ARIN 50 Public Policy and Members Meeting, Day 1 Transcript - Thursday, 20 October 2022
On this pageSkip to main text Jump to related content
Hollis Kara: John Curran says get the show on the road, we get the show on the road.
Thank you, everyone. My name is Hollis Kara. I’m ARIN’s Director of Communications, and it’s my distinct pleasure to welcome you to ARIN 50.
I’d like to start off by thanking some key members of our community, without whom we could not bring you these meetings and run the functions of ARIN.
First of all, I’d like to thank our Board of Trustees. You’ll see several of them at the podium this week. And if you bump into them at any of our events, they’ll be wearing tags on their badges so they’re easy to spot. Please make a point to make yourself acquainted.
So thank you to our Board of Trustees. Can I get a hand?
Thank you. Sorry, I didn’t warn you. There will be some audience participation this morning.
Next up, our Advisory Council. These folks put in a tremendous amount of time to developing policy for the ARIN region. And they have brought 12 policies to the docket for today and tomorrow. So they’re going to keep us very busy talking about those things.
You’ll meet a lot of them as they come up to present. And, again, they’ll be wearing badges or ribbons. So if you see them at the breaks or the lunches, please do make sure to thank them for all of their hard work for the community.
Okay, guys, clap. I need a clap sign.
And then last but not least, we have our representatives to the Number Resource Organization Number Council. Hopefully we’ll have a little bit of time to hear from them, but with such a packed policy agenda and with elections, we may or may not get to hear from those folks at this meeting.
But, again, they will be wearing ribbons. If you see them, and you want to learn a little bit more about the NRO NC and how and why they get two sets of acronyms, be sure to check in.
All right, so let’s do a little quick grounding about how to participate in today’s meeting, whether you’re here with us in person or joining us online.
Now, for our virtual participants, we have chat. Chat is where you can talk amongst yourselves. Nothing that goes in chat will be queued for response at the mic. So if you want to participate in an open discussion, you’re going to have to either raise your hand or use the Q&A function.
Now, last meeting we had everybody typing their questions in Q&A, and it worked pretty well. But we did get some feedback that some folks feel like it would be easier to explain things if they said it in their own voice, so we have enabled that capacity.
You just need to let us know. If you would to speak, we will enable you to unmute your microphone, and then you can ask your questions directly when we’re having open discussion portions of the meeting. So that will be cool.
For our virtual participants, we’ll have a virtual help desk. If you’re having any trouble getting logged in, finding any information, you can stop in there either up until 9:30 today Pacific or during our lunch break. Same thing tomorrow.
In person, if you are using a device in the room, please make sure you’re muted and disconnected from audio. This will allow you also, if you would like to participate in the virtual chat, to log in to the Zoom. You’re welcome to do that, but we do need to make sure that devices are muted and disconnected from audio in order to make sure we don’t end up with weirdness happening.
Now, if you go to the ARIN 50 page, you’ll notice there are lots and lots of things in the navigation. I just want to point out that there is, along the bottom row, our virtual event hub, which is where, if you didn’t get your email to log in, you can always go there and log in to a session.
There’s also the virtual help desk, which will be available on the hours that are posted on that page. And then the Meeting Materials page is going to take you to meeting materials where you can download or open and view all of the presentations that are going to be given today and tomorrow.
All right. I don’t know that we had a chance to update the attendance numbers since yesterday. But you can see right here we’ve got lots of folks from all over joining us, and we’re very happy to have them here. Actually boasting, I think, record registration right now. I don’t have the final count as of today, but we’re over 300, which I love to see.
And I’d like to take a moment just to welcome all of our RIR colleagues that have traveled here to be with us and participate in the meeting. So we’re very glad to have your participation as well.
To give you an idea of the breakdown as of yesterday, we had 128 virtual participants in today’s meeting, and we had 187 in-person registered as of yesterday morning. I believe we’re well past 200. So we’re excited to see such robust interest in ARIN.
Some chat reminders when we get into the discussion. Please make sure your comments remain professional and that you stay on topic and that you are complying with ARIN’s standards of behavior, which are posted on the website.
Our producers and hosts, I guess that’s me, will coordinate the discussion flow and help the moderator during those periods. We do ask that everyone, whether it’s a virtual participant or here in the room, that you state your name and affiliation clearly when you start your remarks and that you try to speak slowly.
I don’t know if you guys can catch — I’m really — I got chided. I’m trying to talk slower this time. It feels very unnatural. If I seem like a robot, that’s what’s happening.
Questions, questions, questions, covered all of that. Standards of behavior, please be nice.
We are recording and livestreaming. You can go back and watch this all in reruns as many times as you like. Just give us a week or two to package it, and we’ll have it up on the website.
Slides have all been posted online in PDF form on the Meeting Materials page, if it’s easier to view them there than on screen. And transcripts are also available.
Now, I’d like to just take a moment to thank my team that has been working so hard to bring this meeting to you. Back on the riser, I’ve got Beverly Hicks, who is doing our hybrid and virtual production. Thank you, Beverly.
I’ve got my meeting planner, Melissa Goodwin. Is she in the room? No, she’s probably out chasing things down as she usually is. She’s been putting in a tremendous effort to bring us a great meeting. And you’ve got me. Yeah, me.
And we have our virtual host, Amanda Gauldin, on the chat in Zoom. We have Craig Fager at the virtual help desk. Stop by to say hi to Craig.
Tommy Baldwin has been assisting with video and livestream and some photography. Ashley has been making sure all our communications are clear and sent to you in a timely fashion.
And I’ve got Christina Paladeau here taking pictures and managing our social media. So if you see somebody running around with a camera, that’s probably Christina.
I’d like to thank our network sponsor, Zayo.
I didn’t even have to tell you this time, thanks. You guys are great.
Next our webcast sponsor, Google.
And our Bronze Sponsor, IPv4.Global Hilco Streambank.
Now, here we come to the fun stuff. Can I get a drum roll, please? Thank you.
We had our meeting orientation on the 11th of October. And for folks that participated, they had the opportunity to give us some feedback. And if they were kind enough to do that, they were entered in a drawing to win a $100 Visa gift card.
Do we have a winner, Beverly?
Beverly Hicks: We do have a winner. Our winner is Mark Hart. He is with us virtually.
Hollis Kara: Congratulations to Mark. And thank you to everyone who attended the meeting orientation. I forgot to click. We know that part.
Emergency exit. Please continue down the stairs and assemble in front of the Hollywood Methodist Church on Franklin Avenue in the event of an emergency. And somebody will tell you what to do at that point. It won’t be me. I don’t know.
For our agenda. You’ve been listening to me. That part’s almost done. When I am completed with these welcoming comments, we will be heading into our Policy Experience Report followed by our Engineering Update, our Services Update, and our Operations Update, followed by an AC On-Docket Report.
Then we all get to take a break, step outside and get a little bit of fresh air. When we come back from break, we’ll have our first policy block of the day. And that will run us up until lunch.
After lunch, the balance of the day really is going to be spent on the ARIN 50 elections. There will be an introduction and overview of the election process itself followed by candidate speeches.
After candidate speeches, we’ll take a break. Then we’ll come back and finish the day with our Advisory Council and Board Candidate Forums, and then close out with an Open Microphone.
So that’s the plan for the day. It’s going to be busy.
This evening we hope to see you in person over at Madame Tussauds from 7 to 11. It’s a short walk. If you head down to Hollywood Boulevard and hang a right, it’s just a little bit down past the Chinese Theater. We look forward to seeing you there for a fun evening.
For now, I’d like to pause and take a welcome from our sponsors. Roll tape.
Welcome from Zayo
Aaron Werley: Hey, everyone. Welcome to the ARIN 50 conference. My name is Aaron Werley, and I’m fortunate to lead Zayo’s technology team here in Boulder, Colorado.
We’re thankful for the opportunity to be the connectivity sponsor for ARIN 50. For those not familiar with Zayo, we’re an industry-leading communications infrastructure provider providing a full suite of services, from fiber, wavelength, Ethernet, IP, and SDWAN.
Over the past 15 years and nearly 50 acquisitions, we’ve amassed a network that spans 16 million fiber miles and connects over 44,000 on-net buildings.
This network is used by category-leading customers across a variety of industries every day.
At Zayo we believe we connect what’s next. ARIN 50 is no exception. With all the great planning and work that happens here, helping shape the way for the Internet, we were excited to open up our network for use during the show.
We’ve leveraged our expansive fiber network and our Tier 1 IP backbone to provide 10 gigs of capacity to ensure you have all the bandwidth you need to stay connected while at the conference and those attending virtually get the best experience possible.
For those at this conference, though, this is some good news and some bad news. Good news is you won’t miss a beat with the outside world. Bad news is your boss isn’t going to necessarily buy the line, “Ah, the Internet is horrible. I couldn’t join the Zoom meeting. You know how conferences are.”
I may have used that line once or twice myself, but I probably wouldn’t recommend it here.
But from us at Zayo, we appreciate all the hard work ARIN and its members have contributed over the years helping shape the way for the Internet and just networking in general. We hope the conference is productive and enjoyable. Thanks, guys.
Hollis Kara: Awesome. First up I’d like to actually welcome John Curran to give a brief welcome.
Welcome from ARIN President & CEO
John Curran: Thank you, Hollis. Good morning and welcome to Hollywood. It’s my pleasure to greet you all here at our ARIN 50 meeting.
Fifty meetings, two meetings per year. That means that ARIN has been doing this for 25 years, which is quite an achievement.
I see many familiar faces out there, but I also see some new ones. I think that’s both good. People want to come back, and new people are interested. So that’s encouraging.
I just want to say that we have continued to evolve ARIN. We continue to work on our services, how we relate to customers, what we offer in terms of value, both in terms of using ARIN as a registry and in terms of helping lead ARIN and govern it in policy development and in serving on the Board and the AC.
We know both are exciting. We’ll talk about both today.
You’ll have a little presentation about our services in the morning, some updates. And in the afternoon we’ll talk about the elections and serving on the Board and the AC. People are excited by this. At any time if you want to give feedback, I’ll be in the halls. Feel free to hunt me down.
I just want to say again, I thank you all for coming. ARIN is about serving you, and we look forward to hearing more from you.
With that, I’d like to turn it over to the Chairman of our Board of Trustees, Bill Sandiford. Come on up, Bill, for the welcoming remarks.
Welcome from ARIN’s Board of Trustees Chair
Bill Sandiford: Thanks, John. Welcome, everyone. Special welcome to everyone who is here in Hollywood for a milestone meeting for ARIN. As others have mentioned, it’s ARIN 50. So glad that everyone can be here.
It’s not the first in-person meeting we’ve had sort of since coming out of the pandemic, but it sort of feels like it’s the one where we’re getting the most participation and things are getting back to the most normal.
It’s nice to see everyone who has made the trip here. A special welcome to everyone on remote.
Once again, a special thanks to our sponsor, Zayo, as well as the staff for putting together a wonderful agenda that we’re going to go through over the next couple of days.
With that note, we’ll get on with it. Thank you, everyone.
Hollis Kara: Thanks, Bill. And next up, we’re getting ready to launch into presentations. Next slide. First up, we’ve got John Sweeting, our Chief Customer Officer, to give our Policy Experience and Implementation Report. Wait. Reverse that. Whatever it says on the slide, that’s what he’s going to do.
Policy Implementation and Experience Report
John Sweeting: Good morning, everyone. The sun shines bright today.
I do want to take one quick minute to congratulate Hollis on completing 15 years with ARIN. She’s been an awesome asset. Could we have an applause for her?
All right. So I’m going to be talking about the Waiting List. This is the Policy Implementation and Experience Report. This report we tried to point out policies that are working good, policies that aren’t working so good, policy ideas maybe that we could throw out there and the community can mull over and work with the Advisory Council to maybe move forward and put into policy, from our experience with our customers and the input we get, the feedback we get from our customers through our Registration Services Department and our Financial Services Department.
Today I’m going to focus on the IPv4 Waiting List policy. And I have to say there’s good news and there’s bad news.
Good news is that when the policy was revamped a few years ago to the current Waiting List criteria, it actually worked very well. And we have fulfilled quite a few requests over the last two years since that policy was put in place.
That criteria was that an organization could only have a /20 or less in total IPv4 holdings, excluding special reserve pools, and that they could request up to a /22 based on their two-year outlook of needs.
If somebody that was on the wait list went out on the transfer market and obtained IPv4 space, that immediately disqualifies them from the wait list and they are removed. And that space that’s obtained from that wait list has a 60-month hold period off of the transfer market, excluding mergers, acquisitions and reorganizations, which we refer to as the 8.2 transfers.
Recent data on the Waiting List, as you can see, it’s slowed down quite a bit. And the wait list is building up, and it’s probably only going to get worse.
But this year, prior to this year, we had been exhausting the wait list every quarter with our distribution.
And starting in the first quarter of 2022, we were only able to fill 73 out of 298 requests that were on the wait list. That went down to 41 in Q2 out of 364 because it was building up.
And the current distribution that was just done at the end of September, there were 505 requests, and we filled 69 of them.
You can see the total of /24s. That’s important. I’ll get back to that in another slide or two.
So, with the current IPv4 Wait[ing] List trends, if we project out to the end of 2023, we will have over 1,000 people on the wait list. It’s just going to keep building and building.
Our only inventory that we have for the wait list today is coming from space that has been revoked for nonpayment mostly. We get a few returns, but mostly it’s revoked space for nonpayment.
And when we get that space, we hold it for one year past the due date of the annual invoice. And after it’s past that one year anniversary of nobody coming in trying to reinstate it, it goes through a process that we have a few managers and directors on, and we go through it and we clear it for distribution to that wait list that quarter.
Some of the stats there, there’s about 180 requests added to the wait list per quarter. Projected out, we’ll fill about 60 requests. Waiting List will increase by 120 a quarter. So that’s how we get out to that over 1,000 on the wait list at the end of next year.
So what are the options? There’s some options that the community could do through policy if you so desire. You could lower minimum allocation size. You could lower the maximum IPv4 holdings for eligibility. You could restrict or eliminate transfer of Waiting List blocks.
In other words, instead of having 60 months, take it out to 10 years, or say, hey, this is a special reserve block for the wait list. If you get space off the wait list, unless it’s through a merger acquisition transfer, it must come back to the community, to ARIN for distribution to the community.
In other words, wait list space would never be allowed to be transferred on the transfer market.
And we’re also looking at if you’re sitting there for two, three years and you’re a small ISP that needs a /24, and all of a sudden you’ve been on the wait list for two years, you’re getting close to getting that /24 or 23 that you’ve put in and you were approved for, and you get an opportunity to add some customers, for whatever reason, but you need an address space right away so you go out on the transfer market and purchase a /24, maybe that’s not a good reason to take that organization off the wait list at that time since they’ve been waiting for so long. And they still need that space. They would have to re-justify that space, of course.
Here’s a little graph that shows by doing some of those options, what would happen. If the /22 max results, of course, in that 1,000-plus wait list, reducing it to a /23, it still grows, but not as fast. And if you reduced it to a /24, it would neutralize growth.
Basically, so that let’s see. I should have it. Yeah, here.
So under the current policy, 69 requests were filled, with 441 requests unfilled. If we had a /24 maximum allocation size, we would have filled 229 organizations with that /24, leaving only 276 requests on the list.
So the projected Q4 quarter fill would increase from 122 to 381. We have a projection of what we have, what’s going to be available for distribution in the fourth quarter.
And this is just showing you, hey, right now we’re projecting we’ll be able to fill 122. If it was just a /24 that those organizations could get, it would be 381 organizations that would be able to get a /24.
Impact of max holdings. If you changed the max holdings to a /21, growth slows by 9.3 percent; a /22 slows to 17.6 percent. And so on. /23, 25 percent; /24, 28.9 percent.
And if you said, hey, you can’t have any IPv4 address space, you need to have none of your own, maybe you have reassignments or something, then you can come in and get that’s the only way you can come and get space off the wait list, the growth would slow by 42.4 percent.
So an example with the current /20 maximum holdings, we project 561 organizations will be on the Waiting List in the fourth quarter. So the impact of reducing the max holdings, it would, as you can see here, it would reduce it down to, if 21, 509; 22, 463. And so on.
There’s a range of options. There’s several different ways to skin this cat. I trust the community and the Advisory Council. If you feel the need to do that, you will look at all the statistics we’ve provided.
That’s mainly what we’re providing. We’re providing you statistics so you can make informed decision policies and decide what you want to do, which direction you want to go in.
Needs-based source transfer, current policy places a five-year waiting period to transfer addresses received via needs-based. Should Waiting List blocks — I talked about this — should we just say, hey, this is a special reserve pool and we’re going to treat it special, just like the 4.4 and 4.10 space cannot be transferred. Only through 8.2 transfers should we say the wait list space can only be transferred through 8.2 transfers.
I see Lee looking hard at me, but that’s okay.
Needs-based recipient transfers, this talks about, hey, with the wait times being so long, if an organization has to go out and get space after they’ve been on the wait wist a fair amount of time, just being on the wait list, should we actually take them off?
Should it be, hey, they can only go once. Well, they’re on the wait list. All that’s up to the community and the Advisory Council to decide through the Policy Development Process.
So the example given here, then I’m there for two years. I think this is an example I already gave, which I do a lot. An Org on the Waiting List has waited two years for a /22. A customer has a need a for /24 immediately. Should they be eligible to acquire a /24 and stay on the wait list?
And the one thing that we learned the last time we had to make changes to the wait list is the community needs to be very careful in who it applies to. Would it be retroactive, would people on the wait list be grandfathered, and all of that.
As I said, it’s important to settle at the time of the change and be very cognizant of the feelings of the community as we go through this, if you decide that there should be tweaks made to the wait list policy.
How do other RIRs handle this? RIPE NCC, an LIR with no history of IPv4 from the RIR may request a /24 so long as the space will be used to make assignments and the space will be used on a network with at least one active element in the RIPE region.
APNIC, they abolished their Waiting List in July 2019. LIRs may request /24 and /23, requesting LIR must have used a /24 from their provider or demonstrate immediate need for a /24 with a plan for use of at least a /23 within a year.
I’m looking at George, if that’s correct. Awesome.
So questions for the community. Do nothing, no changes? I’m not advocating anything here. I’m just presenting the facts.
Lower the max block size? Lower maximum holdings? Allow needs-based source transfers? Allow small needs-based recipients to oh, to stay on the wait list, I think that’s supposed to say. And allow any retroactive policy changes?
So, that’s it. That’s the only one I’m covering today. So if there’s any questions, run to the mic. If there’s no questions, I will turn it back to Hollis.
Hollis Kara: Okay. Do we have any questions coming in from virtual, Beverly?
Beverly Hicks: No.
Hollis Kara: No questions. Do we have any questions?
John Sweeting: We’ve got questions.
Hollis Kara: Okay, great. If you could please approach the microphone, we will queue you up.
Mike Burns: Mike Burns, IPTrading. I was curious, you have projections going out to the fourth quarter of next year. And those, I assume, are based upon your receipt of returned addresses that are due to roll through the quarantine period and enter the Waiting List and the actual Waiting List entries there.
So you do a projection. I’m wondering how far out do you do that projection. And is that something you can share with brokers like me who have to advise people as to the likelihood of the Waiting List assignment or not?
John Sweeting: The projections I showed were based pretty much on fact because we know how much space was revoked last month, the month before. So all the way up to September we know how much space we have that will be able to be given out in those quarters next year.
To go any further than that would just be based on history.
Mike Burns: Because we don’t know that, how many you’ve revoked and how many are in the pipeline. I’m wondering if there’s any more transparency that might be afforded to people who have to advise wait list entrants.
John Sweeting: I’ll take that under consideration. I don’t see, is JC? —
Hollis Kara: He stepped out momentarily.
John Sweeting: No, we don’t publish what has been revoked we post what we used to fill the requests. I don’t believe we post what we revoked this month that will be eligible to be given out a year from now.
Mike Burns: You post the ones that are cleared to go out.
John Sweeting: Right, but that’s at the time they’re cleared. We know about them before they’re cleared.
Mike Burns: Right, but we don’t.
John Sweeting: Right.
Mike Burns: Something to consider.
John Sweeting: We don’t clear everything that comes through that committee. But let me look at it, Mike. Let me see what we can do.
Mike Burns: Thanks.
Hollis Kara: Nobody in queue online? Over to you on the floor.
Kevin Blumberg: Kevin Blumberg, The Wire. The one thing that worries me is the statistics only are even partially accurate while the levers are the same today. So we changed the levers and suddenly all the statistics get changed.
It’s a squishy bag. You make one change over here, something changes over there. So I think we need to take the projections with a massive grain of salt in that regard.
One, first question. 4.10. If somebody gets space on 4.10, does that remove them off the wait list?
John Sweeting: No. As I said, as I mentioned in the beginning, the special reserve space does not count against them. So 4.4 or 4.10, neither one count against somebody getting on the wait list.
Kevin Blumberg: So we’re double dipping in that regard?
John Sweeting: We’re what?
Kevin Blumberg: An entity can be double dipping. They can say, I have an immediate need, I’m going on the wait list. And I’ll get my space from 4.10 because I have an immediate need. And now I still have an immediate need for that other space.
John Sweeting: Remember the 4.10 space is strictly to be used for the deployment of IPv6.
Kevin Blumberg: I understand. How much of the 4.10 space has been utilized at this point?
John Sweeting: I think somewhere around 12 percent.
Kevin Blumberg: We’re very low on 4.10.
John Sweeting: No we have a lot. There’s almost 90 percent still left.
Kevin Blumberg: I mean very low utilization.
John Sweeting: Remember, it was a /10.
Kevin Blumberg: Okay, thank you very much.
Tina Morris: Tina Morris, AWS, ARIN Board. Just as a general transfer market I would be against publishing the space that’s coming out because that gives the impression of a guarantee that the wait list has never been.
And you could run into problems with that space that it can’t be released and then people are doing their business plan based on that. And that just shouldn’t happen.
Also, I get emails every day from people that want to help me sell my sites. And those obviously uneducated brokers would also use that data in a fearmongering way. I am suspicious of that.
So I would say the Wait List should be still treated as a bit of, oh, wow, I got space. That’s amazing. Not ARIN promised I would have a block on this day and I didn’t get it.
John Sweeting: On that point, we always, no matter who you talk to at ARIN , Registration Services, Financial Services, CCO office, Comms, anybody , always caveats there’s no guarantee with the wait list. There’s absolutely no guarantee.
And what you brought up, Tina, it’s one of the things of how transparent can you be with things that you’re not certain of. It’s easy to be transparent with things we’re very certain of. But when maybe somebody might go out on the transfer market, but ARIN is showing, oh, I’m going to get space in two quarters, and then it doesn’t happen, that can be a problem. I understand fully.
Hollis Kara: All right. We have one more question from the virtual queue. Beverly, you want go ahead?
Beverly Hicks: Robert Hoppenfeld: If we’re on the Waiting List for a /22 and the policy changes to only being able to distribute a /24, would there be a grandfathering in?
John Sweeting: As I indicated, that would be fully up to the community to I actually advocate that you actually make it very, very clear in the policy whether it’s going to be retroactive or people are going to be grandfathered.
We found that out the last time we had to do changes to the wait list. And it was a very good lesson. But it also showed that our Policy Development Process worked very well because the people that had some concern with that were actually made somewhat whole through that whole process.
Beverly Hicks: We’re clear over here.
Hollis Kara: Thank you, John. Alright, because he’s pacing,
Mark Kosters, our CTO, will be up here to give us an engineering update. Mark will now give his presentation.
Mark Kosters: Thank you for that. It’s great seeing you all here.
Last night when I was on the podium it seemed much taller than it is today. I’m sure you can all see me, right? Let’s go ahead and get started.
We’re going to give an engineering update, go through what ARIN engineering has been doing since the last meeting. We’re going to go through statistics, software releases, our operational improvements we had, challenges, and then talk about what’s next. So that’s our agenda for today.
Some of these things I’m going to go through fairly quickly. Some of them I’m actually going to slow down on, so it gives you some time to ponder as we go through it.
Accounts activated: it’s interesting in the sense that there’s about 14,000 new ARIN Online accounts created per year. I think it’s pretty amazing that the number of people coming in constantly, putting in ARIN Online accounts.
What’s interesting even more so, is the number of people who come back once they log in. And here we see that there’s a lot of people that go one and done. There’s a lot of people that actually never log in. And there’s a lot of people, a lot of people that log in 500 times or more since the inception of ARIN Online.
In fact, there’s one user who takes the cake, has logged in over 8 million times since the beginning of ARIN Online. Why is that? I think this is interesting. I just thought I’d bring it to your attention.
Here we have provisioning transactions. Now, we have three ways that you can actually change your records within ARIN Online, right?
One is you actually go to the website and you go ahead and make your changes. Another one is you use templates because you’re from 1992. And the last one used is you use the RESTful API.
Now, I tease a little bit about using templates because I acknowledge that we still have some things that we need to work out that templates may do that RESTful API cannot.
So we’re going to have to work through that, and we have some work to do in that area. But you can see from the side that the RESTful API is way overtaking here. You look at it and you say, well, “it looks like the template situation is sort of flat lined and has been for a long time.”
But if you look at this next slide, you can see that there’s a gradual decrease in time on templates. There’s valleys, peaks and valleys, but you can see generally that the number of templates being actually sent to ARIN has been going down.
Now I want to talk about Whois and WhoisRWS and, on the next slide, RDAP. You look at this slide and you say, “wow, things are definitely moving up to the right here on this slide.” And you say, “well, there’s this peak back in 2010. What about that?”
