ARIN 49 Public Policy and Members Meeting, Day 2 Transcript - Tuesday, 26 April 2022

This transcript may contain errors due to errors in transcription or in formatting it for posting. Therefore, the material is presented only to assist you, and is not an authoritative representation of discussion at the meeting. If additional clarification and details are required, videos from our original webcast are available on our YouTube channel.

Opening Announcements

Hollis Kara: Good morning, folks. Welcome back. It is day two of ARIN 49. Let’s talk about a couple of quick things. Again, a big thank you to our elected volunteers, Board of Trustees, Advisory Council and NRO Number Council, all in the house. Hope you had a chance to talk to them at the social or online. Hopefully a few will be able to join our virtual happy hour later to chat with our virtual attendees later today.

A couple quick reminders getting around the hybrid meeting: chat is for open discussion; Q&A – please, please use Q&A if you have comments that you wish to have read into the conversation and posed to the presenters and also include your name and affiliation.

Again, we exercised the help desk this morning. So we know that’s working. If you have need of assistance and you’re a virtual attendee, please do take advantage of that option and we’ll help you get to where you need to be. And that is right down at the bottom of the bar on the home page for the meeting website, along with all the other useful things that folks should check out, whether you’re online or here with us in person.

In-person participants, again, please make sure your devices in the room are muted. And when you go to the microphone, please be aware that we do have wipes if you wish to clean the mics before or after use, just because safety.

Reminders, the host, that’s me, the producer, that’s Bev, will help to queue our virtual attendees into the discussion portions. Again, if you’re in the room, also, please speak slowly and clearly. I keep trying to slow down so I don’t get a glare from the transcriptionist. I know I speed up as I go. So please make sure you’re speaking clearly and into the microphone and state your name and affiliation. And please make sure that you’re also adhering to the standards of behavior. Everybody did a really good job yesterday, so let’s keep that up.

We are recording and livestreaming. Slides are available on the meeting website. And, yes, the transcripts will be posted soon, I promise. And then cleaned up transcripts will be part of the meeting report, which will be available in just a couple of weeks.

Thank you again to our network sponsor, AT&T. Can I get –

(Applause.)

Thank you.

And to our bronze sponsors, IPv4.Global – I don’t know why I can’t say that, Hilco Streambank and IPv4Mall.

(Applause.)

Thank you.

Everybody knows the evacuation procedures. Doors across the way. Hang out in the Caterpillar parking lot.

For our agenda, real quickly, I’m going to be welcoming some folks up to the stage here soon. We have a Routing Security Update.

We also have updates - this is a new agenda item - I’m excited to have these. We have updates from our AC working groups. We’ll be hearing about what they’ve been working on. A cool little deep dive into exploring the Number Resource Policy Manual using Git. I’m not going to do it but some of you might want to. And an update on our fee structure and membership changes. Take a break. Then we’ll have our policy block. Today we’ve got three policies on deck to discuss. Break for lunch.

After lunch this is – typically your keynote, big event happens at the front end. We decided to move it to Tuesday after lunch to make sure everybody sticks around.

We’ve got a great panel planned with lots of interesting speakers. And it’s going to be on IPv6 and why the Internet hasn’t just switched over. So we’ll have a good, long talk about that, and have an opportunity hopefully to ask some questions of our panelists.

We’ll take another break and finish up the day with some updates from all of our RIR colleagues and an open microphone session.

Today we will be having Table Topics live at lunch. There will be signs on the table when you walk in. They’ll cover all the items you see listed here. You’ll be able to read the signs when you go in.

One thing I will point out is that if you want to go play with Git, that’s going to be happening in the green room, which is across the lobby. You can go in, pick up your lunch and walk over there and tinker with R.S.

That sounded wrong.

(Laughter.)

I just realized – that wasn’t – you know what I meant. We’re just going to leave it at that.

Anyway, we have a Virtual Happy Hour this afternoon starting at 4:30. We’ve got some fun and games. We’ve got a mixology demo and some breakout rooms for folks to catch up.

Folks that are here live, if you don’t have anything to do and you want to catch up with your colleagues that are joining us virtually, you’re welcome to join those sessions as well. They’ll be in the virtual event hub. And you’re welcome to join and play along from here, either in groups or independently.

And with that, I’d like to welcome our first speaker to the stage. Brad, if you’d like to come up. Brad is our Senior Product Owner for Routing Security. And he’s going to talk about some stuff. Stuff.

Routing Security Update

Brad Gorman: Good morning, everyone. Thank you for coming so early in the day after our very first social. Hope everyone enjoyed it.

As Hollis said I’m Brad Gorman. I’m the Senior Product owner for Routing Security. That entails me working with the community, listening to you and the community, hearing your requests, hearing your gripes, and then bringing that kind of information back into ARIN and working with the team to develop products that you are looking for and ones that will help the community as a whole.

What’s new since ARIN 48? At ARIN 48, we were talking about NONAUTH shutdown. And it’s happened I’ll get into detail about that. The ARIN publication service for RPKI has been developed. Got some statistics for you.

Talk about some new training and updates to existing training that we’ve got. And then talk a little bit about the upcoming product development.

So the shutdown. It’s done. What did we do leading up to this? Well, we had a consultation last year where we spoke with you, where we shared our intent and our reasoning for why we wanted to take down the NONAUTH.

Primarily, it was a desire that we did not want to maintain the database with sale or otherwise inaccurate information that couldn’t be confirmed. And since we had had an authenticated database created back in June of 2020, we felt it was time to take this data down.

We sent an email to all the points of contact for objects that were in the database. We had a number of reminders that we posted to the ARIN Mailing List on a regular basis to kind of keep it in people’s mind that the change was coming and to prepare.

We – I presented at NANOG 83 about IRR spring cleaning, basically instructing what the need and the importance of what the IRR is and again reiterated that the shutdown was coming.

We updated NANOG Mailing Lists regularly during the countdown, and we had blogs and social media posts. We did our best effort to communicate with people giving them information that we had.

So on the day, April 4th, 2022 - our original date was April 1st. We figured why do it on April Fools’ Day. It would be a terrible joke. And also April 1st was a Friday. We didn’t want to make such a substantial change on a date coming up before the weekend.

At 12 noon, we stopped the real time updates. We locked out any changes to the database. The email template method that has been used for many, many years was taken down as well. It’s no longer available.

And we took a final snapshot of the database, which is still up and a long-term file that’s on the FTP site where the file updates had been for those who pulled the data down that way.

The final state of the database - Well, I need to tell you where we were first. There were 65,000 roughly objects in the database when we started with our notifications back in June of 2021.

When we were finally done, we cut that about in half. We ended up with 34,000-ish objects. Most of them are route objects. And there were a few aut_num route_set objects left in there. And there were some percentages in there.

The resulting objects that were in the database, five Orgs were responsible for the vast majority of them.

We did do a great deal of outreach to Orgs that had thousands of objects in the database and worked with them on a weekly basis to help get their numbers down, help them out with opportunities that you could either enter in appropriate data so it would go into our authenticated database, or give them alternatives and help them work through the process of putting their objects into a third party database so the information would remain intact.

So since the shutdown has happened, the Routing Security team – me and two other folks, Jon Worley and Nathan Newman, who works on our RSD team – have been fielding tickets directly and also pulling in the information that our RSD frontline people have been being in contact, whether it was emails, entries into ARIN help desk, or through chat sessions.

And we’ve had a fair number of people, but there’s three main subject matter points that were common across all the calls.

First were legacy resources. Since legacy resources today are not authorized or enabled, able to use the authenticated database, they were – people who called in were looking for guidance on how to either get under an agreement, how to transition them to a third party database, how to communicate with their upstream provider who maybe created their objects for them.

There was a very well-received messaging from those people and some of them in fact produced – they had the desire and have started the process with signing agreements so that their legacy resources will now be covered here at ARIN.

Amongst the other pieces of information, we were explaining the impact that some folks had. Some people were truly not in good understanding of what this meant to them and to their resources. And then we had a number of people who did in fact have access to enter information into the authenticated database but didn’t know. So we helped them through the process and explained.

One thing that did happen, the RADb database, which is one of the largest third party runners of an IRR infrastructure database, stopped mirroring ARIN NONAUTH a week before. It was kind of a precursor to what we were going to see on April 4th.

And I believe, and those who have been answering the calls believe, that really kind of has evened out the curve of the calls. And more information was made available, and people became aware before the actual shutdown happened, so it’s our belief that that first step ahead of our planned shutdown was actually beneficial to getting the message out to people.

ARIN’s publication service for delegated RPKI customers. Big, big, long list, big name. But essentially the Publication Service that is by this name is intended to be used by organizations who have taken a step away or chosen not to do a hosted implementation of the RPKI services that ARIN runs.

And they were also not comfortable with running their delegated service with their certificate authority and the running of a repository and publication process that’s defined and required by classic, delegated installation of RPKI.

So what this publication service is, is offering a third party host for that delegated – excuse me, for the publication service, for the reporting process.

And this is something that the community’s asked for in multiple suggestions that have come into our page. It’s a common message throughout the whole RPKI community. And in fact the APNIC region turned up their service similar to this in November of 2020.

The NIR in Brazil, in fact, has never created their own hosted service. So any organizations that are in Brazil, under their purview, has been running a hybrid service – kind of a colloquial term – the entire time, and in the last 18 months more than 2400 organizations in Brazil have signed up for this service.

Looking at other regions of the world, there was definitely a desire for a process like this. So when we began – we started development for the product in September of last year – the development was completed in December. After the new year and everybody got back into the swing, we started a trial. At ARIN, my team has a test organization that has real resources and looks just like a community organization with resources.

And then we had a friendly company that wanted to work through the process with us, work through the development, work out some bugs.

And on March the 1st we released the product, pulled the covers back, and said here it is. And since then there have been a few people signing up. It’s kind of – they’re trickling in. The message is getting out. The understanding of what we’re doing and how we’re developing it is becoming known. And we’re expecting a rush forward. We still do.

Let me give you a little bit of statistics that we’ve got right now. Here at ARIN, the number of organizations that have been taking advantage has definitely been growing. Currently in our database we have 45,700-ish ROAs – ROAs being the route origin auth – authorization object or component of the RPKI. You can create – it sends the information to everyone who uses RPKI that, yes, this is my resource, and I am telling you this resource should be coming from a particular location at ASN.

Since January we’ve had a growth in the database. There have been 4,000, almost 4,100 new ROAs, which represents a nine and half percent increase since January 1st. And year over year it was a 73 percent increase of objects of ROAs that have been in the database.

We filed a resource certificate. A resource certificate is received by an organization who has chosen to run an RPKI service. The number of resource certificates, again, since the beginning of the year has increased by 360. And since last year, year over year, we had 900 plus, approaching 1,000 new organizations that have signed up for the service.

The importance of this certainly is anyone who takes the step to start using RPKI, the first piece that you do is create a ROA.

If that’s the furthest that anyone chooses to go with it, that is the important component that operators and organizations that make decisions based on RPKI validity data. This is the first piece that everybody can use, so it’s important for people to create those ROAs and in broad spectrum it helps the security of the Internet as a whole.

We’ve got some good features coming up and being developed based on what you’ve asked us to do. We’re working through two factor authentication.

Mark talked about this a bit in the engineering update yesterday. We’re getting ready to put out a new consult to get specific feedback from you on which options you would like to see discussed, what we are looking to develop, so, please take note of that. It should be coming out next week. Make your comments. I want to hear from you. ARIN wants to hear from you as to the direction we should go.

We’re starting the process of automatically re rolling objects. Historically, the ARIN service in the beginning created objects that were 10 years in lifetime. That was an initial take on it.

And over time more of a reasonable, more closer in date for the automatic lifespan of a ROA when created here in ARIN, changed it to 825 days.

Now what we’re finding is that we don’t want Orgs who have created objects that have been out there for many, many years. We are hopeful that people are paying attention to the dates. But this is a process where we will be helping or making sure that these objects don’t die out unbeknownst of those who created them.

So the automatic re-roll will be coming later this year. And it will be periodic maintained – maintain the livelihood of those and the validity of those objects.
This does not stop you from setting your own dates, but it is merely a catch basket for those people who maybe are not aware that this is coming.

We’re proceeding with working on bringing RPKI and IRR updates together. A lot of people have talked about this and understand that it is a way that we can pull the importance of how the IRR works into the world of RPKI and therefore the security products.

And, again, I’m looking for feedback on how we want to deploy this. Our desire at this point is if you create an object, a ROA and RPKI, it will create a route object in the IRR.

But, more details. You can please come to me and ask. And there will be more documentation coming up on the website.

One of the last things in the pipeline. We’re doing a lot of updates for you, the customers. Your dashboards are going to be revealing new information to you and providing you data that normally or historically you’d have to reach out to our RSC team to get. We’re providing more information based on the resources that you have and the status of those resources.

It gives you a better explanation of the state that they’re in and what maybe needs to be done so that you take advantage of the advanced security services that we provide at ARIN. And we’re also going to be looking at and making it easier for you to find these services. It’s something that’s near and dear to me. It is a little bit more complicated than it should be. So those changes are coming in the days and weeks ahead.

We’ve got some training currently being presented, new to come. Refreshing some of the training that we have in place. We had a ROA-thon on Sunday. And thanks to everyone who attended. I think it was well received and the messaging got across.

But the voices in this room are amongst those that can help the acceptance and understanding and deployment of RPKI. It’s not this big bogeyman. It’s a very easy thing to do. I think we got that message across. And we’ll continue giving ROA-thons moving forward in the new year.

Last fall we had a couple of webinars that I gave that was the basics of using ARIN’s RPKI services. It’s to enhance your routing security. And at the end of May, beginning of June, we’ll give a more advanced RPKI session where we’ll talk about the more advanced ways of creating data, using the API, using the web interface, going more in depth on what the hosted process works, knowing how the delegated process works and a deeper explanation of what the repository service is.

So you can find all this information, the newest updates and what we have provided right now on the link that’s down at the bottom. And more to come.

So, please, if you have questions, reach out to us. You can reach out to me directly. You can reach out to the team. We have mail alias of routing.security@arin.net. And you can always contact the Help Desk and ask what’s coming.

The best way to make your voice heard and request new features that you want ARIN to provide to you is using our suggestions portal. And that link is here as well. Make use of it. We’re here. It puts it out in front. The community sees the requests, and we address them as they come in.

So we do have a status page right now, statuspage.io, that gives you the opportunity to see where all of our services are with respect to whether they’re under maintenance, whether there’s action that might be impactful. You can find a link to that at the bottom of the ARIN website.

Hopefully I didn’t go too fast for the stenographers, and I kept my voice up. Are there any questions?

Hollis Kara: At this point, the microphones are open for any questions from the floor and I’d like to give it a few moments to see if we have any questions coming in from the virtual audience.

Brad Gorman: It looks like if no one is jumping up or joining in that everyone really enjoyed the social last night. Moving forward, if you don’t want to stand up and say anything, I’m here the rest of the week. Pay your waiters and waitresses, tip well. And, please, come with any questions. I’m here to help you.

Hollis Kara: I think we’re set. Thank you.

(Applause.)

Hollis Kara: Before I introduce my next speaker, I did want to circle back. There was a reminder that I didn’t remember. I hate it when that happens.

So for our folks that are joining us virtually, this has come up in chat, but I want to make sure that everybody caught it because sometimes that conversation flies quickly. While we try to control every aspect of this meeting, the one thing we can’t manage is the bit rate on Zoom.

If you’re seeing any blurring in that, we’re trying to drop the link to the presentation directly into chat so you can grab it there, if you’re having trouble deciphering the slides. Fortunately a little bit of blur on the speakers isn’t a bad thing but reading the slides might be helpful.

Okay. With that said, I’d like to welcome our next speaker to the stage. Amy Potter from the Advisory Council is going to give us an update on the Policy Development Process Working Group.

Policy Development Process Working Group Update

Amy Potter: Hi, all. I’m Amy Potter, I’m the co-chair of the PDP working group. The PDP Working Group was formed about two years ago. We were formed to review the current text of the Policy Development Process document and provide recommendations to the Board of Trustees about potential changes.

We have the members of the PDP working group up on this slide. Thank you to all of them for all the very hard work that they have put in over the past two years.

The current text of the PDP has been in place since 2013. We came together to review that text in light of feedback that we’ve received over the years and our own experience, using the document as members of the Advisory Council and as members of the community.

Following this review, we decided to go ahead and do a full rewrite of the document. And we’ve gone through multiple versions over the past couple of years since then, working very closely with ARIN staff and with John (Sweeting) to come up with a version that we think will work best for the community.

We’re at a place now where we think we’ve got our final draft, which we’re very excited about.

What were our goals here? Our goal was to put together a document that actually enabled people to use the PDP document in a way that actually aligns with their preferred use.

Instead of having to read through the entire document to figure out what’s the criteria for moving this particular policy that I’m concerned about to the next step, or what actions are available to me as a member of the community at this particular step, we worked to restructure the document to lay out all of the actions that are available for different types of users of the document at each step of the PDP and clearly lay out the criteria at those steps to remove the amount of work that everyone using the document had to have to go through.

We also wanted to be really clear about laying out the rights the community has at each step of the Policy Development Process to participate and to ensure that their rights are being protected there.

Our next steps. We as the Advisory Council will be voting on whether or not to recommend the draft that we have now to the Board of Trustees for adoption.

And then we’re hoping the community will get the chance to review the document as well and provide their feedback before the Board of Trustees ultimately votes on whether to adopt the text.

We really look forward to the community getting a chance to review the text. We look forward to receiving any feedback that you have because it’s very important to us, that we have a document that functions well for the community and that the community feels – ensures their ability to participate in the Policy Development Process that we’re all here working on policy proposals for.

Thank you. Any questions?

Hollis Kara: Okay. At this point we’ll take questions from the floor and from the virtual queue. Let’s give it just a few seconds to see if anyone is typing. And if anybody in the room has questions for Amy, feel free to approach the mic.

Okay. Y’all, come on. Did you skip coffee this morning? You are half asleep.

All right. I knew Kevin couldn’t resist the challenge.

Kevin Blumberg: Kevin Blumberg, The Wire. Just because you asked, Hollis.

Hollis Kara: Thank you.

Kevin Blumburg: Amy, just a question. Is it that you’re structurally changing it to make it easier to read, or are there actually going to be time changes or real changes within the document?

Amy Potter: For the most part the substantive aspects remained the same. There are a couple of changes, which we’ll highlight to the community when it goes out for review. For the most part the structural changes are just about ease of use.

But we’ll definitely highlight where there were substantive changes so that the community can give feedback on that without having to read through the entire document.

Kevin Blumberg: And I assume you’ve, just sort of on that, you’ve taken into account the significant difference with the remote work that we’ve now had over the last two years? Because this was done in 2013, it didn’t really, I think, envision that level of remote participation.

Amy Potter: I look forward to hearing what you have to say about the draft.

Kevin Blumberg: Look forward to it. Thank you.

Hollis Kara: All right. I don’t see any other questions, Amy, so I think we’re all done.

Amy Potter: Thank you very much.

(Applause.)

Hollis Kara: Next up, I’d like to invite Matthew Wilder, also of the Advisory Council, to come up and talk about the work that’s been going on in – wait, I can do this – that’s been going on in the Number Resource Policy Manual Working Group.

Number Resource Policy Manual Working Group Update

Matthew Wilder: Thank you, Hollis. Good morning, everyone.

So, NRPM Working Group update – NRPM is, of course, the Number Resource Policy Manual. It’s my pleasure to present this on behalf of Joe Provo, who is our chair, who is online today.

About us. I’ll go through our newly adopted charter just to kind of pick out pieces that may be of interest. Really, the key thing is our goal is clarification and simplification of NRPM to make it easier to deal with and understand what the ARIN policies are and what to expect in dealing with ARIN.

Our composition includes at least three members of the AC, the AC Vice Chair and one member of staff to keep us in line.

The scope of responsibilities, what I’ll pick out here is that essentially when we, as a working group, put forward a proposal, that will include all of the working group members as authors. And then whoever is assigned as shepherd and co shepherd will then come back to us if there are questions about the intent in clarifying the scope and the intent of the Policy Proposal.

Our group members. We have Joe Provo, who is our Chair; R.S. (Rob Seastrom); Chris Tacit; and myself. The AC Vice Chair is, of course, Kat. And our ARIN staff member is Sean, who keeps us in line, as I mentioned – usually procedural stuff and helpful tidbits here and there.

Completed work. ARIN edit 2021-1 is addressing the lack of formal definition of ASN and alignment of some text. ARIN-edit-2020 9 is looking at the larger scope for portions of text, and one of the things that came out of this is looking at what should we do about touching lots of different pieces of policy all at one time.

You’ve probably heard the term “omnibus.” We learned this is something that we want to avoid just to make it easier for the community to have a good discussion without derailing the entire policy, if there’s one piece that’s throwing it off.

Work that’s underway. We have Prop-305, which is Section 2 cleanup led by Chris Tacit. The intent is editorial in nature. We don’t want to create too much or any kind of substantive change that would change the dynamic of what someone is experiencing. But really just tightening up the language.

And we’ll have, again, because of that learning around the omnibus, we’re going to have more proposals to make it piecemeal and simpler to digest as a community.

Prop-307, removing the barrier to BGP uptake. Essentially R.S.’s idea here is let’s make ASNs easier to get. A lot of policy – this is going to be a theme you’ll see from our working group – a lot of policy is built around the idea of conservation. And 2-byte ASNs definitely needed that scrutiny in order to preserve that pool of resources.

With 4-byte ASNs that has changed. So we’re thinking about how we can make that an easier resource to get for our community members.

