider the queues closed other than those in them. And we’ll take it to the man in the good looking hat.
Louie Lee: Thank you. Louie Lee. I work for Google Fiber, but whatever I say is not representative of them.
I want to correct the answer I gave earlier. I said I was on the ASO AC for 12 years. Apparently I’m not good with my memory or my math, because I started in January 2004, when Kim Hubbard left her seat and I replaced her.
John Curran: Thank you, Louie.
Bill Sandiford: Any others online?
Hollis Kara: We do have one more question online. Beverly, do you want to read that in?
Beverly Hicks: Steve Wallace from Internet2: Would ARIN consider acting as an IDP for other IRRs or services so they could act knowing the user is the authorized holder of the resource?
John Curran: What ARIN will consider doing, that’s a great question. We’ll consider anything that this room says “go do, John”.
So if you folks are convinced that that’s a good thing, just submit a suggestion to that and get it supported on the consultation list and we’ll make it happen.
I will say you need to think carefully of the pluses and minuses of offering services affecting data from other locations. We just managed to clean up quite a bit of old data. And old data is created when things are replicated over and over again. So it’s up to this community. If people want a service to that effect, put a suggestion in, support it on the consultation list, and we’ll spin it out.
Bill Sandiford: All right. And the final comment from the microphone.
Chris Tacit: I just wanted to follow up on R.S.’s suggestion for questions to the community and say these are very important and timely questions. And I think all AC members would love to hear from the community, whether it’s the social the next couple of days or whatever.
And since the AC will be meeting on Wednesday, we do have an opportunity to talk about any input that we get from all of you.
So I hope you will give us your input and thoughts so that we can really start thinking about whether that kind of shift is something that the community would support. And if so, how we might go about doing it.
John Curran: Excellent point, Chris. Could the AC members in the audience please stand up.
Okay, folks, this is what they call a target rich environment.
Find one; share your views. Thank you, Chris.
Beverly Hicks: Mr. Provo would just like you to know that he stood up remotely.
Bill Sandiford: Thanks, Joe. All right, Hollis, you have some closing announcements?
Hollis Kara: I do. I’m happy to take those, or if one of you wants to work through that deck.
Bill Sandiford: Go right ahead.
Hollis Kara: I guess it’s me.
John Curran: And I’ll do the close.
Hollis Kara: You can do the close.
John Curran: Even has my name up on the slide. Look at that. I thought I was up here.
John Curran: We’ve come to the end of our first day of ARIN 49. And I think it’s been a wonderful day. We’re going to have a great social tonight. I want to talk about a few details before we get there. First, thank you all for your participation.
And thank you to our network sponsors, AT&T Business.
Our Bronze sponsors: IPv4.Global Hilco Streambank company and IPv4Mall. Big round of applause.
So our in-person social event. Country Music Hall of Fame. Tonight we’re going to be there. Join us for a night of delicious food and music. It should be wonderful.
Buses will leave here at 6:45, 7:00 and 7:15. Now, the weather is good right now. But if it’s raining, recognize, instead of leaving at the front of the hotel, they’ll leave right across in the portico so we’re a little covered.
Right now, the plan is out front, 6:45. They’ll return to the Loews starting at 8:30 every 30 minutes and last bus is 11:00 p.m. Pay attention to that.
Okay. With that, join us again tomorrow. Breakfast will be next door at 8 a.m. and we’ll start the meeting at 9 a.m. in this room. I look forward to seeing everyone at the social. Thank you very much.
(Meeting adjourned at 4:11 PM.)