So back in 2010, a number of social media providers actually started putting in OAuth. Basically, you can log in using your credentials through, say, Facebook to log in to some third-party site.
And when they did this initially, and I don’t know why, they went ahead and said, “we need to do a Whois query against that to make sure it’s cool.” That’s why you see this huge spike, it’s from when that first actually was rolled out back in 2010.
We talked to the various providers and actually got them to take that out. So that’s why you see that spike there. And now it obviously quickly went back down and has gone away.
Now, over time, we occasionally have abuse. And we go ahead and look at that abuse and we go ahead and filter them out. We also have things like tarpitting, right, you can only do so many queries per second before you’re put into a holding pen.
And there’s other things that go on as well. This is sort of an active sort of cat-and-mouse game that goes on. And we have legitimate vendors out there doing legitimate things, for example digital rights management. There are people looking out to watch out for those people that are trying to abuse songs and movies and stuff like that, and they want to see where it’s coming from.
We also have threat intelligence companies actually coming and doing Whois and finding out where the IP addresses are coming from and who they need to talk to.
But we have a bunch of other things going on as well, some of which we don’t know about. And, for example, one of them is bulk Whois. Who here has bulk Whois? Okay. What did you promise to not do to pull down bulk Whois?
One of the things you promised not to do is not to redistribute it to others, right? But what about those companies that come in and say, “hey, I want the bulk Whois, I’m going to redistribute to others and I’m going to make money?”
That’s obviously breaking the terms of service. You can’t really allow them to do it; otherwise, why do you have the terms of service?
So, they’re turned off. Their response is, “well, I’m going to scrape Whois anyhow.”
Maybe some of this is as a result of that. Maybe this is the result of something else that’s going on.
But I think it’s interesting and I thought I’d call it to your attention as how we go forward. In future slides you’re going to see that we actually are overhauling our public facing services infrastructure, which includes the servers that actually services Whois, WhoisRWS, and RDAP.
You can see here; this is some of the things that we’re going through. I think it’s interesting. We’re fine; we’re actually dealing with this traffic no problem.
We’re seeing traffic loads that are much higher than our brother and sister RIR’s to a really high degree. So, the second place, like, service is not even half of what we see in terms of query load. So, again, just bringing this to your attention.
Here you see RDAP. Same thing. And one of the things I did here was break out both v4 and v6. And you can see based on the scale that v6 is actually fairly flat. It’s around 4 percent - 6 percent - hasn’t really changed over the years.
2FA adoption: As you know, we went out and actually incurred the ability of putting out two more services. We had TOTP for people who do 2FA - two-factor authentication. We added voice, and we also added SMS. When we did so, we actually announced this to the community, that we had these two new services available.
When that happened, you saw a spike in terms of number of people actually coming in and using 2FA. This is great. This is awesome.
And you see this download spike, then it’s starting to come down. The reason it’s coming down is that’s only half a month. So, it’s certainly going to keep on going and it’s going to keep on going up. But it’s a little bit misleading there.
So definitely letting people know that you have increased security available is useful. And people are taking advantage of that.
Again, I think this is interesting seeing this sort of reaction from the community based on some sort of email or some sort of communication that went out saying this is available.
Releases since ARIN 49: We’ve had a number of enhancements to billing, most of which you don’t see. That helps facilitate internal reporting. We put in a new premier service billing plan.
We have a new ARIN election system that you’re going to be using here very shortly. And it will be working.
We have listed resources covered under RSA and LRSA, so you can see what resources you’re paying for.
We have two-factor authentication enhancements - SMS, and voice, added. And we’ve had a large focus on SOC 2 Type 1 audit. That’s currently underway.
And of course, the reduction of technical debt. So, these are long running programs that we’ve had, especially the technical debt stuff. This is stuff that we’re working on, continue to work on, and will be working on to make sure we’re up to date.
Improvements since ARIN 49. From the operations perspective, we’ve done lots of end-of-life box replacements. We’re rolling out a new architecture for our Public Facing Services, mainly to serve the needs of Whois, WhoisRWS, et cetera, as well as RPKI, making sure it’s always available.
We’ve also done a third-party security audit that has come through. And we’ve showed continued progress on having good security hygiene.
Challenges: In ARIN 48 I talked about directory services and how people were abusing it. Back then there were cookbooks, actually still are cookbooks out there, how you can actually use CDN providers, et cetera, to actually harvest data from us.
There’s brute force attacks that happened in the last meeting. That’s why we’re actually starting to focus on two-factor authentication to remove that - protect our vector.
We also did improvements to the login system so that it’s more conformant to the existing standards.
And currently we’re working on the SOC 2 audit preparation. There’s been lots of policy development and lots of process checking to make sure that they match the policies that we put out.
So, this has been a pretty significant effort within ARIN engineering, and it continues to do so and will be for the upcoming years.
What’s next? We have a new third-party payment processor that’s going to be unrolled here. We had some secure routing enhancements that we’ve been talking about that Brad Gorman has been spearheading. Secure routing dashboard for IRR and RPKI. A new scalable method of updating our repository so we can add more as we go forward in the future.
And going back to this, I’ve heard a lot of comments from many of you in terms of, “hey, I’d like to see these improvements on the usability on ROAs creation and that sort of thing.”
And we’ve heard that and Brad has heard that as well, things that we can do to help make this easier for you all, to go ahead and make these changes and make improvements to the UI.
We’ve had 2FA enhancements. We’re adding FIDO2 for those people who really want to use their YubiKey and that sort of thing. That will be available this December - You can start using FIDO2.
So, at that point we’ll have four ways of doing 2FA: SMS, TOTP, voice, and FIDO2.
Tech debt: We continue to replace libraries that are end of life. This is a very long line project. But it will continue.
PFS site improvements: We’re going to be installing a reengineered hardware solution across all our PFS sites, of which there are three. We will be making improvements on that.
We definitely have seen improvements with the hardware has come out the last couple of years. Some of the hardware we’re running in our PFS sites are starting to get long in the tooth. And there’s definitely been lots of improvements with CPU, et cetera. We’re looking forward to seeing this as we go forward.
Ongoing SOC 2 compliance is a big thing as well.
And the last thing, and not least, is support for multisite logging and monitoring. So, if ARIN HQ was taken out, we could actually go to our production facility and work and vice versa. We don’t have to worry about having a single point of failure any place.
So, with that, I’m done. I did set a world record amount of time. Thank you very much.
Hollis Kara: Thank you, Mark. Great. If we have any questions from in the room, please feel to approach the microphone. We do have a rather robust queue from our virtual participants. All of a sudden, the mouse stopped working. I’ll turn it over to Beverly to read in the first of those.
Beverly Hicks: First is Steve Wallace from Internet2. He actually wrote it in three parts, but I’ll read it as a single piece.
“Can you share the allowed queries per second for the Whois service?” And he apologizes, he is one of the people that runs reports weekly that hammers Whois. He adds to the delays and would like to know what delay would be most effective.
Mark Kosters: (Chuckles) That brings up an interesting thing. I don’t really want to disclose this, but what people have done is they have figured out what our tarpitting rates are set at right now, and they actually engineered this to be right underneath it.
And they notice whenever we make changes and we’ve actually set down with a couple of them and said, “Hey, why are you doing this?” And they go through and say, “we’re doing this because of this, that, and the other thing.” And they “say, “well, you made this change on this date.” And I go, Yep, we did.” “We made the other change on this other date.” And I go, “Yep, we did.”
And it’s all dealing with tarpitting and other things that we’re doing to actually sort of increase the availability for people outside of those who are doing the abuse or using Whois or WhoisRWS or RDAP heavily for people to actually get service.
Again, we haven’t had this problem for a little while. He’s more than welcome to talk to me afterwards, and we can see what we can do.
Hollis Kara: Go to the floor.
Leo Vegoda: Hi, Leo Vegoda, with my PeeringDB hat on. Do you have plans to add support for RSC in RPKI over the next year or so?
Mark Kosters: This is a really good question for Brad. This is something we’ve been talking about, for doing. I see that Brad is coming to the mic.
And we’re very much aware of this. We’re following it within IETF big time, as well as a bunch of other things. ASPA is another big thing that we’re looking at. So, Brad, go ahead and take it away.
Brad Gorman: I’m Brad Gorman, the product owner of the routing security products here at ARIN. Absolutely yes, RSC will be in the development plan for moving forward in the future. We are in the process of evaluating where it’s going to fit into our schedule.
But, yeah, I’m assuming that soon thereafter, our next IETF meeting it’s going to be ratified, and we will schedule the development after ratification.
Leo Vegoda: Thank you. I’d love to chat with you about that.
Mark Kosters: Thank you, Leo.
Hollis Kara: I’m going to break my own rules. I see we have a question was initially, well, it just popped through to Q&A. We’ll cut back over to virtual for one more question.
Beverly Hicks: I have two more questions, but I’ll start with Kerry Culpepper from the Hawaii State Bar Association IP and Technology Law Section and a NRALA member. Her question is regarding Whois and the steps that ARIN is taking to enforce obligatory to report IP address reassignments.
For background, the IP owners rely on the Whois records to determine appropriate party to report abuse such as observed copyright infringement.
These efforts are often frustrated because some host providers do not report reassignments. For example, thousands of notices of piracy can be sent to a provider because Whois states the IP address belongs to a certain provider.
But when we go to the provider, we ask why no action has been taken. And they inform us that it’s been reassigned to a customer.
Mark Kosters: Yes.
So, this is more of this is more sort of a John question in terms of how can we get our reassignments actually updated in a more noteworthy manner? And I think Richard wants to say something at this point.
Richard Jimmerson: I just wanted to add that sometimes when someone reassigns address space to a customer, it’s smaller than a /29. That is not something that needs to be reported in the database. And there may be some cases of that.
It’s very often that someone will only assign two, four addresses to a customer, for instance, and that doesn’t have to go into Whois.
Another thing that has happened over the years is we used to have a large free pool of IPv4 address space, and people could request address space on an ongoing basis. And we would see these providers about every three months to get new blocks of IPv4 address space.
That doesn’t happen anymore because the free pool doesn’t exist. One of the pressures that was placed on the service providers at that time, when they came in to get additional IPv4 address space every three months, every six months, we would enforce the reassignment policy. If they hadn’t reassigned all their address space in the database to reflect their customer reassignments of /20 or larger, we would not give them an additional block of IPv4 address space.
They’re not concerned about that today because they’re not coming in to get the address space that way any longer. And some of them may not be reporting as much as they used to.
What we do not currently have in place - and this would require a very large effort - is some sort of other enforcement mechanism for ensuring that people are reassigning that address space in the database, and it’s not clear what the penalty might be if we found someone that wasn’t compliant.
Of course, we have a Registration Services Agreement with them. If we’re aware of cases where people are not complying with policies we will reach out to them and talk to them about that. And you’re free to report those to us. We have a facility for that.
But there may also be a future policy discussion in the community about that type of thing. And I just wanted to bring that up.
Mark Kosters: Thank you very much, Richard. I think John Sweeting wants to say something.
John Sweeting: John Sweeting, chief customer officer with ARIN. Richard is absolutely correct on everything he said. I want to add we still have need-based transfers, so people coming in for transfers, they do have to update all their reassignments. So, we do have that working for us.
But it is absolutely true that because we don’t have that big free pool, that people aren’t worrying about their reassignments.
But we have had a significant amount of cleanup just due to the transfer market and addresses changing hands. So, we don’t have that one big hammer, but we have several small hammers.
Mark Kosters: Thank you, John.
Hollis Kara: We’ll take one more question from the floor, then I’ll be closing the microphones. If you have something, yes, I’m aware that please approach the microphones now, and then we’ll have one more from virtual.
David Rodecker: Greetings, Dave Rodecker with WISP.net, my first ARIN event. I’m actually pretty impressed to see how the organization is run, unlike some other , um, I can elaborate on that, but I will choose not to at the moment.
First, a quick 360 photo.
I have a policy question, may not be suitable for this, but it would help me understand a little better. It was kind of surprising to see the degree of abuse or request for information. It seems to me that most of the data that ARIN has is fairly static and obviously it changes. And that would be interesting to get fresh data.
But why wouldn’t … is there a privacy restriction or concern? Why wasn’t all the data just freely published in a multigigabyte database?
Mark Kosters: That’s a really good question. There’s a static snapshot that’s generated once a day that’s called bulk Whois. And you can receive it if you agree to the terms of service that’s stated on the ARIN website.
And as long as you follow that terms of service, you’re more than welcome to actually grab this daily snapshot.
And so, when we were talking to various vendors about this, some of them are like, “gosh, I didn’t know about that. I’m going to use that from this point going forward.”
And, in fact, there was a DRM vendor that we talked to that actually started utilizing that service as well as a threat intelligence company that we talked to.
I think it’s from a lack of knowledge that they don’t know it’s available, but that is available for people to use.
From the most part, it’s really sort of… we need to think about how we can sort of propagate that through the community a little bit better, so people do know that’s available. So, thank you. Good question.
Hollis Kara: Thank you. All right. One last question from our virtual queue.
Beverly Hicks: Again, Steve Wallace, Internet2: “Can an Org require its POCs to use 2FA? That would be great.”
Mark Kosters: This might be something that might be coming up soon. We will see.
Hollis Kara: Thank you, Mark.
Moving right along. Next up I have Joe Westover. He’s our Senior Manager of the Office of the CCO. He’ll provide a services update.
Joe Westover: Thanks, Hollis.
First off, I am thrilled to be giving a services update as opposed to a fee schedule update, like I had to last time. It’s mostly an all-positive news. And I will say Mark did prelude a little bit of something we’ll get to in a couple of slides.
So just to kick start first, the CCO office was created for, and continues to be hyper focused on services. That includes the availability, working with development, working with internal operational processes. That’s what we do on a daily basis.
April 2021, we launched the Premier Support Plan. And what that did is it provided Registration Services Plan customers who were in a size 2XL or above category, and that’s somewhere between 0 and 100, not a large number, but that was provided for free.
As of August 8th, we launched a paid subscription service. And Mark noted a little bit about development to get a billing system set up for that. There was a lot of work to get that done so it would be flawless. We’ve done a lot of operational support, systems for tracking through lessons learned, et cetera, for the 2XL customers over that time period, and we had plenty of time to do it.
So, when we did eventually roll this out as a paid component, we have our ducks in a row. We’re solid.
And I do lead that program myself. So, I’m intimately aware, when people come in, how they’re tracked, how we communicate from a program specific nature.
I also would like to say - good news - that we’ve actually had a number, several actually new customers, as of the 8th. That’s positive.
I would encourage those who were not aware of it to take another look at what the service offerings are. And should you have any questions, you can contact me directly. You can go to our arin.net site, and you’ll see the PSP service offerings there and it will give you instructions on how to sign up.
I’m not going to go through these ad nauseam. It’s a priority service. You do get enhanced handling. There’s direct technical services.
Probably one of the key elements is the 24/7 on-call support. That’s not for tickets, per se. We’re not necessarily as robust to support that. But for any service impacting event, you’re provided with a 24/7 number that rings through a system that we have internally and gets escalated as needed.
There’s a quarterly PSP customer focus group with John Curran and a number of other executives which is a complete open topic, open forum, whatever you might want to say.
And of course, if we are talking about the monetary aspect of it, there is a waived transfer request fees for source on that one, which is also positive, depending on I don’t know what people’s motivation might be, but whatever that is, we’re happy to accommodate.
Two-factor authentication update: Mark touched on all this, but I’ll go into it a little bit more. As you know there was a consultation held this past summer. New voice and SMS. FIDO2 is coming. TOTP was already there. That’s kind of obvious what people know.
And then the new one here. There was a question earlier on making 2FA mandatory. So, I’ll give you a little 11-day preview here.
On or about November 1st, Hollis, we’ll start sending out scheduled emails for February 1st, date of, making this a mandatory 2FA enhancement for all accounts. More will come on that. If people have questions on that, we’ll be happy to answer those.
Speaking a little bit to the adoption, this just kind of builds a little bit more from a percentages aspect of what Mark talked about. For me it’s that 18 percent uptick. You saw a steady state over time. You saw the blip. 18 percent is not trivial.
Obviously if it’s made mandatory, you’ll see another reason for that percent to increase. But I think that voluntary aspect of 18 percent is definitely a net positive.
Recently we have had some RSA Registration Services Agreement changes people are aware of. And people know the section, Section 7, and that was changed to rename the ‘no property rights’ to acknowledge rights to include number resources.
I think those in the room are aware of it. People have been asking for it for a long time. We’re hoping that takes away a lot of the hindrance with some of the LRSA signings.
And, of course, it doesn’t impact, nor does it alter, ARIN’s position history speaking. The Internet number resources are not freely held property. I’m not going to read through that, but that original ‘no property rights’ section was created at a time when this clear statement was necessary. It’s been deemed no longer necessary. So that correction was made to get us moving forward into the future and to respond to the community’s needs.
Routing Security Update: As you know, Brad Gorman, the product owner, on this. He and I work fairly tightly together. I kind of know a little bit about it. I’ve learned a little bit about it, a lot about it, actually. It’s been interesting.
Recently there were some TAL updates, as recently as of October, rather, 29th of September. It was modified to remove the prohibition on the public TAL.
And I think it’s key to note that, as of that, ARIN encourages all relying party validators, software developers, rather, using that to include the ARIN TAL and new releases, now that it’s made available freely. And anybody with existing validators should add the ARIN TAL.
Any questions can be directed to Brad Gorman or anybody on our executive staff.
RPKI growth: Again, percentages are key to this. The sheer number of organizations using it are rising. There was a huge increase in 2021 of 50 percent. We still have a very positive uptick of 29 percent through September 30th - through the third quarter of this year. That’s a positive.
Within those, ROA counts continue to rise. Same 35; 137 the year before. And the RPKI valid prefix origin pairs are also rising.
So, again the takeaway, this is good news. People are using it; people are adopting it.
Some of the routing security features, Mark touched on this a little bit. Some of the automatic reroll RPKI objects is in development this quarter - Q4. And that should eliminate the impact of untimely expiration. That’s awaiting the 2FA enforcement. So, while it’s in development, it will be ready, it needs a 2FA enforcement to actually be deployed, which will obviously be post February.
Tighter integration for IRR and RPKI: And that will be ROA generation will actually create the IRR route object. And if there’s an expiration or deletion, it will delete the IRR route object.
The understanding is that’s a manual thing you have to go back and do which is not terribly convenient for customers.
There was note about a new routing security dashboard, which is future. Again, Brad would be the one to go to about that. That is something he’s looking at fairly diligently right now to just up the game on the interface with customers and improve the visibility into not only the status of the resources, but also the ability to cause action on those.
And training and surveys, as I kind of round this up: So, this is just something, a little bit of a filler slide, but we have a lot of on demand training that’s basically on your schedule that Hollis and her team have been developing with the use of with Brad.
So, this has been fairly robust. We get a lot of real-time attendees for these sessions with a lot of really good feedback. However, of course, it’s all been made on demand available to you. So, you can read through.
We’ve got everything from IPv6 address planning basics, RESTful API, IRR Online, and RPKI - which is probably the big hitter out of those nowadays.
We recently also just did Services Prioritization Survey. And the takeaway from this is really around people are focused on routing security enhancements, technical debt reductions and 2FA enforcement.
If you heard a theme so far, that is the focus and of course it continues to be the focus internally within ARIN. So, we’re taking that to heart.
And just a quick shout out: This is my last slide, for those who may be think back every three years, every three years we have a Customer Satisfaction Survey at ARIN. I came on board three years ago. This is probably my first major task to do that.
Luckily, this time around I can delegate that to staff. However, we will be doing that in Q2 2023, so probably on or about the spring meeting we’ll announce that and deploy it in the term right after.
As always, we encourage participation. We want to meet your expectations. We want to assess your satisfaction and I think especially want to identify and prioritize areas for improvement.
So, we definitely took a lot of that feedback from prior, and we fed it into a lot of our operational improvements, focused not just on the CCO office but across the organization.
And that is all I have for services today.
Hollis Kara: All right. I’d like to open the microphones for questions. So, if there are any from the room, feel free to approach the mic. We’ll give just a second to see if our virtual participants are typing.
Beverly Hicks: Does not look like we have anything coming.
Hollis Kara: That was a very thorough presentation, Joe. Looks like you’re in luck.
John Sweeting: Wait, wait. John Sweeting, ARIN CCO. I just want to point out, like, the big takeaway I got out of that presentation was the TAL, the ARIN TAL, is now able to be packaged with all the other four IRR TALs. That is a huge step.
I know Joe covered it, but I want to point it out. That was a big step for ARIN to take and get that pushed through. And thanks to all the ARIN staff that worked to get that pushed through.
Hollis Kara: Thank you, Joe.
Next up, lurking behind me I have Richard Jimmerson, our Chief Operating Officer to give an operations update.
Richard Jimmerson: Good morning, everyone. So, in the April meetings, if you come to the April meetings, you’ll notice we have many more reports than we do today.
So basically, you get a report from each department in the April meeting. With the abbreviated schedule in October, because of the fact that we only have a day and a half, we have fewer reports.
So, what you’ll see is some of the things that you would normally see in some of those other department reports inside this one here today.
So, inside the organization, inside the last month, we were fully staffed with 97 people with no open positions. Of course, there’s rotation of staff all the time, but it was nice to actually hit that fully-staffed point within the organization.
We’re fully engaged in a 2022 work plan right now. Just so you know, the way that works is each year the Board of Trustees comes together in the August timeframe, and they create the vision for the organization. They lay out what it is that we’re going to be doing as an organization in the next year.
We take that strategic direction from the Board of Trustees. We create an operations plan that very closely matches what they provided to us. And we execute on that plan in that given year.
We actually published that on the walls of the organization. We discuss it with the staff on a regular basis. It’s a topic of the leadership meetings. And at no time are we to ever be working on anything that was not directed by the Board of Trustees that you’ve elected as the community of this organization.
And at times staff members have great ideas about things that we might be able to do, and those absolutely do get pushed back. And what they do then is they go to the next strategy meeting with our Board. I just want to let you know that we very carefully track that and pay attention to that.
We did transition from pandemic operations to a new hybrid workforce model in July of 2022. Like many organizations here, we actually worked remotely for most of the pandemic. We had a limited reopening program that allowed staff to come into the office and work in the office if they chose to do that. But no one was required to work in the office during that pandemic period.
We did a study with an outside firm, and we had a large conversation with the staff team inside the organization and decided what our hybrid workforce model would look like. So basically, it’s a mix of days working in the office versus days working from home inside the organization. Some teams have more in-person requirements at the office than other teams. But we’ve moved into that hybrid workforce model as of July of this year, and it’s working well.
As you know, and as you can see and as you saw on that NANOG meeting that happened just before the ARIN meeting this week, we returned to mostly in person participation in meetings.
We had great participation, it looked like, at NANOG. We’ve got better participation in person at this meeting than we have over the last three years. And a lot of our outreach has moved to back in person, but some of that is remaining online. It actually worked better. And that’s the way we’re delivering it.
We continue to make enhancements to ARIN Online and our internal tools to facilitate new services for you. Joe mentioned that a little bit in his last presentation. And that’s very high focus for us inside the organization.
And we have a very strong customer service concentration for this growing demand of registry services. We’re not seeing a falloff in demand. It continues to increase, and we continue to get better to provide services to the organizations.
As noted earlier, we’re updating our payment contractor and expanding payment options. We were quite limited with the service that we were using. So, we’re making some changes there for you.
We did retire a service earlier this year. So, one of the things that’s been very hard for the registry to do over the years, we’re adding all these new services and all of these new features, is actually removing some of them. And we were able to do that.
We created a new ARIN Routing Registry several years ago. And when we got that developed and we rolled it out, the decision was made that we were going to retire the NON-AUTH, our older Routing Registry. And we were finally able to do that.
There are some other services that may be lined up here in the near future for removal from ARIN’s service offering. And of course, when those come up, we will do a consultation with the community before we remove those or look to remove those.
Again, we’ve added the 2FA options, as you saw in the previous slides - I won’t dig more into that one - along with our enhancements to RPKI offerings.
I do want to say a little bit more about our preparation for our SOC 2 Type 1 audit. For those of you who have been through SOC audits, you know the Type 1 is all about documentation and your procedures and making sure all those things are lined up. You have somebody come in, and they audit that. And they pass you into a SOC 2 Type 2 audit after that.
This week we’re finishing up our SOC 2 Type 1 audit. There’s been an enormous amount of work put into that inside the ARIN organization. The actual service inside the organization that we’re covering by our SOC 2 audit right now is RPKI, and we’re looking to add other services that we have inside the organization to SOC 2 going forward.
But provided that we pass our SOC 2 Type 1 audit this week and next week, we’ll move right into a SOC 2 Type 2 phase, where they will actually audit our controls over the next year to verify that all of the procedures were being followed. Thank you.
This is the first time that we’ve done this. In order to enable this, we actually hired, as you recall, previous meetings we discussed, we had a Vice President of Information Security, Christian Johnson, that’s joined the organization that’s managing these processes with our internal teams. That’s been a great addition.
The reason he’s not here with us today at the meeting is because we are in that SOC 2 - Type 1 audit right now.
I’d like to congratulate the 2022 ARIN grant recipients: DNSOARC, DNS Research Federation, and Network Time Foundation, Inc.
We have a grant program inside the ARIN organization, and we have a committee of staff and community members that comes together. And they review all of our grant applications. And those are the organizations that were approved for grants this year.