Planned work. We didn’t have a whole lot in the pipeline, but we were looking at Section 6 – or beginning to, I should say. And in one of our meetings with the ARIN AC, we learned one of the other working groups, the PER working group, is actually looking at making some changes to Section 6 as well, driven by the need to simplify how our customers – how ARIN’s members and customers – have to deal with getting v6, whether it’s initial or additional allocation, looking at a line and simplifying that text.

Essentially our approach for the working group, on our working group, Number Resource Policy Manual working group, we’re looking at taking a step back and working to evaluate which pieces they’re going to be working on in order to avoid stepping on each other’s toes or maybe even introducing too much change to that section all at once. We’ll be communicating and coordinating with them on that piece.

Ultimately, to sum up the working group’s MO, it’s looking at continuous improvement to the Number Resource Policy Manual. The NRPM has been around for approximately two decades, and it’s evolved through many different phases in our community’s development.

Really, there’s a lot to unwind and re evaluate and simplify. We’ve got a lot of work ahead. Thank you.

Hollis Kara: Thank you, Matt. Do we have any questions from virtual? And, again, in the room, if you would like to approach the microphone. Okay. We’ll go to the floor.

Louie Lee: Hi, Louie Lee, Google Fiber: Thank you for the presentation. I just wanted to drop a little reminder that if you’re looking at parts of the manual that have global policy language, just drop a note to the ASO AC, so that not to get around any kind of conversation, but early warning kind of thing.

Hollis Kara: Absolutely.

Sean Hopkins: Sean Hopkins, Senior Policy Analyst. You did mention in there a third AC working group. Folks in the room and online will notice there’s no slot for that working group. It does not mean that they are not working.

There are three other AC members that are on that working group, the Policy Experience Working Group – Policy Experience Report Working Group. The reason they don’t have much to report on in the past six months is because the last time a Policy Experience Report was given, they worked extremely quickly and diligently and all their work product is now in the PDP, which we convened a meeting here for.

They’ll have plenty to talk about in October. They are developing a backlog. And that’s all I have to say about that.

Matthew Wilder: Thank you, Sean.

Hollis Kara: Thank you. I don’t see any other questions coming in online. Do we have anyone else on the floor? Looks like no. I think we’re all set. Thank you, Matthew.

Matthew Wilder: Thanks, Hollis.

(Applause.)

Hollis Kara: And thank you also, Sean, for that interjection about the third working group. I was going to mention it, but you did. So whatever.

(Laughter.)

Next up, I’d like to welcome Rob Seastrom to talk about how you can use Git to explore the history of the Number Resource Policy Manual.

Exploring NRPM History with Git

Robert Seastrom: Thank you, Hollis.

Up front I’d like to point out – thanks, John – we’re running ahead, that means I can run long.

(Laughter.)

This is a slide deck in development. We’re hoping to make it better. We’re hoping to make it better for general audiences.

If you try some of the recipes that are provided here, especially if you are a novice user of Git, especially if you’re a novice user of the command line, I’m very interested in your feedback and suggestions.

We want to make this something that’s suitable for general audiences as you’ll discover in the first few slides where we talk about a few things that are probably old news to most ARIN 49 attendees.

What’s the NRPM? I think everybody in this room knows what the Number Resource Policy Manual is. What you might not know is that there’s nothing in there about problem statements, slides, anything else that’s contextual from when we decided to put a particular policy into effect.

But the history is important because ARIN is a mature organization and there’s policy language that’s outlived its usefulness in the Number Resource Policy Manual.

We’re cleaning stuff up. You just heard from status reports on the NRPM cleanup. The historical context of why a given policy item is there can influence and inform our discussion of whether or not to get rid of it or not. Policy Development Process is how we get stuff into the NRPM.

Here’s the cliff notes version of the PDP. We have a proposal. AC takes it on to its docket. We have community discussion. It becomes a Recommended Draft Policy and gets forwarded to the Board. The Board actually validates that the Public Policy process has been followed. And the result is the new version of the NRPM is published.

So these last two steps, with the AC meeting and a motion to forward to the Board, and the Board validation bunches things up into a small number of PDP updates per year, where there are multiple policy proposals that are going in at each update.

There are other ways to get stuff into the Number Resource Policy Manual, by the way. There’s special policy actions for emergency PDP and policy suspension. These happen very seldom.

But if you take a look at the way that things get in here, Board action is required for a change to published PDP, but the emergency special policy actions are often not reflected in the published PDP because published and updated Number Resource Policy Manual is not specifically called out as a step in that emergency process and they’re intended to be temporary until they’re called out – until they’re ratified, rather, by the community.

So how do you find stuff in the history of the NRPM? You can’t really just search for NRPM text and Policy Proposal archives. Line breaks cause a problem. Text reformatting causes a problem. And we have had two ways of community developed policy making it into the Number Resource Policy Manual. Today we have the PDP.

But before 2009, we had something called the IRPEP, the Internet Resource Policy Evaluation Process. And there’s a link to the history of this for anyone interested in the history. But it often didn’t – it did not propose specific policy language.

There were policy proposals that said, ARIN should do X. And ARIN staff figured out what the actual language that would go into the policy manual would be.

When we probe history, the question we are trying to answer is: When did this particular text that I’m interested in first appear in the NRPM?

Once we have that information, we can look for Board actions. We can look for policy proposals. We can look for discussion on the Mailing List.

There’s good news. A binary search would be incredibly painful, thumbing through archived versions of the NRPM, terribly painful.

But in 2018, Sean Hopkins, acting on a suggestion from Owen DeLong, turned all of the archived versions of the NRPM into Markdown, which is a very simple text formatting language, and put them in Git. So we have a Git repository, just like software versioning, that we can search for this.

What’s Markdown? It’s actually human readable. It’s in the background of many Wikis and many website creators. There’s an example of it on Wikipedia that you can look for. It’s not WYSIWYG, but that’s okay. It’s good enough for humans to read, consume and understand.

You heard me talking about Git. If you’re not a programmer, this might be a new one on you. It’s version control software for keeping track of changes to code that you’re writing. It was intended for Linux kernel developers. It’s gotten a lot of mind share in daily use today. It’s probably the number one version control system being used.

It works on text documents. We’re lucky; Markdown is a text document. It’s not Microsoft Word. It’s not PDFs. It wasn’t really intended for timeline analysis of a single document, but, hey, it still works.

So NRPM plus Markdown plus Git, we can use Git to search for a section heading or a string being added or subtracted. In this case there’s only one file to search.

So let’s play with it. I’m going to present some recipes here for playing with it. Why am I not doing a GUI based – we have GitHub. We have all these other things that you can run on your laptop that will allow localized GUI based exploration.

It turns out that the feature set is not uniform across all of them. And Bitbucket which we’re on, because it’s an Atlassian product and ARIN pays for Atlassian licenses like Jira and Confluence.

For history searching, it’s not the greatest. GitHub is better. There’s stuff on your laptop. But the one thing that everybody has or can have easily is a command line. You type a command, and something happens. This is relatively easy to follow a set of directions on.

I’m going to have a get together at lunch. If you need help getting it onto your computer or something like that, we can have that discussion then, or we can just play with stuff on my laptop on a big screen.

Here’s a slide for how to install it on a Mac. We’ll skip that here. We’ll skip how to do it on Linux. And we’ll talk about a research question. One of the proposals that we have before us is getting rid of the Autonomous System Origins field in Whois.

When did that go in there anyway? Turns out it was a long time ago and it was long enough ago that the ERPAP was enforced, not the PDP. So, this was a good research question to dig through it in.

You clone the Git repository which means putting a copy on your local computer and you change into the directory that it’s in. There are two files here. One is the NRPM itself. You’ll notice that’s a whole 102 kilobytes long. And the other is the README document. And that just explains what the repo is about.

If you have an old copy of the repo, you can just do a Git pull, which will update the repo to the latest version.
We’ll do some searching using the Git log command. You can search for regular expressions, which is advanced – we’re not going to talk about that today. We’ll just talk about strings.

So Git log -S and we put autonomous system origins in the quotes – minus minus source, minus minus all – don’t worry about exactly what the flags do. This is the recipe. We’re not going to get into the chemistry behind how the bread rises.

It gives us one change. Oh, that’s convenient; it happened in the first change in 2007. We’re going to deconstruct the output of that and talk about how to look at it and understand what it’s about.

It looks for changes with that string either appearing or disappearing. It doesn’t find changes with the section with that title. Git knows nothing about Markdown, so it’s just line by line.

Taking a look, this got squashed a little bit in the reformatting here, so please accept my apologies for that.

The date that’s shown for the commit – the line starts with date down there – is the actual date that Sean committed this into the repo. Remember, I said that Sean did this big commit change in 2018.

So, ignore that. Look at the references and the tags. Those tell you what version is being committed into the repo.

For more recent updates, there’s a short period of time between the Board – from the Board meeting, so don’t count on the exact date that it was put on there. Just look for the year and which revision.

Now we’re going to look at, since we got the commit ID there, the line that starts with 29B716, we’re going to ask for it to create a unified diff output – and we’ll deconstruct that in a second, – that shows what changed in that commit.

Here’s the taxonomy for those changes. The important part to think about is the plus or minus, the line that was added or removed in the commit.

So as we look – there’s the output if you run that command of what’s changed. Very important to take a look at the pluses and minuses. So you take a look at Section 3.4 – 3.5 et seq. That’s what showed up in those changes.

Now, we can look for a Board action that happened around those times. We can find the policy proposals and drafts that informed them.

And we can use a search engine because once we have found the Policy Proposals and the Board minutes, we know which Policy Proposal was the source of this change and some Google search terms for looking for a specific Policy Proposal, list discussions and slide decks.

We can look at the presentations and the mail. And that is my presentation on this.

Are there any questions from the microphone? If not, if you’re too shy, please try this on your own. Please come and join me at lunchtime. We’ll be playing a little bit with Git. Thank you very much.

Hollis Kara: Just give it a second to see if we have any virtual questions.

(Applause.)

Robert Seastrom: Pardon?

Hollis Kara: Waiting to see if there’s any questions coming in from remote. Not seeing anything. Sean has something.

Sean Hopkins: Just noting that you do have your Pro Tip slides and two and a half minutes.

Hollis Kara: Thank you, R.S.

(Applause.)

All right. We’re going to keep going. There are Pro Tip slides. If you want to see R.S. at lunch, you’ll get to go through these, because you don’t want me to attempt to explain them. Click ahead.

Next up, I’d like to invite Joe Westover, our senior manager from the office of the CCO, to come up and talk about changes to ARIN’s fee structure and our membership structure.

Fee Structure and Membership Changes

Joe Westover: Good morning, everybody. I think following that with fees is a little bit of an illustrious start here.

I’m Joe Westover. I’m relatively new, about two years ago, under John Sweeting. And pretty much the day after, within a month or two from when I started, we were into this fee modeling update.

I want to go through and step through this a little bit. I want to revisit a little bit around why it was done, what was done, a little bit on the timeline, and a little bit of the kind of the fact finding and the things we found interacting with customers after this was actually taking place.

The objectives were simple. These were directed by the Board, directed by John Curran. We really wanted to apply an equitable fee schedule for the community. We want a uniform treatment of all customers as opposed to the prior end user and RSP fee schedule.

We want to allow ARIN to continue to invest in our services. A lot of those you heard from Brad Gorman and others – IRR, RPKI and DNSSEC. There’s a lot of changing needs in the community and demands to poise ourselves for the future and be financially viable to do so.

So I think sustainability was a large part of this. Reducing and eliminating a reliance on the reserve fund is part of that and also positioning ourselves for the future.

Another good part is we just streamlined and simplified the billing structure. That has a two fold improvement from my point of view. It’s easier for the customers to understand, prospective customers, and it’s easier to implement and support internally, operationally, systems, et cetera.

Now, what changed? Now, essentially we transitioned all customers from the prior end user schedule to, with v6, v4 resource holders, to the RSP plan. A lot of you are familiar with how that works already. So I don’t need to go too much into that.

We also provided a temporary IPv6 waiver for organizations in the 3X small category. And there were two additional fees that were implemented.

We increased the transfer process fee from 300 to 500. We also implemented a new $50 OrgCreate fee and a $100 OrgRecovery transaction. And when we did some of the modeling for some of this, we did take some rigor to look at some of the cost recovery, look at the internal processes that the teams put in RSD and finance, et cetera, that it took to process not only a transfer fee but an organizational create fee and organizational recovery fee.

A few other things that were notable that launched after the beginning of the year. And I do want to give a shout out, these look simple when you’re looking at invoice changes. The amount of work that went into it across the teams, across engineering was herculean to get this stuff done. I want to give a shout out to that.

What you’re seeing new in this, and when people first got their initial invoices at the end of the year for January/February, these weren’t on there, but they’re seeing them now.

We made a few changes. One is we’re including the Number Resource detail. And they’re in the form of ASNs, /24s and 48s. That accompanies the RSP line item. And one other ancillary benefit of that is a lot of the end users in this case are seeing that for the first time, including billing folks who are looking at bills and trying to approve paying them or not paying them.

It was a simplified structure before. You had two networks. You had one ASN. It adds up to a dollar amount that makes sense. Now they’re seeing things that say annual fee for size. Is that a T shirt size? What is this? So that helps reinforce that. And it shows the actual resources that people have to kind of bridge that gap.

There’s another change with the legacy RSA. There’s a fee cap involved with that, but we wanted to make them aware that, in this case, while they’re paying the fee cap of 150, they actually have resources equivalent to something much more.

So right now all the LRSA holders are seeing their LRSA fee for Registration Services Plan fill in the blank. And then it shows the cap amount, which obviously will increase $25 year over year.

I want to talk a little bit about the timeline. This is really just to get a little bit of perspective. I came in here in March 2020. There was already talk about this. By early summer, early May, we were heavy into modeling of what this might look like.

We looked at comparing, combining end user and RSP, other different models in terms of sizing and pricing differences. We looked at the organizational creates recovery transaction class to see what might help fill the gap and would transition something that’s more sustainable, implements a level of cost recovery that would make sense.

Ahead of that, we had consultation which a lot of people in this room, I’m sure, are aware of during a time period, that it was announced in the July timeframe. In September we actually pulled a reset of data for the folks who would be impacted, not the ones that were saving money or not having a change – I’ll get to that in a moment – but the ones who were actually having an increase.

We took that and we striated it in the different amounts. And we sent out committed emails to base off their resource contact information.

The people with the most got individual phone calls or emails from Mr. Curran and Mr. Sweeting and a few others. So we made sure to have that kind of robust campaign.

Starting in November, we started to actually do these things and started to be effective the first of the year. What I do now, we have basically a triage process. It’s on the invoice. It’s on the website. And it’s facilitated through our Financial Services Department and our Registration Services Department to kick over to what we’re calling a 2022 Fees at ARIN.net. And just so people are aware, the person on the other side of that would be myself.

It’s been interesting. We’ve had a lot of good feedback. We’re fielding not as much as you would think. I’ll get to that in a few minutes. But we’re fielding requests and so far it’s been fairly streamlined. I see that continuing probably through early, into early fourth quarter when the bills catch up with themselves for the year. We’ll keep that open. It’s noted as 2022 Fees, because the objective was in 2023 we might not need it anymore.

A little bit about the end user impact so people are aware. We did a large amount of modeling early last year. We pulled a set dataset in April of last year to use.

And at that point, when we assessed the impact of this final model we decided on, we found that, again, the takeaway here is roughly 70 percent pay the same or less – less, which is definitely a favorable thing to do.

You did have a few others that went up, but they weren’t a lot – 4K up 1K or less, 660 1 to 5. The 18 that went up 10K plus, they were on that list that were contacted by Mr. Sweeting or Mr. Curran. They also all represent multinational global companies.

The other part I like to touch on, I found this extremely interesting. I know when I was first informed about this – you’re going to take this over and you’re going to respond to them; you’re going to sit on Zoom sessions with people who want to talk, I was probably, arguably, admittedly a little hesitant about that. But it’s actually been an extremely positive experience.

Now I correspond via email to inform people. But in the few instances I’ve had an opportunity to get on Zoom calls for folks, we’ve been able to consolidate organizations.

We’ve been able to interact with people we normally wouldn’t be able to interact with. There’s been a lot of re education efforts there around the services we provide as a result of the new area that they’re actually in.

Data cleanup. There’s Org consolidations, and a lot of – it’s interesting, because one of the main use case or scenarios I see is with an increase it tends to be, I had an ASN and I had a /16 – $300 to X amount of money. And you’d be surprised at the amount of folks that are just not realizing what they had or what their options are.

That’s provided a good opportunity to have them work with them, what their options and direct them to where they may or may not need to go. That kind of sums that part up. The other thing I wanted to cover really quickly before break is the membership update.

Those who aren’t aware, historically we had trustee members and general members. At the first of the year we introduced a new category called service members. Service members is essentially as it sounds – anybody with a Registration Services Agreement or a legacy Registration Services Agreement and then also has IPv4 and IPv6.

And essentially you brought over all the end users who were previously unavailable to have that. They’re now a service member. Actually you can consider anybody in there to be a service member. And then there’s an additional class of general members.

At the beginning of the year, the general members transition automatically to be the new general member status. They didn’t lose a thing. They had the same voting opportunities they have had in the past. The exception now is that the service members, which is the former end users, now have the opportunity to vote and participate in ARIN elections. They have to opt into it. And there’s an option to do so. And there’s a fairly rigorous communication campaign that Hollis and her team does to get that out there on a regular basis – hey, you have this option if you’d like to do it. But it was an effort to give people opportunities.

Another thing I didn’t touch on, by virtue of them now being in the RSP, end users also have an opportunity to do things they couldn’t do before like reassignments.
There’s some ancillary benefits to that. And this cleans it up.

While we made similar changes in the fee schedule, this is very complementary in effect and allows the end users to have opportunities they didn’t have before under one common, uniform, easy to understand fee structure and membership structure, which we’re really looking forward to see how that goes.

The other part of that, before I talk about retention, is we’ve also set up a general member mailing group. So if you’re a general member, you can submit to that. And it’s publicized, I think, on the website. There’s not a whole lot of people in there. But it’s a dedicated Mailing List just for general members to discuss general member election related items.

I can say and I advocate anyone who is a service member and/or a general member wants to be a part of it because you need to be a general member to do that to submit into that. I’m not sure if we can share that information somehow after this or during?

Hollis Kara: We can.

Joe Westover: We’re taking those, we’ve only had 59 people so far. Definitely encourage more folks to get involved and put that. That’s something that the CCO office, when we get that request, we screen to ensure that they’re a general member, and then to qualify if they’re not informing them what they would need to do to opt in to become and apply to become a general member, to then come back and reassess and reapply for that piece.

One of the key parts about this, also, is there is a maintaining – a maintenance and general membership. So there’s always a catch, right? There’s always a catch. What we’ve put in place after the 2023 elections, all general members will be evaluated against their participation criteria.

That’s essentially did your organization vote or not vote. That’s fairly easy from a data point of view to validate or not validate.

If they haven’t done it at that point, they’ll be notified and moved back down to be a service member, at which point, after a year, they can always opt back in. This has to do with quorum and maintaining the civility of things.

If an organization has this changed, again, they have one year, a calendar year to do it, after which they can apply for general member status. Mr. Sweeting?

John Sweeting: John Sweeting, ARIN CCO: Just want to make one correction. That changed. There is no one year that they’re kicked off. If they lose general membership, they can apply for it the next day if they so choose.
The reason we did that, you’ve got somebody there that doesn’t vote for three years, they leave, a new person gets put in as the voting contact for that organization, wants to vote, they can apply and vote. There is no one year.

Joe Westover: Thanks for the clarification. Obviously there’s a bit of complexity as to a little bit of nuancing and a lot of new things that will come out in our general effort to improve the billing side and the participation side on the membership. That’s all I have.

Hollis Kara: The floor is open for questions. And virtual queue is open as well, so please start typing. For now we’ll go to the floor.

Larry Rosenman: Larry Rosenman, LERCTR Consulting: When I applied for general membership, I was asked for a DBA incorporation certificate. What about those people that are not a corporation, that are just an individual that might hold resources to become a general member?

Joe Westover: John, you want to speak about that? It has to do with the Registration Services process.

John Curran: It’s an interesting situation. ARIN serves organizations. If you’re not an organization we have a little bit of a challenge. But if you’re a DBA, doing business as entity, and you explain that, we have put people in the database and made them members that way.

The challenge we have is that it’s very hard if someone comes up and says they’re also you, for us to disprove that.

So we prefer for people that have incorporations for them to do that, provide that paperwork. It’s a lot easier for us, but we do have single entity DBAs as members.

Larry Rosenman: I was accepted. I was just curious for other people that might not have an official DBA on file.

John Curran: There are people who don’t and we’ll accept them, we will take them that way. But our preference is that you have the paperwork.

Andrew Dul: Andrew Dul, AC, 8 Continents: Question if you had any unexpected benefits or not benefits from what you have seen in the first four months of this transition? And if you could comment on the number of Org consolidations you’ve seen so far.

John Sweeting: John Sweeting, ARIN CCO. We’ve had a lot of unforeseen benefits, Andrew. We’ve had a lot of people that didn’t realize how much address space they had because they were paying $300 a year and they weren’t using it. But they didn’t care, they were paying.

Once they had to pay a little bit more, they called us, of course, and we educated them on what they had. So we’ve seen address space being transferred, put back into use. We’ve seen organizations collapse. Instead of having four or five organizations collapsed under one because under the current fee schedule, having three or four different organizations, you usually pay more than if you consolidate your holding. So we’ve seen all of that.

John Curran: There’s also another benefit that’s sort of indirect that people don’t think about. We try to avoid at ARIN breaking the law because we find that to be awkward.

(Laughter.)

So there’s a situation, when you end up becoming an ARIN member, we, by Virginia law, there’s a membership list that you’re included in. At the same time, though, you never told us you wanted to be on a public list, and some states, some governments have privacy requirements where we should be telling you about that.

So one of the things we’re doing as part of this is if you’re a service member, you’re a service member. No one has to know except you. There is the Whois database, but we don’t publish it in any lists otherwise other than the Whois that everyone wants public.

When you become a general member, we say, by the way, you’re participating in the general membership. You’re going to be published on the Mailing List. This is part of the consent process.

So we’ve managed to tie the notifications we need to give you with the legal compliance that we need to make as a Virginia nonstock corp. So we tightened up our process here, where right now I have a lot of people on the membership list. I’ve never said, hey, by the way, you’re published on the membership list.

Over time that will get self corrected and everyone will be on – will have positively ascended, positively given us a voting contact, positively given us an affirmation to be on the public list. There’s a tightening up of general operations as well.

Joe Westover: It’s been generally very positive. I’ve been very encouraged by the interactions and the output, the positive output of those interactions.

Hollis Kara: All right. I see we have one question in the virtual queue. I’m not sure whether this one is going to be better answered by Mr. Curran or Mr. Sweeting. But, Beverly, could you read it in and we’ll see who makes it to the microphone first.

Beverly Hicks: W. Simon from Simon Tel: Given the difficulty of getting IPv4, is there any consideration to be given to adding pricing tiers? Example for like a /23, let’s call it a 2.5x Small at $375.

John Curran: I don’t understand the question. John, do you understand that?

Hollis Kara: I think the question if I can reread it, because I’m looking at it as well is, is there any intention to create a category for holders that are smaller than what’s currently our 2X small that might only have a /23 to have a lower bill since they’re below the threshold for 2X.

John Curran: I got it. We have this weird situation. When ARIN started, our fees were, our bottom fee was $1,000 a year. And they went up. They doubled, as they do now, based on size category.

Over time, we’ve been able to expand the number of members and with this change expand the definition. So ISPs and members who both hold address space, you get similar services, you’re all members. And we’ve been able to lower the fees. And now our fees are, our categories include a 500 and a 250. 250 is fairly hard to qualify for, because even our minimum IPv6 allocation can put you over that.

So we’ve managed to lower fees already substantially since we’ve been formed. We still have 15,000 legacy resource holders receiving services without fee. If those legacy resource holders come in, we’ll lower the bottom tier again and we could actually look at even sliding the scales.

ARIN’s fee schedule is set up so that the amount you pay for your service category is based on your max of your v4 or v6. So, everyone who has a v4 holdings can get a v6 block with no change. Even 20 years from now – we’ll talk about this in the panel after lunch – when we’re only doing IPv6 and IPv4 is gone, everyone who has a v4 category will be paying the same amount if they have similar IPv6 holdings.

So we’re actually set up. What we’re missing is more of the people getting ARIN services coming in and paying their share of operating ARIN. If that changes, we’ll have lower fee categories.

If you see someone who is getting free ARIN services as a legacy holder and decides he doesn’t want to pay for it for the last 20 years and he doesn’t want to pay for it going forward, that’s what’s in the way of us having lower fees.

Hollis Kara: Thank you. I don’t see any further questions. I think we’re set.

Joe Westover: Thanks, Hollis.

Hollis Kara: Thank you, Joe.

(Applause.)

Since Joe alluded that I might be able to add a little bit of clarity, and I’m at the mic and no one to stop me, I’ll do that.

We’ve been engaged in a considerable outreach program over the last couple of months to make sure we’re contacting all of our existing customers who moved into the service member category.

All those folks, the last of them will be getting an email this week that advises them of their options for general membership.

And then if folks are interested in doing that, and they haven’t seen that, if you go in and drill down, again as John stated, membership is on the organization level.

So if you go into your ARIN Online account, go into the organization tab, there’s a little menu that hangs off the right corner down at the bottom that, when you look at an Org, that is identified as having service membership, you can drill down. The request tab is there. It’s really simple. One screen. RSD will work through that with you.

And once that’s established, we have on our Mailing List page, the subscription tab for the general member list. You go in there. We just verify your general membership status is current, and then you can be on that list, which is very, very quiet. But if you want to come and talk, that will be cool. There’s that.

We have a little bit of time during the break so we’re going to squeeze in one more department update.

I’ll have John Sweeting come back up to the stage and he’ll give the Registration Services Update.

Registration Services Department Update

John Sweeting: Thank you, Hollis. If you guys weren’t tired of seeing me yesterday, you get to see me today. You were scheduled to have a break from me today, but that’s all right. You won’t have to listen to me up here tomorrow.

I’ll get to the Registration Services Department Report. I’m doing this for Lisa, who was unable to attend.

The current RSD staff. We have the director, Lisa. We have a transfer – new Transfer Services Lead, Misuk, who is here, out at the Help Desk. You can stop by and chat with her if you wish about transfers.

She’s actually Cathy’s backfill into that position. And she’s been trained very well by Cathy. Doing a great job.

We have Nathan Newman, who is the Technical Support Specialist within the RSD staff.

And then we have Reese Radcliffe, who is the Registration Services manager. And reporting to Reese, we have Prabha, Jenee, Henry, Alyson, Emily, Suzanne, Shawn, Eddie, Mike and James. A lot of those names, well, about half of those names are new.

We’ve had some turnover, and we’ve had some additional staff added to keep the level of service that the community has come to expect from RSD. It’s been a little bit tougher with the coordination of tickets and calls.

If you can imagine, we’ve got a help desk call in number, that’s used pretty heavily. It used to be very easy when everybody was in the office to transfer calls around, get them to the right people and everything.

Today, with everybody at home, we’re using Slack to accomplish that. You get the call; you answer the call. They want to talk to Mike about a ticket he’s working on. So they have to then Slack Mike and try to track him down, get him, and then transfer the call. So it takes a lot more coordination and time than it used to when we were all in the office.

And here we go. Happy retirement, Cathy Clements. Once again, Lisa really wanted to point this out. Lisa has told me several times that Cathy is the reason for most of her success.

(Applause.)

And she was going to be missed, but we ensured, as I believe Richard let everyone know yesterday, we have hooked Cathy and we have her on a retainer to consult with her as required.

And there is a lot. There’s a lot of times I go to Cathy and I say, hey, what happened back there in 1998, 1996, 1999. And guess what, she always knows. It’s just amazing. Sometimes she has to look up the documentation, but mostly it’s up there.

We have her on retainer, and Cathy, you are going to be missed. A little bit. You will be my designated partner at happy hours that we have, though, and I’ll take care of you there.

Organizations served by ARIN. John has alluded to this a few times during this meeting. We have 40 – almost 40,000 total organizations that we serve.

Of that, we have about 15,000 that we’re servicing and we’re receiving no compensation in return for that. That’s a big chunk of work that we receive no revenue for. It is what it is. And we’ll continue to work on that and try to convert as we can, but it’s nice for you guys in the community to understand exactly what’s going on.

We do have almost 8,000 ASN Only customers. I know people say why would anyone have an ASN only? Well, they get a connectivity to an ISP. They get space from them. They decide want to multi-home. They have to come and get an ASN. That’s all they get because they use the space from their upstream.

Also I believe there was a time when it was believed if you had an ASN number that you got IPv4 space easier. There may even been a policy that said something about if you’re multi homed, you can automatically qualify for – I don’t remember if it was a 23 or a 22. Cathy would probably remember. But I am not going to put her on the hook.

All right. Ticket processing. This is just a look at historically the number of tickets that are processed through RSD. As you can see, 2020 was a very high point. 2021 it backed down a little bit. It continuously is climbing.

And most of these tickets are online. But we still have hostmaster@arin.net hanging out there. And we get maybe 50 tickets a day into that mailbox. But it’s actually like 2,000 emails that come into that mailbox a day, of which like 50 are something that we have to read.

So it’s challenging. We’re trying hard to get away from the hostmaster ticketing system. But there’s some things that are just holding us and keeping us from getting rid of that. Legacy being one of them.

Okay. Monthly phone and chat totals. As you can see, it hasn’t gone down any. It’s stayed steady throughout the pandemic.

And this is the one that takes a lot of the phone calling, people calling in. It takes a little because they call in, they want to talk to the analyst that’s doing their ticket. And they want to provide them information. We have to do a lot of coordination on that.

All right. Wow. Cool. That was it. That was the last slide. I just want to emphasize, these guys, the resource services department, they do a lot of work for you guys. And they really enjoy when they make customers happy.

They hate to say no. Actually, they’ve been told they shouldn’t say no. They should be – well, you can’t do it that way but let’s find a way to get that done.

That’s how they work. And sometimes that takes a little bit longer than just saying no. But we don’t want to say no. We want to help you get done what you want to get done.

With that, any questions? If not, I think we can go into break.

Hollis Kara: All right. I don’t see any questions from the floor. So I think we’re good.

(Applause.)

Thanks, John. And as John said, we’re rolling right up onto our break. We’ll take a 30 minute break. We’ll be back at 10:50. Please enjoy, catch up on your email, stretch your legs, and we’ll see you back soon.

(Break.)

Policy Block 2: ARIN 2021-7: Make Abuse Contact Useful

Amy Potter: I’ll try to be very careful with the feelings of the abuse contact.

(Laughter.)

All right. So we’ve gone through a couple of iterations of this Draft Policy so far. For those of you that don’t constantly re read old PPML.

The previous iterations were about making, adding an abuse URL to the abuse POC that was mandatory. Feedback on PPML was that people didn’t love the mandatory aspect. So we switched this over to an optional abuse URL that can be added to the abuse POC.

The thought was that for a lot of organizations just having the email and phone contact doesn’t really fit well with how they actually do abuse reporting. And the abuse URL was more aligned with current practices.

We’ve made changes to the text to add into NRPM, but there is an optional abuse URL. Nothing too complicated there. So we got helpful feedback from the Staff and Legal.

We’re going to be making some changes based on that. But there’s one part, in particular, that I wanted to get community’s feedback on.

In our Staff and Legal, the staff stated that they understand the proposed changes in the policy statement to be a straightforward direction for abuse contact creators to utilize the existing public comment section of the contact record.

And so what I wanted to talk to the community about today before we went forward with our next round of edits is, one, do you support still having the abuse URL being added to the abuse POC as an optional addition.

And if you do support that, would you prefer that there was an actual abuse URL field added to the record that could optionally be filled in? Or do you like the staff interpretation of the current language that staff would add a straightforward direction when you’re setting up your abuse contact that you can utilize the public comment section to add in an abuse URL if you would like to do so?

So if any of you have feedback on that, I’d love to hear it.

Hollis Kara: That was a cue that it’s time for the audience participation portion. If you have a comment, please approach the microphone. Same thing, virtual attendees, please start typing.

Bill Sandiford: Not everyone at once. All right, front microphone.

Andrew Dul: Andrew Dul, ARIN AC, 8 Continents: I don’t think that just suggesting using the public comments field is what the author probably intended. The public comments field is, I guess, comment fields in general are dumping grounds for random things you want to put in there. And this person I believe was looking for a structured field that one could query.

My thought from your presentation today, which I don’t know if anyone else has said, is should a URL be a field that is just part of a Point of Contact record? Any type of Point of Contact record could have a URL associated with it, whether it’s a tech contact or a NOC contact or an abuse contact. That could be a useful field that people could redirect to a ticket system, website, all sorts of things.

But again, not a public comment field. A URL field has a URL in it. That would be a good thing, I think.

Bill Sandiford: Thank you. Rear mic.

Tina Morris: Tina Morris, Amazon Web Services: Likewise, a URL field would be much better than the comment section. Currently we have very specific abuse processes that are defined in the public comment section and they are flat ignored. Something that’s query and easy for people to find would, I think, be a good thing.

Bill Sandiford: Thank you. Front mic.

Chris Woodfield: Chris Woodfield, Twitter, ARIN AC: A question that comes from the abuse POC record is what types of abuse are people using these POC records to report? Back in the day, abuse was more or less defined as spam and usenet abuse.

Nowadays the types of abuse that people are looking to report are much more dynamic – DDoSes, hacking attempts, things along those lines, phishing attacks – far more security related as opposed to annoyance related for lack of a better word.

And as such, it’s not – I agree that email may not be the best route to report those kinds of abuses.

To the question, I agree with Andrew that I don’t think the public comment field is a great place to have that, to have that contact. I think we do need something structured, something that will show up as a field, as a key and an RDAP query, for example, that can be pulled into automated reporting processes. That would be my choice given those two options.

Bill Sandiford: Thank you. Rear mic. And a reminder to those online to get the comments in.

Hollis Kara: We do have a few comments.

Bill Sandiford: Okay, we’ll do rear mic, then we’ll jump to the online.

Robert Seastrom: Rob Seastrom, speaking for myself, specifically responding to Tina. I think that a URL to a web form intended for consumption by humans is, plus or minus, the same as having an email address.

But if only there were someone in the room who worked for an organization that was skilled at creating APIs and defining data structures that went around them that would result in something that was uniformly machine readable on the far end, that an API endpoint, rather than URL endpoint for human consumption, would potentially be a whole lot more useful.

Bill Sandiford: Thank you. Online.

Hollis Kara: Sure. We have two comments online. First – and it might help if we could pop the slides back up because it references this slide specifically.

Anthony Delacruz from Lumen said: We currently do – we do A currently and would also support B. So going to the questions that you proposed the last slide. Sorry. Wrong button. Back, back.

They do A, would support B.

And then, second, I have a comment from, and I apologize, I’m going to murder this last name, James Hulce, who is one of our ARIN Fellows, saying that he would support adding a URL field and that having a structured item is much better than an unstructured comment.

Bill Sandiford: Thank you, rear mic.

Kevin Blumberg: Kevin Blumberg, The Wire. Don’t agree with A. Public comment is not much use and couldn’t be used today.

B, absolutely. Machine readable locator data is – structured locator data is critical.

My only question is, is by using the term “URL” pigeonholing us? Rather than saying that keeping the NRPM clean rather than specificity, but machine readable locator data that we can define today as being a URL and in three years we can define as being a specific other kind of query, whatever it may be.

But I definitely believe this needs to be machine readable. It needs to be structured and it needs to be optional. Thank you.

Bill Sandiford: Thank you. Front mic.

Lee Howard: Lee Howard, IPv4.Global by Hilco Streambank: I have a couple of questions. First one is, does this need to be in the policy manual? If this is a “heads up, you may do something,” is that policy, or is that an operational consideration for staff?

Bill Sandiford: Good point. Thank you. Go ahead, John.

John Curran: So to the extent that you need us to enforce it on anyone in the registry, then it needs to be in the policy manual.

If you don’t care for it to be enforced, then you can put it in there because people might want to see it somewhere. But you could also put it in an informational document. It could be published in an RFC or some other repository.

That optional or nonoptional ends up being a big keyword there. Since we don’t know the output of that, the policy manual is a good place.

If it’s truly just optional, then it doesn’t need to be there.

I want to say one other thing. ARIN is transitioning from issuing number resources, where the policy manual was 98 percent about issuing number resources, to managing an ongoing registry with very little issuance.

So the policy manual is going to change to be much more about the care and maintenance of the registry and the fields in it and the format in it because that’s the only policy left for this group to develop.

Lee Howard: Interesting. In response to this, when it says “can add an optional,” that looks like an RFC 2115, “may” to me. That looks like it’s absolutely optional.

But I’m also glad you said RFC, because I think Mark Kosters said something yesterday about RDAP being the way of the future. And several people have said, I really want this to be structured data.

Would changing the data structure of Whois require an RFC from the IETF?

John Curran: No.

Lee Howard: Port 43 is free text. And the structure of the database is an ongoing consideration from Mark, right? Did I not understand what Mark was telling us?

That’s possible. There’s lots of things I don’t understand. Great, John is nodding. Yes, I did not understand. Good.

It also seems to me that the difference between machine readable and something that’s parsable from a comment field probably is much more useful if it’s machine readable. But I think that the people who I would want to ask what they need to see are the people who are doing reporting.

And as R.S. described – I think it was R.S. – there’s lots of different kinds of abuse that can be reported. I think it was Chris.

But I’m thinking about – gee, I toured the museum, the RIAA had lots of representation there. And I think they’re probably the ones who are among the groups who are most interested in how this field would be structured and used.

Bill Sandiford: Thank you.

All right, closing the queues in a minute or two. Online check.

Hollis Kara: I do have another comment online. Would you like to take that now?

Bill Sandiford: Go for it.

Hollis Kara: It’s from Joe Provo of Google and the ARIN AC. He says: Has the abuse community – EG, M3AAWG – been engaged to provide input as to the current best practice? We’ve seen many approaches to contacts in the anti abuse communities.

Followed on to say, for example, et cetera, URLs are real, active locations on the Internet regardless of method, URIs or indeed more general, but can refer to off line resources like books. In my opinion, optional URLs are a good thing.

Bill Sandiford: Thank you, Joe. Rear microphone.

Larry Rosenman: I’m of the opinion that also it needs to be – Larry Rosenman, LERCTR Consulting and myself – abuse URL is much better than an unstructured comment field because comment fields are just generically a pain.
I’m concerned also about having something to be able to tell what type of abuse.

I know I’ve sent abuse complaints for SIP scanners to people, to their abuse contact and hear nothing. And the abuse just continues.

I don’t know that there’s anything ARIN can do about that. But possibly setting up a way to know if it’s network abuse, send it here; if it’s spam, send it here.

Bill Sandiford: Thank you. All right. Closing the queues now. And front microphone.

Andrew Dul: Andrew Dul: This is probably a question for someone who is more familiar with the RDAP standard. Does the RDAP Point of Contact data structure allow for a field like an optional URL field?

Bill Sandiford: Is Mark in the room?

John Curran: Mark’s not here anymore at the conference. I’m going to say RDAP is a flexible format, so you can add any field you want.

Andrew Dul: Okay, I didn’t know there were requirements around adding fields or fields that were defined or not defined in the data structure.

John Curran: We’re not constrained – if you’re asking are we constrained by RDAP, no to the extent that there’s a field or format that doesn’t exist, we’d cycle the RFC accordingly.

Andrew Dul: Okay, thanks.

Bill Sandiford: Last check, any online comments?

Hollis Kara: There were a few in the chat that didn’t make it over to the Q&A. So we’re kind of where we’re at.

Bill Sandiford: All right. Thank you very much.

(Applause.)

Hollis Kara: Thanks again. Rather stringent reminder, I don’t mean to be difficult, but for our virtual attendees, if you can please, please, please make sure, if it’s a comment for the room that you would like included, to make sure that’s in Q&A because I just can’t differentiate between what pops into chat whether that’s amongst yourselves or belongs here.

So thank you for complying, I guess.

All right, moving along. We’ve had that discussion.
Our next policy topic will be presented by Alicia Trotman. And that is Draft Policy 2021-8: Deprecation of the ‘Autonomous System Originations’ Field.

Policy Block 2: ARIN 2021-8: Deprecation of the ‘Autonomous System Originations’ Field

Alicia Trotman: Hi. Good morning. I’ll start here. This policy is being shepherded by myself and Anita Nikolich. I’m sorry, Anita, for butchering your name.

So let me give you a brief history. We had this proposal in July of 2021. It became Draft Policy November 2021.
We’ve done several revisions and wordsmithing to make it a bit clearer for everyone to be able to read and understand. It’s quite simple, this policy.

So the problem statement outlines the fact that the way that the Number Resource holders published their routing intentions have evolved. It implies that Origin AS data is challenging to obtain, consume and employ.

Like I said, this policy if very simple. It’s basically saying the removal of Section 3.5 of the NRPM autonomous system originations.

The timetable for implementation would be one year after the Board’s adoption, if this goes through.

So the PPML, we’ve had very little discussion thus far. We’ve had one person who agrees with this policy. We’ve also had one person who disagrees with this policy.

And for some of the reasons that they’ve mentioned is that several community members still use this, including IXPs. And they’re concerned about the impact it will have on legacy address holders who don’t have an LRSA with ARIN.

So for today’s discussion, I’d like to have a chat with everyone, give your opinions. Does the community support the proposal? Are there a number of community members that this would place at a disadvantage? And that’s the end.

Questions? Discussion?

Hollis Kara: All right. So the microphones are open, if there are any questions. I believe we have a few comments in the virtual queue. Bill, would you like me to go ahead and launch those?

Bill Sandiford: Go right ahead.

Hollis Kara: Beverly, over to you.

Beverly Hicks: James Hulce, ARIN 49 fellow: Opposes proposal at this time. And autologous system origination field in ARIN Whois occupies a peculiar yet potentially valuable place in the routing information landscape. It provides an easy and authenticated way for everyone, including legacy resource holders, to communicate their routing intentions.

Origin AS does not suffer from the other problems associated with IRR, such as proxy records or multiple disparate databases. Several organizations, networks and exchanges report using the Origin AS field to generate filters and perform other operational tasks despite consumption issues. Without much known about its uptake, usage, accuracy and role, deprecation would be premature.

Bill Sandiford: Just keep going with the online ones for now.

Hollis Kara: Beverly, do you want to go ahead and read the next one, or do you want me to grab it?

Beverly Hicks: I’ve got it. Steve Wallace, Internet2: This is the only way that I was aware of that supports a legacy resource holder publishing their valid Origin ASN. I support the current comment that was mentioned before.

Bill Sandiford: Rear mic.

Jared Mauch: Jared Mauch, Akamai Technologies: I believe this is a direct result of work that actually myself and Heather Schiller originally put in, to go and get that information added in. That was before ARIN had very good first-party IRR support.

And so I think that similar, I think long-term – I think identifying that time horizon, I think long-term identifying how to balance the needs of the legacy resource holders as well as the fact that ARIN is now offering a number of ways to validate the IP space and put the ASN in, I think over time sunsetting this, but I think right now would be premature.

Bill Sandiford: Thank you. Rear mic.

Kevin Blumberg: Kevin Blumberg, the Toronto Internet Exchange, being a little different: We don’t use this data. We use IRR. We’ll be using RPKI data.