More information that’s available, more information about that is available on our website.
ARIN 51 - we’re planning for in person of course. That meeting will be in Tampa, Florida. And we’ll have robust virtual participation, participation facilities like we do today at that meeting. That’s not going to fall off. We’re going to continue that going forward.
We do plan to resume the in-person component for the ARIN Fellowship Program. We do have ARIN Fellows for this meeting, but we did not do travel for this meeting for Fellows, neither in the previous couple of meetings because of the pandemic. But we feel safe in turning that back on. And in April of next year, you’ll actually see your Fellows in person here at the meeting.
Plans subject to change depending on pandemic status of course, but we hope to see you in Tampa.
With that, I’ll take any questions, and we may be back on time to do our next presentation before the break.
Hollis Kara: Correct. All right, the microphones are open if there are any questions or comments in the room for Richard. Giving our virtual participants a moment to type.
No one is typing. We’re good.
Richard Jimmerson: We have one question on the floor.
Hollis Kara: We’ve got one. We’ve got a runner.
David Rodecker: Quick question. So, the SOC 2 Type or the SOC compliance altogether, are we required to do that? Is that something we are just opting to do, or is there any sort of governmental oversight that we should be concerned to do that for?
Richard Jimmerson: There is no requirement currently for the ARIN organization to do SOC 2 audit on any of our services. And this is the Board that you’ve elected as the community made this a requirement for the organization, that they wanted SOC audits added.
We brought in a VP of Information Security, and we’re going to be expanding that even more.
So, the first service that we are covering under our SOC 2 audits is the RPKI audit service. That is the one that we started with.
We’ll likely add others in future years now that we’re moving into the SOC 2 - Type 2 phase for RPKI. We’ll look at doing SOC 2 - Type 1 for some additional services, for instance, ARIN Online and some others.
Now, it’s not currently a requirement for us. However, we do get questions about this all the time. So, what happens is other organizations who might be government contractors, for instance, will come to us and they’ll ask for our SOC 2 audit report. And they want to actually see those findings. And we have nothing to give them right now.
So instead, what we do is we turn them on to an internal resource that can answer the questions that they have. And when they send the questions to us, it’s often about 12 to 15 pages long. We’ll answer their questions. We’ll send that back to them. A lot of our customers need those types of things.
In the future, once we have our report from our auditor, we can just turn over that report to them.
David Rodecker: Sounds good to see the internal self-compliance.
The only other thing, and it’s probably already done, is PCI compliance for taking the payment methods online. It’s fantastic to see the self-internal compliance.
Hollis Kara: Excuse me, real quick, John. Before you start and before you walk away, can I get name and affiliation for the transcript?
David Rodecker: Sure. I’m Dave Rodecker, and the company is WISP.net. Log in is server ISP in case anybody needs it.
Hollis Kara: Awesome. Thanks very much. All right, over to you, John.
John Sweeting: John Sweeting, with ARIN. I just want to point out to Richard; we do get benefits for doing this. I believe it saves us a lot of cost in insurance.
Richard Jimmerson: It does.
John Sweeting: Wanted to point that out. We’re getting good benefits from this other than what you would think.
Richard Jimmerson: When I noted that the Board was the start of this process, that’s actually a compliment to the Board that you’ve elected as a community, that you have a Board that’s asking this organization to do these things.
It’s a very heavy lift, for those who have done this in the past, you know it’s a very heavy lift to do this. It is a compliment to the Board when I say that they pushed us forward in doing these audits. That is a great thing.
As John described, there are actually other great benefits to the organization. For any of you who were involved in updating annually your company’s limited liability insurance coverage, you’ve noted that cybersecurity and those types of things has become a very big topic with insurance companies.
They’re actually dropping coverage for a lot of companies today inside that area because of the risk involved with the organization that they might be insuring. And having these types of completed audits actually help us with our insurance renewals each year as an organization and actually saved costs for the organization overall.
Any other questions?
Hollis Kara: I think we’re clear for questions. Thank you, Richard.
All right. One more presentation before our first break in the day. Leif Sawyer, ARIN Advisory Council Chair and champion of the foosball tournament - Just saying.
Advisory Council Docket
Leif Sawyer: Thanks, Hollis. Good morning, everybody.
I’ve been the Chair here for a couple of years, and I have a really, really strong and great Advisory Council. They make everything here look really easy for me. All I have to do is come up and try and press the button to move the slides forward.
We’ve had a lot of activity, actually, since the last ARIN meeting here. We’ve sent a couple of policies to the Board for review and for adoption.
We’ve got some new NRPM updates here. We’ve got a new PDP I think — oh no, sorry, that’s a little bit later on.
We need a little preview slide. I think that would be really helpful. That would be great. I can’t remember what order these slides are in. It’s too early in the morning.
We’ve advanced seven draft policies here, and we have a lot more to go. Four of them are classified as editorial changes, really easy to do, two Recommended Draft Policies. Definitely hearing a lot about our 10 draft policies.
And that’s really the slide deck here. That’s it, right? Really simple. I’m standing between you and the break, so now you know why we’re going through this quickly.
But if you have any questions, I invite you to all look for the Advisory Council flag. Find out which policy they’re going be presenting and ask them directly. Otherwise, I’m more than welcome to take your questions now.
Hollis Kara: Microphones are open. Queue is open as well. Any questions for Leif?
Leif Sawyer: I see one in the back.
Hollis Kara: Oh, that guy.
John Sweeting: I feel like Kevin Blumberg from The Wire, but I’m really John Sweeting from ARIN.
You started to mention a new PDP and then you stopped and you thought it was on another slide and it wasn’t there. Maybe we can help.
So there was a consultation done for a new PDP, and those — all that feedback has been given back to the AC Policy Development Working Group.
Leif Sawyer: Yes.
John Sweeting: And they’re incorporating that. There’s a new PDP. The community has seen it, if they looked at the consultation. So if you have any more on that?
Leif Sawyer: So, as you did mention, yes, we received back the information. I know that Andrew and the rest of the PDP Working Group, Amy and folk, have been working diligently to add all of that together.
We will be reviewing that again internally tomorrow afternoon. And hopefully we’ll be submitting that to the Board again. And we’ll see what happens next. Yeah, I’m excited.
Hollis Kara: Awesome. Thank you, Leif. Anything else? Anything else? No. We’re good.
Leif Sawyer: No virtual?
Hollis Kara: Nothing in the queue.
Leif Sawyer: Thank you.
Hollis Kara: Tina, if you wanted to ask a question, I can make him come back. Alright. Are we ready to go to break, Melissa? Alright, Tina, go ahead.
Tina Morris: I wasn’t going to ask a question. I just feel like we always have to brag about the AC more than we do.
Hollis Kara: Please.
Tina Morris: They do an amazing job. They take raw suggestions from authors in the community. They develop it into a policy. They evaluate the community’s desire for these changes. And then they bring them back and show them to us.
So I always think the AC is the lifeblood of this organization, and without them we would not be as successful as we are. So thank you.
Hollis Kara: As we head into break, I want to remind folks that we’ll be starting again at 11:00 promptly for our policy block. While you are on break, break is outside in the Salon 3.
We have our Help Desks. Go check out our user testing if you have a few minutes. If you have a question for RSD or about elections, you can also talk to someone from staff there as well. Otherwise, I’ll see everyone back here at 11:00. Thank you.
Hollis Kara: Alright if folks want to come in and get seated we’ll get started with our first policy block of the meeting. JC do you want me to give them one minute or should we go ahead and get started? Alright we are going to get rolling.
Couple of quick housekeeping items before we start, first of all, at the request of our AC chair, from our presenters, so you know: The righthand confidence monitor is now going to give you presenter view so you have a sneak preview and notes if you need them. You may need to squint. I’m not sure. We’ll see how it works. We’re going to try that out.
I also want to explain for those who attended the meeting orientation we demoed a new polling procedure. Thank you very much for being guinea pigs in that process. We uncovered a couple of things that we want to make sure are locked down before we use that live in a meeting.
So for this meeting we’re going to go with the standard procedure that we’ve used in the past of pulling in Zoom for the virtual participants and a show of hands here in the room. So don’t be surprised.
With that, we’ll launch into our first policy block. And our first presentation will be from Rob Seastrom — Rob, if you want to come up — on Recommended Draft Policy 2020-6, lots of words.
Policy Block I
Recommended Draft Policy ARIN-2020-6: Allowance for IPv4 Allocation “Swap” Transactions Via 8.3 Specified Transfers and 8.4 Inter-RIR Transfers
Robert Seastrom: Thank you. Recommended Draft Policy ARIN-2022-6 is for IPv4 Address Swaps. Here’s a little bit of the history of it.
This has been around since 2020, which you could have guessed from the policy number. It moved to Recommended Draft Policy on the 2nd of May of this year.
So the intent of this policy is to make it possible to downsize one’s address holdings into a smaller aggregable block without breaking up the bigger block in order to have less address space and make it possible to do this without jumping through a whole bunch of hoops that ARIN policy requires because it didn’t really countenance this sort of transaction.
The staff understanding, there are three slides here. I could read them verbatim, but basically, they repeat the intent of this policy to allow downsizing prior to doing specified transfer. And it would codify the practice of obtaining and renumbering into a smaller block without having to deal with weirdness in the policy.
Staff made a recommendation, which we accepted to, I think, but we’ll doublecheck as we go through, for the language if the larger block is not transferred within one year of receipt of the smaller block, the organization will be ineligible to receive any further transfers under this section until they transfer out the larger block.
So there’s also potential ambiguity in 8.3 and 8.4. And finally officer attestation has been deprecated. We’re no longer requiring that. So staff and legal recommended we remove that language.
Here we go. Time to implement, three months. So the current problem statement, which I’m going to read from verbatim, is, “Organizations wishing to swap out a larger block for the smaller one in the interest of avoiding deaggregation as opposed to breaking up their existing block and transferring only a part of it are forbidden by existing 8.3 policy from being the source of the transfer for their larger block after receiving a smaller one for 12 months after receiving the smaller block.”
Which is to say that the current policy only really thinks about organizations that are growing, not downsizing.
“In practice, ARIN staff has been allowing Orgs to transfer out blocks after receiving smaller ones inside of the 12 month window, but many ARIN resource holders are not aware of this. Some resource holders have worked around the restriction by creating a new Org to receive the smaller block, but this practice has implications on Wait List policy, as the new Org is now technically ineligible to apply for Wait List space while the original Org is not.”
Similar language is present in NRPM 8.4. As such, the practice should be sanctioned for these type of transfers as well.
So now we have four slides of policy statements to make changes across four different sections that are interrelated of NRPM. Policy statement, the first one, clarify the conditions under 8.3 and 8.4 that explicitly allows transfer to a larger block in exchange for a smaller one as part of a renumbering plan by making the following changes in 8.3, 8.4 and 8.5.
8.5.5, block size, organizations may qualify for the transfer of a larger initial block, or an additional block, by providing documentation to ARIN which details the use of at least 50 percent of the requested IPv4 block size within 24 months. An officer of the organization shall attest to the documentation provided to ARIN.
Policy statement two of four.
Add 188.8.131.52, transfer for the purpose of renumbering organizations with larger direct allocations or assignments than they require may receive transfer of a smaller block for the purpose of renumbering onto the smaller block if they transfer the entire larger block for a qualified recipient under Section 8 within one year of receipt of transfer of the smaller block.
If the larger block is not transferred within one year of receipt of the smaller block, the organization will be ineligible to receive any further transfers under this section until the larger block is transferred.
184.108.40.206.1, smaller block size organizations may qualify to receive a transfer of a smaller block by providing documentation to ARIN which details the use of at least 50 percent of the smaller block size within 24 months. Current use of the larger block may be used to satisfy this criteria.
Policy statement three of four.
8.5.6 currently says: Organizations with direct assignments or allocations from ARIN must have efficiently utilized at least 50 percent of their cumulative IPv4 address blocks in order to receive additional space. This includes all space reassigned to their customers.
And add 220.127.116.11, transfer for the purpose of renumbering. Organizations receiving transfer of a smaller block under Section 18.104.22.168 may deduct the larger block they are transferring to a qualified recipient when calculating their efficient utilization of previous blocks under Section 8.5.6.
Last slide, I think, for the policy statement changes. Yes.
Current text in sections 8.3 and 8.4 under conditions of the source of the transfer. The source entity must not have received a transfer, allocation or assignment of IPv4 number resources from ARIN for the 12 months prior to the approval of a transfer request. This restriction does not include 8.2 transfers.
Change that to: With the exception of M&A transfers under Section 8.2, the source entity must not have received a transfer, allocation or assignment from ARIN within the last 12 months. This requirement may be waived by ARIN for transfers made in connection with a renumbering exercise designed to more efficiently utilize number resources under Section 22.214.171.124.
There we go, should use the proper button.
Questions for the community. Do you support this Policy Proposal as written? If not, are there specific changes that you would advocate for that would make it better?
And the microphones are open.
Hollis Kara: I’ll ask our chair, on his way up to moderate. Please approach the microphones if you have questions. Queue is also open for virtual questions.
Bill Sandiford: Not everyone all at once. All right. Rear microphone.
Kevin Blumberg: Kevin Blumberg, The Wire. Since no one else is stepping up, do I support the policy as written? Yes. With two small caveats. I like “exercise,” but I don’t know if “exercise” is a word that is used in the NRPM anywhere, renumbering exercise.
A synonym for something that’s more appropriate, an editorial correction to that may be appropriate. I just don’t like adding in new terminology where it’s not needed. So that’s just one thing.
If you can go back to the policy statement, I think it was three of three,go back one,are there any commas you can put in or any other things to put in to split that up from a 32 word sentence? It’s an unbelievably long and protracted sentence, and it’s just a suggested editorial modification.
But, otherwise, I think this is a useful policy, and I don’t expect that anything that I have just said should hinder the passing of it. Thank you.
Bill Sandiford: Thank you, Kevin. Anyone online?
Hollis Kara: I don’t see any questions in the virtual queue.
Bill Sandiford: All right. Front microphone.
Chris Tacit: Chris Tacit, ARIN AC and Tacit Law. I support the policy and I also agree with Kevin’s first suggested change of removing “exercise.” I think just removing the word might be sufficient, just say renumbering.
On the shorter sentence, maybe you can do something, maybe you can’t. I’m not that fussed about it. It looks pretty good to me. Thanks.
Bill Sandiford: Thank you, Chris. Calling any others? Last call for those online.
Beverly Hicks: We have an online. Just a moment. We have someone that would like to speak. Just a second. Here we go, zoom is unmuted. Mr. Jweda, you should be able to speak. Maybe. There it is.
Bill Sandiford: Alright, online go ahead with your question.
Leo Jweda: I don’t have a problem with the change, but
Bill Sandiford: Can we get your name and affiliation for the record, please?
Leo Jweda: previous policy that they have to have used at least half before they can ask for more IP addresses. And I was wondering if you could provide some more context for that.
It seems a bit low that they can request for more when they’ve only used half. I would assume they need to be closer to their limit before they could ask for more. It’s not related to the change, but I feel like it would provide a bit more context to help make a decision on whether the changes are justified or not, thank you.
Bill Sandiford: Are you clear on the feedback?
Robert Seastrom: I’m clear on the feedback.
Beverly Hicks: That was Leo Jweda. I do not have an affiliation.
Bill Sandiford: Maybe, Leo, you could type your affiliation into the chat if possible so we can get it for the record.
Robert Seastrom: Thank you very much for the feedback, especially about the rather breathless phrasing of that one sentence. And I did notice on my own as I was presenting this that apparently our response to staff and legal about not reverting the need for officer attestation did not actually make it into our editorial process.
So you’ll be seeing this again probably on PPML. I don’t think it’s going to need to come to another meeting. Thank you very much.
Bill Sandiford: All right. This one’s a Recommended Draft Policy. So we’ll do the poll to see those who are for or against the policy as written. So are we ready with the
Beverly Hicks: Can I just add that Leo Jweda is from the Consumers Council of Canada.
Bill Sandiford: Thank you very much, Leo.
If the esteemed counters are ready, I would ask those of you who are for the Policy Proposal as written indicate now by raising your hand high. One hand and one hand only. And those online can follow the process as it’s been outlined for remote participation.
Beverly Hicks: If anyone online is having any difficulty voting in the poll, you can also type in the Q&A your response.
Bill Sandiford: Looking for the signal from the back of the room that they got all right, thank you. Lower your hands.
Those who are against the policy proposal as written please indicate by raising your hand now.
I think we’re good in the room. For those of you online
Hollis Kara: Are we ready to close the online poll? We are. Mr. Sweeting will walk over and get the virtual count, and then he’ll bring it up for you.
Bill Sandiford: Survey says? All good? Are we going to give the count?
John Sweeting: Yeah, I can give the count. John Sweeting with ARIN. Participants in the room, 84; remote, 56.
Show of hands for: In the room, 33; remote, 25; for a total of 58.
Against, zero plus zero equals zero.
Bill Sandiford: Thank you, John, and thank you, everybody. Your feedback will be forwarded to the AC for their consideration. Thank you, R.S.
Hollis Kara: All right, here we go. We did the discussion.
Next up, I’ve got Chris Woodfield to present on Recommended Draft Policy ARIN-2022-1: MDN Clarifications for Qualification. That’s a weird title. Okay.
Recommended Draft Policy ARIN-2022-1: MDN Clarification for Qualification
Chris Woodfield: Hi, I’m Chris Woodfield with the ARIN Advisory Council, and I’m here to talk about ARIN 2022-1, the very first proposal we got this year.
This is regards to requirements for multiple discrete networks, which is kind of what it says on the tin an organization that is operating more than one independent network where independent networks require their own v4 allocations that are not easily fundable.
So Section 4.5 sets out all of the requirements for a multiple discrete to have multiple discrete networks, organization with a single entity, geographic distance, diversity between network requirements, et cetera.
But that’s all laid out. There’s quite a number of conditions there to define what a multiple discrete network is.
I am the shepherd. And Brian, my co-shepherd, I think is in the room, who has been very helpful with this.
Latest Staff and Legal Review is that this Draft Policy expands Section 8.5.7 actually, back up; this is a Recommended Draft Policy, I believe expands Section 8.5.7, Alternative Additional IPv4 Address Block Criteria to qualify, clarify qualification criteria for organizations with multiple discrete networks, specifying that each network must be assessed individually for utilization thresholds. Which is consistent with the intent of Section 4.5, which was the qualification criteria for allocations from the free pool. The text codifies current practice and is clear and understandable.
Latest Legal Review: Implementable as written, no impact, no material legal issue. Implementation timeframe estimate, three months. No technical updates needed for implementation, training documentation, procedures, updates.
The text of the policy, our problem statement is that the requirements for transfers involving companies operating multiple discrete networks under Section 8.5 of the NRPM are unclear and need clarification.
Most of this language didn’t make it into Section 8 from before. So we are replacing 8.5.7 to expand the section on multiple discrete networks. And I’ll read the text here: “Organizations may qualify for additional IPv4 address blocks by demonstrating 80 percent utilization of the currently allocated space.
“In organizations operating multiple discrete networks, each discrete network may be assessed individually for the 80 percent utilization threshold to qualify under this policy. The organization must provide justification that each network is discrete per the criteria described in Section 4.5.”
As I mentioned, there’s quite a checklist there. Did not bear to not need repeating here.
Each discrete network must meet the projection requirements in Section 8.5.5. Nothing different about qualifying for each individual network.
And each discrete network for which the IP addresses are requested must meet the utilization requirements in Section 8.5.6. Organization that may receive one or more transfers up to the total size of their current IPv4 address holdings up to a maximum size of /16. Timetable for implementation, any?
Two community questions. Number one, does this language appropriately capture requirements that are fair and impartial towards MDN operators as well as to the rest of the ARIN community?
One of the implications of these sorts of policies that target specific operators of a specific type is we want to make sure that we are treating both treating them, that specific operator with helping them with the specific need without shortchanging the rest of the community by doing so.
B, are there any specific needs to qualify for an inbound transfer that an MDN operator may have that are not incorporated into this proposal? Have we properly understood the need and does our policy reflect that?
Those are community questions. And —
Hollis Kara: The chair will join us on stage. We have a question at the back mic.
Kevin Blumberg: Kevin Blumberg, The Wire. Can you go back a slide. At the bottom it says Recommended Draft Policy, but the questions make it seem like this is a Draft Policy. What I will say is I support this policy as written as a Recommended Draft Policy.
I believe as a Recommended Draft Policy those questions are well past the prime if somebody has a problem with the policy as written. Then it’s going to punch it back to Draft Policy and we’re never going to get anywhere.
This is probably a good way to deal with the problem. There could be improvements to it later on as more people do it. But this policy has been sitting around for two years, and my suggestion is just get it done unless there is no support for it. Just move it forward and don’t keep it as a Draft Policy or put it back to draft. Thank you.
Bill Sandiford: Thank you, Kevin. All right. Looking for others. Rear microphone.
Sean Hopkins: Sean Hopkins, Senior Policy Analyst for ARIN. Just a minor clarification just so no one is confused on the earlier bit.
Bill Sandiford: A little louder, Sean.
Sean Hopkins: Sure, I can be much louder.
Hollis Kara: And slower.
Sean Hopkins: Well yeah, that I can work on.
In March, there was a Staff and Legal Review. In May, this advanced to recommended draft. So you’re going to see folks in the room, this come up with many draft policies where there will be a staff and legal that takes place prior to further work being done and then after that it comes to the meeting. Just minor clarification on that.
Bill Sandiford: Thank you. All right. Any discussion, please approach the microphones now. The microphones are open. Remote participants, we welcome your comments.
Hollis Kara: Do you see anything coming in the queue? No. Nothing in the queue.
Bill Sandiford: Going once. Going twice. All right. This is a Recommended Draft Policy. So we will take a poll of the participants again.
So those in favor of the policy as written, ask you to indicate so now by raising your hand and following the online poll process for those online.
You can lower your hands.
Those against the policy as written, please raise your hand now or follow the online procedure.
Can we possibly go two for two with none against?
Will the person with the results please stand up?
John Sweeting: John Sweeting with ARIN. Participants in the room, 84; remote, 55.
Show of hands for: In the room, 20; online, 22; for a total of 42.
Against, zero plus zero equals zero.
Bill Sandiford: Thank you very much. Thank you, everyone. Your feedback will be passed to the AC for their consideration.
Hollis Kara: Thank you.
Awesome, moving right along. We had that. Next, I’ll invite Amy Potter to come up and lead a discussion about Draft Policy 2021-7: Make Abuse Contact Useful, which I still think seems like it’s a little bit pejorative toward abuse contacts because I do believe they try.
Draft Policy ARIN-2021-7: Make Abuse Contact Useful
Amy Potter: So this Draft Policy is about adding the ability to put in a URL in the abuse Point of Contact. This policy, or Draft Policy has gone through a few different versions.
When it started out, it was about making it mandatory to add a URL for abuse, reporting to the abuse Point of Contact. The community hated that, so we switched it up to making it optional.
It’s been through a couple different staff and legals, in the most recent staff and legal, the staff pointed out that the change would necessitate adding some instructional text for the public comment field during Point of Contact record creation and adjust workflow.
I’ll go through the full problem statement here so we can consider it here.
ARIN’s process of attaching abuse contacts to resource records is of limited utility. The phone number is often unmanned with a voicemail that directs callers to a website. There’s a similar problem with the email field.
With responsible network providers the process for dealing with network abuse instead usually starts with a webpage. The webpage provides instructions and may offer forms for describing the abuse.
So this has gone out to PPML a variety of times. We’ve changed syntax throughout the PPML to make it an option to add this to your abuse Point of Contact.
When I say that responses on PPML were mixed, I mean that there were a variety of different reasons that people objected to every version of this policy. The closest thing to support has been people that have said, eh, it’s probably okay. But not a lot of people have really said that this is a problem that needs to be fixed.
So what I’m here for now is some direction from the community. Is this a problem that you want to solve? Should we be working on this? Please let me know.
Hollis Kara: Thank you, Amy. Going to have Bill come up and join you on stage.
If people would like to come to the microphone or typing, if they would like to join with a question virtually, we’ll get those queued in.
Bill, if you’re okay —
Bill Sandiford: I’m good. We’ll start front and center.
David Huberman: David Huberman from ICANN, speaking on my own behalf. In its earlier iteration, I get it, why this is a policy, a Draft Policy.
In its current iteration, this isn’t policy to me. This is an ACSP. We looked in the NRPM while you were talking and don’t see operational text that directly relates to this.
There’s no text that seems to forbid ARIN from simply enabling such functionality in ARIN Online. So I would suggest that this isn’t policy. Thank you.
Bill Sandiford: Thank you. Rear microphone.
Kevin Blumberg: Kevin Blumberg, The Wire. I echo Mr. Huberman’s response. This is not a solution in policy.
But even if we take that leap and say that it’s a solution in policy, having it done in one region, in one way, creates further problems. This either has to be coordinated and codified and as a standard that is actually machine parsable and usable, or we are wasting our time and we’re going to have another policy to remove it out in ten years, just like we’re doing with the origination field because we were the only ones that did it and nobody else is doing it.
So I don’t believe this policy, the way it is written, is movable. I believe it should be tried as an ACSP, or I believe there should be some coordination among the communities between the RIRs if they want to see something that is actually usable globally. Thank you.
Bill Sandiford: Do we have anyone online? Let’s go to online first.
Beverly Hicks: Kerry Culpepper from the Hawaii State Bar Association, IP and Technology Law Section and NURALA member.