And the concern that I have is it is putting an expectation that this data is being used by others or should be used by others when in fact it shouldn’t. There are, as Jared brought up, much easier and better ways of doing things.

I agree that this data may be used by some. I don’t know what that number is. But it may be used by some. So the appropriate thing is what was just done with ARIN-NONAUTH, which is to sunset it, have a date that it’s being turned off, get the message out; put in a long frame, maybe three years, maybe five years. That isn’t a problem for me.

But people having an expectation that by using this data, others are going to rely on it, is a false assumption. And really we should be focusing on IRR and RPKI.

This is not a standard field that is used across the board. So doing nothing is just as bad as turning it off right away.

Give it a long sunset; let people know this is going away, is the appropriate way of dealing with it.

Bill Sandiford: Thank you. Check for online. Any more comments?

Hollis Kara: I don’t have anything at present.

Bill Sandiford: Final call.

Beverly Hicks: I see someone in the process of a comment. We might give it a second.

Bill Sandiford: Happy to do so.

Beverly Hicks: I was right. There it is. Anthony Delacruz from Lumen. Please do not remove this. It is a helpful field to us and other ISPs to use to indicate when a multi-homed customer borrowing space from us intends to announce to other ISPs and saves us a bunch of time in doing [indistinguishable].

Bill Sandiford: Thank you. Seeing no one else in the room and no further online comments, we’ll move on to the next presentation.

One more, one last one.

Louie Lee: What are some answers being provided to people who are using this as their Origin AS information? Are they actually being directed to other databases to put their information, or are they just going to be out?

Bill Sandiford: That’s a good question.

Louie Lee: Any answers to that?

Jared Mauch: Jared Mauch again. Hi, Louie. Haven’t seen you in a while.

I know some people, like I said– and you heard the comment from the gentleman from Internet2– use it. I think, and I was having a conversation with Kevin, who was sitting next to me, about this as well. This is a unique thing that exists only in the ARIN region as a direct result of the weird way in which ARIN operates itself compared to all the other registries on a global basis.

And so I think, as Kevin said, if we identify a timeline to sunset this, I think that’s going to make it easier. But there are people who are clearly using it, including researchers who are valuable to the community.

They help us understand the Internet infrastructure very well, as well as some operators use it, as we have heard from the comments.

So if it’s going to be replaced with something, like I said, this was originally put in place before there was a really good first party IRR support at ARIN, because ARIN, for a long time– I’m sure I don’t have to explain it to you– but for a long time didn’t really support that very well, shall we say.

And so I think at this point, now that there is something, there’s a place for the members to go to for that, I think that this is helpful, any members should get transitioned there, and then identify a sunset period for non members.

Bill Sandiford: Thank you. Any further onlines?

Hollis Kara: We do. We have one more that popped into the queue.

Beverly Hicks: David Farmer, University of Minnesota: Do not support sunsetting at this time. However, it does need to remain in the NRPM.

Bill Sandiford: All right. Thank you, everyone, for your valuable feedback. The AC will take that under consideration.

(Applause.)

Hollis Kara: Moving right along. We have our final policy discussion of the day. Chris Woodfield is going to come up here, and he’s going to talk to you about Draft Policy 2022-1: MDN Clarification for Qualification.

Policy Block 2: ARIN 2022-1: MDN Clarification for Qualification

Chris Woodfield: Hi, everybody. I’m Chris Woodfield. This is a Draft Policy, the first policy of 2022 to come onto the docket.

So the history of this proposal, it was originally submitted in December of last year. It was adopted on to the docket as Draft Policy in March and published to PPML. A helpful suggestion for rewording was made as part of the PPML discussion.

We took that suggestion, revised the policy, published it again later that month and pushed it back out to the PPML for additional comments.

So far PPML discussion has been light but supportive. I’ll characterize it as that. So this proposal is a product of the Policy Experience Report Working Group that Sean has mentioned.

I believe this was one of the final outstanding items on the backlog at the time. And the issue here and the problem statement is that we have requirements for transfers in Section 8.5 that do not address multiple discrete networks.

The requirements as is assume that an operator has a single pool of space with single ASN, while other sections of Section 4 explicitly handle qualifications for an operator running multiple discrete networks.

And that’s defined by, if you’re an operator that has multiple ASNs that have their own prefixes assigned to them that are not connected onto a single network, that way your network resources are not fungible between them.

I am not going to read this block of text. But this is the new language that’s been proposed. The nutshell is that the 80 percent utilization requirement for a transfer is per discrete network as opposed to applying to an organization as a whole.

An organization can qualify for an in bound transfer if only one of their discrete networks is more than 80 percent utilized instead of having to show that their entire network resources are over 80 percent.

There is a limit on what they can receive, which is currently up to a /16 in the language as well.

Staff and Legal: Staff understanding is that it expands the address block criteria to clarify the qualification criteria for Multiple Discrete Networks and specifying, as I said, each network must be assessed individually for utilization thresholds.

This is apparently already current practice and per Staff and Legal Review is clear and understandable. Implementation timeframe estimate is three months. Standard staff training, documentation, updates to internal procedures and guidelines.

No tooling or software development is apparently needed to implement this. A link to the text assessment can be found in the slide as well.

Implementable as written. Yes. No impact on ARIN registry operations and services, and no material legal issues.

So this Policy Proposal brings up a few questions for the community. The first one is does this proposal, this Policy Proposal, solve a problem that affected organizations could solve by other means?

If an operator with multiple discrete networks has one network that is running full and another network that is not, is it reasonable to expect that, instead of adding this policy, we could expect those operators to reallocate resources to more evenly utilize their different networks, depending on how your network is– the architecture of the network. That may or may not be the case. But is this something that needs to be solved by policy?

Second question, does the total amount of space for which an organization can qualify, the aforementioned /16, does that seem reasonable?

And number three, does the stated problem justify the additional complexity added to 8.5.7. As you saw there’s quite a bit of text being added, and does the net addition to that text– does the problem it solves justify the additional complexity of that policy. The readability and understandability of the NRPM is an important goal, and are we going the wrong direction if we adopt this?

So with that, open up the queues and open for questions. What do you think?

Bill Sandiford: All right, looks like a stampede heading for the microphones. Any comments from online yet?

Hollis Kara: Seeing if there’s anyone is typing.

Chris Woodfield: I can say something about IP leasing.

(Laughter.)

Bill Sandiford: Dododo… all right, guys. We’ll give it another 10, 15 seconds or so for those in the room to change their minds and have a mad dash for the microphones or for those online. If you get one from online, Bev, just go ahead.

Beverly Hicks: We’re in the clear, and everyone has been advised if they do have something last minute to raise their hand so I can see it. No one has their hand up and there are no questions.

Bill Sandiford: You’re just that good, Chris. Just that clear and precise. Thank you very much.

Hollis Kara: Thank you.

(Applause.)

Just because we’re running ahead does not mean you escape. Give us a moment. We’re going to have Brian Kirk – do we have those slides up? Yep. There it is. Brian Kirk, our CFO, is going to come up give us an update on our Financial Services Department.

Financial Services Department Update

Brian Kirk: Hello, everyone. Good morning. My name is Brian Kirk. I am the new CFO. I’ve actually been at ARIN for 27 months, 25 months of those I’ve been working from home. So it still feels new to me, especially here at my first in person ARIN meeting.

It’s a pleasure to be here. It’s a pleasure to finally meet some of you. And I look forward to meeting the ones that I have not met yet.

So my purpose here today is to talk a little bit about FSD, the Financial Services Department.

Here we go. I’ll start with the billing and accounts receivable area. You can see from this slide, the core functions that this area works on –and we couldn’t do the work we do without the cooperation and partnering with the RSD team and the CCO team.

It’s a big help to us using their knowledge, combined with the knowledge from my team, to get the work that we need to get done for the customers and have it done in a timely and accurate way.

In addition to that, we also couldn’t get our work done in this area without a lot of support from the engineering team. They work tirelessly to help keep our systems up and running. We thank them very much for that.

There’s a total of five people on this team that’s led by Tammy, who has been with ARIN since the year 2000. And, you can see that Tanya, Amaris and Amy also have extensive years of service with ARIN. Plenty of knowledge in this area to support the customers.

And then recently Cathleen joined the team in 2019 to help complete some of the volumes of work.

This slide shows some of the billing activity that we work on each year. In 2021, we had just under 27,300 invoices prepared. And that was for a total of just under $23 million.

And because we send out so many invoices, there’s a lot of customer service activity to work on. Here you see the call volumes from 2020 and 2021, which is always around 3,000.

But that’s not just the only way we work with or communicate with the customers. Many more transactions and customer touch points are done through ARIN Online and/or through email.

The other area within FSD, it’s really broken down into two – the accounts payable and disbursements area and general accounting and financial statements area.

This slide shows the area or the core functions in each one of these groups. I don’t know– it wasn’t on purpose, but one main item was left off of this slide. And it’s everyone’s favorite.

It is, of course, the annual budgeting process. I don’t know if that was Freudian in leaving that off. But it is something that’s important to my area, important to the company. And it’s something that we do starting in the third quarter of each year.

This team also has many years of experience. It’s just that that experience is not with ARIN.

Ray, who leads the department or this area, is the Accounting Manager. He started in 2020. And he was followed by Melissa, Senior Accountant.

The three of us are still in the process of learning some of the ARIN business together and learning how that affects the accounting systems and our financial statements.

But just because they haven’t been there with ARIN for too long, we’re still able to get a lot of the work done.

And some interesting information on the disbursement side of our work. This slide shows the types of disbursements starting in the year 2020.

And as you can see, the green bar indicates how many checks or the percentage of checks that were prepared each month for disbursements, for payments to our vendors and the like.

And you can see that the green bar is the highest bar, until really– it starts to trend down in the fourth quarter of that year.

And this was necessary because, of course, we were out of the office because of the pandemic, and we needed a way to figure out how to get these disbursements to the vendors in an easier way.

So as you can see, in 2021, the trend of fewer checks and more ACH type payments continued where we’re really now in a situation where it’s easy to get payments to the vendors without heading into the office, and we really just need to do that once in a while to get a couple of checks done.

So combining those two charts really shows a dynamic process of how we went from many checks, which was 65 percent in 2020, to now, in 2021, it was only 16 percent of the disbursements by checks.

So it’s an example of how we, just like many organizations, have had to adapt our processes during the pandemic.

So what else? As I said, I was in the office for two months. And I was lucky to have those two months to at least get to start developing a relationship with my team members and the other employees of ARIN.

I did not get to meet everyone. But just the fact that I had those two months in the office was a big help and allowed me to continue to work on some of the things that needed to get done in the area.

This slide shows many of the things that we’ve accomplished over the last two years. We’ve tried to update and automate some of the accounting systems. We’ve had to implement new GAAP accounting policies.

We went to the market to consider a new auditor and eventually change from RSM to BDO, who just finished their second audit. And the financial statements and the audit report were just confirmed and approved by the Board this past Sunday.

Very happy with the relationship that’s developing with BDO. They’re very competent, very service oriented and have been very helpful to me as I have started my career with ARIN.

In addition to that, we went to the marketplace to see if we wanted to change investment advisors. And we ended up doing that – and have been working with a company by the name of Fiducient Advisors since– I think it was – February of last year.

They have helped us look at our asset allocation, and in working with the Board, in April of last year, we did de risk, a little bit, our portfolio and that was a big help to the organization as well.

We will continue to work on some changes that we’ve identified that can take place within the department, continuing with really reviewing the accounting processes and trying to drive automation.

One thing that will be interesting to hopefully many of you is the investigation of a new payment portal that will provide, possibly, new payment options and actually make it easier for us within ARIN to maintain the systems and still service you as best we can.

Just a couple of final thoughts. And I stole– I borrowed– this phrase from a coworker at a previous job. And that’s to be brilliant at the basics.

And again, when I look at and think about FSD, it’s a lot about transaction processing, accurate and timely financial statements and other reports, managing the cash effectively, andmaking sure we have positive and effective internal controls.

But those are all things that really need to be done just to keep the company functioning from a financial management perspective.

And we need to be really brilliant at all those things. But when I think of the value that FSD provides the community, it’s really the statement that when FSD is doing what we do well and what we do accurately, we can actually be an enabler for the other ARIN departments so that they can deliver the value creating products and services that you guys expect and that you guys need to do your work and run your businesses.

And it’s also the fact that when FSD is doing the work we do, and if we do it well, that we are facilitating the protection of your assets, of the community’s assets, to help ensure those assets are used in the right manner and used to support the mission of ARIN and for the community.

That’s what we do at FSD. And I think that was my last slide.

Hollis Kara: The microphones are open. Are there any questions for Brian? Does it look like we have anyone typing, Beverly?

Beverly Hicks: No.

Hollis Kara: All right. Thank you.

(Applause.)

You still don’t get to escape. While I’m giving the team a moment to pull up the next presentation, I want to talk about what doing this one now means for the overall agenda for the meeting.

We have successfully managed, because you guys are apparently resting up after last night to get ahead of ourselves a little bit. We’ve been able to complete the schedule that was planned for after the break tomorrow.
So what that means is we’re going to be finishing up a little bit early tomorrow.

I don’t know if you planned that because you wanted to go downtown, poke around a little more or what, no judgment, but we are still going to be making a box lunch available.

I do encourage and invite everyone to pick up their little picnic basket on their way out the door when we break tomorrow.

And I see the slides are up. So I’ll stop talking and invite Erin Alligood up to give the Human Resources and Administration Update.

Human Resources and Administration Department Update

Erin Alligood: Good morning, everyone. I’m between you and lunch. So I’ll make this as painless as possible.

As Hollis indicated, I’m Erin Alligood. I’m the Senior Director of Human Resources and Administration here at ARIN.

There we are. So first I want to introduce our team. I thought it would be fun to show a Zoom shot since this has been the way we’ve been meeting for the past two years. I know you’ve probably seen these screen shots over the last two years repeatedly.

But first you’ll see Lori Gheitanchi. Lori is our Facilities and Travel Manager. Lori’s been with ARIN almost three years. As her title indicates, Lori manages our facility located in Virginia. And she also books travel for our employees and she also manages our relationship with our travel agency.

Denise Alston is our receptionist, and Denise has been with ARIN for almost eight years. During the pandemic, Denise has stayed busy with obtaining our mail from our P.O. Box location and our office location. And Denise is actually doing something interesting, where she’s assisting our software integration team with doing some user testing as well in her spare time, which I think has been a great value add for Denise.

And some exciting news. Denise received her bachelor’s degree just last year. So congrats to Denise.

(Applause.)

That was a wonderful accomplishment for her. So you’ll also see we have a vacant picture for our HR generalist. We actually just hired a candidate. And I’m happy to report they’re starting next week, which is May. It’s hard to believe it’s already May of 2020 – 2022. Don’t want to repeat 2020. That will be really exciting for our team.

So because our team handles such a wide variety of responsibilities, I usually like to show this slide during my presentations. You can see here that our team handles all facets of human resources.

And then we have some other items sprinkled in to include travel administration and office and facilities management.

So Richard Jimmerson, our COO, covered some of this yesterday, but I just thought I would cover it again today, just in case you missed his overview.

When the pandemic hit in 2020 of – March of 2020, ARIN was very responsive and moved all employees to working from home. And most of us are currently continuing to do so during the pandemic.

But employees do have the option to go into the office under a limited reopening program that Richard described yesterday, which is basically a program that we established in the summer of 2020. And employees are able to come into the office and just adhere to guidelines for office use during the pandemic.

But, with the pandemic hopefully improving, we’re currently working towards a general reopening of the office later this year. As part of our reopening plan, we took into account feedback from our employees by conducting an employee survey on what the employees are looking for as we reopen.

We also conducted a workforce study with an outside consulting firm to determine the future work environment for ARIN.

Based on these two data points, ARIN will be moving into a hybrid work model where most positions will be designated under a hybrid schedule.

So here you’ll see ARIN’s value statements. I’ll just read them briefly.

We are passionate about our mission; service to our members, customers and the global community; our people matter; and we are accountable.

We thought it was important for you as members of our community to see what ARIN strives for as employees and an organization.

These values are part of our everyday work here at ARIN and are even tied to our 90-day, six-month, and annual performance discussions. These statements are a great representation of what ARIN is about from an employee perspective.

Moving into some of our employee statistics, which is probably one of my favorite slides to show here at our meetings. Fully staffed, ARIN is at 93 employees.

And as you can see here in this graph, our average tenure is quite impressive at over eight years. And you might remember that we had to add a category for 20 plus years, because we do have seven employees at ARIN who have been with ARIN for 20 or more years. So that’s quite an accomplishment for those employees. Some of them are here today.

And then as you look a little closer at the chart, two-thirds of our employees have been with ARIN for five years or more. But at the same time, we’ve been successful in drawing new talent to the organization in the zero to five-year category.

So what’s next for us for the rest of this year? I’m very excited to be onboarding our new HR generalist next week. We’ll also be conducting our salary survey later this year. We typically do these every other year. And this is an exercise for us to evaluate our employee compensation structure and ensure that our staff is compensated both within the range of our demographics and the employees' specific roles at ARIN.

As you can imagine, in the Washington D.C. job market, the market is very competitive. And this exercise is extremely beneficial for ARIN with regards to maintaining that favorable employee tenure and ensures that our overall compensation package is competitive when compared to the market.

And then of course we’ll be focused on our reopening plan for later this year.

All right. Lunchtime, unless you have questions. I think lunch. I don’t want to misspeak.

Hollis Kara: You’re good. You’re good. Anybody have any questions for Erin? No. Erin, you’re all set. Thank you so much.

(Applause.)

Hollis Kara: A couple quick reminders before we dash out to lunch, which should be ready in just a moment, so if you can walk very slowly down the hall to make sure they have time to finish setting up.

We are breaking a little bit early. That said, we will be coming back as scheduled. Let me verify – somebody changed my paper – at 1:30. And we’re doing that for the benefit of our virtual attendees as well as the virtual panelists.

We will be spending our time after the lunch break on our IPv6 panel. I’m really excited. Please, let’s get back in the room on time. Just a hint.

See you at 1:30. Lunch break is down the hall in Symphony 1. There will be signs on the tables for the Table Topics today for those of you who wish to participate.

And, yes, R.S., please grab your lunch and head over to the green room if you want to test drive, using Git to explore the history of NRPM.

And, again, the Table Topics today will be routing security, CCO feedback – so any complaints you want to have, take them to Joe Westover. IP leasing, Alison Wood will be running a table to talk about that. Internet governance and international political conflict with Alyssa. Hopefully there are no raspberries. Simplifying the Number Resource Policy Manual with Chris. And then improving policy discussions with Anita. And exploring NRPM history with R.S. just down the hall.

And virtual attendees, there’s no reason to close out of the Zoom. We’ll have a timer come on so you’ll know when we’ll be starting back. And please, everyone, enjoy your break.

(Applause.)

Hollis Kara: Welcome back from break and lunch and all those things. We’re getting ready to start our afternoon.

Very excited to introduce our panel today. I’ll bring John Curran up to take the lead. We’re going to talk about why the Internet hasn’t just migrated to IPv6. Seems like a reasonable question. John, you want to come up?

IPv6 Panel

John Curran: So, good afternoon. We’re trying something a little different here with an exciting panel. I have the privilege of having an esteemed set of guests.

I’m going to introduce the remote ones and the ones in the room, and the ones in the room can come up as I introduce them.

So we have a six-member panel. The six-member panel will be discussing why doesn’t the Internet migrate entirely to IPv6. Three remote panelists, three panelists who are here. We’ll be going through in a pretty strict order to make sure we can keep things organized.

The first panelist, I don’t know if he needs any introduction, a gentleman named Vinton Cerf from Google. Vint, are you out there? Do we have Vinton available remotely? Yes, very good.

We also have joining us Geoff Huston of APNIC, also a man who needs little introduction, and Brent McIntosh from MCNET SOLUTIONS, our three remote panelists.

Here in the room, if I could have Byron Holland come on up. And Lee Howard – Byron is with CIRA. Lee Howard, IPv4.Global, and Jared Mauch from Akamai. Come on up, Jared.
Byron, Lee and Jared. Just to keep my mind straight.

Okay. So I actually gave them a set of questions that they could be prepared for. And I’m going to go through them in order and I’ll let each one respond. And then we’ll open it up to your questions, but let’s do mine first.

So each panelist, I want to address the topic of, the question of why does the Internet completely migrating to IPv6, what does that mean to you? And do you think it will ever happen? That’s the first opening question.

So really I ask Vint, what does the Internet completely moving to IPv6 mean to you and do you think it will ever happen, Vint?

Vinton Cerf: The answer to the second part is, yes, I think it will happen. I think IPv4 will still be around. But IPv6 only capability is going to be important.

I’m going to take advantage of having grabbed the microphone first that I would start with an apologia, and that will offset what Geoff Huston has to say, which explains why we are so stupid as to think that IPv6 will ever happen.

So, 1996, we adopt the standard, and I thought and a lot of other people thought, we would implement it immediately because why not? It wasn’t a very big network at that point still.

The trouble is that the dot boom was underway, thanks to our friends at Netscape Communications going public. And the result was people who have plenty v4 address space didn’t pay attention to v6 because they didn’t need to, and they were too busy catering to the World Wide Web and the dot boom.

However, with IoT and mobile and 5G and everything else, I think the number of devices we expect on the net is enough to justify moving to larger address space. So I think we should just stop tinkering with it, which is still happening, and get busy and implement it. We need to shake out the security bugs. We need to verify interoperability. We need to assure cloud implementation. We should reintroduce the interop process where people demonstrate their ability to enter work. We should have hack-a-thons. Procurement process should include incentives because if it doesn’t inhibit or impede adoption of IPv6.

And finally, I think we should all be demonstrating at least that we can run with IPv6, nail down the Whac-A-Mole problems and reliance on IPv4. I think we should do it. I think we could do it. And Geoff and others can explain to us why we haven’t.

(Laughter.)

John Curran: With that, thank you, Vint, and I’ll turn it to Geoff. Geoff, what does completely moving to IPv6 mean to you? And do you think it will happen?

Geoff Huston: Yes, good afternoon all event staff. It’s good to be here, even virtually. And I wish I was there in person.

Look, John, I’m going to rewind it back even further than Vint and look at the late 1980s and the evolution of networking at the time. There was this big issue about how do we identify endpoints. And the whole idea was we’re going to use these permanent tokens that both the network and the host could use to identify itself. These were addresses. And the whole Internet was based on static addressing.

When we, in 1989, got told by Frank Solensky the plan was falling apart and we would run out of addresses, we started two things going at once. One was the short term fix. And the other one was the long term solution.

Interestingly, the short term fix was address sharing. It was the idea that we would suppress for clients the fact that they needed a permanent address. We’d just loan them an address.

Now this is interesting because the evolution of computing wasn’t that everyone runs a mainframe. We don’t have a billion mainframes out there in the world. We have billions of clients. And clients, as we’ve found, don’t need addresses.

So fascinatingly, we’ve built a server client network that uses names as its currency of connectivity. And addressing is actually a 1980s concept.

Now, we still need addresses. We still need those ephemeral session tokens to distinguish one conversation from the other on the net.

And so far, v4 is holding out in many places. But even with sharing, even with all of that, we’re seeing the end of the wheelbarrow. It’s running dry.

So what’s going to happen is that more and more, as we deploy v6, particularly in the big retail networks – and you see it in all the big mobile networks – as we move to v6 in the servers, the networks move to v6 by default.

Thank you, Happy Eyeballs, and the pressure on the net pools decreases. So I can run bigger and bigger retail networks with smaller and smaller pools of v4 addresses because the NATs don’t matter anymore. What does that mean?

Well, eventually v4 is going to slowly whimper and die, but it won’t matter. We won’t see it because we’re name based networking in all but name. We’re now doing tricks with names that we never thought possible. Tens of thousands of webhosts sit on one IP address.

So all of a sudden, addresses don’t matter. And by the time we start looking, v6 will have disappeared. And that’s the definition of complete migration to me. Thank you.

John Curran: Thank you, Geoff.

I’ll turn it to Brent. Brent, what do you think? What is the end of IPv4, complete migrating to IPv6 mean to you? And do you think it will ever happen?

Brent McIntosh: Awesome. Good afternoon. It’s a pleasure to be here to meet such great colleagues.

So I’ll give you my perspective. And initially, I focused a lot on what’s happened in the Caribbean. And as you know, the Caribbean is pretty small when you compare to the rest of the world. And we usually follow the trends of the bigger countries.

I spent a lot of time looking at research from Vinton, from Geoff, from APNIC resources for SixLab results on IPv6 adoption and readiness statistics.

Now, to me, those are just components of moving to full migration. Would it ever happen? Absolutely. When? I just can’t say. Because to be honest, at this stage, I didn’t even think we would have gotten as far as we have reached with IPv6 adoption and migration.

So while we were wondering if it would ever happen, there’s great progress being made. But just give a little insight of why I think it will happen.

As to date we’re seeing content delivery networks – Akamai, Google, Facebook – who have fully migrated to IPv6. The challenge that we see is that smaller businesses and enterprises and smaller ISPs are still lagging because, oh, I can get IPv4 addresses still even though we have completely run out of IPv4 address space, I can get from IPv4 brokers.

We’re even hearing talks about maybe the Class E address space maybe being freed up to provide more IPv4 addresses, right?

So the question is when will it happen. And to be honest, we can’t say. But I think that it’s going to happen, but it’s going to take a holistic effort. And I think Vinton and Geoff really put in perspective of what can happen and what should happen. That said, though, it will be great later on to share more perspectives on that entire full migration.

But to sum it up for me, full migration is when we have every network running IPv6 natively. And that’s my take on it, John.

John Curran: Excellent to hear. Really good.

I’ll turn to Byron now. CIRA, what does completely moving to IPv6 mean to you? And do you think we’ll ever get there?

Byron Holland: Coming from the names side of the names and numbering house, I probably have a slightly different perspective or at least maybe a different set of metaphors. But when I hear “completely,” I actually think what does that word actually mean.

And “completely,” is it from Telco routers and switches through ISPs, DNS operators like myself, webhosting shops, on down to the very edge in home networks and those routers that have been in closets for a decade or more, or as Lee said to me this morning, smart TVs.

Now, is that full stack completely going to be migrated to IPv6? I think the short answer is not anytime soon. But that doesn’t mean it still shouldn’t be the goal, and particularly as Internet of Things really takes root in a meaningful way, of course it needs to still be the goal.

But I look at it probably a little bit more like take something – oh, not a politically hot topic at all – but something like the electrification of the automotive fleet.

Ironically, given the timeline, we just heard about — late ’80s, early ’90s — GM had a pretty good, at least, city based electric car.

Thirty years later, we’re really just starting to see that market take shape in a really meaningful way. And it’s probably going to be decades more before the fleet is electrified, which if you’re a car guy or a car woman, and you’ve driven the latest and greatest combustion versus electric, electric is just better — even if you’re a car guy — in many, many ways, many ways.

And we can argue qualitatively, is IPv4 better than IPv6 or vice versa. Let’s say, at least from a scale perspective, IPv6 is better. We’re headed that way. I think we need to be ready for a much longer transition than perhaps this community would ideally like.

John Curran: Good insights. Very nice.

Now, Lee Howard with IPv4.Global. That’s one of the people with, providing IPv4 addresses to those who want to keep it going.

Lee, what’s your thoughts on moving completely to IPv6? And will that ever happen?

Lee Howard: It’s a really interesting panel for me to be on. I think it’s a good idea. So, actually, thanks, I think you gave me a great point to start from in what’s this definition of completely migrating to IPv6.

It seems to me that I don’t care if there are pockets of IPv4 in some dark corner of the data center somewhere or in somebody’s home someplace. That’s not what matters to us on the Internet.

On the Internet – for the Internet to migrate to IPv6 means that you don’t need IPv4 in order to connect usefully to this super set of networks that connect to other networks in order to interoperate.

That’s what I would be looking for. When will we stop using IPv4? Well, when do we stop using DECnet or SNA? When did we stop using buggy whips? There’s still buggy whips being manufactured because there’s still people who are riding buggies.

Okay, that’s fine, but we don’t need to manufacture our roads to be exclusively capable of handling buggies anymore.

What will it look like when we migrate there? We’ll have pockets of connectivity that are – maybe even pockets of disconnectivity to the rest of the Internet. What I’m mostly concerned about is making sure that the things we need to be able to connect to each other can use a common protocol.

Probably the long term best protocol would be IPv6. And, so, when will it happen? It’s increasingly happening, but I really – I don’t know.

John Curran: Actually, “I don’t know” is one of the world’s best answers.

Lee Howard: It’s turning out to be a longer tail of migration than I hoped 10 years ago.

John Curran: I’ll now turn it to Jared. Jared, what does completely moving to v6 mean to you and when?

Jared Mauch: I’ll actually start by answering the when. I think we’re probably about 25 years away from that.

John Curran: Okay, a date.

Jared Mauch: Set your calendars, come back to me in 25 years and, like, let’s have that conversation. But I think we’re probably out there on the horizon like that.

But the completeness, I think a lot of the other members of the panel got us there, is completeness is when an end user who is using a device in their home, on a mobile network or something can’t tell.

That’s the real – for me that’s the real test, is when a consumer using the service, the technology people, just like the car analogy and everything else, we’re going to care about all of the inner workings of it.

But if the end user can’t tell the difference of what address family, what IP protocol is being used on the other device, that’s when we have truly completely migrated, I think.

And that’s really when it’s going to be there. But I think when you talk about product lifecycles, you’re probably about 25 years.

John Curran: Okay, very good to hear.
We have our next question I posed to the panelists was: What are the hurdles? What are the hurdles of getting there?

25 years is a long time. I don’t know. I heard another “I don’t know.” It could be decades. Why is it so long? What are the big hurdles? What do we do about them?

I’ll start with Vint again with our remote panelists and move to Geoff and Brent afterwards. Vint, what’s the big hurdle?

Vinton Cerf: One of the big hurdles seems to be getting the ISPs to offer IPv6. And for a long time that wasn’t happening. It’s beginning to happen. I used to make regular calls to Verizon Fios saying when can I get my IPv6 address.

And I actually got it just about, I don’t know, three weeks or four weeks ago. They came out, installed new routers and, voila, I now have both v4- and v6-capable devices around the house. So I think the ISP impedance has been part of it.

My understanding is that most equipment, edge equipment – whether it’s laptops or pads or routers, what have you – all have v4 and v6 capability available, even if it just hasn’t been turned on.

My argument is that it’s mostly ISP impedance, that is why. But I’d be very interested to hear different perspectives from the other panelists.

John Curran: Very good. Geoff, Mr. Huston, what do you think of the big hurdles?

Geoff Huston: The first trouble is thinking the Internet is one network, where it’s actually thousands of component networks. And what we actually see are a number of different markets with different perspectives. Markets that are expanding and booming are actually more advanced than the v6 part. So the mobile markets, the consumer markets, they’re actually embracing v6 very quickly.

Look at India. They’re now, some 70 percent of the country is now v6 enabled because they decided to launch a $2 handset. And that massive expansion set, they had no choice. So not only did Reliance Jio do it, the other four big providers did it.

And what we see in many economies – Vietnam, Korea, America – is that the big markets have already moved because they’re under growth pressure.

So, who’s not moving? Interestingly when you look at v6 numbers, weekdays are lower than weekends – lower.

Enterprise markets are not moving because there’s no need. They’re not growing. So they’re quite happy to use old technology because they understand security issues, they’ve got their tools developed, they’ve got their staff. For them, it’s a comfortable non-decision to wait.

And because the perspective is v6 doesn’t do it better, it just mitigates future risk, those enterprise markets feel under no pressure. So that diversity is a big factor here. Some markets will move quickly, the big ones. The smaller ones won’t.

The second issue is the price of v4. For almost a decade since exhaustion, the transfer markets were pegging the price of v4 address really quite low. They didn’t move.

They went from about $12 an address US up to $20 over that ten year period, which really reflected a view in the industry that said: What problem? There is no scarcity. We’re not reflecting scarcity in price. Last year the price doubled. Doubled every year.

There is an increasing view that this resource is under competitive strain in the marketplace. And quite frankly that strain is the other huge factor that is driving transition. Because as I think Tony Hain pointed out many years ago, and appropriately Howard, as well, one of the biggest incentives is if we get to $1,000 an address, it’s not going to stay there for long because we can’t afford it. It’s going to collapse at that point.

And so watch that price. That’s a big signal. Thank you.

John Curran: Excellent, Geoff. So we need more growth to drive v6 and we need higher prices. That’s good to know.

Brent, what’s the hurdles?

Brent McIntosh: John and team, to be honest there are tons of hurdles. And how we solve them, again, that could be a long list.

Initially when I was looking at the questions, I was sort of focusing on what’s happened in the Caribbean side. But I’m so happy to hear that some of the challenges mentioned by Vint and Geoff, it’s pretty much similar to what’s happening in the Caribbean.

That said, though, a critical aspect of getting IPv6 migration on the stream is what value does it bring?

And I say that because I had many discussions when we started that IPv6 forum in Grenada, as to what can we do to help push this process of IPv6 on.

And we had the topic, the topic was: Maybe customers need to put more pressure on ISPs, because ISPs were the ones that were not making the moves at all.

That said, the responses were the customers would never ever put any sort of pressure on ISPs to migrate to IPv6 because as far as they’re concerned they have the end to end services that is working, no problem.

So one of the challenges we see and similar to what Vint was saying, in the Caribbean, we see ISPs are not making moves fast enough. But that’s the challenge.

And I did some research a couple years ago for a couple of ISPs I worked for. And the question was, okay, guys, it’s time. We need to start focusing on IPv6 migration.

And the executive team, the first question they would ask is: Can you just do a cost benefit analysis and let us know? Then we can make a move. Maybe not move.

So the issue of cost – what it would take to actually do that, you know, that has a lot of bearing on that transition process.

We see ISPs – and, again, I’m focusing on ISPs because that’s where I see one of the major hurdles is. They’re happy to continue doing carrier grade NAT, IPv6 assessment, replacing hardware. All these are challenges for them.

So these are some of the key areas, right?
The second one that I would want to focus on for just a few more seconds –

John Curran: Sure.

Brent McIntosh: Is security. We’re moving to cloud services. While cloud security is now a big thing, it’s still not fully understood. Moving more closer to the cloud connected by IPv6 might be another challenge. And the review with technical engineers on IPv6 migration, security is always one of the top priorities, from my experience.

Most times, they can tell me a thousand reasons why we should not move to IPv6 as opposed to maybe two reasons why we should.

So you have education, the value proposition, security concerns and general competitive nature of businesses.

John Curran: Got it.

Brent McIntosh: This is going to make me make more money. How is this going to help my business?

So it’s a lot of hurdles, John and team, but we can get over these hurdles. As for how and when, again, that’s up for discussion.

John Curran: Got it. Brent points out there’s a lot of things we need to work on.
Byron, what are the hurdles? Is the DNS a hurdle?

Byron Holland: I think DNS is going to be the savior, actually. Look, there’s Geoff nodding. Thanks. Back me up on that one.

I think in terms of the hurdles, though, we just heard one of the key ones, which is ISPs. If you think of, from their perspective, and I’m not an ISP, but if you’ve got a roller truck with a service tech, put in a new device. Depending on traffic, it’s a couple of hours.

The cost of that per home, and you’re going to have to call that customer and say, you know, somewhere between noon and 6:00 PM, a tech is going to show up and enter your home. Other than going to the dentist that’s the next lowest priority on anybody’s mind is having an ISP tech show up.

So you’ve got that. But downstream of that – and some of these are my customers – there is no appetite to do work, to do engineering work, to get new gear, where there’s no revenue associated with it.

And for me to try to push that, to maybe have a flag day or self-service or something, there’s just no appetite for that. And these are key channels through which v6 must flow.

So that to me is one of the big stumbling blocks and hurdles because there’s no customer demand. There’s no revenue flow.

The flipside of that in v4, this kind of incredible organic market has come up over the last, pick your timeline, a decade or so.

Obviously, policies have been put in place over time. But this was capitalism doing what capitalism does. It sprang organically from this space, created its own market. Now there’s some rules and policies.

But until Economics 101 that supply and demand and the price – and Geoff talked about it a little bit – that continues to satisfy the market right now. And until that price escalates to the point that people aren’t willing to pay, then there’s not a lot of pressure to migrate, interestingly, to this giant free pool over here. But there’s this wall and hurdle and the price isn’t high enough yet to get us over that hurdle.

And until that starts to change, I think, the laws of supply and demand will be in effect.

John Curran: Got it. So, Lee, apparently the problem is, you just need to charge more. Can you talk about the hurdles? Apparently your low price is a hurdle.

Lee Howard: Apparently the fact that prices have only doubled is insufficient. And, of course, I don’t set prices. The people who have addresses, they aren’t using – decide how much they’re willing to accept. And people who need more addresses than they have decide how much they’re willing to pay and that’s how it becomes a market.

I don’t know. Of course, I think it was Geoff said everybody should do a cost benefit analysis.

I think I did that when I was working for an ISP, and said, I can deploy NAT or I can buy addresses or I can deploy IPv6 and what’s the right combination. And I shared my thinking with NANOG and I came back 10 years later and shared it with NANOG again. And I’ve been pretty public about that. But of course, everybody has their own calculus.

To my mind there’s three legs to the stool. There’s the network operators. And I divide those up. I think that I disagree with everybody else. I think ISPs are doing fairly well. The growth in IPv6 on ISPs is linear. And it’s been linear for several years now. It’s not the swooping up to the right curve that we were once seeing. But it’s continuing to grow a pace. And that will continue as networks deploy IPv6 and as CPEs are swapped out.

But there’s also the enterprise operators. This is back to – and the enterprise operators who don’t have growing networks – or any operator, as Brent was saying – any operator that doesn’t have a growing network doesn’t need more IPv4 addresses. So it doesn’t matter how much IPv4 addresses cost. It’s not going to be an incentive for them to avoid that cost until they come to a point where they say maybe I want to sell my ISP because it’s worth – the addresses are worth more than the revenue. I don’t think we’re quite there yet for most cases.

So that’s a hurdle that I’m worried about is what do we do with the people who have enough addresses, enough, and there’s no motivation for them right now other than maybe lower latency.

I worry about content. I’m not seeing quite the rate of growth in content deployment as I’ve been seeing in eyeball networks, whether it’s mobile or ISPs.

But mostly I worry about – and Byron said this – mostly what I’m worried about is the consumer electronics. It’s the devices that nobody is buying – is buying their next smart TV based on whether or not it supports IPv6. Why would they?

So the real hurdle to me is the complexity of the externalities of, “I need everybody to adopt IPv6 so that I can avoid this cost or so that I can make this revenue.” But I can’t influence those third parties over there to enable IPv6. And that’s the hurdle that I’ve been trying to figure out a way how to get around and how to make it more of an Internet community of, an ecosystem where we can influence each other.

And I’ve had some ideas but I don’t think that we’re ready to try and apply pressure to those companies who aren’t going to see a direct revenue or cost avoidance benefit from deploying v6 or enabling IPv6.

John Curran: Interesting approach. I had the thought that, as we’re sitting here, we’re building a bigger hurdle and devices that don’t support IPv6 being bought and they don’t need to today.

Lee Howard: We go back to the question of when. Well, it’s when the last current smart TV is out of the last household. So that’s –

Jared Mauch: That’s where my timeframe –

Lee Howard: Is it 25 years? Maybe.

Jared Mauch: Yeah.

John Curran: Go ahead, Jared. 25 years, might be longer if we have a lot of these TVs. What do you think the hurdles are?

Jared Mauch: I think we only have an hour for the panel, right?

(Laughter.)

So I think that’s the challenge, is that there’s an insurmountable list of hurdles that we need to clear.

So one of the biggest ones I see out there is what I’ll call the building code issue. We have this new framework. It’s been defined for over 20 years now, codified in RFCs – this is how you do it. But we have all these new networks. And they’re the ones who are standing up and they’re using these new standards because there’s a shortage of the address space.

All of these existing networks out there, all the existing back end systems – OSS, BSS – all those types of systems, they also need to enable IPv6 on their side.

They need to update their databases. They need to move to native IPv6 data types on the backside. Moving all of these things, these hurdles, each one is a small one. But these are the things that prevent websites from turning on v6 on the front end.

When I talk to website operators, they say we need anti-fraud, anti abuse, good geolocation for our end-user data, to go and identify who is accessing our website and such.

I was in Europe about a month ago for IETF. I couldn’t go to my local county government website because I was physically in Europe, and they have the IP addresses geoblocked. So are they going to say, now I need to import a new data feed for v4 versus v6? They don’t have the sophistication. They have to rebuild all of this.

Part of the reason for my 25 year prediction is it’s not just about the technology and the systems that we’ve deployed today. But it’s also about the people, the people who are buying the equipment, the standards that everything is built upon.

And some of us who are used to memorizing and being like, oh, I know the IP address of the first DNS server I ever typed in because I typed it in 4,000 times when you had to manually do stuff before DHCP was really a thing. I’ve got that embedded in my brain. I don’t think I’ll ever forget that IP address.

But on v6 you can’t do that. So you have to change that entire mindset around it. You have to change people and how they think and how these software systems work and how do we go about reducing the friction of deploying the technology. Because it’s really about that friction and interacting with it.

They mentioned – Lee mentioned the smart TV. Nobody’s going to buy their newest smart TV based on that. They’re going to buy it based on a bunch of fixed priorities, which is going to be the technical specs of the display, whether or not it supports the Wi Fi standards you’re using in your house, maybe an Ethernet port, and that’s probably about it, unless you’re really worried about how a bunch of them do like pixel data privacy stuff.

Like, after that, you’re not going to go and do that. And you just want that consumer electronic device to work. And if it doesn’t work, then the person’s going to return it to the store.

John Curran: Got it. Given the issues, the addresses you’ve memorized and everything we’ve heard over the last – the answers to these questions, let’s go contrarian. Lee raised an interesting point: If IP addresses get so valuable, someone’s going to turn around and say maybe I don’t need mine. I’ll sell my business. Maybe I’ll switch to using NAT and free up addresses.

Do we really have to do v6? I asked each of the panelists the question: Should moving to completely IPv6 even be a goal? Do we care? Why don’t we just reutilize much better, think about all the addresses that haven’t actually been liberated by companies using them today because they’re not at a high enough price?
We might be able to keep this running for decades and decades.

Is v6 really a necessary goal? I asked this of the panelists. Vint, what’s your answer?

Vinton Cerf: I think it’s still a necessary goal. To get there, it would be simplifying the world because having to run both stacks all the time just seems like an additional burden, to say nothing of the opportunity of security problems.

I actually have a question you could consider later, maybe.

John Curran: Sure.

Vinton Cerf: There’s a scenario where eventually you can’t get IPv4 at a price you can afford, so you choose to use IPv6. Other people who are still running v4 have customers trying to reach the IPv6 people. How do they get there if they don’t have IPv6 available?

That argument was used to try to convince ISPs they should at least get IPv6 in addition to v4 to allow their customers to get to the v6 only people.

John Curran: That’s a good question there that we’ll need to pick up in Q&A.

Vinton Cerf: Okay.

John Curran: Geoff, what do you think? Should v6 even be a goal? There’s a lot of addresses if we slice them really finely.

Geoff Huston: Let’s continue that thought. Let’s press a little hard on that button.