As a new member, I’ve unfortunately not been able to give perspective of IP owners. IP owners have to send abuse notices to thousands of IP owners. IP owners usually use the email address to send auto messages. If you required IP owners to auto fill a form, you would substantially increase the work to send notifications.
The law gives the ISPs benefit from having these abuse notices. They have a responsibility to maintain these email addresses. And, similarly, a copyright office requires service providers to give an email address for notices. And there are other legal remedies for people flooding with fake abuse notices.
Bill Sandiford: I’ll go out on a limb and assume that when she’s referring to IP owners, she’s referring to intellectual property owners. Maybe she could clarify that. We want to make sure of that.
Front, center microphone.
Lee Howard: Lee Howard from IPv4Global by Hilco Streambank. I was going to make the same clarification that I suspect that IP owners, the other IP. And I really appreciate the legal notice there. That was really great comment to tie it in.
I tend to agree with David. This may not be a policy matter, per se. I also tend to think that maybe we don’t have exactly the right respondents in the room. And maybe Leslie would like to ask M3AAWG, for instance, what they’d like to see for the the Messaging AntiAbuse Working Group. Maybe they have opinions about how they would like to see abuse reported or how they’d like to report abuse.
Bill Sandiford: Thank you.
Beverly Hicks: And clarification from Kerry Culpepper that, yes, intellectual property owners was the clarification.
Bill Sandiford: Thank you, Kerry, for the clarification. I just want to make sure we’re talking about the right IP in a room. We’re in a conference about IP of IP, whatever.
Rear, center microphone.
Kevin Blumberg: Kevin Blumberg, The Wire. Just as one other followup. In Canada, we have some in other jurisdictions I’m in, we have some very specific governmental regulations in regards to abuse. And the whole question becomes if we change our policies, does it then require a government entity to review their policies and create a whole backandforth that has to go on as well?
I think there’s unintended consequences that come with this policy as well. Thank you.
Bill Sandiford: All right. Final call for comments either in the room or online. Few more seconds.
Hollis Kara: Nothing online.
Bill Sandiford: Nothing online. Seeing nobody charging the microphones in the room.
Thank you, everybody. This is Draft Policy, so there’s no poll of the room on this one. But thank you, everybody, for your feedback. We’ll take it to the AC for their consideration.
Hollis Kara: Thank you, Amy and Bill.
Cruising right along. And next up I’ve got Alicia Trotman who is going to be presenting Draft Policy ARIN-2021-8: Deprecation of the ‘Autonomous System Originations’ Field.
Draft Policy ARIN-2021-8: Deprecation of the ‘Autonomous System Originations’ Field
Alicia Trotman: Good afternoon. My name is Alicia. I’ll be presenting on Draft Policy ARIN2021-8: Deprecation of the ‘Autonomous System Originations’ Field.
So I’m the primary shepherd. My co-shepherd is Anita Nikolich. We went through a couple of revisions on this policy. The last one being the 21st of September, 2022.
Here we have the latest Staff and Legal, which was distributed on October 5th, 2022. One of the things I would like to pay attention to in the Staff and Legal is the statement where staff recommends careful consideration of impacted customers and their ability to find alternatives to information contained in the original AS field within the stated implementation timeframe. That was right here.
To give a synopsis of this policy, it has two parts, which is, one, the removal of Section 3.4 and the removal of the Origin AS field from the database.
There are two timelines to consider here. For the removal of Section 3.5, this would be immediate after ARIN Board of adoption. And the removal of the Origin AS field, this would be December 31st, 2024.
I know my community. I know my ARIN people. We love statistics. Here’s a couple of statistics in anticipation of any questions persons might have.
We can see that 16,624 that have the Origin AS field filled out and do not appear in the IRR or RPKI. This accounts for about 57.3 percent in our last statistics of the 28,999 blocks that have the Origin AS value set, the number not in IRR and RPKI.
The question to the community: Will the impacted customers have the ability to find alternatives to information contained in the Origin AS field within the stated implementation timeframe?
And that is it.
Hollis Kara: All right. We’ll have Bill join us up on stage. If folks have comments or questions, please approach the microphones. Same thing for our virtual queue, please start typing.
Bill Sandiford: All right. We’ll go rear center microphone this time. Rear center.
Kevin Blumberg: Kevin Blumberg, The Wire. I support the policy. May I recommend one suggestion? Instead of just saying December 31st, 2024, put in “plus 36 months from adoption.”
This policy may take another year or six months. So having a fixed date is probably not the best way to do it, but get people at least two years. My recommendation is actually three for this.
If you can go back to the slide with the percentages. Thank you. My issue with these numbers is that 16,624 people really don’t have IRR or RPKI. The Origin AS may or may not be used in many cases.
So that number is kind of a red herring. It’s not actually showing what the real impact or any impact would be because these people are not in IRR and not in RPKI. So I don’t believe that that the effect to these organizations will really be there.
We’ve had very few organizations even come up and say that they use the Origin AS data for their routing. I do know of one organization that is doing it. No other region is doing this.
So once again we’re propagating an ARIN-only solution from years ago, where really the answer should be use IRR and RPKI. That should be the solution.
And we should be giving organizations notice, this is the most important part, they should be given notice to know that this is going away. This isn’t the proper way of doing things, rather than perpetuating something that is not actively being used in routing policy decisions. Thank you.
Bill Sandiford: Thank you. Front microphone.
David Huberman: David Huberman from ICANN. I wanted to give a little historical perspective on why this exists.
All the way back in roughly 2005 we used to have network researchers and security researchers commonly attending NANOG and ARIN meetings. And one of them, our friend Sandy Murphy from SPARTA, had an idea this was a precursor of RPKI. This was a way that the research community could derive useful and interesting routing information out of Whois and then correlated with what you saw in the DFC. This was how we could bolt onto BGP without any security.
Well that was 17 years ago. We now have a much better fleshed out IRR. We have an RPKI which is enjoying wonderful participation at larger providers and increased participation at smaller ISPs.
So, remembering how we got to where we are today I think is helpful when you think about this policy.
And I wanted to make one other quick remark. Kevin, you keep saying we have where are you, Kevin? There you are. You keep saying that ARIN is an outlier on Origin AS. And I do understand why you say that.
However, the LACNIC community has now introduced a new Draft Policy to introduce Origin AS into LACNIC Whois. And they’re doing so, I believe, for RPKI purposes, which, I’ll be honest with you, I don’t understand.
It may be worthwhile for someone, Sean, to take a look at that Policy Proposal. Thank you.
Bill Sandiford: Thanks, David, for the insight. David, are you for or against or neither?
David Huberman: Neither.
Bill Sandiford: Neither. Front microphone again.
Matt Erculiani: Hello, Matt Erculiani, ARIN 50 fellow, Google. Generally opposed to making information more accessible or less accessible. And somebody’s going to end up writing an RFO when this goes into production. Somebody is going to have an outage resulting in this. They either missed the notice, didn’t update their automation. I just hope it’s one or two people that end up writing RFOs and not a whole bunch of people.
We just don’t really know the impact right now of what this is going to have on people’s automation.
Bill Sandiford: For the purpose of the transcript, for those who don’t know about RFOs, because they’ve never been in an operational network and had to write one, maybe you could just tell people what your RFO is.
Matt Erculiani: A Reason for Outage Report.
Bill Sandiford: Thank you. Any comments online?
Hollis Kara: I don’t see anything from the virtual queue.
Bill Sandiford: All right, we’ll go rear microphone first.
Rob Seastrom: Rob Seastrom, ClueTrust, CapitalOne, and ARIN AC. I get a little déjà vu whenever I look at this policy because this is the example that I used in my presentation back in April about how to use Git to dig around in the PDP history.
And we found Sandy’s slide decks. So I’d like to add on to David’s comments that she was always very explicit that this was sort of an interim thing, that this was not intended to be a thing that would persevere in perpetuity.
It was a patch, a way to put some information out there until we got to whatever BGP security thing that we cooked up, which eventually became RPKI. Thank you.
Bill Sandiford: Thank you. Front microphone.
Tina Morris: Tina Morris, AWS. I just wanted to share one thing that might be interesting to check on these numbers is when AWS originally launched Bring Your Own IP, we used this field. We had customers fill this field out to show positive control of the IP space.
We’ve now moved on from that. We don’t use it at all anymore. But there may be several of those blocks that are labeled that have RAS 16509. That’s all residual old data that might be skewing this usage. Not to say all of these, by any means. And I am in favor of removing this or this policy.
Bill Sandiford: Thank you, Tina. Final call in the room, and we’ll do one more check with the online.
Hollis Kara: Don’t see anyone online.
Bill Sandiford: All right. Okay. Thank you, everybody, for your comments and your feedback. The AC will take it into consideration. Thank you.
Hollis Kara: Thank you, Bill.
Since we’re running a teensy bit ahead of schedule, we’ll squeeze in an extra presentation before we go to lunch. See it says that. It’s not true. Waiting for just a moment. We’ll get some slides queued, up and John Sweeting is going to come up and present the Internet Number Resource Status Report from the NRO. Just waiting for slides. You can walk slow, John.
Also, just a reminder to the room. I noticed a comment in the chat. We all tend to fall back to using acronyms a whole, whole lot when we’re talking about policy and about issues. And for the benefit of newcomers, to the extent that you can express things in full words and speak slowly for the benefit of the transcriptionist, it will help with folks’ ability to keep up with what’s being discussed today.
Admonition aside, I’m going to hand it off to John Sweeting.
Internet Number Resource Status Report
John Sweeting: This report is hot off the presses. It was just put up on the NRO site this morning. These are all up to date numbers as of 30 September 2022.
So, this is the chart we show all the time. It doesn’t really change. It’s just all the IPv4 address space and where those 256 /8s are distributed to.
There are a few, there’s some stuff going on with that experimental, no, not the experimental box, 240 /4. I’m not covering it in that. I just want to point that out.
Total IPv4 addresses managed by each RIR: Those numbers are a little bit skewed because ARIN, of course, a little bit less than half now. We actually used to be 50/50 with legacy and what ARIN had obtained directly and issued out directly.
But a lot of that, probably about 40 percent of that now is legacy space.
Available IPv4 space in each RIR and by available IPv4 space: This is talking strictly what’s available, free pool that was issued, well for AFRINIC, it was issued from IANA. APNIC, I’m not quite sure what that available space is. That’s one of their policies. I’m not really sure. Maybe George can get up and let us know at the end of this how APNIC has .16 of a /8 available.
In terms of /8, this is how much space each RIR has issued per year. So, this is a historic lookback for the last ten years. And of course, it went down, down, down, down.
IPv4 transfers, not including mergers and acquisitions, number of transfers per year: Intra-RIR, so this is within the regions. And AFRINIC actually does have intra-RIR transfers. They do have transfers within the AFRINIC region. So, as you can see there, RIPE has an extremely large number of intra transfers. Last year, they actually have had the most intra for a while.
When you get to the number of addresses transferred per year, it’s a little bit different story. You’ll see that the number of addresses transferred within the regions - ARIN has transferred the most by address count. So, I guess what that would tell you is that the ARIN transfers are a lot larger transfers than the other RIRs.
So, the total number of IPv4 transfers between RIRs - so this is the inter-RIR transfers, or what we here in ARIN land refer to as 8.4, Section 8.4 of the Number Resource Policy Manual. And as you can see, AFRINIC has zeros across.
And this is the number of transfers, not the number of addresses. Again, we’re talking about the number of transfers. You see a lot of action between APNIC, RIPE and ARIN, with LACNIC starting to pick up. I think LACNIC, their inter-RIR transfers have been around for a little over a year.
And then the number of addresses are here. And as would be expected with ARIN in the large legacy pool that we had within the ARIN region, there’s been a lot of transfers out of ARIN to APNIC and RIPE.
This year we saw a little bit of change where we’ve had some big transfers coming into ARIN, especially from RIPE. There was a /14, couple of /16’s that we hadn’t seen before.
I don’t know what that tells you exactly other than possibly the larger blocks in the ARIN region are becoming less available. So, our buyers are going outside of the ARIN region to find the larger blocks.
What else do we get from this? I guess just, I would just point out that that’s not necessarily bad that more address space has left the ARIN region. Most of that space was legacy space. It was space that we were managing freely without any reimbursement from the organizations that held that space. It was a lot of space that had problems with the accuracy of the data, which had to get cleaned up before they could do those transfers.
So, it’s helped in a lot of ways. It’s taken down the amount of address space we’re actually managing without any kind of reimbursement on that. And it also has helped with the Whois accuracy.
IPv6: This shows you the distribution of IPv6 is how it’s been allocated to the RIRs. I think those first ones are what - I wasn’t around at that time so I’m not sure how IANA issued out those first blocks of IPv6 to the RIRs. But I know it is now the RIRs get a /12 and that’s what you see.
And there’s two, ARIN and RIPE, have both, are the only two that have gone back so far for an additional /12 from IANA. So, you’ll see there in the allocation since October 2006 that ARIN has gotten a /11 and RIPE a /11 and the other three, /12’s.
IPv6 allocations issued by the RIRs: Once again, RIPE has done quite a few allocations over the years. Not a lot else on there. It’s a comparison, who has been given out IPv6.
When you get to the total allocated IPv6, RIPE leads the way. Again, I don’t think there’s anything on there that needs explanation or is shocking or surprising.
IPv6 assignments: Probably the only strange thing that you might see there is that if you see in 2022 there’s no assignments by ARIN. That’s because ARIN does not do assignments any longer - We only do allocations. So, where we were doing assignments all along there, there’s, 2022, there’s not been an assignment from ARIN to anybody of IPv6. They’ve all been allocations. But the number really hasn’t changed of the prefixes that were given out total to the allocations and assignments.
So, total assigned IPv6 space: LACNIC actually, I believe, they had a policy that had them give everybody - assign everybody - an IPv6 block. That’s why they’re way up there. I think they actually have, like, 99 percent of their customers have IPv6 because they had that policy that was put in place for them to issue IPv6 to all of their customers.
This slide I don’t really like because it’s very hard, well, it’s not so hard not on the big slides, but to see the stripes. So, the striped portions of these numbers are the members with IPv6 only, which probably means they have reassignments or reallocations from the upstreams of IPv4. And they then wanted to get into IPv6, so they came and got their own IPv6 because they didn’t want to be relying on their upstreams for that.
Moving along, AS numbers: So, again, this is what’s from IANA out to the RIRs. The striped ones are the 32-bit and the solid is 16-bit.
ARIN handles its AS numbers, it was probably 10 years ago the community said “there’s no such thing, there’s only ASNs, there’s no 16-bit or 32-bit. So have a pool, ARIN, and you just issue it out.”
So that’s what we did. And we issue it out, of course, the lowest number, whatever the lowest number is that’s in the pool that’s available to be put out, that’s what goes out.
Every once in a while, we get some AS numbers back in. We happen to have gotten a large block from a certain entity earlier this year that had it was a block of a little bit over 200 AS numbers, and they’re all three digit and four digit. There was 999 in there and 888 and 777 and 1001.
It was a run on the ASNs. All of a sudden, the word spread like wildfire, “ARIN’s giving out three-digit ASNs; get your ASN request in.”
We had a fire sale, I guess you would call it, on ASNs. Those went quickly. We followed the policy. We had to, they had to show why they needed an additional ASN if they already had one. If they didn’t have one, it was much easier for them to get one. But they went very quickly.
The only other thing, at some point in time we do get some lower numbers, three digits, four digits back. People are always asking for them.
What we do, we hold them for the period that our policy, our process says to hold them. Then we throw them in the pool, and whoever happens to be the lucky one next to ask for them, asks for them, and they get approved and out it pops. And that’s what they get.
This is how many ASNs have been issued per year: The stripes, again, are 32bit; solids are 16bit. I have a hard time reading that. I think it’s probably APNIC that’s doing the most. I can’t tell from the colors. I’m sorry. I’m a little colorblind. It’s RIPE NCC. Okay.
John Curran: Do a 2021. For 2021 that’s APNIC.
John Sweeting: APNIC, that’s what I thought.
Moving right along, total ASNs assigned by each RIR: You can see ARIN and RIPE have pretty equal on the 2-byte. And RIPE has been putting out quite a bit more on the 4-byte.
LACNIC and AFRINIC, you would expect them - the size of their populations and the region, the size of their regions and numbers of ISPs in their regions - would be where they are. Nothing real exciting here.
References: You can find these statistics on NRO.net/statistics. And the IANA Number Resources you can find at IANA.Org /numbers. Thank you.
I’m trying to talk really slow so the stenographers can catch it.
Hollis Kara: Any questions or comments? Looks like we might have a question virtual. Go, Beverly.
Beverly Hicks: Kerry Culpepper. I don’t see an affiliation. We have it from before. “Has ARIN received complaints that some actors are using the IP blocks transferred from ARIN to RIPE to engage in nefarious actions such as foreign actors getting IP addresses that will still geolocate to the US from RIPE, thanks to the transfer? When intellectual property owners observe abuse at the IP addresses, we look up WHOIS and see the RIPE reassignment. Often it becomes a black hole with no new information.”
John Sweeting: I mean, we get feedback and hostmaster email and Ask ARIN questions a lot on those types of issues. It’s very difficult. I’m not sure if John would like to address that because we have, we have an issue where people think we’re the spam police of the Internet. And we get a lot of this stuff. So, John has some opinions on that, I know.
John Curran: So, the challenge we’ve got, of course, is that at present, the geolocation information is not something that’s really part of the registry. It is something that can be put in, in IRR data, for example, but it’s not part of the resource record itself.
And so, people come to us, and they say, well, this block tracks back to ARIN. We’re like, that block has transferred to RIPE or APNIC or wherever.
And so, I guess the question for the community is, we do have obviously you can derive a location from contact information, but that’s really the person who has the rights to the resource, actually has the rights to the entry in the registry, not where it’s necessarily being used or routed.
To the extent that the community wants geolocation information in the registry, whether that’s where it’s being used or where anybody that has the rights is located, you need to be very explicit and put that in the registry.
All we can tell people when they come and say this block has been transferred and being misused is “it’s been transferred. You have to go to the other registry; you have to go to the entity that’s actually routing it.”
So not a good answer, but it is what’s currently happening.
I do know people are transferring blocks from ARIN to other regions to get US geolocation because it takes a while for the geolocation people to catch up.
John Sweeting: Thank you, John. Kevin?
Hollis Kara: Go ahead, Kevin.
Kevin Blumberg: Kevin Blumberg, The Wire. To John, this actually has now come up four or five times during the NANOG in relation to geolocation companies. They don’t do a good job, and we all get affected by it, and we shouldn’t be blaming the RIR’s. We should be blaming the geolocation companies who take 30, 40, 80, 180 days to ignore, to just blatantly ignore us.
As a community we should stop blaming the RIR’s. What we could ask the RIR’s to do is just please reach out to them and show them, because they seem to be a little dense, as to where the information is, like remark fields in IRR, to get a better update threshold because 30, 45 days is just not acceptable in our industry anymore.
Thank you, Kevin. Lee?
Lee Howard: Lee Howard from IPv4Global by Hilco Streambank. I bumped into Warren Kumari earlier this week, and he reminded me of RFC 8805, a format for self-published IP geolocation feeds. So, we operators, people who have addresses allocated to them, there is a format to be able to publish similar information and provide additional detail for the use of the geolocation feeds.
But honestly what I really want to propose isn’t for here. I think that I would love to have a BoF, birds of a feather organization…
Hollis Kara: Thank you, Lee.
Lee Howard: …meeting at maybe a future NANOG with geolocation operators to say, how can we make this better?
John Sweeting: That’s a pretty good idea, Lee. Thank you. Anything else on virtual?
Hollis Kara: Nothing else from virtual.
John Sweeting: I’d like to point out, since we did talk about IANA in there, that Kim Davies and some of his staff are here at this meeting. Kim, are you in the room? I don’t know if he’s in the room. He’s just outside.
I just wanted everyone to know they’re here and that they’re very approachable and you can ask them any questions you would like to ask them about IANA and PTI and the functions there.
Other than that, we do have George here from APNIC, too, that you could - George - if you have questions about APNIC. I’m not sure we have anybody here from RIPE. We do have some people from RIPE.
And LACNIC and AFRINIC, I don’t think we have any staff here from AFRINIC. We may have some board members but no staff.
All right. I think if you’re hungry enough, I’ll let you go to lunch.
Hollis Kara: Thank you, John. We will, in fact, be breaking for lunch. This room will remain open. So please take your personals if you’re concerned about safety with that.
We will be over in Salon 4 and 6. Folks who are online can just leave the Zoom running. We’ll be back at 1:30 PM for ARIN elections.
ARIN Elections Introduction
Hollis Kara: All right, folks. If you would like to come in and get seated. We’ve got a packed election agenda for this afternoon. We need to get started.
All right. We’ve entered the election portion of our meeting. And now this slide says that Jason, who is coordinating our elections this year, will be giving our introductory presentation. He, however, is busy making sure eBallot is up and running properly.
In his stead, his boss, John Sweeting, who is having a chitchat with Michael on the far side of the stage is going to take over. So, here’s Johnny.
John Sweeting: Thank you, Hollis. See what you get after 15 years, you get amazing. That’s what you get.
I’m not Jason Byrne. I’m not Kevin Blumberg. I’m not from the Wire. But I am John Sweeting from ARIN, and I’m now going to run through some election information.
So, Jason Byrne, who is our election expert, is sitting over in the other room next door at the election help desk. If you have any questions or any problems or any issues or anything, go see him if its election related.
One quick note, elections opened at 3:00 PM Eastern time. So, they have been open for a little while now, an hour and a half, I would guess, and we have actually had 25 votes cast and we’re happy to have seen that because we are using a totally different system this year. We are using E ballot. In the past we’ve used BigPulse.
So, kudos to the engineering team and to Jason and everyone else involved for the changeover from one system to the other. It’s been pretty seamless, and we’ve gotten a lot of additional functionality out of the eBallot that we didn’t get before.
As you can see, arin.net/elections is your source for all election information as well as any ARIN staff that’s here. You can talk to us or you can go straight to Jason. Statements of support are open until voting closes. If you haven’t put in that statement of support for your favorite candidate, you have plenty of time to do it.
The election calendar and all process documentation can be found at arin.net/elections. And there’s the step-by-step instructions on voting.
So, who can vote? It’s always a good thing to know if you can vote or not.
A voting contact of an organization that has been, that is a general member in good standing as of 5 September will be able to cast a vote. If you’ve changed voting contacts since September 5th, that voting contact will not be able to vote because we had to have a cutoff was September 5th. We had to validate all the members in good standing, all the general members in good standing and the voting contact at that time.
The step-by-step – eligible voting contact should log into their ARIN Online, select the “vote now” link, which should be prominent once they log in to their account, and then cast ballots for Board of Trustees, Advisory Council, and an ARIN region representative for the NRO Number Council.
One, two, three, they can vote for whatever election they want to. They can vote in all three. They can vote in one or not the other. It’s all up to that voting contact.
As I said, voting is open from 3:00 PM Eastern time so it’s open right now through 7:00 PM Eastern time on 28 October, which is next Friday.
All right. Open to attendees of the NRO NC, the Number Council elections has been open for several days because it’s open to attendees of NANOG 86 that are not ARIN voting contacts, and attendees of ARIN 50 who are not ARIN voting contacts.
You should have gotten emails so that you could vote, cast your vote for NRO NC. And you had to have been registered by 13 October 2022.
An email with a unique voting link was sent. Voting is open now and voting also closes at 7 PM on 28 October, next Friday. So, we have a new election system as I said. It’s eBallot.
So, when you’re viewing your ballot, you’re going to see that your name and vote weight, the organization you’re casting a ballot on behalf of and the email addresses that will receive the confirmation email for your vote.
You’ll get the full ballot will come up. All three offices will be presented at one time on the same screen. You have to scroll to obviously see all of it, go down to the bottom.
And you can choose up to three candidates for the Board, five candidates for the AC and one for the Advisory Council and one for the NRO Number Council.
Then you’ll go to a screen, and you’ll be able to review what you have selected. If you see, “oh, wait, I didn’t want that one, I wanted the other one.” And you then will have to edit your selections.
You’ll also have to click that little box down there to agree to the participant consent and transparency agreement. And you’re done; you’ll submit it.
Once you submit it, you’ll receive confirmation that the vote is received. And you may print out a receipt. And you’ll also receive a confirmation email at the address indicated.
Again, you can contact us at email@example.com if you need any assistance. Or while you’re here for the rest of today and tomorrow, you can contact any ARIN staff member or go straight to the expert over there at the Elections Desk in the hall next to us.
Candidate speeches and slate of candidates, I’ll run into it real quick and go into the actual candidate speeches. The 2022 Board of Trustees candidates are Naseem Bawa, Ron da Silva, Muhammad Adeel Javaid, Hank Kilmer, Bill Sandiford, Rob Seastrom and William Sylvester.
The Advisory Council candidates are Jawaid Bazyar, Douglas Camin, Gerry George, Brian Jones, Kendrick Knowles, Gus Reese, and Alison Wood.
And 2022 NRO Number Council candidates, Kate Gerry, and Nick Nugent.
And it’s weird, I messed up the easiest name on the list. But that would be me.
All right. So, reminders, voting opens today for the ARIN elections. Voting opens actually at 3:00 p.m. – actually voting is open as I’ve said before. And it closes at 7:00 PM Eastern, 4:00 p.m. Pacific on 28 October, next Friday. All right.