We’re using NAT. So we’re taking 32 bits and we’ve added 16. Wow, that’s 48 bits of usable address space. But that’s not all. We’re timesharing those extended 48 bit addresses.

So the true capacity of IPv4 is equivalent to 1980s address space of around 52 to 53 bits in size. Interesting, because in our current deployment plans for v6, a lot of ISPs are giving their customers 48 bits.

John Curran: Right.

Geoff Huston: Now the issue is if we pack v4 as tight as it will go and then go, all right, now we’ve really run out, v6, come on down, your day is now. And v6 goes, oh, hang on, we’re full too.

(Laughter.)

This doesn’t work because we’re so extravagantly full, we’ve relived the early class ADC days of v4 and v6. We’ve been so extravagant in v6 and we’re handing out addresses like there’s no tomorrow. We’ve actually replicated the same density factors in v4, oddly enough. We’ve made v4 more efficient. We’ve wasted v6. It has about the same address space. We’re going to hit the same wall twice at once. This is a problem.

So let me continue the other thought. The other thought is we don’t need new addresses the way we have been using them.

Happy Eyeballs is not an addressing issue; it’s the first DNS response. We are making the DNS jump through extraordinary hoops. The whole reason why I’ve spent the last five years deep inside the DNS is I think the DNS is the Internet’s future.

We are doing name-based networking. We just don’t talk about it. That’s where we are. Names are much more important than addresses, John.

So does it matter if we do v6 or not? As far as I can see, no. It’s just a cost contention down the stack to the commodity folk because the real money is in apps and names. The real money is not in shoveling bits around and addresses.

I don’t think we’re going to care anymore in a few years.

John Curran: We’re not going to care. Doesn’t matter.

But Geoff says we need to make it a goal because otherwise there’s a dead end that we’ll hit sooner or later and there’s no out at that point. What do you think, does v6 have to be a goal?

Brent McIntosh: I absolutely think it’s got to be a goal. And from the perspective of being a dual stack end user and an IPv6 geek, I pretty much test every application at every website that I go on and just compare at times the performance.

To actually gauge the performance, you really have to be deep in this. And I love the end to end performance of IPv6. Would an average end user know about that? Maybe not.

But that said, I’m just thinking of the – now with the focus on IoTs, what else is going to make a difference but IPv6?

As a matter of fact, maybe about three months ago, a neighbor of mine told me, he said, I’m deploying some security cameras to a client and I noticed that they’re getting a private IP address and I have a challenge because I now need to go and enable port forwarding. Is there a solution for this?

This guy’s a brilliant IoT type installer, but he has no idea what IPv6 can do. I said, yes, there’s a solution. It’s called IPv6.

And that said, having that true end to end connectivity, I think that is how the Internet is meant to operate. Of course, as Geoff mentioned, DNS being the core of that sort of connectivity.

So yeah, this is absolutely should be a goal.

And I just want to add – and I was going to speak initially about the education process because I can speak of ISPs in the Caribbean now – I didn’t get to sign off on time to actually mention that ISP – but they’re moving to full native IPv6.

I’ve been checking on Cisco 6labs, and I’ve seen small items in the Caribbean, their IPv6 deployment index has moved from 1 percent to as much as 14 percent.

That said, though, some form of NAT64 is still happening, but the intent is there and that’s what’s important.

So while the actual process is slow, we understand that it seems to be the goal for ISPs and so in the case of Caribbean ISPs.

And if that’s the goal, then, absolutely, we’re heading in the right direction. But personally, I think, absolutely it’s where we should head.

John Curran: Got it. Very good to hear.

Apparently we need to get back architectural purity and double down on. Vint said the same thing.

Byron, what do you think? Does v6 need to be a goal?

Byron Holland: I think it does, absolutely. In spite of the fact that we’re seemingly in a very, very long transition period. Given the number of devices that are coming on, it seems to me that we must have it as a goal.

On the other hand, as we slice and dice v4 more effectively, more efficiently, is that market has germinated. We can all do the easy math. I think the high price, high watermark is $60. Four billion addresses. That’s a quarter trillion dollar market, kind of one way to look at it.

Are people going to get creative and effective on slicing and dicing and timing? Probably, quarter trillion at stake, probably. And what will that do over time? It probably just continues to push out that timeline.

That said, IPv6, I believe, certainly has to be a goal. Though, if anybody reads Geoff’s research, which I’m sure most people here do, there’s concerns about performance and effectiveness of IPv6 right now failing over to v4 still at probably unacceptable rates.

There’s still some work to be done. I actually don’t see that transition time extending as a bad thing.

John Curran: Okay. Vint says we have to get there. Geoff says we have to get there. You say the efficient market may be pushing that out.

Byron Holland: You have literally countervailing forces at play here now that this market has germinated in the way that it has. Its interests, the market’s interests, arguably, are a countervailing force to the more rapid, in quotes, adoption of v6.

John Curran: Lee, do you think the market, A, do we have to actually get to v6? And if we do, is an efficient market getting in the way of that?

Lee Howard: That’s an interesting question. So when you ask the question, should IPv6 be a goal, my response is for whom? Because for some people, when I was working at an ISP, it was absolutely a goal for us because we knew that we were going to have to – because we knew we were going to run out of IPv4 addresses. We kept turning up new services and adding new customers. We had to do something. We did the math.

In that case an efficient market was absolutely a countervailing force that drove us towards IPv6. But there are nonmarket participants. And this back to – we’ve got the enterprises and the consumer electronics folks who don’t feel the pinch of either market prices or of running out of addresses. So there’s less incentive for them.

Although, there are still, I wrote a guest blog for ARIN a couple years ago about IPv6 has lower latency than IPv4. That’s an interesting potential argument that some people might care about that’s not market related.

And actually, I’ve talked to some companies that have said, wow, that’s really exciting. We were not concerned about buying addresses. But if I can improve our performance by 15 percent, that’s fantastic.

It turns out – this is somewhat related to the question Vint started to ask – I think that part of the reason that v6 performs better is that Android doesn’t require IPv6 in software on their handsets, on their devices.

So they have a SHIM in there that translates from IPv4 to IPv6 in the handset, on a v6 enabled mobile network, and then it gets carried out over the mobile network over v6 and maybe gets translated back to v4. I think that SHIM, that software is adding a little bit of latency.

And Apple requires all of its apps to at least certify that they work with native IPv6, and so therefore they don’t have the latency.

Maybe Geoff can set up a test to do this. I haven’t been able to set up a lab to confirm this theory, so I’m sharing the theory in case someone can run a quick test while we’re here and let us know how that performs.

John Curran: Got it. Very good. We’re hearing IPv6 gives, the end to end architecture gives better intelligence for geolocation and lower latency. And this is sounding pretty good. It’s almost like an electric car versus a combustion car.

Jared, is the experience that much better on v6 and we’re just not marketing it? Do we have to get to v6?

Jared Mauch: We absolutely have to get to v6. It is really the future of where we’re going. I think Geoff hit on it earlier, is that we use the DNS system to go and translate all these things. I think 25, 30 years ago, everybody was thinking, okay, you have identifiers, you have end to end. You have all this stuff.

Almost all communication happens from a client device to a server in a few selected cloud providers or service providers of some sort.

And the way we initially got through some of this initial IP address sharing stuff is in the http spec, we added the host header.

What’s the host header? That’s the DNS name that Geoff was talking about before. We did this back, in, what, the late ’90s, where we added the host header as the identifier for talking to.

And so when you go and you look at this and you say, okay, how do I do all of this stuff, you end up with this entire ecosystem that is heavily driven on IP addresses. I don’t go into my firewall and configure www.Akamai.com as a thing. I configure an IP address.

Once we can figure out, okay, how do we get the technical ability, how do we get audit and compliance and a lot of these things in place, I think that’s going to help.

The other thing is, in a lot of the smaller markets – for a big carrier like a Verizon or an AT&T or Time Warner Cable or Comcast here in North America – they manage the device at your house for you. They specify the firmware, they test it, all of that, up to that CPE device up to the house.

For a lot of the smaller markets it’s still not default to have IPv6 on. This is a huge barrier. So if you’re a small to medium sized ISP, you’re actually probably using a MikroTik device or Ubiquiti equipment or one of these other carriers.

And when you’re going and using that, I own on the side, a little, I call it my hobby ISP that I run. I’ve got v6 enabled, and I get v6 requests from three customers or so, or four. I think it’s maybe four, and three of them I personally turned it on on their routers because it wasn’t default.

And so you’ve got folks like – you know, Amazon’s got their Arrow brand, and it’s interesting, because I look at somebody like an Amazon, just like anyone else. It’s, like, okay, they’re getting IP addresses on the v4 side and the consumer electronics they’re producing have v6 turned off by default on the other side.

And you have to go and take these companies and bring them together, not only internally – we have the same challenges inside of my own company. I don’t mean to pick on Amazon. But it’s – we have these same challenges in every single company of how you get these systems, how they work together, how they cross work because ultimately it may end up being – it doesn’t matter that the end users on v4 and the origin is on v6 because you’re going to have something else in the middle, be it some cloud front or Akamai or Fastly or Cloudflare or somebody else who is doing that translation for you. And they’re doing that as a service either for the website or somebody else.

And that’s what we’ve largely gone to is people don’t want to run the servers. That’s what AWS and DigitalOcean and all those places have been widely successful is people don’t want to run the servers, they don’t want to manage the infrastructure.

John Curran: We absolutely have to get there, and we need to use services to do it; we can’t all rely on Jared, the IPv6 angel to –

Jared Mauch: But you have to have – somebody is filling that gap already in the marketplace. And it’s making those things default. And people at Akamai have tried very hard to go and say, okay, we want v6 to be on by default for all the new websites. But going and touching every existing customer config and changing it, that’s the hard part. That’s where we need that progression of time.

John Curran: It’s interesting. We’ve had all the panelists pretty much say we have to do this. This is a goal that we all have to share.

Now, ARIN, of course, our philosophy is whatever. You want v4? Have v4. If you want v6, have v6. It’s interesting because we’re involved in addresses. And our philosophy is, do what you want to do. Okay?

So I guess the question is, and I did pose this to the panelists, none should be particularly shocked: As a Regional Internet Registry, if we have to get to IPv6, what should ARIN be doing?

Vint, what’s your thoughts on that?

Vinton Cerf: If you’ll forgive me for one anecdote. Most of you are aware by now that Google ran out of IPv4 address space in its cloud and had to switch over to IPv6, which I thought was rather interesting.

The second thing is that in the cloud world, this is not like the early days of a single CPU timesharing system, where you landed on that machine, that the IP address mapped directly to that machine and then you got access to whatever processes there were.

In the cloud, you land on a thing that figures out which machine you’re supposed to land on in the cloud. That’s often a load sharing system, and it’s an opportunity to terminate protocol and open up something else to get to the interior. So that makes the end to end notion somewhat less clear because the end may be at the edge of the cloud’s implementation.

Anyway, your question is what should ARIN be doing, and I think ARIN is doing the right thing, which is enabling parties who need address space of any kind to somehow get access to it.

So if you facilitate access to v4 through a brokerage and you facilitate access to v6 by allocations, both of those things seem to be the right thing to do.

John Curran: Okay. Very good to hear.

Geoff, what should ARIN be doing? We have to get there. What should we be doing?

Geoff Huston: First, and most importantly these days, the RIRs are not what they used to be. They used to be the guardians of conservation. They used to be the folk who were trying to extend the life of v4 – which in 1990 was predicted to be four years – for as long as they possibly could.

So they were the rationers. They were the gateway to which you had to humbly beseech and make your case in order for everyone to have access. And that was almost their primary role.

But there was a second role that I think is now the primary role. It’s taken over, which is the registry – the one place where that unique association of the address holder to the address is maintained as a public record.

So whether I get my addresses from a direct allocation from an RIR or from the marketplace or I picked them up somewhere out on the street, it shouldn’t matter. If I obtained them legitimately and can prove that to the satisfaction of the registry, I’m the registrar; my record should be there.

Collectively, those five RIRs should be able to accurately say, at all times, where addresses are, who’s got them – all the time.

If you do that, that’s 95 percent of the job, done. Just be a good registry, and no barriers. Check the address and it’s legitimate, allow me to express that in your registry, John, and the other RIRs, and I am the world’s happiest address holder.

John Curran: Keep track where they are, and it really doesn’t matter if it’s v4 or v6. That’s 90 percent of the job.

Brent, what do you think? What should a regional registry do? What should ARIN do?

Brent McIntosh: To be honest, this is my favorite question, because I didn’t have to give it much thought.

To be honest, John and team, I think ARIN as an Internet registry is doing their fair share. And there’s two points to that.

You are supporting and engaging your stakeholders even with your IPv6 deployment stories and publications and supporting, publicizing what other companies have been doing in IPv6 migration. It’s a big deal.

Recently, we have learned a lot from it. Again, I always mention the Caribbean experience because we tend to nominally adopt the technology that is becoming popular around the world because we are small.

Secondly, I think you have a really, really great supporting team in ARIN. This has been maybe for the year, maybe my fifth or sixth supporting client applied for address space. And it’s becoming easier every time.

Now I know your team by name. And they will say, okay, no problem. You only have to pay for – I know this is specified in the notebook, but just pay for the IPv6 allocation. And the /24 you’re going to get, don’t worry about it.

What can you do, John? I think ARIN should just continue doing what it is. It’s as simple as that to me.

John Curran: Stay the course.

Brent McIntosh: You already have a great platform.

John Curran: So, Byron, as an RIR, what should ARIN do? We have to get to v6. What should we do?

Byron Holland: As a fellow registry operator in a different space, first and foremost, I agree with one of the comments made: Like, job number one, run a highly effective, efficient and bulletproof registry, which includes who has what, where and when and the ability to transfer – register, transfer, et cetera. So to me that’s job number one.

I think that there’s also an opportunity potentially for a little more activist role in terms of education and awareness. I mean, right now, that may feel like shouting into the wind, but nevertheless, as a center of expertise and knowledge, the ability to share that, to educate with the different types of actors in the space, and also recognize that given this market that has developed around IPv4, where ARIN may have started as purely a technical operator and registry, now there’s an element of rules of the road for this market, and kind of owning that and doing the best possible job of making sure that you have good, fair, transparent and policy and policymaking process around that, because that’s here to stay for a while. And it, I think, it’s a huge market.

John Curran: Got it. Okay. Lee, what do you think? As an RIR, what should ARIN be doing? If we have to get to v6, what should we do?

Lee Howard: I don’t think I’ve ever been shy about telling you what I think ARIN should do.

And an example of what ARIN has been doing well is when R.S. got up to give his presentation on how to use Git to pull the history, the NRPM. I said, Git, really? You’re going to show me GitHub and I’m going to say, there’s no Quad A. And my hair is going to be on fire.

And he went, no, Bitbucket. And I went, of course Mark chose Bitbucket because it’s something that has a Quad A – and I did a dig. And sure enough, ARIN is requiring IPv6 for its services and has been doing so for a long time and is doing it well. And I keep spot checking it, going whoops, once again, there you go. Good job. So I appreciate that.

There are a couple of other things that I have seen for – AFRINIC has done a couple of IPv6 deploy a thons. And I was able to go to one of those and support the team. And it was really interesting to say – they had some requirements you have to bring a laptop capable of running an emulator that can actually emulate a network of a decent size.

And we sat down with the team with the different network operators who were there. We helped them build out their network in a model. And then say let’s come up with your address plan.

And then let’s talk about – what are the commands that you need to issue on to each device? And we started working through them on the technical details on how to roll it out on a backbone and how to begin rolling it out towards the edge.

Really interesting, really useful. And of those initial ones, I forget what the number is, but all of them have at least done some level of IPv6 deployment on their network. That’s a really good –

John Curran: Very helpful.

Lee Howard: I was talking to Edward earlier this week also about the NANOG hack a thons. There’s still a surprising amount of open-source software that does not support IPv6. I think Chris gave me the example of Hadoop. It’s kind of silly that it doesn’t there. That’s another case where maybe ARIN could either sponsor or provide some testbeds or more developers.

John Curran: Very helpful. Jared, last one on this question. If we have to get to v6, what should ARIN be doing?

Jared Mauch: I don’t think much, honestly. ARIN should be really focused on its core function, which is maintaining the registry of the numbers that have been subdelegated to it from IANA, allocating out of those pools.

And then I think additionally, if anything, it’s ensuring that when people are coming for services, coming for numbers, go and say, we have a lot of this whole IPv6 thing for you; it’s really great. And here’s your supplier list and our website all works on it. And all of that.

I think it’s more of making people understand that this is actually a real legitimate strategy for executing.

And I think what Vint said earlier about Google cloud, and I think there’s Mythic Beasts in the UK who offer, like, IPv6 only services and that’s the first thing they do. I think also OVH, I think, started doing that as well, where you have to pay extra for v4 and stuff.

But going and pointing people at these services where you say, hey, here you go. It works fine on your cell phone. If it doesn’t work at your home ISP, maybe you need to upgrade your equipment there or you need to have a conversation with them.

But if you can only say, hey, it works on my mobile handset, I don’t know what’s wrong with your system, you need to go talk to your IT guy –

John Curran: That’s an issue.

Jared Mauch: It’s a bit of an issue, but I think that’s the type of message that needs to be sent.

John Curran: Got it. Very helpful. Quite a diversity of views here.

We’ll start opening it up to questions from the microphones, remote and in the room. People can start lining up at the mics or submitting remote questions.

I’m going to pick up on something that Vint raised, and I’ll pose it as a question to the panel. And, Vint, I may not get it right, but it triggered something in my mind.

We may have some people who decide v6 isn’t for them. Some operators who just say, I’m just going to keep going with v4, I’m going to keep it running. And when they do, the cost to keeping the v4 only crowd and v6 only crowd connected, it’s borne by the v6 community right now.

Is that really fair? If we go 20 years and we have pockets of v4, only v4, when is it that they get to run the translator, not v6? Any of the panelists want to talk about that?

Lee Howard: Yeah.

John Curran: Lee, you want to talk about it.

Lee Howard: That’s exactly, precisely to the externalities that I was talking about, is the people who are paying the transition costs or the people who most need the growing network.

I will say that part of the reason that I worked for an IPv4 address broker is I tried working for a company that was providing translators between IPv4 and IPv6. And it turns out I can push 200 gig through a 1U pizza box, but it turns out there’s not that much demand for it. It’s just too easy to do on your own or with commodity hardware. I wasn’t able to make the sales.

John Curran: Got it. So you think that it’s going to be the way it is and that’s just unfortunate?

Lee Howard: I haven’t figured a way around it. I will say that Google’s open access NAT 64 does seem to be an interesting move in that direction, the DNS 64 platform they developed and released.

John Curran: We’ll go to the mics. Do I have a remote, anyone on the remote mics? Yes in the back, go ahead.

Beverly Hicks: Question from Steve Wallace from Internet2: Question for John – can you describe your vision for the future of IPv4?

(Laughter.)

John Curran: Folks, I’m the panelist here. I’m supposed to stay behind the curtain mostly. Let’s just talk about a little bit about this really briefly.

So ARIN’s historical approach has been that you can v4, you can have v6, it’s your choice. We do encourage people – we try to do outreach and try to tell people about it. But the moment you try to do more – ARIN, as the Regional Internet Registry, we have a bit of authority. And we have to be very careful, because nearly anything we do to more strongly encourage v6 gets in the way of keeping an accurate registry with v4.

So we need to use great caution. We don’t want to tell someone, we’re not going to work with you on getting more v4 addresses or updating your records or doing something with v4 because you’re not playing with v6, because that first statement runs contrary to what Geoff said – job one, keep an accurate registry.

Does that work for now? It does. Does it work forever? There may be a point in time when people causing the network externalities for everyone need to be told get with the program. I don’t know.

This is your ARIN and you’re the community. It’s actually you who tell me that vision.

Jared Mauch: John, why don’t you just, anyone who comes for transfer space, also say, by the way, here’s your v6 on the side as well for free?

John Curran: We have had that happen, actually. So there’s RIRs who have experimented with when you come you get a v6 registry even if you didn’t ask.

The problem is that that sits idle. The work that Lee spoke about with the deploy a thon of addressing plan and how you’re going to use it –

Jared Mauch: But then when the technologists later finds out that the IP address specialist actually has the space –

John Curran: You think it just happens?

Jared Mauch: Absolutely.

John Curran: Okay. That’s an interesting thought.

Jared Mauch: I had this happen where it’s, like, I don’t know who to talk to to go do this, but if you know it’s there –

John Curran: If you know it’s there, maybe it will be deployed. That’s a good point.

Jared Mauch: And somebody can use it later.

John Curran: If the community wants to do that, you get a v6 – you have a v6 address and you get a v6 address! Everyone gets a v6 address!

Jared Mauch: They’re under your chairs.

(Laughter.)

John Curran: I’ll go to the center, rear microphone. Go ahead.

Kevin Blumberg: Kevin Blumberg, The Wire. Two interesting words that came up through this whole thing – building codes, compliance. Two words I heard.

Up to five years ago, four years ago, even today, v6 is an add on, licensing wise, for many vendors. You don’t get into your car and say, I bought the seatbelt upgrade. I licensed the seatbelt on my car.

Thankfully, today, it’s gotten a lot better with vendors and there is very close to future parity. But I think what Jared brought up is one of the key concerns. It’s off. V6 is there. The feature parity is there when it comes to the standards. But it’s off. That’s one problem.

So I think as an industry, we have to be much better about making sure that people don’t treat v6 as an add on. It is a building code requirement for the Internet today. Don’t call yourself an Internet capable device. Forget about this v6-ready stuff. It should not be considered an Internet-capable device if it’s not feature paritied.

My one question is, you mentioned 25 years, Jared. You mentioned smart TVs. In the last four weeks, a number of IoT manufacturers, because of the market, have gone bankrupt. Tens of millions of devices are now dead in their homes.