Hollis Kara: Before you run away, I do have a question from virtual. Beverly, do you want to read that?
Beverly Hicks: Steve Wallace from Internet2 says, if you were just, as in yesterday, assigned as a voting POC for an Org, how does that Org vote, given your comment that they need to be vetted, can a previous voting contact vote?
Hollis Kara: So, if the voting contact changed after the 5th, would the ballot go to the previous voting contact? Is that a Jason question?
John Sweeting: I don’t know if that voting contact still has a login and an account, we will send it to everybody that was validated as the voting contact. But it’s a question that we probably need to have answered by Jason.
Hollis Kara: I would suggest that Mr. Wallace reach out to Jason directly and get some clarity on that one.
John Sweeting: That was Steve Wallace?
Hollis Kara: That was Steve Wallace.
John Sweeting: I’ll get to him. Is that it?
Hollis Kara: That is it. Thank you, sir.
ARIN Election Candidate Speeches
Hollis Kara: It’s my distinct opportunity to start bungling names. I’ll try my best not to mess up pronunciations.
We’ll bring each of the candidates up in turn. We have a few that will be joining us virtually with recorded video. We’ll play those in turn. We’ll go in alphabetical order.
There’s a timer on the floor. Candidates asked to keep their remarks to three minutes. And we’ll start with the Board of Trustees.
The first candidate I would like to call up to speak about why they’ve chosen to run for ARIN’s Board is Naseem Bawa. And yes, I just realized that was way too fast. I’m sorry, Denise.
Naseem Bawa Speech
Naseem Bawa: Good afternoon, everyone. I see what you mean by the lights. It’s pretty bright. So the Internet has undoubtedly transformed our world. Imagine the impact to the economy if the work from home option was not available during the pandemic.
As with most innovation — especially innovation with such broad adoption — along with benefits, there are often unforeseen and unintended consequences.
Access is not universal. About 3 billion people around the world remain unconnected. And unfortunately, many bad actors use the Internet to defraud and bully unsuspecting people. These types of challenges can only be tackled through appropriate Internet governance.
Good afternoon. My name is Naseem Bawa. Thank you very much for giving me the opportunity to speak with you this afternoon. I want to serve on the ARIN Board of Trustees because I want to contribute to ARIN’s success in helping shape the evolution and use of the Internet through appropriate governance.
I’m new to the organization, but hopefully you won’t hold that against me. I offer diversity of thought and experience. I’m a lawyer and a business executive who, over three decades, has worked in various industries and served on and advised boards.
In addition, I have extensive experience working collegially with interdisciplinary teams and people from all over the world. That includes engineers, by the way.
And through this experience, I have learned to appreciate the value of listening and learning from others and presenting my perspective in a respectful manner without disturbing the existing chemistry.
Further, having worked with organizations that collect sensitive personal information, I’ve learned to appreciate the importance of privacy and cybersecurity. And I believe, and I think this was confirmed by a lot of the discussions today, privacy and cybersecurity considerations need to be at the forefront of any executive decision-making process. So hopefully I would get an opportunity to contribute to that.
I’m a passionate, flexible and hardworking person who wants to make a difference in people’s lives. Through my work at Blackberry, I experienced the joy of working in different parts of the world and enabling people living in countries with inadequate infrastructure to access the Internet and wireless services through their Blackberry devices. Helping transform how remote parts of the world accessed information and people was extremely gratifying.
If I’m selected to serve on the ARIN Board of Trustees, I hope to use my experience, skills and knowledge to play a role in the dissemination of digital assets and the evolution of the Internet.
Please support me in this election. I’ll work hard for you and I will definitely bring a different perspective given the fact that I’ve negotiated and met with people throughout the world.
I do speak many languages, but I don’t put that on my resumé because as I grow older a lack of practice has resulted in me not speaking fluently. So I do understand and speak multiple languages and I have worked throughout the world and hopefully some of those skills and attributes would serve me well on the ARIN Board.
Thank you very much for your time. If you have any further questions, I’ll be around and happy to answer. Thank you.
Hollis Kara: Thank you. Next candidate for ARIN’s Board of Trustees would be Ron da Silva. Where are you? Come on up.
Ron da Silva Speech
Ron da Silva: Good afternoon. I am Ron da Silva. I know a number of you already in the room but those I haven’t had an opportunity to meet yet, greetings. I would love an opportunity after this, later this evening, especially at the social, for those of you that we haven’t had an opportunity to get to know each other, to take some time to share who I am, where I come from, what I bring and get to know each other more on a personal level. So I’ll start with that invitation.
I would also like to start by saying thank you. I made a run last year in the election process, and in the process that was very different than this year, there was a whole petitioning component that required getting additional support just to be on the ballot. And I had pretty overwhelming support from a large part of the community to meet that petitioning process and to be added to the ballot, and through the election process had a lot of support from a number of you. And I want to say thank you. I wanted to acknowledge that and the appreciation with it.
That said, there’s been a lot of changes. I want to just commend the Board for responding to these transparency and accountability mechanisms that I think were flagged through the election process last year. And a lot of the changes implemented were in fact in response to that. And I’m really encouraged to see the work of the Board to put that forward and make some changes.
I think there’s still more work to be done, in particular around furthering good transparency practices and good accountability practices for the Board.
That’s one of the things I look to bring as a member of the Board of Trustees is really helping to continue to grow on the work that’s already been done and to provide additional transparency and accountability.
So what do I bring? I’m not new to this community. I’ve been here. Some of you know me from as late as the ’90s when I first began participating in Internet governance and technology forum, like NANOG and ARIN both. I initially joined the Advisory Council. I chaired the Advisory Council for a number of years.
I later came back and was a member of the NRO Number Council. I did that for a number of years. I was appointed by my peers on the NRO to join the ICANN Board. I was on the ICANN Board for six years as a representative of the numbering community in the broader work that ICANN is focused on.
I have business and technical expertise. I’ve been involved in technology and strategy and as well as the economic side of what it takes to build infrastructure.
It’s my executive experience and my board work, which began with ICANN and branched out into other areas. I sit on the board of a credit union today, which is a regulated financial institution which provides a great opportunity to express governance skills but in a completely different discipline.
I’ve been in executive leadership roles in a number of companies that all of that combined provides a package for me that is representative of best practices across industry, across businesses, for how best to keep the work of the Board accountable and transparent to you, the members. And that’s really what I’m looking to bring.
I ask for your support and your vote and again extend an invitation later today, would happily be available to further expound on my qualifications and experience. Thank you very much.
Hollis Kara: Thank you, Ron.
Our next candidate is not with us in person but did submit a video speech which I’ll get queued up now. This is Muhammad Adeel Javaid. Do we have his video ready?
Muhammad Adeel Juvaid Speech
Muhammad Adeel Juvaid: Hi, ladies and gentlemen. It is that time of year, ARIN is going to hold elections for the Board of Trustees and I’m standing as a candidate.
My name is Adeel Javaid and I’m a cybersecurity researcher and consultant since last 15 years. And I have the honor to serve on many nonprofit boards as a board member, including the board member of disabilities for international and various forums. And as a member of the vendor Advisory Council of CompTIA and I’ve also served as a board member of various startups and skill labs.
So I have a strong reason for ways to encourage Internet governance, particularly participating in policy-making for practical management of IP addresses to ensure privacy of Internet users and corporates. There is currently limited involvement of stakeholders including government and disabled society in the policymaking for practical management of the IP addresses to our Regional Internet Registries. They encourage the stakeholders to participate, but I think there is a need to evolve a model in which all interested stakeholders, including the national governments, can play a decision-making role in IP address management and this is not just about the private sector.
The decision making about issues such as resource allocation and IP address policy has always been in the hands of the Internet community. In order to be as close to those who require and use the resources as possible, it is the participative model that is close to the end users, and that can lead to the phenomenal stable growth of the Internet because Internet community and its bottom up processes are constantly evolving in response to changes in needs and availability.
And I also think that there is a dire need for ensuring privacy for our end users. There is need to restrict the use of resources like Whois database and access to all these resources that contain the publicly identifiable information or any other information that can help the bad actors to achieve their motives.
It should only be restricted to law enforcement and regulators. And IP addresses are an integral part of any corporate network and companies large and small and they are consuming them faster. So overlooking the importance of getting a handle on IP addresses can prove disastrous. And last word, we need to make sure that we not only educate and train our users but also we provide them all the resources they need to make sure that they stay safe on the Internet. So providing a safer Internet, that is my first priority. And this is, I think, this should be the priority of all of you. So thank you very much and looking forward to your support for my candidacy. Thank you.
Hollis Kara: All right.
Next up I’d like to invite Hank Kilmer to come on up and share his thoughts.
Hank Kilmer Speech
Hank Kilmer: I’m Hank Kilmer. I appreciate the time here. I’ve been in networking since the ’80s – late ’80s, but ’80s. ’90s, joined UUNET and been doing sort of the core infrastructure networking ever since.
On and off involved in NANOG and other Internet governance places, including ARIN. Was on the Advisory Council before.
And as an operator, you go through your career building and fixing problems and having the time to really dig into some of the problems that you want to address — your wants get pushed down over the actual needs of building and running things.
I’m at a point in my career where I’ve got the time, the energy and the desire to invest in whatever is needed for this role.
I’ve been on boards. I’ve been on member nonprofit boards before. They have an interesting twist to just being on a board of a company. It’s more of a challenge in some respects and in other respects, kind of cleaner.
So I’m very familiar and I bring that experience. I’ve been on a handful of boards before. I’ve been in management for a long time, running departments and engineering and policy.
And at Cogent, which is my current role, I run their IP network. And myself, along with Gus, whom you’ll hear from later, are responsible for managing a good percentage of the legacy IP space that Cogent has taken control of over the years.
So it brings interesting challenges in the ARIN community. You have challenges for the small up to the large. My current role in my day job is a large problem. Some of the — but it gives you the full range.
And I’ve seen it all through the years. And want to take my experience and help ARIN through the next evolution of its life.
I’d appreciate the vote and I appreciate the time. Like Ron said, I’m around. I’d love to get to know people at the social so the people that don’t know me, come right up, we’ll talk, whatever you want to know. I’m an open book. So thank you very much.
Hollis Kara: Thank you.
Next I’d like to invite Bill Sandiford.
Bill Sandiford Speech
Bill Sandiford: Thanks, Hollis. Hi everybody. For those of you who don’t know me, my name is Bill Sandiford. I’ve been involved with ARIN since 2009. I started my time with ARIN on the Advisory Council where I spent four years before moving on to the Board of Trustees after that.
Outside of my work at ARIN, I’ve spent the bulk of my life since I left university in the Internet service provider space. I ran a small/medium-sized ISP up in Canada from about 1996 until 2014 when it was successfully acquired. And since that time I spend my professional time consulting for other organizations that were similar to the one that I once ran.
In terms of experience, outside of my experience with ARIN, I’ve worked with other boards in the industry, whether it be a trade association in Canada called CNOC that we— I say we because it was done with other peers in the community — founded to ensure that our industry was properly represented at the regulators.
I’ve been on the board at the Toronto Internet Exchange. I spent nine years on the board of the Canadian Internet Registration Authority, which manages the .ca domain name for the government of Canada. And I’ve been generally involved with a lot of the industry, particularly those under the ICANN hierarchy.
I’m very proud of the work that our current Board has done. We’ve got a very strong Board, certainly one of the best boards that ever I’ve worked on. We’ve got a great diversity of thought and people on the Board from all walks of life.
The last few years have been particularly rewarding in terms of some of the governance reform initiatives that the Board has undertaken and brought to fruition. As Ron mentioned this year wrapped up a multiyear attempt to reform some of our election processes. So that was good.
In particular, over this last year, we’ve really taken management to account with regards to cybersecurity and ensuring that the organization is protected from probably what will be the largest threat that any organization faces in the coming years.
I believe strongly in ensuring that the organization has proper governance in place so that we can continue to maintain ARIN in a way that it provides part of the safe, stable secure Internet ecosystem.
I’m looking to continuing to serve the community in this role. I’m asking for your continued support and your vote. I’d be more than willing to take any questions anybody wants to chat more, find me, I’m around. I’m kind of hard to miss. Thank you very much.
Hollis Kara: Thank you, Bill.
Somebody read my slide because I see that Rob Seastrom is already on his way up. Come on up.
Robert Seastrom Speech
Robert Seastrom: Thank you, Hollis. Hi, I’m Rob Seastrom. I served on the ARIN Advisory Council since the beginning of 2004. Today I’m standing before you as a candidate for a Board of Trustees seat.
So it’s fair to ask why I’m looking to serve on the Board rather than continuing to do what I’ve done for the past 18 years, shepherding and crafting good policy. Over the past three decades, I’ve worked with small shops and cofounded startups and nonprofits. A dozen years ago, I was on NANOG’s Board as we transitioned to a standalone organization.
I’ve also been a technical individual contributor at a couple of very large organizations. Even today, outside of my day job, I remain hands-on with technology looking after the networking routing side of a very small colocation provider.
But in late 2019, my career pivoted away from building infrastructure as I chose to work in an oversight capacity asking inconvenient questions about security and reliability of network and cloud infrastructure at a large bank.
I joined Capital One in February of 2020. Today, I’m a distinguished engineer in the information security office contextualizing technology and business risk for our senior leadership team.
As Richard noted this morning, ARIN is in the process of getting a SOC 2 certification, which is an assessment of whether one has appropriate controls in place and then in a later phase, whether those controls are effective.
This is an important step and one which I support wholeheartedly. But risk management is a journey and not a destination.
Like the industry as a whole, ARIN’s risk appetite, not just for technology and cybersecurity risk, but for business financial and operational risk, is ever changing.
If we engage thoughtfully in risk articulation by embracing established frameworks for doing so, we can add additional dimensionality to discussion of our priorities as well as avoid wasting finite resources by overcorrecting.
At the end of the day, more formality and thoughtfulness in risk governance will allow ARIN to better serve its constituency.
I believe that having lived in the formal risk evaluation environment for almost three years, combined with my deep institutional memory and hands-on experience with both technology and ARIN’s policy give me a unique perspective and ability to contribute to ARIN’s risk in governance future.
I ask for your support and your vote in the current elections. Please come and find me at the social. Thank you.
Hollis Kara: Thank you.
And for our final candidate for the Board of Trustees, I’d like to welcome William Sylvester.
William Sylvester Speech
William Sylvester: Thank you, Hollis. For those who don’t know me, I’m William Sylvester. And I’m here to ask you for your support and vote. For the past 30 years, I’ve dedicated my career to the Internet, starting with Internic, which is a project in Network Solutions, I worked with IP numbers, domain names.
And in 1997 we spun ARIN out of a project called NetReg, network registration, and the independent organization that it’s become today. And what an organization it’s become. It’s really exciting to see what’s happened in the last 25 years.
Today, I support the community, working to help the Internet continue to be secure and grow while we work to adopt IPv6.
As many of you know, IPv4 was limited. And I remember a time in the late ’90s where IPv4 was running out and the sky was falling and we were going to be out. And this new thing called v6 came out or IPng for those of you who remember.
Things that I care about are good governance with a balanced environment for all members, where we have a community with reasonable fees and responsible budgets while providing stable and secure services for all of our members.
A community that values fairness and equality. I believe in openness and transparency. And together, we shall continue to build stable services like RPKI to help continue to improve the security of the Internet, and continue to maintain existing ARIN services for all members.
We need to be diligent with the changing global landscape from the sanctions that we face, to sustaining the RIR system. These are things that are very important to our ongoing community.
I’ve demonstrated the leadership that, if elected, I’ll work closely with my fellow Board members. I intend to listen and collaborate while we guide ARIN today, laying the groundwork for what we hope to be another very successful 25 years.
I ask for your support and vote. As the other candidates have said, I’ll be around at the social. Come up and ask. Happy to chat with anyone. But thank you and I hope you can support me.
Hollis Kara: Thank you.
That concludes our speeches from candidates for the Board. We’ll move ahead into speeches from candidates for the Advisory Council. We’ll start with a video presentation from Jawaid Bazyar.
Jawaid Bazyar Speech
Jawaid Bazyar: Hello, my name is Jawaid Bazyar. And I’m the chief technical officer of Vero Broadband, a medium-sized regional Internet provider in Colorado and New Mexico.
I’ve been involved in the Internet from the late ’80s at the University of Illinois where I earned a bachelor’s degree in computer engineering, where we were fortunate to have an early Internet connection with the lightning speed of two T1s. And even before the web browser was a thing, I was amazed at the power of the Internet for communication and collaboration, developing a number of software projects jointly with people from all over the country. I saw even then the incredible potential to democratize information.
In 1995, I started FORETHOUGHT.net, an early website development and hosting company specializing in electronic commerce. Over time, we morphed into a full- service Internet provider. And today, under the name Vero Broadband, we offer fiber to the home, fixed wireless, cloud, email and voice services specializing in rural markets.
One key thing that I’ve learned in that time is that it is rural markets that are the hotbed of Internet development with fiber construction often bringing communities from three megabits up to gigabit speeds. And what I see time and again is that the small, relatively new companies that are driving much of this development are struggling with a lack of access to IPv4 resources.
This results in an Internet experience for rural citizens that is hampered by multiple layers of NAT, complexity, lack of reliability and situations where some applications just don’t work well or at all.
And the costs associated with deployment of CGNAT, which is at best a stop gap, are absolutely prohibitive to many smaller companies.
At the same time we see that old legacy companies that have dwindling numbers of direct end users, often as a direct result of the upstart fiber to the home and fixed wireless operators, are sitting on vast unused IP resources. So much so that a number of these large entities are now trying to directly monetize their otherwise dramatically-underused IPv4 space by renting address blocks.
We all talk like IPv4 is depleted, but in reality, there are vast unused or underused IPv4 resources. They’re just not in the hands of the businesses that need them. This situation is hampering competition and it is harming the ability of rural citizens to have an equitable Internet experience.
If elected, I will make it a key goal of my tenure to identify and develop policies to address this disparity, this digital divide, and to allow all citizens, urban and rural, to experience the same modern, fast and fully-connected Internet.
If you share my concerns and my vision, I humbly ask for your vote. Thank you for your consideration.
Hollis Kara: Thank you. Next up will be Douglas Camin. Did I get it right?
Douglas Camin: You did.
Hollis Kara: Yes!
Douglas Camin Speech
Douglas Camin: Hi, my name is Douglas Camin. I’m a candidate for the Advisory Council. And I’m very new here. I’m coming in cold and learning all about ARIN and what it does and the ways that this group operates. And it’s been a pretty overwhelming and energizing experience.
My background, I’m a chief information technology officer for a large nonprofit in the health and human services field. Kind of an unusual background. And prior to that, I was 10 years as a municipal CIO for two different counties in upstate New York.
Through that, I had a lot of exposure to emergency services work, 911 critical infrastructure types of things. And that’s actually kind of how I became to be exposed to ARIN and the work that ARIN does through that.
Also as a part of that, I worked with the New York State & Local Government IT Directors Association. So I have a lot of exposure and experience to what other entities in that kind of space work with and what they want to see and do.
One of the other things that I do, as I serve on the board of roughly the 50th largest credit union in the United States. So I have a lot of experience. I’m the chair of their supervisory committee. And in that role, you do a lot of work with, we do a lot of work with policy development and cybersecurity and auditing and things like that.
Why do I like and what am I excited about here? I’m excited because this is a member-centric and member-driven organization and I really like working for those types of nonprofits. My work with the credit union is very similar. Unpaid volunteer exposure with a very complicated organization that has impact all around.
What do I think I bring? I feel that I bring a different lens to the Advisory Council, just kind of a new exposure. I have a track record of building consensus and leading and working with other volunteers and organizations. And I bring a lot of enthusiasm and interest to processes like these.
So I hope that, when all is said and done, I can earn your vote. And I look forward, if anybody has any questions for me, I’ll be participating in all the events through this evening, too. Thank you very much.
Hollis Kara: Thank you.
And next I’d like to invite Gerry George to come up and tell us why he’s chosen to run for the Advisory Council.
Gerry George: Hi, my name is Gerry George. And I’m a candidate for the Advisory Council. My profile already has some information here. I’ll give you some background for context.
After studying in Ontario, Canada, a bachelor’s in economics, of all things, and Massachusetts Boston, Massachusetts, I did a master’s in Management Information Services, I returned to my home country back in 1995 with the aim of changing the ICT space.
I came back to a country where we had telecoms, monopolies, and ICT was pretty much a new thing then. Having been exposed to the freedoms of the Internet, I wanted to encourage this wonderful and transformative and democratizing technology called the Internet to the islands.
Who would guess? Crazy fella. Within the region, there was around that time a project came out, an IT-sponsored project where they rolled out liberalized ICT legislation across the region, a project called iPCA. And they started having consultations.
However, since I was initially outside of those circles of consultations, I opted to crash the sessions whenever they were held in my local space to ensure that the smaller independent voice was heard.
And it got to a point where I was eventually, I eventually became recognized and accepted as a strong and fearless advocate for liberalization of technology for ICT. And we eventually saw liberalization in 2000 throughout most of the islands in the region.
Following that, I was appointed on recommendation as the technical commissioner with the local telecoms regulator. That happened back in 2012 — 2011, sorry — and I’ve been in that role since then, having been reappointed or appointed, renewed five consecutive times under four different governments.
And for those of you who are familiar with the Caribbean, with Caribbean politics, you will accept that and understand that this is a testament of my effectiveness to bridge different governments.
On my business card, I identify myself as an ICT consultant and also an open-source evangelist. And I’ve been an ICT practitioner for almost 30 years.
Started with the Internet in just around the mid-’90s when applying for Internet numbers was something you did directly to the, following the National Science Foundation, pre-Network Solutions as they stand now and IP numbers were free.
I have worked, back home I’ve worked to revive a then-defunct ICT association which I’ve served in different capacities and I currently serve as a president. I have initiated local chapters for ISOC, ICANN At-Large and other tech-related advisory and advocacy activities, as well as working to host CaribNOG sessions and – one so far, hoping for more – ARIN in the Caribbean event.
I first participated in ARIN events about the early 2010s, was a Fellow in ARIN 37 and ARIN 41 and a Mentor in ARIN 43. And while there’s been lots of encouragement from my peers to participate and to involve myself more, I’ve been a bit reluctant. However, finally I am here today.
Having been a regulator, telecom regulator since 2011, it has provided different perspectives for me, especially sitting across the table from ISPs, dealing with and helping to shape, tweak and enhance legislation, regulatory legislation, government policy and operational procedures to the benefit of stakeholders, including, especially, the use of community.
What do I bring to the table? In brief, a commitment for the wider community perspective and continued involvement, continued advocacy on issues which impact the industry, promoting greater interest and engagement primarily within the Caribbean space — where I feel it is somewhat lacking.
While not directly under ARIN’s responsibility, though, Internet governance, which is also something quite important and becoming more critical. These are privacy and consumer protection issues, particularly with the rapid expansion of big tech and Internet platforms.
And of course, increasing the Caribbean involvement, representation, and participation – hoping that we continue to have a voice.
I ask for your support, your confidence and your vote. Feel free to engage me in the room outside, at the social events and so on. Just walk up to me. I’ll try not to bite too hard. Thank you.
Hollis Kara: Thank you. Where does that put us? Ah, yes, Brian Jones. Here he comes.
Brian Jones Speech
Brian Jones: Good afternoon. I’m Brian Jones. I work at Virginia Tech. I’ve been working in IT for almost 40 years now and I bring the academic IT perspective to the community.
I’m finishing up a one-year term on the ARIN AC where I have learned a great deal. Didn’t realize what all went underneath the hood. There’s a lot that goes on.
I would appreciate your vote. I have recently led our organization to come under a full RSA agreement. And I think it was the right thing to do. And I would appreciate your support. Thank you.
Hollis Kara: Thank you, Brian. And next up, I have Kendrick Knowles. There you are, sir. Come on up.
Kendrick Knowles Speech
Kendrick Knowles: Good afternoon. So I wanted to come up with a simple phrase that would sum up my speech in a way that’s meaningful enough for to you make a decision about my candidacy and after several iterations of this phrase, I came up with three simple words: Thank you, Dad.
Fellow ARIN members, Advisory Council candidates, I am aware that your vote for me will not simply be on the basis of the love of my father. But I’m hoping your understanding of me could be.
Let me explain. It all started on a tiny island called Nassau, Bahamas. I was born to two amazing parents, Karen and Kendrick Sr. Kendrick Sr. worked for the only telecommunications provider at the time, BTC. He was one of the engineers responsible for bringing the Bahamas online.
So he would come home with these books on this thing called Internet protocol. And that’s when I was exposed as a teenager to 32 bits, an IPv4 address, and the caveat that by the time I established my career, 128 bits would be the order of the day.
I’m sure you can remember from ARIN 49, the sluggish statistics with the global adaptation of IPv6. So clearly that caveat was a bit off.
My father started my IT career. He enrolled me straight out of high school into the A+ certification and eventually the Network+ certification. And something crazy happened after the Network+ certification. The owner of the company asked me to teach the next course. And the next course was filled with my dad’s coworkers.
So I was teaching subnetting to the guy that taught me IP addresses to the guys’ coworkers who taught me IP addresses, which was crazy.
I then did the CCNA certification and I was asked if I can teach that. So I said okay. And I went on to do my CCMP certification and several Microsoft certifications. With 14 certifications later, all of which I taught, I became a network and IT evangelical, so to speak, carrying the gospel of the good news of everything networking and IT.
Many years later, I had this realization that IT is so cool and networking is so cool, but what’s even cooler is the policy decisions that are made around the users of IT and the Internet specifically. So I decided to go into management.
So I studied management at the University of the West Indies. I got a certificate of management from Harvard Business School. And I ended up working for a carrier, Cable Bahamas, that was the competitor to BTC, where my dad worked, where it all began ironically.
In 2019, I successfully paired the first nonservice provider with provider independent address space by using BGP multihoming. That was a first for the Bahamas actually.
And so why am I here? I’m here today to say to you that I get it. I get the need for what ARIN does and the ability to keep a proper running registry and the Internet at large and ARIN sitting at the center of it all for our region.
I’m someone who spent his entire career helping companies create policy at different levels for adaptation and acceptance, and I simply want to say thank you for the opportunity to be here today.
And most importantly I want to say those three words that I don’t get to say as much as I would like to: Thank you, Dad.
Hollis Kara: And our next candidate is Gus Reese. Come on up.
Gus Reese Speech
Gus Reese: Good afternoon, everybody. Can you not hear me? Is this better now? Too loud. Good afternoon, everybody. My name is Gus Reese. I work for Cogent Communications, and I’m running for a position on the Advisory Council.
Little bit of background about me. I have been in the industry since about 1998 when I got my start for a small little dialup ISP in Fort Worth, Texas called FlashNet. From there, I went on to a couple of other companies before landing here at Cogent. Part of my responsibilities every day for the past eight years is to manage a team of eight engineers. And we configure basically the edge of a network, anything that touches a customer or peer.
And part of our duties is we also have to allocate IP resources to customers who have a demonstrated need.
So in the past 14 years, we have tried to push for wider IPv6 adoption in the industry. Yes, I know it’s hard to get people to do that. But we want to try to remove all the barriers from doing that.
So why did I decide to run for the Advisory Council? Up until 2020, I was not really that active in the community. And I attended my first ARIN meeting and kind of got hooked. And then the pandemic happened and then everything went to virtual.
And so we had ARIN 49 in Nashville earlier this year. And I started talking to folks who were on the Advisory Council. Had questions for them. And it was really with their support that gave me the confidence to throw my hat in the ring.
So I’m hoping to work with our community on new policy proposals to better help our community.
So thank you very much for your consideration for a position on the Advisory Council. Again, I’m Gus Reese. Thank you.
Hollis Kara: Thank you. All right. And our final candidate for today will be Alison Wood. Come on up. Always great shoes.
Alison Wood Speech
Alison Wood: Hello, my name is Alison Wood, or in some circles Alison Woods.
And I’m running for the Advisory Council. I’ve had the privilege of working with you over the past few years, shepherding your policy ideas, exploring different table topics, collaborating and advancing your ideas in the community.
I’ve served as a mentor and an advisor. I’ve been a fellow, a table talker, a chairperson and I’ve been on several committees within ARIN. And I’m very proud of the accomplishments that we’ve made together in those different avenues.
And in addition to serving on the Advisory Council, I have worked for the state of Oregon for 25 years as a network engineer and now as a network architect of data analytics.
And we serve, in the state of Oregon we serve several counties, municipalities, K12, higher ed and 40,000 end users. I’ve also volunteered on a few different Internet exchanges. And I continue to support peering in the state of Oregon and within the ARIN community of course.
My company, like yours, is directly affected by the policies that we discuss on the ARIN Advisory Council. So I understand the need to continually mature the NRPM and I also understand the technical repercussions behind those policies.
I am deeply committed to this community. I love the ARIN community. And I will continue to work hard to progress your ideas, to help your policies and from the text of our PDP, I am technically sound. I am fair and impartial. And now I seek community support. I would appreciate your vote to continue improving policies for all of us. Thank you, everyone.
Hollis Kara: And the award for the most — what was I going to say — the most creative use of the PDP goes to Alison Wood. There was a thought; it just had to get all the way through.
We’ll wrap up with our speeches for the NRO NC representative for the ARIN region. First up, Kate Gerry and Abby.
Kate Gerry: I apologize. I’ve not done public speaking. Never been my thing. I’m Kate Gerry. I’ve been a network director for 15 years now. I’ve been a member of the Internet since I was yayhigh. Been using the resources and have been wanted to give something back.
I volunteered on the PeeringDB admin committee a bunch of years ago, back when it had changed to the new format. I felt like I did an okay job. And now I’ve been working on volunteering with Paul on NinjaIX, trying to get that going.
But I appreciate your support. Vote for me if you want to, or vote for Nick, whoever you think is great. Thank you.
Hollis Kara: Thank you, Kate. Our final candidate speech will be from Nick Nugent, who is on his way up.
Nick Nugent: My name is Nick Nugent. I’m Senior Corporate Counsel at Amazon Web Services. And I appreciate the opportunity to tell you why I think I’d be a good fit for the NRO NC.
I’ve met a number of you at ARIN meetings or through just business interactions, but for those of you I haven’t yet met, I’ll tell you a little bit about myself.
I received my undergraduate degrees in music and computer science, but after a short stint as a programmer and an even shorter stint as a performing musician, I changed course. I became a lawyer and eventually joined Microsoft as one of the first Azure attorneys.
I also spent several years in business roles, both as business development director for Microsoft and as a senior product manager for Amazon Web Services.
In my current role as an AWS attorney, I support Amazon’s web services including CDN, DNS, firewall and networking. But most importantly, for purposes of this community, I support Amazon’s IP address matters. That work includes IPv4 acquisition, IPv6 deployment and number policy work.
I like to joke that I’m basically just permanently on call for Tina Morris and Amy Potter.
I’ve worked with a number of you on IP matters from IPv4 deals to cross-company collaborations on RPKI. And I also teach Internet law and governance at the University of Virginia School of Law, and it’s a major focus of mine to train up the next generation of Internet policy makers.
Why am I interested in this position? Because I’m passionate about Internet governance, especially when it comes to global policy such as the relationship between ICANN and the RIRs. We live in interesting times, to say the least, in terms of global policy. And I think Internet governance is increasingly going to become quite relevant. I’d like to be a part of it, frankly.
That’s what I want. But what about you? Why should you vote for me? What do I bring to the community?
Well, three things. First is my technical background. I understand addressing. I understand networking. I’ve worked for the better part of a decade on the core protocols and technologies that power the Internet.
Second is my policy experience. That’s what I do as an attorney, policy, wordsmithing. Considering how the slightest changes in word choice or phrasing or even emphasis can have significant consequences. Then communicating those and debating them and negotiating with other stakeholders, it’s just what I do as my day job.
And I’d apply that same attention to detail to global policymaking to identify policies in ARIN or other RIRs that could have significant global consequences or that could affect the relationship between ARIN and PTI.
And finally and perhaps most importantly, is what I don’t bring. I don’t bring an agenda. My role will be to shepherd the global policy process, not to use it to advance any policy preferences that I have. I understand that the primary mission of the ASO is to maintain civility. And I believe I can do that.
So I ask for your vote. And I’d be happy to chat with anyone afterward if they have any questions. Thank you.
Hollis Kara: Thank you. That concludes our candidate speeches. We’re going to take, approximately, checking the watch, just shy of a 30-minute break and reconvene at 3:00, for our Candidate Forums.
We’ll start with the Advisory Council Candidate Forum and then followed by the Board. So, please, everyone, enjoy the break. And we’ll see you back here promptly at 3:00.
ARIN Election Candidate Forum Advisory Council
Hollis Kara: Before we start the Advisory Council Candidate Forum, I’d like to give a brief reminder on how the Candidate Forum works and how it came about.
Several years ago, there was a request that we create an opportunity for the community to pose questions to our candidates.
The way that shook out is that a few weeks out from the meeting and the elections we put out a poll, we asked people what would you like to hear from the candidates about.
And we get submissions. We take a look at those to make sure they adhere to the ARIN Standards of Behavior. Once we verify that, we put those back out and, okay, these are the questions you gave us, which ones do you really like. We allow folks to vote on those.
The questions you’ll hear in these Candidate Forums have come up through that process. The AC will have three questions. The Board will have four. Each of the candidates will have two minutes to answer. And we will work through that in an order that will be established by our moderator.
One of the requests that came out of the election process last year was that we have a third-party moderator for the Candidate Forum to ensure impartiality.
So we have brought Paul Marshall in from Boyden who is going to lead the Candidate Forum. And I’ll turn it over to him. And I’d like to invite our AC candidates to come up and join on stage. The chairs are labeled. We’ll seat you in alphabetical order. If you’re not sure, check, there’s a sticky on the back of the chair.
We’ll do pass the microphone to answer questions. Everybody clear on the logistics. Are we good? I think we’re good. I’ll hand over to Paul and he will run the Candidate Forum.
Question 1: What experience do you have with ARIN registry policy development?
Paul Marshall: Excellent. Thank you, Hollis, for the introduction. I’m pleased to be here to participate in this panel. And as Hollis mentioned, we’ve got three questions for this group and two minutes each. Each in the interests of time, as everyone gets settled here, I think we’ll jump right in.
And we’ll start with the first question for Alison. And then I think we’ll move across to Douglas at the end. And we’ll go on screen to Jawaid, and then for the second question we’ll start with Jawaid and switch things up for the third. I was supposed to have a clicker, I think, Hollis.
First question — this is for Alison to start – what experience do you have with ARIN registry policy development?
Alison Wood: As a member of the ARIN community, I have submitted policies, some of which have become recommended policies as well as editorial policies.
I have served on the ARIN Advisory Council for two terms. And I have had the privilege of being the Chair of the Policy Experience Report Working Group, and that working group has submitted seven draft policies in the last 12 months. We’ve submitted more policies before that, but in the last year, seven, which we’re super proud of the work that we’ve done in that group and my fellow people on that committee.
My most or my largest accomplishment, though, is working with the community and helping the community bring about their policies. So you will frequently see me sitting at tables, doing table topics, and helping you guys to formulate your ideas and help them to become policy.
I’m also happy to meet with you in any social situation, in hallways, in meetings or even on our own time outside of ARIN meetings to discuss your policy ideas.
So that’s my biggest accomplishment as councilmember is helping you develop your policy ideas.
Paul Marshall: Thank you, Alison. Over to you, Gus.
Gus Reese: So what experience do I have with the ARIN registry policy development. I do not have any policies that I have actually introduced. I’m fairly new to the policy process here. But I do participate in the PPML.
I have been to ARIN meetings for the past few years. So I’ve given some feedback on draft policies that have come up for or come up at the meetings there.
So again, short and sweet, that’s about the extent of my policy development so far. My running for the AC, I hope to increase that knowledge base there for me.
Paul Marshall: Thanks, Gus. Kendrick.
Kendrick Knowles: Thank you so much. None. No experience. Next question. (Laughter.)
So, that is true, though, I don’t have any experience, but my intention is to leverage the experience I have with my private-sector clients and network design and obviously my carrier network experience and kind of find the intersection with both to provide some value to the council.
I believe there’s a good case to be made that the policies that you make and adaptation of those policies will be good to have a perspective on the council from someone who is obviously –who has clients affected by those policy changes. Obviously I worked on projects with ARIN to ensure, for example, that clients get preapproval and ensuring that 8.3 transfers are successful.
Long and short, no experience. This is my first time, but I am hoping my experience outside of the council will provide tremendous perspective on the inside this time.
Brian Jones: I’m currently co-shepherd on two draft proposals or recommended draft proposals for policy. I’ve spent the last few months working on the ARIN Advisory Council and I’ve learned about the Policy Development Process in that time and hope I can continue to parlay my experience into good policy development.
Gerry George: I have not originated, shepherded, crafted any policy. However, I have followed on — followed on the PPML. And on occasion, when there’s a discussion that I felt may be able to, a particular perspective could be represented, I weighed in.
Although I have usually found that most of the persons on there tended to be fairly comprehensive.
However, having said that, as a regulator, one of the things that we do is a lot of public consultation on policies, and so that exposure is something that I have really been involved in. We do consultation on public policy for anything that comes in.
And although the ARIN process is much more democratic, but the end result is really the same. You get input from persons and you make changes as required and move on and so on.
Douglas Camin: I also don’t have an extensive background in policy development with ARIN, but my background with many of the organizations I serve does include a lot of policy development experience, working with a financial institution, like a credit union, a member service cooperative.
We have a fairly democratic, with the board and other entities that manage the organization, process for policy development that’s pretty robust there. And of course working through government. I have a lot of experience with legislative work and things of that nature as well.
I’ve been doing a lot of research on reading up, because since I’m so new, understanding where this how this process works with ARIN. I’ve been deep inside the Vault on the website and things like that as well.
Paul Marshall: Excellent. Thank you. We’ll go to Jawaid on screen.
Jawaid Bazyar: Hi. I’m also a newbie to ARIN, I should say. I have 27 years’ experience operating service providers. And so all of my ARIN experience is kind of looking in from the outside. I think that experience, both as an ARIN customer for so long, and in operating companies that rely on ARIN heavily will be good and a much-needed perspective.
I don’t think there are any operators on the current Advisory Council, if I’m not mistaken. And I feel, a newbie or no, that perspective would be very valuable there.
Paul Marshall: Thank you, Jawaid.
Question 2: What is the biggest challenge, technical or otherwise, that you see on the horizon for ARIN? How would you see this challenge tackled?
Paul Marshall: Jawaid, I’ll start with you for the second question. The second question is, what is the biggest challenge, technical or otherwise, that you see on the horizon for ARIN? How would you see this challenge tackled?
Jawaid Bazyar: I think the elephant in the room is that there’s a huge sort of rebuilding at the Internet, what is this now, the fourth or fifth time we’ve chucked out the last technology and are replacing it wholesale.
And that comes with a lot of new companies and new operators, bringing services to markets for the first time.
And as I noted in my speech, many of those operators are struggling with lack of access to IPv4 resources.
We can all talk about IPv6 and how that will be the future. We can operate IPv6, but practically speaking, IPv4 is still an absolute requirement.
And this current digital divide where people are going to get very different Internet experiences between urban areas with large incoming carriers that have all the IP addresses they need plus more, and the smaller upstarts that struggle with lack of access to IP resources. I think that’s the key challenge, honestly.
There are many unused IP resources. And as a community we need to figure out how to, I think, juice things up and accelerate and simplify and encourage the transfer of those resources to where they’re needed.
IPs are a public resource and not, as was noted earlier, really a private property.
Paul Marshall: Thank you, Jawaid.
Jawaid Bazyar: Figuring that out is going to be quite the challenge, I think.
Paul Marshall: Great. Douglas, over to you. We’ll make our way down to Alison.
Douglas Camin: As somebody who is new here, this is a hard question for me. But I think for me, the answer is that I do a lot of listening to start.
So since I’ve been here, just a couple of days, talking to folks, asking questions, listening a lot, I hear a lot of things about the transition from IPv4 to v6, how does that look, what are ARIN’s roles in that, how is the encouragement, how do you deal with issues surrounding inclusive practices of distribution and things like that.
I think those are all things that appeal to me. I don’t know that I can give a definitive answer here as somebody who doesn’t have a deep history to say, oh, this is the thing that I see. But I do I think one of the lenses that I bring is an ability to look constructively at those things and understand them and try to figure them out, and that’s something I look forward to doing.
Gerry George: I think the slow adoption and resistance, actually, to migration to IPv6 will create an issue, when we do get to the eventual exhaustion of IPv4; yes, IPv4 has been depleted but there’s still a few floating around via viable waiting lists and transfers and allocations and so on.
What I think will eventually happen when they get to that point is it will introduce new — it will introduce things like arbitrage and companies finding ways around the policy so that they can still get IPv4 addresses.
And I think this will impact the existing policies where some of the policies will have to be adjusted for those specific eventualities.
Brian Jones: I think maybe training the next generation or a younger group of people and educating them on how to better utilize IPv6 or to start out with IPv6, if they’re a new organization, versus trying to cobble along with an older technology would be a good, a big I think it’s going to be a big challenge for the ARIN community and the networking community in general in this region.
Paul Marshall: Kendrick, over to you.
Kendrick Knowles: So I think that one of the challenges ARIN may have would be for future Advisory Council candidates scheduling these questions after lunch.
Because I’m so sleepy. But seriously, I scanned the candidates and I realize that I’m the youngest in the group. So apologies.
But seriously speaking, I think that as it relates to IPv6 as an example, with the sluggish global adaptation of IPv6, I think that ARIN — a challenge I think would be to resist the urge to be too involved with that. And I say that because I believe that ARIN is doing a good job as a registry, and I believe that most organizations have to resist the temptation to go outside of its core purpose.
And I remember looking at the formulas, a formula a guy popularized for change, and the gist of it is the level of dissatisfaction in anything should be greater than the cost of implementing the change.
I think that’s what’s happening with IPv6 in the region specifically. A lot of end users, and even some carriers, are sufficiently dissatisfied with IPv4 to accept the cost of change of IPv6. And that’s just my experience.
So I think ARIN’s ability to resist the temptation to get involved with that and channel its resources towards other things such as RPKI and maintaining a proper registry, I think would be a good thing to do. But it’s so tempting to get involved, right?
Gus Reese: What is the biggest challenge that I see for ARIN on the horizon? And this is, in my opinion, is participation from new members.
Perhaps we have members who have not participated, who choose not to participate in policy discussion. And over the past couple of years, you keep seeing the same people on the PPML, same people come up to the microphones on policy discussion at the ARIN meetings there.
While this is absolutely not a bad thing, but having some of the same voices may not always foster a full discussion or exploration of an issue or policy as well. So how to tackle this issue, man if I knew the answer to that I would be a rich person. A wealthier person.
ARIN is doing a lot of community outreach, perhaps further community outreach. And how I got involved into this was the last ARIN meeting, both Leif and Amy over there, I met with them during the social, and they encouraged me to get involved.
So perhaps more AC I know it’s not a job, but more encouragement from ARIN and its staff to get people involved.
Alison Wood: I find the biggest challenge right now for ARIN is RPKI adoption. And without RPKI adoption, we have instability in our routing tables. We have some insecurity on the Internet.
And I do think this is the biggest challenge for all Internet registries, not just ARIN. But the tackling has begun.
I work for the state of Oregon. We are recent RPKI adopters. And I found it was super easy. There are some really cool how-tos that ARIN has put out.
There were a couple of webinars that were super informative on how to implement RPKI. And the process took less than a day. And I think that as — so that was the tackling part.
And I think that as the word gets out, I think we’re going to have a lot more secure Internet and a lot safer Internet. So RPKI adoption.
Question 3: What purpose does the IPv4 Waiting List policy serve, and why shouldn’t it just be a single /24 austerity policy like in the other regions?
Paul Marshall: Actually, I was going to switch it up a little bit, start with Kendrick and come this way to Alison. We can move things over to Brian and finish with Jawaid on the screen.
So the next question. What purpose does the IPv4 Waiting List policy serve, and why shouldn’t it just be a single /24 austerity policy like in the other regions?
Kendrick Knowles: I think the purpose for IPv4 wait list policy is to ensure that there is an objective and fair way for persons to apply or request for free address space that was reclaimed or revoked from businesses.
And obviously it’s important that we have a way in which these organizations can gain address space, and I think the wait list pretty much supports that.
Should it be a single or steady policy like other regions? I think based on the statistics that we’ve seen today, and obviously we expect the wait list will continue to grow and grow to the point where it will be years before I think, if someone applies today, or two or three years before they get a response on availability. So I think that there is a case to be made for a single /24 policy. I think that will shorten the number of requests.
Paul Marshall: Gus.
Gus Reese: I’ll take this question in reverse order and answer the single /24 austerity policy first.
ARIN, I believe, is the only RIR that has a policy where you can request up to I believe it’s a /20 on the Waiting List there. And I’m in favor of moving that down to a /23 or /24 to bring it more in line with the RIPE NCC or LACNIC.
And yes, the wait times for certain RIRs to get IPv4 resources is long. I think the LACNIC said that with the current list, they will fill it by 2027. I think ARIN said by 2024. And NCC is in 18 months.
Then you have your APNIC and your AFRINIC, and they will issue you resources, but especially with APNIC, only if you’re a new member there.
So back to the first part of the question about what is the purpose or what purpose does it solve? A little bit of a cynic here. So in 2022, I don’t believe that it has a purpose other than a glimmer of hope to obtain a small amount of affordable IPv4 resources. And as long as you keep paying your ARIN bill, it’s yours.
There is a lot of inequality in the marketplace right now. And if you have the financial resources, you can obtain IPs as much as you want.
But ARIN still has that needs-based justification. So that prevents private equity firms and whatnot, people with deep financial pockets from buying up all the resources and then hoarding them.
So IPv6 is not the answer today. New startup ISPs in developing markets have every incentive to adopt v6, yet they cannot sometimes do that and default to v4 just because of maybe a vendor issue, maybe a small ISP in Bogota, Colombia is firing up and they need a /24 or /23, yes, they went to LACNIC, got their AS number and they got their initial v6 allocation but the vendor for the equipment doesn’t support v6. So they would need v4 for that. That’s my time.
Paul Marshall: Thanks, Gus.
Alison Wood: The purpose of the wait list is to distribute IP address space to community members that demonstrate a need for that space. And it’s made up of the reclaimed and returned IP address — well, occasionally returned IP address space, and different members of the ARIN community have distinct and unique IP address space needs.
And the NRPM has set policy on how much space can be requested to discourage fraudulent use of that space. And on the Advisory Council, that’s something we put a lot of time and effort into.
Currently the maximum size you can receive on the wait list is a /22. And customers holding an aggregate of a /20 can even receive space off of the wait list.
Because of the allocation of what you get on the wait list is based on a needs assessment, I have less apprehension about keeping it to a /24. However, after Mr. Sweetings’s presentation this morning, we can meet a lot of needs if it is limited to a /24.
So I look forward to any policy ideas that might come in on that. Thank you.
Paul Marshall: Thanks, Alison. Brian, over to you.
Brian Jones: I have to agree. After seeing John Sweeting’s presentation, I will be in favor of lowering the Waiting List allocation to a strict /24.
The Waiting List serves the community in that for the available IPv4 space left, a way to fairly disseminate those addresses across those who demonstrate need for those addresses and maybe for many of those smaller organizations that need those as well.
I’m in favor of the Waiting List.
Gerry George: The purpose for a waiting list or the purpose of the Waiting Wist policy serves: Simple, efficient allocation of resources. And there’s scarcity, so there needs to be some method by which those resources would be allocated to persons.
The policies currently look at the needs of the community. Someone making the request has to demonstrate that need. And upon analysis, upon review, then that determination is made.
Should there be a shift to a single /24? Well, all of the members of the, not just members, all the operators within the ARIN space do not have similar needs. So would a single size fit all? Maybe. Maybe not. We’ll let the membership decide. We’ll see if policy’s presented to address that.
Douglas Camin: For me, of the three questions this is my favorite in part because it allowed me to get real curious about things, what goes on here.
I spent a bunch of time doing research, reading up on the wait list. I looked at RIPE’s policies and what’s different there, trying to understand.
And I talked to some of the other members of the Advisory Council just to feel stuff out. Like, this is new to me. Do I understand this?
When I was answering this question to myself, I thought about the framing of the question is, really, compared to an austerity policy, what’s the purpose of what we have?
And I think that, as a couple other folks had pointed it out, one of the really critical pieces was data to this. And the data presented this morning was pretty compelling.
And if I’m going to [talk] about what happens if it’s moved to a /24. And you know for me that comes down to the ideas of about, if there’s one bias I’m going to acknowledge when I’m in a democratic-framed organization, it’s a bias towards inclusivity and being approachable to broadening out the base of what’s there. And I find that to be a worthy cause if this policy does get revisited.
Paul Marshall: Thank you, Douglas. Jawaid, we’ll go to you on screen.
Jawaid Bazyar: The Waiting List policy is just a fact of life. There was, as noted earlier, there’s a limited source of address blocks and much more demand. So first-come, first-served.
And I think ARIN chose to do /22s instead of /24s. And yes, it’s because of the differing needs of folks.
Look, if I’m a network operator and I can only get a /24 every couple of years, that means I can only add 200 and a few customers every couple of years. That’s not a practical solution for service providers.
If I’m an enterprise and I need a /24 just so I can do BGP or something, sure, that might be a workable solution.
I think the austerity policies handing out just /24s in the other regions is premised on the idea of you get a /24 and you stick it in front of your CGNAT but you’re otherwise an IPv6 operator.
And CGNAT adds a lot of complexity and significant costs. I don’t know if any of you have ever priced CGNAT systems. But if I’m a startup, in many markets in the country, that’s just not going to happen. You’re looking at hundreds of thousands of dollars and up.
Not to mention the CapEx and the operational costs. So I would say ARIN should not only not have a policy of restricting these to /24s, but I think the focus should be on the supply side, what can ARIN do to encourage and foster organizations that have IP resources they’re not using to return them for the benefit of the community.
Paul Marshall: Thank you. And that concludes our Advisory Council Candidate Forum. Thank you.
You did great. Thank you.
Hollis Kara: We’re running a little bit ahead of schedule, which is not a bad thing. I think that we’re going to go ahead and move into the Board Candidate Forum next. Paul will stay up here to moderate that session as well. If I could invite our Board candidates that are in the room. Do we have our virtual candidate online? We don’t.
Hold on one minute. Everybody just keep on coming up.
Beverly Hicks: Our virtual candidate is not available. We’re watching in case he does show up, but at the moment, we still don’t have him. He was expected about 20 minutes ago.