Thankfully, one of the downsides of IoT is it is not designed to last. So hopefully – hopefully, the next iteration of IoT devices that people bring into their houses are v6. There’s no difference between them. They run v6, they run whatever they need to do. We don’t keep making the same mistakes. We’ve got the opportunity – whether it comes to equipment, refresh cycles or whatever – to do v6.

And just I don’t like the idea of 25 years because it’s giving up on the fact that we do need to keep refreshing.

Jared Mauch: Just to respond a little bit. The reason why I said 25 years, and I brought up building codes specifically is, I’m not sure when this hotel that we’re in right here was built. But at some point along the way, when you do a renovation to your network, when you go and you do these things, there’s new standards that come along. And in my house, if I go and do a renovation, upgrade to my electrical system or something, some inspector is going to come in say, hey, these things don’t meet – they met code when you built, but they don’t meet code now.

We need to be building that next infrastructure across the board. So what John is saying, we’re not going to allocate v6 to people unless they ask for it, unless the community decides by policy, I think if we as – I see ISPs in the room, I see others – if we’re going and we’re taking a forward looking step on this and say, okay, I’m going to enable it on every port, I’m going to have it available, I’m going to have a shadow allocation for all of these customers, so when they come for it, it is there, that I built it to this new standard.

Now, most network operators I know, they don’t have time to do the stuff other than solve the problems that are actually on fire. But when they get that time to do something, if the resources are available and they have the authority to go out and make those changes, they can go and build that in their next-generation infrastructure.

John Curran: Jared, the challenge, of course, is that building standards are things done by governments in order to make sure for the public good that a certain segment’s operating in a certain manner.

We don’t have a lot of people who do public good standards for the Internet that have regulatory authority. And yet if you want to have someone say, I’m sorry, ISP, the NAT spew from your network is polluting the world, then you need a standard and you need someone to actually regulate that. Are you asking for that?

Jared Mauch: I’ll turn it around to you, John. You, as ARIN, accept credit cards. And when you accept credit cards you have to record certain information, like the IP address upon which I did the transaction from. And you have to do these compliance pieces that are associated with that.

So it may not be, hi, I’m the Internet police, I’m here to come and arrest you because you didn’t do v6. But it may be that you have to undergo auditing and compliance work as your organization, as Akamai may or somebody else may in doing this.

It may be indirect regulation and compliance that comes into play. That was the other thing that Kevin mentioned. It’s maybe indirect things like that where they’re going to say, yeah, you need to make sure you’re logging all of the v6 and v4 addresses of these endpoints and when you do a security scan.

John Curran: It’s possible that regulation in other areas for the benefits could cause the pressure you’re talking about.

Jared Mauch: Absolutely. They cascade in just like supply chain things where you say I’m going to put in a vendor supplier agreement which is going to create that market.

John Curran: Do we have another remote? No? Yes? No. At the microphone we have someone.

John Sweeting: John Sweeting with ARIN, but I’m really talking back to my ISP days.

The point that the price is going to get too high for people to – people won’t buy IPv4, I don’t think that’s really what’s going to happen. As long as I have – if I have IPv4 space that’s available I’m not using, if I can’t sell it for a thousand, I’ll sell it for 500. If I can’t get that, I’ll sell it for 100.

As long as there’s IPv4 space available – and we have to admit, as a community we didn’t do a great job with conservation because otherwise most of the IPv4 space would be used today; we wouldn’t have so much out there available to transfer back and forth.

So until the majority or all of this IPv4 space is in use, we’ll probably still be seeing that transfer market.

John Curran: It’s a deep, deep pool.

John Sweeting: Yes. Wondering if there’s any opinions from the panel about that.

John Curran: Any panel views on that – that there will be a market and good availability as long as there’s a need?

Lee Howard: Again, there’s the diversity of kinds of buyers and sellers. So there’s a lot of supply still unused, a lot of address space still going unused on the Internet. And that is a goal of ours as a community.

And we are still – Geoff gave the example of Reliance Jio in India, who decided to sell, they couldn’t buy – and you gave the example of Mythic Beasts delivering web services on a Raspberry Pi. It’s a $25 device, but addresses cost $50. My economics aren’t working here. I’m not buying addresses anymore.

So that changes the marketplace a little bit. I think we see more and more of those cases where people stop buying addresses and look to alternatives as prices rise.

There will be buyers. There are certainly organizations that can make 300, $1,000 per whatever they’re selling that they need IP addresses for. They’ll still buy as long as they need to do that. And I think the market begins changing as prices change – supply and demand. So maybe other sellers will say, I don’t need the addresses. Quick, let me get out of the market.

It will be interesting to see when the tide turns if there’s suddenly a flood and everybody goes, oh, I missed the peak; get out now.

John Curran: It is interesting. I don’t know if the ARIN community remembers, but we actually predate the market. The policy came first in 2009. The ARIN Board of Trustees said, uh, yeah, this isn’t going to work without a market, because if you tell people your answer is return addresses and there’s no other option, we’re going to end up with no recording of the transactions happening.

So we actually established the private market transfer policy prior to transfers ever happening.

And people say, why did you do that? Well, you sort of see now. The need for IP address blocks certainly is greater than I think a lot of us perceived. We thought it might be a brief thing when we ran out for a few years. And now we’re talking about what’s going to be the price in 10 and 20 years.

But the market is now an essential part of this. And the question is: Is it helping; is it hurting? It’s running on its own. And I’m wondering, how does that affect v6? If the people on the panel have thoughts, I’ll take that. Otherwise, I want to go to a question from the floor.

Yes, Geoff.

Geoff Huston: This is Geoff, John. And I think you’ve got to remember that the Internet was born out of 75 years of regulation.

75 years of acting as a public service utility under effectively a very tight relationship between the government, sort of the public role, and the operators.

When you took the brave step to actually unleash capital markets into this space, we were working on the principle that those incumbent monopolies were actually filing their public duty.

And we were relying, if you will, on a very rich, competitive market to actually serve what customers need without knowing what they need. The idea was that markets themselves would react to customer need, focus on what the customer wanted and deliver at a competitive price.

Now, I get my Netflix. This is working. Cool stuff delivering over the Internet, stuff with astonishing price and astonishing capability. Now I’m not going to stand in the way and tell a trillion-dollar industry how to spend its money. And neither can ARIN. You can’t do that anymore. In some ways the markets have actually taken on their own momentum.

And the whole issue about this technology base is, again, a marketing based issue. It’s a market. And, yes, there’s a market for v4 addresses. Oddly enough, there’s a market for v6 addresses, and the fact that ARIN gives it away at a relatively low price creates its own market dynamics.

Now, what’s going on here is entirely natural. What is unnatural is for ARIN to sit there and go: No, I’m not going to register a transfer; no, I’m not going to do this. And try and impose a constraint on a market, because at that point we’re going to get into a tussle as to who has promise here.

And I suspect, being a bit of an amateur economist, that the money always wins. The money always wins, you know. Whatever the market says, the market gets.

So what we’re finding right now is actually a transition to a very, very weird space. It’s the rise of the server role, content distribution networks. All the money is tipping into the application space and the content space.

John Curran: Got it.

Geoff Huston: Why do we need globally unique addresses if most of my packets travel a few kilometers to the local datacenter? And if you think about that question long enough, you really start to think about what do we need in the next 20 years – a unique global addressing space or enough to get my packets over a few kilometers to the local multipit of the data storage, which is just in a curbside a few meters away from my house?

So in some ways we love the old arguments. We love debating the 1980s and 1990s technology because we’re all good at it. We’ve done it so often. But trying to look forward and trying to understand the market motivations that drive this industry is actually the hard bit.

And I think the hard bit is trying to understand at what point do we actually discard technologies, which are becoming a boat anchor to the industry, which actually are becoming an overhead.

So in some ways it would be good if we could ditch unique global addresses when we don’t need them, when we’ve managed to sort of push this server role to a completely different space.

And I suspect that this entire coping with exhaustion of v4 has led to a feeling that we’re never going to do this in v6, that running out of unique global addresses is not going to happen in v6 because we’re not going to be reliant on unique global addresses anymore.

We’re going to build around this problem. So ponder that.

(Laughter.)

John Curran: Other than that, we’ll be fine.

We’ve unleashed the market, and we have to realize that we’re now the tail on the dog. We have time for one more question. Leif?

Leif Sawyer: Leif Sawyer, GCI Communications, Alaska: Do you think that v4 only is a technical debt issue? And if so, how do we get companies to address that technical debt “turtles all the way down" problem?

John Curran: CIO magazine, how are you dealing with your IPv4 technical debt? Panelists, who wants to go first?

Vint, go ahead.

Vinton Cerf: One possible way of dealing with that is effectively to say I won’t buy the product unless it does v6. And this is one of the things at least that the federal, US federal government is now saying, at least on the Defense Department side, that the product they buy must be v6 – must be fully capable of running v6 only.

So it’s perhaps one way of imposing that requirement, we guide it and at least implement it.

John Curran: Very good. Anyone else want to comment on the v4 technical debt? I think we have one more question coming in remote.

All right, let’s go to our final question, remote question. Go ahead.

Beverly Hicks: Dan Oachs: Do you think the US government requirements for IPv6 will have an impact at this time?

John Curran: Question is, does the US government has adopted requirements for IPv6. Do you think that will have an impact on deployment?

Jared Mauch: No.

John Curran: Jared, no.

Vinton Cerf: I’ll say that it will have a modest impact, but it will probably not have a global.

John Curran: A moderate impact, but not on a global basis.

Any other panelists want to comment?

Lee Howard: There’s a lot of interesting questions embedded in that question. But one of them is: Well, then what does the US government do with their 170 million addresses?

John Curran: What are they doing with their own 175 million?

Lee Howard: 175 million IPv4 addresses. John Curran: Okay, any final comments from the panelists?

Vinton Cerf: They’ll pay down the national debt.

(Laughter.)

Lee Howard: Their IPv4 debt, right. John Curran: It will be amazing if the Internet IPv4 pool bails out the US government. Can’t even go there.

I’d like to take a moment to thank our panelists both remote and local. Round of applause.

(Applause.)

Thank you, everyone. It’s been a wonderful panel. Thank you remote panelists. And now we’re going to go to break.

Thank you, everyone.

Vinton Cerf: Bye, everybody. That was fun.

[Break]

Hollis Kara: I hope everyone really enjoyed the panel. I think that was a really great session. And I’m glad we could include that. If we could hear it for our panelists.

(Applause.)

And hopefully we’ll be able to follow up with publishing a blog or something about that content in order to make sure it gets a little bit wider distribution and has some historical record. So that will be great.

Okay. So we’re back. We’re getting ready to wrap up today.

One of the nice things about being back in person and folks being able to travel again is that means we’re able to bring back our RIR updates from our fellow RIRs. It’s always nice to get a report and hear what’s happening in other regions.

For starters, we’ll have James Chirwa come up from AFRINIC. He is the Acting Manager of the Member Services department. And he’ll give an update on the AFRINIC region.

Hi, James.

Regional Internet Registry Updates: AFRINIC

James Chirwa: Thank you. Good afternoon, everyone. It’s a pleasure to be here today with you. So I’ll just give a brief update on AFRINIC services for this year and overall.

We basically serve 55 economies. As of now, we have over 2,030 members. Our membership, we have LIRs and end users. So, as you can see, this is the trend that we have had over the period. This is when we just reached the mark of 2,000.

On the resource part, these members are consuming almost 95 percent of our pool of IPv4. So we have over 150 million of v4 that is already used. The 5 percent that is remaining is made of about 1 percent which is under policy reserve. And the remaining 4 percent is divided between what is currently available and that has been reclaimed and we have to put it back in the available pool. So it’s kind of quarantined at the moment.

So over the period we’ve also issued out of 9,000 IPv6. Right now, our IPv6 update has kind of slowed down because you’re not putting much attention– more attention has been put on deploying IPv6. I think from the previous session it was also mentioned. So we’re putting much focus on that through our deployments and also help desk.

Over this year, we have issued out only 28 prefixes, different sizes for v6. So that’s a kind of low update. But also that has been a new policy that came in which mandates deployment within 12 months. So other members who feel like they’re not ready, hope not to move forward with v6 prefixes until they feel they’re ready to go live.

We’ve seen kind of a shift in the Autonomous System Numbers update. Recently, the past few years, we’ve seen more members getting v6, either new, those who didn’t have before or those who are actually having different, or maybe changing their addresses points and needing more than one ASN.

So we’ve had an uptick in the past few years. This year, we’ve already issued about 67 ASNs. And in total, out of the 2,030 members that we have, we’ve already issued over 2,100 ASNs.

So our pool right now, like I said earlier on, we have 1.6 million that is available for issuance. We kind of also are in a bit of a slow exhaustion period, just because of the current policy, what we call the soft landing policy phase 2, where the maximum we are issuing is a /22.

But members can come multiple times. There’s only the restriction that they have to justify their needs, but also need to reach a threshold of 90 percent.

So that 1.6, we went into the soft landing in 2020 January. So from January, the distribution of IPv4 has been a bit slower than before we were able to issue more.

We are trying to drive the update of v4 still through recruitment of new members. So we’re hoping that something will slightly pick up this year, next year.

So next up, I’ll talk about the PDP process in AFRINIC, the status at the moment.

So we do have– currently we do have four policy proposals, which are still under discussion. One of the policies is about PDP working group guidelines and procedures. This is just trying to define and clarify how the PDP should work. Some of the community members feel that there’s a gap in the current PDP process or procedures the way it is written. So there is a proposal to modify that.

The second one is the inter-RIR transfer, which the author coined it as comprehensive scope because we had multiple policies that we are competing and with different approaches.

So for this one, actually, it’s more open. It involves– it proposes entire transfer for all resources, either legacy or those in the AFRINIC pool. So the discussions are still ongoing.

The third one is publication of information. So some of the proposals, that after two years or another– if they can define another period– but after that particular period, the justification that somebody provided to get resources should be published, considering that period. Confidentially, the issues would no longer be valid.

So we are still– it’s still under discussion, the publication of information proposal. And then that one is also update of the PDP. Also just to change the– this one actually is clarifying some text in the PDP process.

In our previous PPM, the policy meeting, we had three proposals that reached consensus. Out of those, three of them are under appeal.

So there’s one that is about inter-RIR transfer as well. So this one, for the transfer, it only allows the legacy resources out, but allows any kind of resource in. So there is an appeal against it. We’re still waiting for the outcome of the appeal from the appeals committee.
The next one is abuse contact. It also mandates having an abuse contact in the resources such that– it’s more about making it more efficient.

We currently have a proposal– I mean, a policy that makes adoption of, to have an abuse contact through an IRT, but this one wants to makes it mandatory for all members. So this one also went through consensus, but it’s under appeal.

The next one is about policy compliance dashboard. This is simply just coming up with a dashboard which can give a member an outlook of they are compliant with respect to different policies.

So in the same PPM, one proposal, which also went through is under implementation at the moment. This is now the RPKI ROAs for unallocated and unassigned space. So only that space that is not issued should have an AS zero ROA to avoid bogon prefixes.

So next up, I’ll just talk about our capacity building efforts. So in capacity building efforts we do have the academy, learn.AFRINIC.net. We have a good uptick so far on enrollments. The academy is focusing mostly on IPv6, IRR, RPKI, as well as DNSSEC.

So, so far I’m also training on the Whois, management of the Whois.

So we do have the academy. But we’re also doing deploy a thons where we do work with the members. I think it was also mentioned in the previous panel. That’s another thing that we are pushing.

So deploy-a-thons, also covering v6 and the services, mostly RPKI and IRR.

We also have a help desk for v6 and the services as well, where we do hand hold the members who feel like they need additional support in deploying v6 and other services.

But also we do have occasional webinars throughout the year. I think these are also pushed mostly during the pandemic period when we are mostly in the house. We had most of the webinars going through.

So on the other part, we are also working on some products.

We are revamping our member portal. This is the platform where members log in for resource management. So that’s the MyAfriNIC portal. We are working on a complete revamp and coming up with version 2.0. We anticipate to go live in Q3 of this year.

The other product is the WhoWas, mostly for the historical records, which you can get in the current Whois. The current Whois is limited especially for resources that have been deleted.

So we’re working on a product that would give a comprehensive history for each record. However, we are still navigating a few other things just to make sure that data compliance, I mean, data confidentiality and privacy roles are not– we don’t find ourselves on the wrong side.

So the other thing is now just to speak about our next event. We are having the, what we call the Africa Internet Summit, AIS, 2022, just like this ARIN 49.

We are having our annual meeting this year. It will be in a hybrid model as well, starting from the 30th of May to the 3rd of June, during which we also have the Annual General Members' Meeting.

So during the Annual General Members' Meeting, we do expect to have some Board elections and also an AS associate election.

Last, I just want to talk about the initiatives on the outreach and engagement activities. So apart from the summit, we also do have other engagements through regional– dealing with regional NOGs and also other working groups like the IGFs and other technical communities. We also provide sponsorship on Internet programs. And also we do have government and law enforcement agency engagements.

Lastly, we also do community outreach just to improve the relationship with the members as well as impact or fill the gaps that we do see between the services that we provide and expectation from the members.

So this is all I have for you today. Thank you.

(Applause.)

Hollis Kara: Thank you, James. Next up, if you want to read along with me, we’ll welcome Paul Wilson, the APNIC Director General, to give the APNIC report. Come on up, Paul.

Regional Internet Registry Updates: APNIC

Paul Wilson: Thank you, Hollis. Welcome to the highlight of the week. I hope you enjoyed the warm up show before the break. I thought they were pretty good. Cheers, John. Thanks for that.

Actually, it’s the highlight of my last two years to be here. After being grounded for all this time it’s great.

I’m going to be presenting the APNIC update, which– I can’t actually see on the screen below. Is it possible to see there?

Over there. Over there. Oh, there they are. All right. Settle down.

(Laughter.)

APNIC update. Here we go. We’ve got a strategic plan. We’re halfway through it. It’s illustrated by this classic diagram here which shows our five strategic pillars of membership, registry, development, information and capability.

All our planning and reporting goes according to those pillars and the 18 or so work streams that sit underneath them.

And that’s quite useful for giving us sort of a sense of where the planning and the reporting is going over this period of time from year to year.

Also from– in each year we decide on a number of focus areas which tend to evolve over time. But this year, it’s security, integrity, resilience, next-generation registry, connected online community and capacity for development, as APNIC is growing a fair bit at the moment, with new resources for Internet development in our region.

But on the standard business and member services we’ve got– this is as of the beginning of the year, actually– 8,700 or so members, having grown 5 percent only in the last year.

But our NIRs have been growing pretty rapidly, with 12,000 additional organizations served by them. So 20,000 or so in total served in the region.

We look at service satisfaction metrics. The SLAs for our help desk. We take feedback from voluntary members who decide to help out by joining the group. And we action and resolve as much as we can of what we hear from the members.

Few charts of our delegations and transfers. IPv4 and IPv6 both peaked sort of mid decade. And they’ve been kind of recovering or sort of ticking along ever since then.

The ASNs are interesting — that’s just because we did a couple of very large ASN delegations to research and education networks in China and India.

The bottom three charts are three different types of transfers, IPv4 transfers, which are ticking along at about a dozen each per month of transfers within APNIC or between APNIC and other RIRs and mergers and acquisitions.

Very unpredictable. They just seem to sort of go up and down with the wind, depending on what happens to be happening out there.

IPv4 address pool. This is here because we’re here in the middle of a pretty substantial IPv4 reclamation effort at the moment. Our members have been asking us, begging us to bring back as much v4 we can to keep distributing.

So in the last year we managed to reclaim up around half a million v4 addresses voluntarily. There’s at least a million to be reclaimed this year.

So we’re maintaining some availability in the IPv4 pool, even looking at seeing some policy proposals coming up to increase the minimum allocation that’s being given out because we’ve really got many years worth of allocations to be made at current rates.

We’ve also got, on a sort of related matter, a new treatment of historical registrations and the organizations that hold those, requiring them to take out a membership or a formal agreement with APNIC from 2023. And that’s in the– that’s affecting possibly 3,000 or more address holders.

We’ve been accused of some sort of a– or it’s been suggested we’re kind of looking for money in this case. But the point is, this is about fairness. And as we get a rebalancing of revenues from different, from across the membership, we’ll have an opportunity to lower the baseline for all members as that actually comes in over the following year.

RPKI, 11 countries in our region reached 90 percent plus ROA coverage during the last year. We’re doing a lot of RPKI training, publishing success stories on the blog. We’ve got a new ROA measurement tool, thanks to Geoff and APNIC Labs. We’re sort of looking at how the percentage of address space covered by ROAs is growing, IPv4 and IPv6, and charting that.

There’s quite a bit of fluctuation as blocks of addresses come and go from being certified, but the lower graph there shows that we’ve just got a constant upwards, pretty satisfying upward movement on the number of holders who are using ROAs on the APNIC system.

The APNIC Academy is our training delivery. We’ve got community trainers, 30 of them out in the community at the moment, in addition to APNIC’s training team. And we use those for– 68 of those community trainers for 68 events during the last year, where we’re retaining quite a number of those trainers on a retainer system.

We have a new technical assistance process and technical assistance sort of request platform, providing hands on technical assistance. It often arises out of training that happens with our members who often are asking questions and asking for more help.

A lot of work on courseware for new courses and updated courses and translation. And there’s a few stats there showing quite a few thousand students in the year who are coming to virtual labs; face to face, instructor led courses; and self paced courses on the APNIC Academy.

The blog is hitting about 70,000 views per month, several million views in total. And we’ve got a new podcast called PING, which is a podcast of people who are looking at Internet measurement. So you can find PING on many of your podcast platforms.

A new development at APNIC is something called the Asia Pacific Internet Development Trust. This has been established between APNIC and an academic body, the WIDE Project in Japan.

And it’s helping to fund two different areas of activity. One is regional research and education networking. So there’s a new backbone network being established with circuits coming in and out of Guam to serve our region. And the APNIC Foundation, which was set up in the first place more or less as a fundraising for APNIC’s development activities to help attract resources. And it successfully attracted a couple million dollars in the first few years. But that’s now been increased to quite a few million dollars a year, thanks to the Internet development trust.

And that’s how you see quite a bit of the development of training and related activities at APNIC these days.

So save the date for the next APNIC conference, which also, like this one, will be a hybrid event, face to face and online. We try to adopt an online first method or approach to all of our conferences from here on in. Really trying to attract and make sure that we’re inclusive of people who can’t join face to face.

We’ve always tried that and somehow the COVID pandemic has given us a lot of practice in doing it more so we want to continue.

That’s being held in Singapore, co-located with Singapore NOG, Asia Pacific regional IGF and the Asian Pacific School on Internet Governance.

That’s all from me. That’s a smaller group of APNIC staff than we are these days. But thanks from all of us.

(Applause.)

John Curran: Paul, if I could ask a question. There’s a bullet that says membership required as of 2023. For historic registrations, how does that work?

What is, I guess, required, how, and if I don’t, what happens?

Paul Wilson: In order to maintain our registry services, which includes registration and presence in the Whois database and additional services like reverse DNS and RPKI, that will be necessary to have a contractual relationship with APNIC.

We’ve already and for some time have had a small annual fee called a historical resource maintenance fee, which is applied to some but not all of those historical resources.

The APNIC UC decided last year that we would extend a formal relationship and a consistent fee structure. Although the APNIC conventional fee structure has got an annual fee that’s paid to a logarithmic, formula based number of address spaces that people hold.

Those historical blocks will not be counted, will not be included in those. It’s a nominal annual fee that’s required for–

John Curran: But it’s required for participation and required agreement.

Paul Wilson: That’s right.

John Curran: Okay, thank you.

Paul Wilson: Welcome. David.

David Huberman: Hi, Paul. David Huberman from ICANN. Really I’m here just as a numbers geek– audience full of numbers geeks.

There’s about 70,000 AS’s participating in a typical view of a DFC. And I couldn’t help but notice in yesterday’s NRO presentation, in your presentation today, that APNIC allocated 7,000 or so AS numbers which statistically is way out of whack.

I was wondering, just because we’re numbers geeks, if you could tell us just a little bit about what that was.

Paul Wilson: That was a couple of single allocations to large research and education networks in China and India during the last year. So groups of multiple thousands of ASNs for re architecture that happened to happen kind of independently across those two networks.

So it’s a once off. You see the APNIC AS number total per year has been ticking along at a fairly low rate actually compared with other RIRs. And it spiked up. And we’ll be looking at that spike and explain it for the next 10 years until it drops off the chart on the left hand side. But that’s what it was.

Thank you.

Hollis Kara: Thank you, Paul.

(Applause.)

We’re right back where we need to be. Yay. Next up, I’ll welcome up Oscar Robles to the stage. He’s their CEO, and he will give a report on LACNIC, which makes sense since that’s where he works.

It’s been a long day, guys. C’mon, work with me.

(Laughter.)

Regional Internet Registry Updates: LACNIC

Oscar Robles: Thanks, everyone. A pleasure to see you again and to be present again at your events.

If you were not around our events in the last year, let me give you a quick update with five short topics.

First, IPv4 exhaustion finally arrived in 2020, August 2020.

And we implemented the Waiting List. We don’t have too many recovered space, to watch for recovered space. So, the Waiting List is basically growing in terms of solicitants expecting to receive space.

Currently we have waiting time approximately of one year for the space that we are allocating at this time. But we calculate that the new requests will be receiving their space approximately in three years– the ones that are released at this moment. So this is how it is.

IPv6 deployment is steadily growing with almost 30 percent of the uptake in the region. Of course, this is not our decision to deploy IPv6, but we do our best to promote and to provide skills to the community. Last year we trained around 6,000 professionals in IPv6 online courses.

So I think this is relevant because we will require a lot of highly-trained people to complete all of these deployments in the next years.

Also we had conversations with decision makers, not only with technical guys but with those that make decisions of the Ministry of Communications or Ministry of Finance or– mainly in the smaller countries where they actually pay attention to whatever we say.

And that we try to deliver some messages, why IPv6 is strategic and this is not a technological decision anymore– not only a technological decision.

So RPKI uptick is also growing with almost 40 percent. This is one third, but it is– now it is around 40, 42 percent of RPKI update and deployment in the region.

Regarding the policies, last two years, we were very busy with a lot of proposals, but fortunately most of them were not to the actual policies but to the manual– to the procedural topics rather than actual policies. Anyway, we needed to provide the full mandate and the tools to have a discussion for every of those proposals.

And last year, we implemented three key policies, policy proposals. One of them is the validation of the abuse contact, abuse contact.

And we calculate that by the end of the year we’ll have 98 percent of the abuse contacts already validated, and almost 99.5 percent of the space in LACNIC with the abuse contact validated. Which is very good.

We have a very strict policy for the abusee, which has to be not only a valid address but they have to prove that somebody similar to a human is behind this email and is kind of answering periodically to our contacts.

What else? As you know, yesterday they told you about the policy, the policy proposals that are in our region. One that may be relevant to you or of interest to you is the one related to leasing space.

Basically they’re suggesting, the author is suggesting to specifically establish that the leasing is conditioned to revoke space. So in case you’re interested, please follow our policy discussion in LACNIC.

Number four, you may be aware that last year, together with APNIC, we launched this study. And the purpose of this study was to see what principles, what of the original principles that were taken for the Internet design were still present, and how they impacted to the success of the Internet.

So if you’re interested, you may find this document in English, of course.

And I think that this is an important tool to talk with several audiences, mainly two audiences– the government, so they understand the value of those decisions that were not by chance but actual decisions made to have this possibility that the Internet already now offers.

But also to our technical community, to value what we have. Sometimes we romanticize what we used to have before, the good old Internet, the good old open Internet that sometimes people feel that it is not as open as it used to be, that the end to end principle is working, that the traffic is dead, whatever.

But with this study, we tried to arrive to the conclusion that most of those principles are present. This is not a binary condition. This is not that some of them are or are not. But they’re still there. And those principles are still relevant to keep the Internet growing and helping the development of our communities.

And finally, something very similar to APNIC, we make our strategic planning last year. It was a very difficult process to make it online.

Some of you that have done strategic processes before– strategic planning processes before know that this is a very boring process. So to make it online is twice as work as the other ones.

And we come up with some small changes. Most of what we come up with is the same as we had in the last cycle, because we are still a registry– we’re still LACNIC. We are not changing our role. So probably we will focus on different things, but we’re still a registry and that’s why this is the main pillar of what we are.

But we changed slightly why we think LACNIC is relevant. And that’s why we have come up with this definition: That we are building a regional community for a better global Internet. So that’s our focus to try to keep this community-building process in a permanent fashion. That’s why these face to face events are so relevant for us because that’s the way we can keep this community engaged in proposing relevant things to the policies to learn many things about IPv6 and other relevant protocols on the Internet.

And well, this is the final map. Most of this, probably ten out of these 15 strategic goals are the same as the previous process. As I mentioned, we don’t expect that much change. For those familiar with this kind of process, you will see that in for-profit companies, the lower goals are often the final goals.

For us as a not for profit organization, our final goals is to deliver value to our customers– or associates, members– and to the community, the extended community.

That’s the top of this (indiscernible). And the fundamentals, the base to build all this– I’m sorry– to build all this and to approach all these goals are the financials, the stability, the resiliency, the risk, awareness, and of course the labor climate.

That’s why we allocate a lot of resources, paying attention how comfortable is our staff working with us.

So, this is it. And just finally, we are having our LACNIC 37 meeting next week in Colombia. We have almost 800 registrations so far, with 55 percent of them saying that they will be present physically. And we are offering, of course, online participation, so feel free to follow us in the topics that you are interested, and hope to see you soon. Thank you.

(Applause.)

Hollis Kara: Thank you, Oscar.

Rolling right along. Our last presentation of the day, and then we’ll be on to Open Microphone.

We have Marco Schmidt from RIPE NCC. He is the Registry Services Assistant Manager. And he’ll give the RIPE NCC report.

Regional Internet Registry Updates: RIPE NCC

Marco Schmidt: Good afternoon. It’s very nice to be here and glad to be back. And I noticed I’m the last person standing between you and the Open Microphone and a free afternoon. And I think I have 12 slides and 10 different topics.

So I will talk very fast, which is probably not a good idea with my German accent. Or I will just give you the highlights and you will see on many of the slides, you can see some links for some additional information for those topics.

And then I recommend, if you want to know more about them, just download my slide deck and you can get more information on those.

First one, like everybody – Oscar for LACNIC and Paul for APNIC – also the RIPE NCC recently released our strategy for the next five years. And basically you can download it on the link here, but we continue to improve our position to be a reliable and strong registry that provides world class service to our members.

Something that’s impacted us quite a lot in the last months, since end of February is, of course, the war in Ukraine. It impacted us in several ways. We have several colleagues in registry services that are from Ukraine, that are from Russia. And luckily, they’re still very good together. They’re in good relations with each other, but they’re all strongly impacted on a personal level.

We also received quite some demands to take a position to take some steps to retaliate or something like this. And actually our Board put out a statement that our goal and our mission is we have to be neutral. We need to be there for an open Internet. We have to be there for– have critical services are being protected. And yeah, it’s not always easy, but we have to stand on our neutral position there.

Something that we did for our members in the Ukraine that now have problems or might have problems to pay their yearly invoice, we already sent out a message that they do not have to be concerned that they will face deregistration and close off their membership because of those issues that they are fighting right now.

Again, if you want to learn more about what steps we take and what we are facing, there’s, on our website, an information page where we list all the actions and all the latest developments.

Something what we also did, we used our measurement tools, Atlas and other ways, to see how the war has actually impacted the Internet in Ukraine and Russia. The good news actually is it’s pretty resilient in the Ukraine. There are many medium to small sized ISPs, which helps to keep the Internet running, because if one network has an outage, it can be easily taken over and there’s not a wide impact.

And a similar situation in Russia. It’s still connected in many ways to the rest of the world, which hopefully helps to keep the Internet open despite all the limitations that the Russian government apply there.

Looking at our registry. We did see last year a sharp increase in transfers, which is not surprising, because we have no IPv4 left. Until the end of last year, we had basically a quite reasonable pool of recycled IPs. And the demand was not so high, but it increased sharply. So people can’t get IPv4 from us anymore without a long waiting time, so they go to the transfer market.

We also added some additional staff to our team because not only we had to deal with more requests, but also we had to deal with additional requirements. One of them are the application of EU sanctions.

We have to– we re implemented some automated rules to make our lives easier, make it more consistent. But you can imagine, again, due to the war in the Ukraine, especially Russian members, a lot of sanctions were applied to different organizations and we had to check which of our members might be impacted by them.

And despite all those challenges, we keep looking at ways how to improve our services, to make it more customer friendly, and to make it faster.

And just coming back quickly to IPv4 and the Waiting List, as I mentioned, we have right now more than 700 LIRs waiting for a /24 location.

And considering the amount of address space that we are deregistering and that we are recycling, right now we can estimate the people that are now joining the Waiting List, they have to wait for approximately one and a half years before they get a /24.

Another service that we are offering is the AuthDNS. And we actually give now the opportunity to network operators to host one of these instances in the network. And benefit for them is they have faster access, especially to requests to top-level domains, and overall, such hosting is increasing the resilience of the DNS system.

So in the case you would be interested, yes, you can apply for such, for being a host on our website. Again, the link is included here.

Another activity that many of you know is the RIPE Atlas, our national network. It’s now quite widespread, but we still want to focus on some areas that are still underrepresented.

We do this amongst others with a sponsorship model because sponsors have a much better outreach in those areas. And, once more, if you might be interested in becoming a sponsor, you can apply for it, and my colleagues from the Atlas team will follow up with you.

Another of our several activities is, of course, from our learning and development team. We offer several courses that are open to everyone. Some of them are certified, so you’ll get an official certification. And we have just released a new exam there to be an IPv6 security expert.

And also on the RIPE Academy, we keep adding additional content. We keep maintaining and updating the existing content. One of the new developments is so called micro learning, so short, 15 minute training units where you can get information about very particular topics like packet switching, trace route and so on.

What we also do regularly, we look about country reports in our region, how is the Internet there. Because while the Internet is global, it is always quite interesting to see what are facilities, what are specifics for different countries. And we do this since about two years, and the latest report was just released.

It’s about Cyprus, Israel and Malta. And had some interesting findings actually, that they’re pretty good, have pretty good penetration. But because of their location, islands, and in a special environment, they rely a lot on submarine cables. Very interesting article that I can recommend you have a look at.

And, again, I mentioned already a couple of times RIPE Labs articles. It’s a nice place. It’s a website where research results, observations can be published. And I also invite you, if you have something that you would like to share with the Internet community, to approach my colleagues from the RIPE Labs team and we have a competition there. Recently the first winner was announced. And if you join, maybe you might be the next winner.

Last but not least, as other RIRs, we have a community project fund of 250,000 Euros that we give to projects that are good for the Internet and also have a relation to our service region, the RIPE NCC service region.

We did already find a lot of interesting activities. And once more, if you might be involved in such a project and it has relation to the RIPE NCC service region, I invite you to have a closer look at this community project fund.

Last but not least, in a bit less than three weeks, we are very excited to have our first hybrid RIPE meeting again. It will be in Berlin. So you’re all invited to join. And if you cannot do it in person, maybe virtual. That would also be nice.

That’s the end of my presentation. Thank you very much.

Hollis Kara: Wonderful. Thank you, Marco.

(Applause.)

Okay. Here we go. So, well, we’ve got closing announcements but are we doing Open Microphone today?

Bill Sandiford: We sure are.

Hollis Kara: Guess what, y’all? You’re stuck a little longer. To Open Microphone time.

Open Microphone

Bill Sandiford: Open Microphone session. Reminder for those online, we’d love to hear from you as well, too. So please, make your comments through the online question and answer, not the chat, correct?

Hollis Kara: Correct.

Bill Sandiford: And for those in the room, the microphones are now open.

Hollis Kara: And I do, in fact, already have one question lined up in the remote queue. Beverly, do you want to go ahead with that.

Beverly Hicks: From James Hulce, ARIN Fellow: Can you speak about any pushback or hurdles encountered regarding the mandatory registration of legacy resource holders at APNIC?

Hollis Kara: That was a question for you, Paul, if you don’t mind going to a microphone.

Bill Sandiford: I never knew that our Open Microphone was subject to other RIRs.

(Laughter.)

Paul doesn’t seem to be shy.

Paul Wilson: Paul Wilson. Thanks for the opportunity to talk about APNIC some more in the ARIN meeting.

I think there has been some comment, as I mentioned. Maybe some suggestion that APNIC is just looking to raise revenues from legacy holders.

But we’ve shown in the past that the APNIC fee structure is very plastic and is able to be adjusted up and down by quite fine degrees.

And we have made adjustments in the past. Actually, we’ve both lowered and increased the base of fees and certainly expect, in the interests of fairness, that if we are raising – and we have yet to see how much – but if we’re raising some substantial extra our revenue base, then we can reduce the baseline fee, in the interests of fairness to all members of APNIC, which I think is the main motivation for the decision about that.

Hollis Kara: Wonderful. Thanks, Paul.

Bill Sandiford: All right. Microphones are open. Not seeing anybody in the room running to microphones – maybe one.

A reminder of those online to get your comments in soon as we might be closing earlier than we thought.

Gaurab Upadhaya: Hi, this is Gaurab, speaking as the Chair of APNIC EC. Hi, Bill.

To clarify what Paul said, we just wanted to add that we took almost a year and a half to come to that decision. One of the reasons we had to regularize was the way legacy addresses, what we call legacy, were handled, is because they don’t sign our members amendment, equivalent of the ARIN RSA. We were not able to offer any kind of services other than this maintenance.

And it was a lot of community that said, hey, why can’t you give us RPKI? Why can’t I have these new entries in the database?

We’re, like, hey, with this new system, you are just an associate member. We’ll treat you like a member, but one exception we did do was our membership fees are based on your resource holding.

So we kept the spirit of that legacy space where the fees were fixed and said you’ll continued to pay the same fees that you paid previously, but we are going to now make you an associate member.

And there’s a minor increase to align with our associate membership fee, which as Paul said, if you feel like we’re making too much money then we always reduce it.

So the drivers were not finance. It was entirely about being able to make sure that the address space that is legacy, people were not updating it because they saw hindrance because we couldn’t give them MyAPNIC access, could not give them access to RPKI, they would be able to start doing that.

Just to clarify that. It was a big community feedback that we got, and the reason for the last couple of years.

John Curran: Thank you. The parallels are uncanny in that in the ARIN region we simply said if you want to have new services you should have an agreement with the organization.

Our fee structure is also logarithmic based on total holdings. But the legacy fee holders we put a cap in to keep it very low and affordable. So it was completely and independent derived, but it ended up in a very similar place.

Tina Morris: Different topic, Tina Morris, Amazon Web Services.

We talked yesterday about two-factor authentication and all the things there. And I know this will be a support request, but I wanted to say it here as well.

Overall user permissions, there’s a couple of user types, which is an improvement. It’s not enough. We need much more granular user permissions for our internal users.

John Curran: Can I ask one question on that? Imagine you have the ability to control your users and what permissions they need. You need the ability to control individual user account permissions, including the ability to have those users control individual account permissions?

Tina Morris: No, there could be one master.

John Curran: That’s all I want to know because the complexity level is N squared when you do that.

Tina Morris: Yes. No, thank you.

Bill Sandiford: Rear mic.

Kat Hunter: Kat Hunter, Comcast. Plus one to what Tina said. Our people that pay the bill do not necessarily have to – security and bills and all that don’t need to cross over and we usually don’t want them to.

John Curran: Okay. Thank you.

Bill Sandiford: Anything from online?

Beverly Hicks: Yes, we do. Steve Wallace, Internet2: How many legacy IP resources are without an ARIN agreement?

John Curran: I think we actually presented that number. About 17,000 address blocks aren’t under agreement right now, representing about 36 percent of the total address space.

17,000 address blocks and 15,000 of them are /24s. And it’s been dropping, I’ll go with 2 to 3 percent a year. But we have a recent surge in how fast legacy resources are coming under agreement.

Beverly Hicks: Follow up to that is, do you know how many /16s?

John Curran: I missed that.

Bill Sandiford: Do we know how many are /16s?

John Curran: Actually, that’s in the presentation we had on the Number Resources that John gave on the first day. If someone can pull it, Sweeting – John are you here?

How many in your table of legacy address blocks not under agreement, how many are /16s?

John Sweeting: I believe there’s 2,916.

Bill Sandiford: Are you sure it wasn’t 2,917, John?

(Laughter.)

John Curran: We’ll pull that number.

Hollis Kara: We’ll pull that deck.

John Curran: They’re busy calculating.

Bill Sandiford: Any other comments while we’re waiting?

Hollis Kara: Looks so. Beverly, do you want to read that one?

Beverly Hicks: James Hulce, ARIN Fellow: Follow up to Steve Wallace. How many organizations with legacy blocks not under agreement? I think that’s the same question.

Bill Sandiford: I think the first question, I think he asked that the first time but the answer was given as blocks as supposed Orgs. Now he’s specifying the number of Orgs.

John Curran: That’s a great question. We don’t have a distribution of Orgs, but I’ll note that it’s – first, it’s no more than the number of blocks. And it’s likely less.

But it’s not – actually the 15,000 organizations that have a /24 generally have – that means 15,000 /24s, many of them are held by one organization. So the order of magnitude count is the 12,000 to 15,000. We can find the exact number. We just didn’t do the distribution.

But many, many legacy resources are single /24 resource holders.

John, did you have the /16 count?

John Sweeting: Yes, /16 count was 2,173. Somehow I put the 9 in there.

John Curran: Brokers, start your engines! 2,000 plus /16s out there not under agreement.

Bill Sandiford: Not seeing anybody approach microphones in the room. We’ll give one Last Call and then we’ll end our day.

Hollis Kara: I don’t see anything.

Bill Sandiford: All right. Hearing and seeing nothing, we’ll close the Open Mic session and we’ll move to closing announcements. Thank you, everyone.

(Applause.)

Closing Announcements

Hollis Kara: So start off with another thank you to our network sponsor, AT&T Business.

(Applause.)

I love a meeting when there are no network issues.
Thank you to our bronze sponsors, IPv4.Global – I did it right that time – Hilco Streambank and IPv4Mall. That should not be hard for me to say after all this time.

(Applause.)

And just a reminder: At 4:30, we’ll be opening our virtual happy hour. Please, folks that are here on site, if you don’t have anything else planned and you’d like to drop in, it’s a great opportunity to connect with some of the folks who maybe weren’t able to be here in person or meet some new friends.

We’re going to have a little bit of an icebreaker game, some mixology demos and then breakout rooms to chat. It’s just an hour of your time, so I hope we’ll see a lot of you there.

The meeting survey is now live. It’s actually going to pop up when you close out of the session today for those who are online. For those here in the room, the link is on the screen, but you’ll also get that in an email probably today, definitely tomorrow, probably sometime next week.

Basically, please tell us how we’re doing. It’s a good way to maybe get a free iPad and it helps us make sure that this meeting continues to improve and that we’re able to do the best meetings possible for the community.

Tomorrow morning, we will be starting at 9:00 AM. We’ll have breakfast at 8:00 AM, same place as today. And we will have boxed lunches when you depart at the end of the session.

And thank you very much for your time and attention. Really happy to have you here.

(Applause.)

(Meeting adjourned at 4:00 PM.)