Hollis Kara: Looking to Mr. Sweeting and Mr. Curran, do we want to proceed with our six candidates in person, or do we want to wait to see if our virtual candidate joins online?
It was supposed to start at 3:45, but he was supposed to be online by now.
So we’re going to — sorry, guys. It was a fire drill. You did a great job coming up on stage. If I could get you to go back down . What do we want to do?
We just had a break. Is Mr. Blumberg in the house? Kevin, do you want to come up and talk about the ASO AC?
The Board candidates will hang out here to be a supportive Greek chorus. They may sing; they may not. I don’t know.
Was he here?
Beverly Hicks: Does Mr. Blumberg have slides?
Hollis Kara: Mr. Sawyer is running to get Mr. Blumberg. I feel I need to do a play-by-play. Is he on the terrace?
Beverly Hicks: Ms. Kara, does Mr. Blumberg have slides?
Hollis Kara: He does have slides. That would be the ASO deck.
John Curran: I’ll ask that the candidates step down. We’ll do a brief 15-minute presentation on a global topic, and I’ll handle that and we’ll come back up in 12 minutes.
Hollis Kara: If my Board candidates will leave the stage, we’re going to let Mr. Curran come up and do a 15-minute improv set, for which I’m sure he is abundantly prepared.
And I do thank him for saving me when my backup presenter didn’t know he was expected. Really, we can’t get mad at Kevin.
Global Internet Number Registry System Update
John Curran: Good afternoon. I’m John Curran. I’m not a candidate for the Board of Trustees. But I am on it as virtue of being CEO of ARIN.
What I want to talk about is I want to talk about the development that’s happened in the Global Internet Number Registry System.
I talked about this earlier this week at NANOG. And I wasn’t planning on giving it here unless we had free time, but we seem to have ourselves some free time.
So I’m trying to think, do you guys have the presentation queued? Working on it. John, you’re working on it? We’re working on it, okay. Mr. Sweeting is getting my presentation up.
The topic has to do with the fact that we have one Global Internet Number Registry System, but it’s operated by five RIRs. In general, we don’t get involved in developments happening at other RIRs because, well, each RIR is a member-governed organization not-for-profit that’s operated by its members and their elected governing bodies.
And so we don’t really pay attention. We do pay attention to policies and a little bit of coordination, but in terms of the governance of each organization, we leave that to each area.
But we’ve had developments recently in the AFRINIC region that we probably want to bring the community up to date on. And the reason for that is because we have the potential of having an impact to the Global Number Registry System as a result of developments in AFRINIC and it would affect everyone.
So ARIN has been taking actions over the last few months, as have the other RIRs, to help avoid any issue. And so I want to talk about what the issue is, where we are, what we’ve been doing. So when people ask you what’s going on there, you can answer.
It’s not good enough to have a global registry system that just works in some of the regions. We need one that works in every region.
So they’re working on getting my presentation up. Beautiful. I did give this at NANOG. So it’s a repeat for some of you. But some of our attendees are just ARIN attendees. I see people nodding and shuffling.
I can sing in the meantime. No, let’s not do that. I could tell jokes but that’s almost as bad. All I know is like poor IPv4 address jokes. It’s a flurry of activity back there.
Remote participants stand by, we’re working on this.
There we go. Wonderful. I already said this. John Curran, Global Developments. Five RIRs. I think everyone in this room knows that. Nothing new there.
We don’t normally comment on disputes or related litigation occurring in another RIR. Not necessary. Each RIR handles its own affairs.
But in this case we’re going to provide some insight because we have been involved because this particular dispute has managed to spill over into areas that could affect the whole registry system.
So legal developments: There’s a legal case. Here’s how it started. In 2020, AFRINIC completed a registry audit.
One of their customers, they required more information of, a customer called Cloud Innovation.
After not getting enough information or information that didn’t explain the situation, they made the determination that resources weren’t being utilized for the purposes for which they were issued and would be revoked after suitable time to migrate the customers off.
Cloud Innovation, its principal Lu Heng, has a number of business entities, he disputed AFRINIC’s authority to do that and thought that that was not appropriate, and therefore went into litigation.
He engaged several legal actions in the courts of Mauritius to prevent the return of address blocks to AFRINIC.
Now, I said this before in another forum. There’s nothing wrong with parties going to court. It’s no good having agreements if the rights that you have under your agreements you can’t enforce in court, regardless of whether that’s ARIN or another RIR.
You all rely on the fact that the agreement means something. So, in general, if you think that your rights aren’t being protected and you can’t work them out and mediation doesn’t work, you should go to court. That’s nothing unusual there, and that’s not a circumstance we’d normally be talking to you about.
However, one of these motions froze AFRINIC’s bank accounts preventing payment of its staff, colocation, communications facilities, et cetera.
Now, that’s a whole nuther matter. When you start freezing an RIR and their bank account, you endanger operation of the global system because we need everything running. Reverse DNS likes servers. So does RPKI. There’s a number of things that just stopped working. Staff like to be able to answer the phones.
This is the type of action that could unilaterally affect the entire registry system. It’s at this point that ARIN got involved because clearly that was a case where we all had interest in having a stable registry system and this was working contrary to that.
After a number of legal activities, the freezing order was removed. AFRINIC was allowed to access its bank accounts.
There was then another one. An injunction was entered in court preventing AFRINIC from holding its annual elections.
Sort of the same related thing, the AFRINIC needs to have a governing body and they need to be able to have quorum and hold their elections. This led to a situation where, after the election, after the annual meeting, AFRINIC was unable to have quorum to hold a board meeting.
And that’s problematic because so many things in a corporation requires a Board to take an action. And they’re literally unable to do that as a result of this sort of injunction.
And recently a registered member of AFRINIC sought the appointment of Directors to the Board to solve that problem on a temporary basis based on a list of proposed candidates provided by the African Telecommunications Union.
It was Eddy Kayihura, the CEO of AFRINIC, who did that filing. So that’s the level of the developments we’re talking about, developments that could potentially impact the operation of an entire portion of the RIR system.
There’s also litigation related. There’s more than 40 claims. The majority of them are from Cloud Innovation.
When you look at that, look at just responding to that level of order, the freezing of the accounts, the resulting interference in operations, including the inability of the Board to meet, it ends up being a sort of systemic problem that’s not just about protecting rights in court. It really does look like a challenge to the successful operations of AFRINIC.
So as I said, when the injunction prevented elections, they had no quorum. They’re seeking court relief to do that. We’ve been involved. We’ve been involved in aiding AFRINIC in terms of responding to some of the suits, financially helping them with when you have a large number of legal suits, you need to have legal support.
There’s been suits personally filed against individuals regarding their statements. When communication was made to the members, it was deemed, in some cases, to be communication that Cloud Innovation took offense to and moved to do filings against that.
So we’ve had individual charges levied regarding slander and libel. So we’ve been involved in helping support AFRINIC through this, both individually as ARIN and collectively. The NRO has helped defray some costs because this doesn’t look like a normal activity. This actually does look like something, an attack on the registry system as a whole.
There’s an organization called NRS. There’s also an organization called the NRO. I guess I need to put them on the same slide. NRO is the Number Resource Organization, the five RIRs working together.
The NRS is the Number Resource Society. In no way affiliated with the NRO. The NRS is an organization that purports to want to improve the governance of Internet number resources and does appear to have an affiliation with Cloud Innovation.
There’s been a public campaign relations campaign by the NRS against AFRINIC’s CEO and against individuals who have provided support for AFRINIC, and this is unfortunate because it’s the type of thing that should be discussed openly in a community, not being done as a smear campaign.
NRO public response. We actually did, at one point through the RIRs collectively, we actually did draft a letter and send it to the government of Mauritius. And we noted that all parties should be able to enforce their rights in court, but at the same time you have to make sure that AFRINIC, which is an inherently international operation serving many countries, is able to do its operations and should not be subject to being come under attack that could actually operationally suspend its activities based on a party that’s overseas and doing this coordinated sort of effort.
AFRINIC did seek a status as an international corporation, which wouldn’t actually change the ability to seek legal recourse in court in general but would make sure there’s a level of due diligence and a level of care in doing that.
It would just be notice that AFRINIC was operating in an international basis. And we asked the Mauritius government to be aware, you have an entity in your economy that serves many countries, not just Mauritius.
We also have done some communications. You can find blog posts January 2021 and August of ‘21, and then a message that the RIRs sent in support of AFRINIC in June of this year.
So we are again supporting AFRINIC. We hope they’ll be able to come to resolution on all these matters. We don’t in general comment. But this is something that’s above and beyond the normal sort of legal and mediation arbitration activities that each RIR goes through.
With that, I’ll say thank you and I’ll ask for any questions. We have time for one or two. We’re right back on time.
Rear microphone. Go ahead.
Dave Rodecker: Thank you for the introduction to this.
John Curran: Name and affiliation.
Dave Rodecker: Dave with WISP.net. I’m curious, what was the internal audit that started this process?
It almost seems like this is a good case for precedent because if similar audits were done by other RIRs to evaluate how people are using their Class A’s, for example, it might be of interest to see another means of recollecting some old IPs that aren’t in use. And is that what we’re looking at this one excitedly for?
John Curran: All the RIRs do various audits of their registry at a different extent. And in general that doesn’t really, it may cause us to find resources that are abandoned. But in general, when you do a registry audit, you are just making sure that all the transactions were processed properly.
And in this case, and make sure when you issue addresses, that they’re issued according to policy.
So a registry audit is something that’s a very routine thing. And often they’re worked out with all the customers. If you have an issue, need more documentation, you go get them. Obviously that wasn’t the case in the AFRINIC matter.
Tony Tauber: Hi, Tony Tauber, Comcast. Just out of curiosity, if you could describe it briefly, like what was the, what were the grounds for having the injunction against the Board elections?
John Curran: And I can go into the details. The AFRINIC website has some of the information online.
AFRINIC made some decisions in order to have its Board election about which officer seats would be up for election. And it was a technical matter of interpretation of the bylaws, about whether or not you could continue seats or not.
And again, that’s the sort of thing that I understand you want to have discussion with the community and you want to have discussion with the courts, but you don’t want to leave AFRINIC unable to operate. It’s really the leaving AFRINIC unable to operate that’s the problem.
Tony Tauber: Procedural type of thing.
John Curran: Right. Rear microphone.
Nick Nugent: Nick Nugent, Amazon Web Services. I was wondering, if you could just break down a little bit more the risk to the global RIR system by virtue of what’s happening?
Maybe even sort of a worst-case scenario. If they can’t administer their numbers, what happens technically in other regions, or is it more of, if it could happen there, it could happen to us?
John Curran: When you think about a service like RPKI and you want to go validate what you’ve received, the ROAs, if you can’t find the other repository because it’s gone offline, you can’t validate all of that; things time out.
Same with DNS. We delegate services; the root service delegated particular blocks to all of us.
In some cases, RIRs are serving blocks that are mixed /8s which have other parties in them. So your resolution chain may bounce around a bit. If an RIR goes offline, all the resolutions related to the blocks held, including ones that have been delegated in and out, fail. So you could have quite a few operational impacts.
Nick Nugent: Thanks. That’s helpful.
John Curran: At this point I’m done with questions. I’d like to thank you and look forward to going back to the Board candidates. Thank you.
Hollis Kara: Thank you, John, for helping with that interesting swerve into reality programming.
ARIN Election Candidate Forum: Board of Trustees
Hollis Kara: I’d like to rewind. Let’s try this again. If I can get my Board of Trustees candidates to come back up and join with me on stage along with our moderator, we’ll get ready to get started. And we’ll get our virtual candidate queued up as well, he’s been able to join us.
We’ll follow approximately the same kind of format as we did before. I’m going to hand off to Paul.
Paul Marshall: Welcome, everybody, to the Candidate Forum for the Board of Trustees. As Hollis said, we’ll follow a similar format and we’ll start with Bill for the first question. We’ll move our way down to Naseem, and then we’ll go virtual with Muhammad and then flip it around and switch it up a little bit for question three and four.
Question 1: In the ARIN region, do you feel that parties should be able to receive transfers of IPv4 address blocks if they only intend to use them to lease to others?
Paul Marshall: The first question: In the ARIN region, do you feel that parties should be able to receive transfers of IPv4 address blocks if they only intend to use them to lease to others?
William Sylvester: I actually feel that we need to deconstruct this question down and really understand what it means to say only intend to use them to lease. Because we could argue that many organizations lease or already have certain relationships with the way that they establish IP addresses.
And so within our industry, I think, the intent of this question was to say should we enable organizations to finance or otherwise provide financial abilities to have that as their primary purpose of business.
This goes back to the whole discussion, in the early days of the Internet, you had a physical path like copper, fiber and a virtual path that was IP addresses, and should that be required as what was the purpose of an ISP.
And what we found is we have an evolving market that’s evolved over the last 10 years. You have certain organizations that have large amounts of capital to be able to go and purchase numbers on an open market, and you have other organizations that could only afford to purchase numbers for certain products if they can pay for it on, say, a monthly, quarterly, or annual basis.
So within that, I would say that we want to provide fairness to all parties, all members, to be able to enable them to get the numbers they need to facilitate their business.
And as an organization that enables that, we should at least provide an ability to think outside the box and understand what that means in regards to how we keep the Internet growing and stable and secure.
Robert Seastrom: I think that this question is a little bit loaded in that this is a question that ultimately ought to be answered by the community and the members via the Policy Development Process.
As a Board candidate, I pledge to you, the members, to make sure that there are appropriate risk and governance guardrails around existing and future policy proposals. But let me talk about the elephant in the room here.
IP addresses are expensive. The free pool is empty. Are IP addresses just for organizations that can pay cash on the barrelhead? There is no pay-as-you-go method at this time.
And I think, when I talk to members, when I talk to people in the community who aren’t members, that that’s a problem that we’re going to have to solve if we want to serve our constituency well.
And so, I ask the usual people and the unusual people, the people who have written policy proposals in the past, and the people who are thinking about writing policy proposals in this area in the future, to bring us some good ideas.
Bill Sandiford: Thanks, R.S. I think my answer to this question is wholly in line with what the first half your answer was, R.S. People look at me, say way to go, Sandiford, way to sit on the fence. But I believe as somebody who is on the Board and is a Board candidate, I believe that is the answer.
My opinion of whether or not IP addresses should be able to be leased or whether or not organizations should be able to receive transfers, if their sole intention is to lease, doesn’t really matter. It’s a question that needs to be taken up by the community and the members.
Policy needs to be made one way or the other. And our role as a Board is to ensure that the Policy Development Process gets followed. And that’s basically my answer.
I don’t have a personal preference. I like to see IP addresses get used. And we’ll leave the community and the members best to decide whether or not that’s the right way to go. It’s irrelevant to me as a Board member.
Hank Kilmer: I think you’re hearing similar answers here in that this is a loaded question, in some respects. And that IP addressing is expensive. And as a community, we need to figure out how to solve that.
If ARIN had a huge influx of money, it could buy up the address space out there and then fairly distribute it and we don’t need the wait list and things like that. But that’s not reality.
The reality is this does exist. And until there’s policy put together around it, guardrails for it to make it fair, and attention made at bringing down some of the costs to smaller organizations and things like that to get access, the more ubiquitous access for everybody, it’s going to be a challenge. So as a community we all need to work at that.
It’s not just transfers with the intent to lease. That’s across the board for this. You’ve heard in this whole meeting, there’s address space not being used, how do we encourage the reclamation of that or the use of that.
And that’s been a challenge for ARIN and the other registers, and it still is. And it’s getting bigger as a challenge in these days because of the length of the wait list and the problems and, quite frankly, the money involved. That’s my answer.
Ron da Silva: I think what’s interesting is these questions came from you. So the process that was used was, a number of questions were submitted and then priority was given to them and the surviving questions were the ones we’re addressing. This is one of them that is probably more policy directed.
That’s why I think what you’ve heard so far from everybody is the expectation as a Board member is the policy recommendations come from you.
And we would then look to see the AC ratify it and ensure the process is followed and the Board would then adjudicate it or implement it or ensure at least the CEO implements it.
I’m not going to depart from that. Certainly that’s the right structure and process. But this particular topic, I think, is maybe the intent behind it was to figure out are we prejudiced in this space? Do we prefer to allow a company whose business is a leasing company, or is this somehow trying to figure out, are you a broker, does that impact what your position on this might be as a Board member?
I don’t know. I don’t have any of those conflicts. And I would certainly look at this from a pretty objective position of, what does the community want? Does this disenfranchise different members of the community who have a different business case than others? Is it general consensus that we should go that way or not go that way? That’s how I would look at this.
Naseem Bawa: I think so far you’ve heard a lot of policy considerations. And I agree about the role of the Board. From a first principles perspective, what I think is really important is maintaining an accurate registry and being — I guess the transfer process ensures that there is an accurate registry. And the user is scrutinized to make sure that they meet whatever the standards are.
So if changing to a leasing scenario allows for those two things to happen, I think that leasing would enable small companies to afford an asset that they wouldn’t otherwise be able to do it.
But the appropriate processes need to be in place to ensure that the basic principles are followed.
Paul Marshall: Thanks, Naseem. We’ll move to our virtual candidate, Muhammad.
Muhammad Adeel Javaid: My response to this question is, lease should only be as possible to the extent which is some organization has an assignment and they don’t no longer need the assignment.
So if that organization is current with the fee, with the registry, it can do a procedure that we can establish through a policy at the registry. So it can be through a procedure, then transfer it to an organization that has an approved assignment of IP address and because of the scarcity of assignable address, it’s still waiting for such a location.
So this policy can also eliminate the warehousing of IP blocks and can also enable the organizations who rotate the IPs among the organizations that need it and they would be the corporate bodies or they would be the ISPs or some other organization.
So I think it should be permittable only to this extent. But only the transfer of IPv4 blocks, just for the purpose of leasing it, I don’t think that it is a good thing and should be discussed.
Paul Marshall: Thank you, Muhammad.
Question 2: No organization is perfect in its operations. How would you make ARIN’s operations, both the good and the bad, more transparent to membership?
Paul Marshall: We’ll move to the next question. Muhammad, we’ll start with you for this one.
The question is: No organization is perfect in its operations. How would you make ARIN’s operations, both the good and the bad, more transparent to membership?
Muhammad Adeel Javaid: Should I start?
Paul Marshall: Yes, please, Muhammad.
Muhammad Adeel Javaid: When it comes to the operations, we need to make the process of IPv4 block allocation clearer and more transparent, and we also need to enforce compliance to discuss IPv4 warehousing.
So IPv4 quota should be specified for operations and fair and transparent audit should be conducted for the enforcement of the quota and the release of unused IPv4 blocks for the ISPs.
And for this, ARIN should also focus on attributing to training and understanding the general capacity building and enhanced reach to the Internet around the world.
So to achieve this, we need to establish collaboration with our members, and we should motivate them that they should introduce those subjects that are part of ARIN’s mission into their training and capacity-building system and they should also educate their own staff, and we also need to motivate the Internet users and we also need to educate them so we can introduce all these initiatives.
And I hope that this will improve the operational efficiency and the credibility of it.
Paul Marshall: Thank you, Muhammad.
Naseem, we’ll move on to you and work our way down to Bill.
Naseem Bawa: I agree no organization is perfect. And I think this morning one of the speakers said some policies work and some don’t. And so you work through them and you try and make them better.
We also heard from the intellectual property bar this morning that the failure of registrations on reassignments created difficulty with them trying to figure out where the intellectual property, how they could enforce intellectual property rights.
So it’s not perfect, but I think that ARIN does a pretty good job in terms of engaging with its stakeholders and listening to them and putting a lot of information on the website. As a newcomer to the organization, I’ve learned a lot over the last few weeks.
And so I think generally, as long as the organization is willing to listen to its stakeholders and continue to improve, I think that’s what they can do. Perfection is not something that’s easy to achieve.
Ron da Silva: In preparation for this, I looked at what communications ARIN provides today to its membership. I think there’s several things that are good to look to when trying to understand how is the organization operating, what metrics may make sense to provide some sort of context on effectiveness.
Annually, the strategic plan is published. Membership gets that. There are quarterly reports that the CEO and the senior team provides to the Board. And there’s an annual report that goes out. So these are definitely things to look to.
And in those, right now it reads mostly like activity reports. Here are the things that are happening, here’s what we’ve accomplished, here’s what we achieved, here’s what we think we’re going to achieve next. It’s not really providing a objective metric to those things. It’s really just a reporting of these things.
So perhaps that’s the first place to look. And this would be something for the Board to take up with the CEO on what kind of metrics can be created around various activities and objectives and then finding a way to maybe integrate that into the existing communication channels.
I guess one other is just the regular blog update. When there are out-of-sequence or out-of-cycle communications, you see that happen on a regular basis, at least monthly there’s something coming up through the blog. So the vehicles are there. Perhaps there’s some layering of metrics to put on top of it. That would definitely be something that the Board could do in concert with the CEO. Thanks.
Hank Kilmer: I actually did a lot of what you just said in terms of looking what’s out there. And as a member organization, there is a lot of data out there.
And one of the things, when you run operational organizations, is constant review of what you’re doing and what your policy is and what metrics make sense, what’s helpful, what’s useful, both shows the good and the bad but also the trends and things like that.
And so a constant review of that. But one of the other important aspects that you just touched on is you can layer this stuff into the tool sets that you already have and into your methodology for dealing with things. And so each iteration gets more data without it being a big burden and cost.
One of the things running an organization, you’ve got to be aware you can ask for all the data in the world. It may be expensive or difficult to get to. So taking a regular approach of reviewing and looking both at the method of operation and how things are being done and adding more and more sort of each cycle is a very good way to get more transparency, more data out there for everybody.
But one of the other things I would ask is, is there data that you all would want to see that isn’t out there? Because you can also target to get data.
But I think I would love to see a regular process of deeper and deeper, more interesting data. There’s already a lot out there, though.
Bill Sandiford: When I was reading this question, when it was presented to us, I was caught at sort of the generality of question, where it talks about ARIN’s operations. And there’s many types of operations in an organization like ARIN.
There’s the business operations, the financial operations, the technical operations. And I think the answer can be different for all of them, and the question didn’t really specify on any particular one.
So I tried to come up with an answer that I thought might be applicable across the board. I think the answer is that the organization’s position on transparency, regardless of financial, technical, et cetera, should be to be transparent in all cases except for when doing so is harmful to the organization.
So if there’s data or information that we have, whether it be a technical nature or financial nature or anything else, and the disclosure of such isn’t harmful to the organization in terms of its cybersecurity, in terms of its HR recruiting efforts, or whatever that case might be, I think that the answer is to choose transparency whenever possible.
Robert Seastrom: Thank you, Bill. It will come as no surprise that my response echoes my other colleagues up here.
We collect data that’s we think is going to be important. We publish it on a cadence that we think is appropriate. I think it’s important to close the loop on that and make sure that it is what the members think is important and that we are fully covering what’s expected to be collected, what’s expected to be published.
Publishing to the maximum extent that we can without causing risk to the organization by divulging things that we oughtn’t and on an appropriate cadence.
But there’s a second layer to this, which is making sure that the information is easily findable and making sure that there are easy ways to find where we put things even when it’s not quite clear what it’s called.
We shouldn’t be falling back on Google. We have should have centralized repositories for all of this data that we collect and publish and make sure that it is easily available to all stakeholders who might want to look at it. And that’s as important a part of the transparency as what we collect and publish.
William Sylvester: So as I look at this, the thing that comes to mind the most is really the adage of garbage in, garbage out. If we’re not getting the right data to put into this reporting that’s made available for the community, then what we’re going to get out of it is not going to be something that’s going to be useful.
ARIN already provides an incredible amount of data as we’ve been discussing. And within that data that’s provided, I think they do a pretty good job overall. But within that, it would be helpful from an organization and definitely from a Board perspective to make sure that we have the frameworks in place for appropriate goal setting, targets, key indicators, to make sure that the information that’s going into these reports is both the information relevant to the organization and relevant to the community.
And all of these should have feedback loops because transparency without accurate data isn’t really transparency. And so with that, I would say we should be transparent where we can. We should be transparent where the legalities and confidentiality or other harmful things to the organization prohibit us from being transparent.
And those should only be not transparent when it’s truly vital to the organization to do so. Secrecy has no purpose here and especially in a community bottom-up organization, I think it’s very important to have transparency throughout all aspects of operations from finance, technical, legal.
You know, we saw a presentation right before for this that was incredible from a transparency perspective because many organizations would wait until something else happened. And so with that, I think it’s just important to maintain that commitment to the community to always be transparent.
Paul Marshall: Thanks, Bill.
Question 3: Roughly six percent of ARIN’s budget for 2022 is earmarked for travel meetings. During the pandemic we have learned not all interactions could be replaced virtually; however, many, many could. Given the pandemic virtual experiences what strategy should ARIN have on evaluating what travel brings good value for cost to the organization and community?
Paul Marshall: Okay. Our next question, and I think for the order of this one, we’ll start with Bill this time and move down to the other Bill, and then we’ll switch over to Hank and finish up on screen.
With that, Bill, Bill Sandiford.
Bill Sandiford: I go Bill. He goes Billy.
Paul Marshall: We’ll call you Billy for the duration.
Roughly six percent of ARIN’s budget for 2022 is earmarked for travel meetings. During the pandemic we have learned not all interactions could be replaced virtually; however, many, many could. Given the pandemic virtual experiences what strategy should ARIN have on evaluating what travel brings good value for cost to the organization and community?
Bill Sandiford: This is a great question. I thought a lot about this. I think the answer is that different interactions that we have with people sometimes require different ways in that we have those interactions. We had to learn very quickly in the pandemic ways to have all of our interactions virtually.
And we were able to learn that some of those worked well and they were types of interactions that could continue once the pandemic came to an end.
And we realized that some of those didn’t. There’s just sometimes when you need to be face-to-face. You need that more intimate interaction with people in terms of reading their expressions, reading the way the conversation’s going.
And, quite frankly, we can sometimes just get more out of the social interactions with people and whatnot that leads to better meetings.
So in terms of a strategy for evaluating, you know, we need to look carefully at all the different types of things that we do. Look at the experiences that we had throughout the pandemic as to what worked and what didn’t work and put policies in place to allow for a virtual experience in the areas where it worked and continue differently in areas where it didn’t.
Robert Seastrom: I did a little bit of research, and the number that everybody’s wondering about for context here is 8.5, which is the percent of our 2019 budget that was dedicated to travel and meetings.
About five percent for travel and about three and a half percent for meetings. We had our hand forced for doing virtual, all virtual meetings.
And we found out it was better than nothing but not as good as in person. Yet having a really good hybrid story increases our constituency. Not everybody can afford to travel to an ARIN meeting. Not everybody can get the time to come to an ARIN meeting. But these are people whose input and participation we value nevertheless.
When I look around this room, I see a whole bunch of people that I saw at the social last night.
You don’t get that in virtual environments. When I look around this room, I see somewhere around a quarter or a third that I actually have in my phone. You don’t get that magically overnight and it doesn’t happen over Zoom.
So when we think about our duty to the newcomers to this community, the new members in this community, the people who are building up those relationships, we want to be very careful to not let the fact that I can pick up my phone and text or call many people who have been around this community for a long time cloud our judgment as far as what constitutes good value for the cost, for the organization, and for the community.
William Sylvester: I don’t think anybody debates the value of hybrid or a virtual type of experiences. I know we all experienced different ways that we dealt with being apart.
But with the question of what is the strategy that ARIN should have in evaluating travel, I think that what we really need to be thinking about is how ARIN brings value through travel, and whether it’s members of the community, the staff, you should always have a purpose.
The strategy should be that travel enables a purpose and that purpose is the purpose that forwards the needs of our community, forwards the needs of interacting with other communities. And ultimately, we get value through that execution.
In the sense of needless travel just to travel, every organization is going through difficult times. We’re hearing of economic troubles globally. We’re hearing of organizations, large organizations putting on hiring freezes. And we expect that travel budgets are going to be one of those things that are going to be attacked.
And so with that, that’s where you need a logic and you need a framework where you check boxes and you have diligence, and that diligence is important to make sure that we’re doing what’s necessary to be financially responsible but also meeting the goals and needs of the organization.
Paul Marshall: Hank, over to you.
Hank Kilmer: You’re hearing a lot of the same stuff in that we’ve learned that some stuff works well over virtual, but there’s huge value in the hallway conversations or the patio conversations and the social conversations that happen and there’s that relationship building that’s very difficult to happen virtually.
So I think that we’re all in agreement with that. I think the world learned that. So in evaluation of which makes sense on what the goal is for ARIN is something that we need to put frameworks around and make a good judgment call for.
But I would also point out that one of ARIN’s challenges is and always has been getting more and more community involvement and to more and more reaches of its constituency.
And so the more availability that people have to participate with the hybrid, with virtual, with other things, the better.
But it’s a two-fold answer in that we need to put some smart policies around the evaluation, but we also need to keep driving for more community involvement and how best to do that with our outreach and things like that that we’ve done is something that we need to — it’s a constant work effort that we need to stay focus on.
Ron da Silva: I did some homework on this as well in preparation of the question. Looking back at the budgets for the last few years, it’s pretty consistently around six percent. The budget goes towards travel and meetings.
I did see it around five percent in 2021. No surprise there. But if you break it down further, about two percent of that six percent goes towards facilities like this, parties like last night. So it’s the meeting component of it. And there’s real expenses to hosting a meeting.
And then the other four percent is the travel component of it. If you think about that being split in half, there aren’t the details there, but I’m now speculating based on my experience in other environments, but if you take about half of that, that’s really funding staff to be here to support the meeting. That’s the executive team to be here to provide updates on what’s happening throughout ARIN.
That’s having the Board members travel to the meetings. It’s having the AC members travel to the meetings. It’s a big expense associated with the meetings and having people come to the meetings.
The remaining two percent is probably the question where I would focus this. And that’s additional activities that ARIN has outside of the two meetings a year. And certainly one thing that COVID has done for, I think a lot of people in society, we have this view in the Internet sector we’ve been doing Zoom all the time, what’s the big deal.
The rest of the world is now realizing, oh, there are things that can be done via Zoom or whatever other video conferencing platform you want to use and I don’t actually have to go.
So target areas to think about, and this is really a dialogue to have with the CEO. Are there expensive international trips where there’s a two-hour meeting? Is it justified to drop $20,000 on going there when it could probably be a Zoom activity?
If it’s a bigger trip with a lot more detail than just a two-hour meeting, then maybe you have a different lens. But I think that’s really the area to focus and the dialogue between the Board and CEO can identify new criteria on what the best way is to implement them.
Naseem Bawa: So having worked virtually from home for over 20 years, I’m a big proponent of online or virtual meetings. But I also recognize that in person is important. And having traveled over a million miles on Air Canada, I’ve definitely used that as well.
I think depending on the purpose of the meeting, depending on whether you’re going in there to build trust, because people’s body language, you know, just getting to know people culturally, for example, going to Latin America, extremely warm people; they want to get to know you. They want to understand. They want to have a meal with you.
So I think policies around what is the purpose of the meeting and who is going to be attending, is building a rapport important or have you already met the people that you’re meeting with?
Those types of things have to be considered before spending 10,000 dollars for a two-hour meeting. Sometimes it may be necessary, but many times it’s not. But I think establishing policies and recognizing that there is real value and efficiencies in getting work done online.
Paul Marshall: Thanks, Naseem.
We’ll move to our virtual candidate, Muhammad, and can we get a reset on the timer.
Muhammad Adeel Javaid: Yes, so I’m participating virtual. So to say yeah, the virtual experiences, depending on the nature of the meeting and the nature of the thing. So I think it could be something that is hybrid.
I agree that COVID-19 has made us more productive in our boards, they’re more strong and productive, and I was doing research by McKinsey, and they also stated that COVID-19, during COVID-19, the performance of people, it increased many folds.
But I think participating virtually or in the virtual meetings, it can also do other favors other than host optimization, it can also reduce the carbon footprint.
But I think if there is some kind of event that is a day long or two days long, then I think there should be some — and they should be — there must be in-person attendance of participants, but if it’s going to be even a half-day meeting, then I don’t think the in-person will be a beneficial thing. It should be something hybrid.
And it can reduce over time and other than spending the whole day, so we can just sum it up and we can complete our virtual meeting in a few hours. So yeah, this is my response.
Paul Marshall: Thanks, Muhammad.
Question 4: How should ARIN treat facilitators/brokers, should they be treated as important customers or just unavoidable parties involved in some transactions?
Paul Marshall: Okay. That brings us to our final question. I think we’ll start with Hank this time and move down to Naseem and bring it over here and Bill Sandiford can answer and finish with Muhammad.
The question is: How should ARIN treat facilitators/brokers, should they be treated as important customers or just unavoidable parties involved in some transactions?
Hank Kilmer: Again, this is another question, it’s interesting that it comes from the members. Because if members want policy around it, they can propose it.
But my opinion, step one is to recognize that transactions happen. And they’re happening. And good facilitators, I’ll put that word out there, good facilitators, are there for trust in the transaction. They’re there to help the transaction go smoothly for the parties involved.
So a good facilitator will need a good relationship with ARIN, for the ARIN region and the other RIRs for their region. And so it benefits the facilitator.
I’m flipping this around. It benefits the facilitator, if they want to be a good facilitator, to have a good relationship with ARIN and work with ARIN, within ARIN’s guidelines, with the documentation that ARIN requires and to make everything go smoothly.
So I think ARIN’s policies are pretty clean for these types of transactions. I don’t think ARIN needs to necessarily treat the facilitators any differently, but having a good working relationship with them can help make these transactions go smoother.
Ron da Silva: I think the unavoidable is an interesting keyword here. They are avoidable. You can actually transact and transfer without using a broker in the middle.
But notwithstanding Hank’s comments about adding a layer of trust and protection in the transaction, I think that has a lot of value. But I think the question is really asking about, should there be some qualification on brokers?
Today, there’s a listing service. As a broker you can put your name on ARIN’s website. And thus if somebody is looking to buy or sell IPv4 addresses, they could go to ARIN’s website, go, look, there are a few choices, let me call them up, see which one I like.
Should ARIN be in the process of putting some sort of value judgment on them? I don’t know. That’s kind of a slippery slope. There’s really one aspect of the question. Another aspect, should they have a broader relationship than just being an entity listed on the website perhaps.
And perhaps the way to do that is there’s this new premium support feature for members who have resources. Maybe there’s a variation of that, that can be offered to related parties who maybe don’t have resources. Certainly if it’s a broker or a facilitator that has resources that’s available to them today, they can be a premium support member.
But some brokers don’t necessarily take possession of the assets in the transaction. They just help connect the dots and the assets flow from the buyer to the seller. Or seller to the buyer, rather. Through escrow.
So maybe there’s some value in having a premium support option for those entities transacting in that space. Those are my thoughts.
Naseem Bawa: Picking up on what’s already talked about, I think good facilitators can help ARIN in terms of making sure that people understand what the processes are and how to smoothly affect the transaction.
So I don’t think that ARIN should shun them in any way or treat them in any manner that’s negative.
But I think if they’re helping people to get through the process and smoothly transact the business, it might be more efficient for ARIN to have those good facilitators involved rather than not having them involved.
Paul Marshall: Thank you.
Bill Sandiford: I’ll break this question down into a few parts. I’ll start with the last part, and I’m going to say that without a doubt, our facilitators/brokers in our community are not just unavoidable parties involved in some transactions. As Ron noted, they are very avoidable.
If you have resources that you don’t need anymore, and you feel you can take them to market on your own, you can do that. If you need resources and you feel that you can find them on your own, you have ways to do that.
But let’s be clear, there’s a lot of inactive or dead space out there on the Internet. There are facilitators in this room, on this stage, in fact, who have done an incredible job of going out, finding some of these spaces, in linking those who need to be able to use this space with those that have it — in some cases, without even knowing they have it — and get that space in use on the Internet.
So I think our facilitators/brokers are a very important part of our ecosystem. Avoidable if you want.
How should ARIN treat them? I think ARIN should treat them just like every other customer that ARIN has. ARIN should take their calls, guide them through the processes if they need help. Ensure that policies and procedures are followed and do what it takes to get these transfers done when all the policy implications of those transfers are met.
And I like the fact that we have facilitators and brokers in our ecosystem. And I also like the fact that if you don’t need them or want them, you don’t have to use them.
Robert Seastrom: I don’t like the choices that I have here of important customers or unavoidable parties.
This word is overused, but I’m going to use it anyway. The facilitators are our partners. They do an important job. They do multiple important jobs. Bill just talked about some of them. Finding unused space or underutilized space. But that’s not where the value stops. There is education. There is expectation calibration.
No matter how transparent or good we make our policies, no matter how obvious we make it for how to navigate them, not everybody who has to interact with ARIN is an ISP or a hyper-scaler for whom navigating the ARIN process means that, oh, it must be a day that ends in Y.
Doing that is a benefit that accrues directly to ARIN. We would need more FTEs in Registration Services if we had to hold people’s hands through the process.
Having facilitators in this ecosystem saves us money, so we should treat them as partners.
I wasn’t trying to suck up to you.
William Sylvester: As the sole facilitator, I think, on the stage, not all facilitators are created equal. Let’s start there.
As a facilitator on the Board, I think that it’s important to note that for policies to come to the Board it’s very important to know about being open and transparent and recusing from certain of those issues.
But that being said, within this, facilitators already have a relationship with ARIN. And that’s through the Facilitator List. There’s a process that undertakes there.
One can argue that we should consider other things to do with that list because sometimes that list provides a certain level of trust, certain parties think that ARIN endorses certain facilitators, which is not the case.
We should look at programs, and I think there are already programs being considered to evaluate a minimum set of standards that should be met as an organization so that organizations can have greater levels of trust or at least be better bound to abide by community policies and ARIN policies.
Others have already talked about the benefits of facilitators. But within that, I think partners is a good word because there is a symbiotic relationship that goes on with both vetting custody of blocks, finding blocks, chasing down different parties that exist out there.
And in the end, facilitators are a very important part of the ecosystem that helps to raise this. But as others have pointed out, we don’t have a system that requires it. There’s no regulatory framework or other things that enforce that. And that’s a very healthy thing to provide choice for all parties out there.
But the idea of the PSP program that was already mentioned is a fantastic way to, I think, better embrace facilitators, perhaps, in a different role than a customer but definitely an important role within the ecosystem.
Paul Marshall: Great. Muhammad, over to you.
Muhammad Adeel Javaid: I will say that as far as the mission and the use of ARIN, they’re the most important thing. So the facilitator and brokers – I think they should adhere to the values and mission of ARIN. And if they uphold all those values, that also include preserving the public good. So I think their role would be beneficial.
But in the past, unfortunately, there have been some things that the brokers emerged to resell IPv4 addresses and began participating in effort to amend ARIN policies to allow the sale of IPv4 address space.
So I think the IPv4 addresses, so they must be held in good faith and in common. So they’re not property that could be sold.
So we should allow the sale of IPv4 address allocation. But only if the buyer demonstrates the most need for the address space.
So ARIN can deal with IPv4 address space custody by maintaining control of IPv4 transfer and it should definitely be under the purview of ARIN and it should not compromise the ARIN’s values and missions and the public good.
Paul Marshall: Thanks, Muhammad.
That concludes our Candidate Forum for the Board of Trustees.
I see that there’s an any questions? I’m not sure if there’s a Q&A format. So thank you, everyone, for your participation.
Hollis Kara: Apologies. The template defaults to the question andnd thank you; there really wasn’t a question option there.
But thank you. We’re getting ready to wrap up the day. I’d like to turn it over to John Curran and Bill Sandiford to run Open Microphone.
John Curran: Okay. Thank you, Bill.
So this is the Open Microphone session where we have the opportunity for anyone who wants to ask questions of ARIN before we end for the day. This can be on anything we presented earlier. Questions that didn’t get addressed, something that might not have come up. Now is your time. We do two of these. One at the end of each day.
Don’t want to keep you from relaxation and the social tonight. But at the same time, if you have a question, now’s the time. The microphones are open.
Bill Sandiford: Rear microphone.
Kevin Blumberg: Kevin Blumberg, The Wire. Apologies on not being available. I was grabbing some medication.
We have a wonderful robust Policy Development Process. We have a wonderful robust ACSP that gets pulled out for suggestions every once in a while.
And I think one of the things that I sort of see missing today that may be beneficial for ARIN is some more working groups that are public, that are accessible.
The example I’ll give you that we’ve had a lot of discussion at NANOG and today about IRR and RPKI. I think that a more open forum to discuss those things, not just in meetings related to policy or not just an ACSP related to specific services, but to have a push towards helping the community and having all the stakeholders available to promote and get the message out related to those things would be beneficial to the community.
John Curran: May I respond?
Bill Sandiford: Sure.
John Curran: In terms of the format, do you see it as being an ongoing working group that meets at ARIN meetings and online, or do you see it as something that we would do a special session for two hours, everyone here who wants to talk about the topic?
Kevin Blumberg: I think in this particular case, the virtual aspect would be needed for most of the time, but I think allowing, just like you do, like you have already with DNS OARC, as an example, tied to a meeting, having that one time, maybe it is one time, and you try it, and see how it goes or whatever may be. There obviously has to be a reason to meet. That has to occur.
But I think that we are so focused on the policy and our own internal services as a community we need to get more stakeholders and there seems to be a division with myself as an exchange operator has a very different view of what I see RPKI in five years.
Service providers see it very differently. We need to get in a room together and we are the community that can allow for that.
John Curran: One more question for follow up. You don’t see it as something that might be as a NANOG panel and follow-on discussion in the halls?
Kevin Blumberg: Interestingly, you’re the ones who are doing IRR and you’re the ones who are doing RPKI. And no, I think this is actually the right forum for this. I think we push stuff too far too many times over to that side, but we’re actually the shepherds and stewards in care of those things.
John Curran: If you could send me a suggestion or format.
Bill Sandiford: I was going to say the ASCP.
John Curran: Very much so. Thank you.
Kevin Blumberg: I wanted to bring it out as an open forum concept.
Bill Sandiford: Front microphone.
Warren Kumari: Warren Kumari. So thank you very much for the summary of what all is happening in AFRINIC. As somebody who lives in the ARIN region, how scared should I be and what can I do to help? What do you think?
John Curran: How scared should you be? Okay. There’s always chronic end cases for all of us. And we’re obviously
Bill Sandiford: I was going to say don’t be dramatic, John.
John Curran: Let’s try to avoid those. I think that AFRINIC and the AFRINIC community are working hard to address their issues. I think the RIRs are, both at the executive level and the engineering level, doing what we can to help. I think that I’d like to say collectively, between all of that, I think the matter’s in hand. I would be remiss if I didn’t bring it before this group, though, and raise the possibility that we could see a sudden shift. And that’s really what I’m doing.
I would guess right now that the most important thing is to just be aware of it and watch communications because if something were to change and become operational, it could require work on all of our parts to address.
Bill Sandiford: I think a lawyer once told me that the court of justice should be called the court of injustice because you just never know what the courts are going to do once you get there.
Andrew Dul: Andrew Dul, 8 Continents. ARIN AC. This actually dovetails nicely into Kevin’s working group idea. Although I didn’t come up here to talk about building a working group.
Earlier today we talked about some of the issues around the current database and who has access to it and Bulk Whois and being able to query the database 7,000 times a second versus other things and all the workarounds that go around.
And I will be likely echoing one of my former AC colleagues who once had a policy called The Purpose and Scope of Whois.
And I think 15 years later we really don’t wholly understand what it is other than it’s something we need. And it seems like maybe it’s about time that we actually open up that chapter and have some conversations about where we think the database should publish, how it should be published, what should be published and what should be the terms around it.
And I would happily join in the discussion on a working group or encourage the Board to review the terms and conditions of the Bulk Whois and the query Whois to see if those types of things could be changed and updated given where we are today and our current environment.
John Curran: Okay. Acknowledged.
Bill Sandiford: All right. Anything from the Open Microphone online? Any remote participants?
Reminder to those online, you’re more than welcome to participate in the Open Microphone.
Not seeing anybody else approaching the microphones maybe one. Just a quick warning that microphones will be closing soon. Get in queue now if you want to speak. And we’ll go to the rear microphone.
Dave Rodecker: Dave Rodecker, WISP.net. I have two points and more observations or suggestions. In the Candidate Forum, it was good to hear everything. I read through the bios. I particularly took note of what’s the motivation of the people running. They all have a background.
And reading, like, the conflict of interest section was a little bit more telling. I only found like two people, William and Robert, that filled that in. Not that people have a conflict of interest, but they have some skin in the game. They have some reason to be here. And that might influence what they’re here for.
And so suggestion about the open and transparency aspect could be a correlation is every candidate that is putting their hat in the ring has probably some piece of data within the ARIN organization that they could unfold.
So I’m referring to like the top-level piece of data of an ASN. So what ASNs as a broker have I been associated with, or which ASNs am I logged in to have.
I think that transparency would be informative to maybe distinguish different candidates from each other.
John Curran: To be clear, transparency on the resources that the brokers manage?
David Rodecker: The candidates have.
John Curran: The candidates on stage. Okay.
David Rodecker: What they’re associated to, their companies, who they work for.
John Curran: The linkage between who they work for, their affiliation and the resources of that organization?
David Rodecker: That’s right.
John Curran: Understood. For members who are actually elected to the Board, we do a detailed nondisclosure every January that gets into that level of detail for every member of the Board.
The onus is not just on them to self-declare but the Board to self-police in cases where a conflict may not have been raised, any Board member has enough knowledge to raise it about another. But in terms, you want that potentially on the candidate level.
Bill Sandiford: Could you step to the microphone. It’s not picking up as good.
David Rodecker: I don’t mean to be too loud. This might seem to be somewhat of an unpopular view.
But I observed that IPv4s are only being shuffled back for nonpayment. And I had the perception that some organizations were hopeful to let go of theirs, but obviously with the domain brokering and the cost and benefit of IPs that’s not the case.
It would be refreshing to see some policies put forth to requiring or to stigmafy the IP squatting for a general term of it and perhaps even putting some policies that discourage it or allow for other people who have legitimate uses to actually bring cases, not to ARIN, but in their own jurisdiction against entities that they fear are doing those practices.
John Curran: So I want to describe a little bit about what we’ve done to get space back.
First, in the 2000s, more than a decade ago, more than two decades well, a decade ago we actually reached out to all the address holders and reminded them about IPv6, and we actually went out to people with large unused address blocks and said these address blocks are unused; they were assigned to you back in the dawn of time, maybe you don’t need them. And actually several of them were returned.
We actually had multiple /8s returned and ARIN’s free pool was extended substantially as a result of efforts like DOD, Stanford, BBN, Interop, all returned /8s so that the free pool could last more years.
Not a trivial process to do, particularly because we had to inform them that we thought these would have value in the future. And we did.
So we did sweep many people and advise them that if they weren’t using addresses, they could return them. We ended up in a transfer policy which actually created,as you note here, a very viable market where people can value the rights to their entry in the registry.
And that’s caused people who have address space that don’t have a lot of use for it to look at how much they do need and potentially liberate the rest. So that’s also worked.
Now we don’t go back to people who aren’t using their addresses who could monetize them and say monetize them or we’ll take them. There’s no policy for that.
In fact, there’s actually language in our agreements that prohibit us from taking exactly that action on unused resources. But lack of utilization does not create a basis for reclamation by ARIN.
Having said that, we still have people returning address blocks now and then. There’s a conversation where someone comes in, says I have it, I don’t need it, take it back, please. We go, whoa, whoa, there’s a value to this. They go, no, no, just take it back.
That’s also an amusing conversation. We do end up with address space that comes back because of nonpayment. But we also have address space that comes back because it’s been misused.
If you end up doing something such that you violate our policies and our agreements such that we end up telling you that, you can end up with ARIN reclaiming your address space. It’s fairly rare. Very common, not very common. But it does happen.
And we go to court over such things, and we’ve universally won. So we bring address space back that way. There’s actually a wide number of feeds. The biggest one is nonpayment, but there are other sources coming in.
Bill Sandiford: I think you touched, John, on what I was going to say. When you asked the question at first, you mentioned the nonpayment. When John gave his, John Sweeting gave his presentation this morning, he did speak to an overwhelming number of the addresses that are returned do come from nonpayment.
But there are all these other different methods. Where I think I’m sensing a little bit of the sentiment of your question is about ARIN taking action.
Am I catching it that right; you’re thinking maybe ARIN should be taking action more?
David Rodecker: You just clarified that nonuse is not a reason
Bill Sandiford: Right, but nonuse is not the only places where ARIN takes action. The Micfo case is a perfect example where ARIN took great action where it determined there was outright fraud that took place and a large number of resources were returned.
The organization does take things like that very seriously. Nonpayment is not the only reason why addresses are coming back. And the executive team and the legal team is very diligent when they are adamant to us at the Board level, when something has been done wrong, they will go after it.
John Curran: If you’re aware of someone who has obtained IP address space either issued by us or a transfer through misrepresentation, please report it to the Internet Number Fraud Resource. There’s a reporting link. When you report it, we investigate.
Many of those actually turn out the right information was provided and the party’s valid. But if they did actually obtain the resources in fraud, in contravention of policy, we’ll correct it.
David Rodecker: Thank you for that answer. My sentiment was kind of trying to erode the idea that IP squatting is, it sounds like an okay thing to do.
John Curran: I guess the good news is, as the market value increases, that creates a natural incentive for recovery of unused space.
Bill Sandiford: Good questions, though. Thank you.
Checking online. Anything come in from online at all?
Hollis Kara: Nothing in the queue.
Bill Sandiford: All right. I’m not seeing anybody else in queues here. We’ll consider the Open Microphone session closed. Thank you, everybody.
John Curran: Thank you, everyone.
Hollis Kara: All right. We are wrapping up the day. I’d like to thank everyone for their participation and patience. It’s been a long day.
I’d like to thank our sponsors, Zayo, Google, and IPv4.Global Hilco Streambank. You guys need a shorter name. I’m sorry. Applause, please. (Applause) It’s a mouthful.
All right. So here we go. Next up, please, I hope you’ll join us, folks that are here with us in Hollywood, this evening at Madam Tussaud’s, down around the corner, from 7 to 11 p.m. It’s a quick and easy walk. Put it in your map.
Do not turn left and go to the Hollywood Wax Museum. That ain’t it. Madam Tussaud’s is other direction. Again, please join us back here tomorrow. We’ll be starting at 8 a.m. with breakfast in Salon 4 through 6.
Our meeting will start promptly at 9 a.m. right back here and we’ll be back online. Don’t forget that if you’re eligible to vote in this year’s election, you’re a voting contact, you can log into your ARIN Online account and cast your ballot now anytime up through 7 p.m. Eastern next Friday.
And that is the end of day one of ARIN 50. Thank you, everyone.
[Meeting adjourned at 4:45 PM]