ARIN 51 Public Policy and Members Meeting, Day 1 Transcript - Monday, 17 April 2023
Opening and Announcements
Hollis Kara: It’s 9:01. If we can get folks in the room, we’ll get started here in just a moment. Are we ready to go? We’re ready to go. Good morning, everyone. Welcome to Tampa and ARIN 51.
Before we get started, I’d like to walk through some introductions and some procedurals just to get everybody ready for the day.
My name is Hollis Kara, I’m ARIN’s Director of Communications and I’m really glad you’re joining us. Let’s get started.
First of all, I’d like to thank our elected volunteers who are critical to the work of ARIN and are a huge part of the ARIN meetings, starting with the Board of Trustees. All of these folks are here with us on site. They’ve got tags on their badges. Please seek them out if you would like to speak with them, and thank you to them for their time. If I could get just a teeny applause for my Board.
I like audience participation. So just stay ready, guys.
Next up, the Advisory Council. This team is responsible for shepherding policies through the policy process. They are 15 great and energetic folks, who are all here, also all have ribbons on their badges and also would love to speak to you. Thank you to our Advisory Council for being part of the meeting.
There you go.
And then last but not least, our NRO Number Council representatives: Kevin Blumberg and Nick Nugent are here with us in person. I’m assuming that Mr. Quesada is joining us online. They’re available if you have questions or would like to learn a little bit more about the Number Resource Organization and what they do in the region. If I could get applause for them too.
Alright. Everybody can relax a minute. We’re going to go through a few boring procedurals. Let’s talk about getting around the meeting. Let me go back. We’re going to start with – well, we’re hybrid. So good job us. Come on. Here we go.
For those on the Zoom, please note: Chat is for informal conversation. You are welcome to use it. Our virtual host will also be in chat dropping links to important resources. It’s a good thing to be keeping an eye on.
When we get to the discussion portions of the day, you’ll have two ways that you can engage in those microphone sessions. One is to drop a question in Q&A. We do ask that you lead with your name and affiliation so that we can make sure that’s read onto the record. Or you can raise your hand, and we’re happy to unmute your audio so that you can speak and we can hear you here live in the room. That’s always fun.
So, again, name and affiliation are important, and if you have a long comment, you can always just drop your name so we know you’re composing a question so we don’t close the microphone queues before we’ve gotten your comments into the transcript.
All right. We have our Virtual Help Desk, which is open until 9:30 this morning. It will be open from 8:30 to 9:30 tomorrow and Wednesday as well, and also available during lunch and on the breaks, if you need some assistance.
Craig Fager, our technical writer, will be in the Virtual Help Desk and he’s ready to help if you are having any trouble accessing the meeting or finding information.
In person: Please, please, please, you are more than welcome to log in to the Zoom so that you can talk to our virtual attendees, but I do ask that you have your computers muted and disconnected from audio when you do that because otherwise things are going to get to sound a little bit strange.
The navigation is all in one place. Everything that you need to get to is right on the ARIN 51 website, including our meeting materials, where you can see the presentations, if you’d like to pull them up locally on your screen to look at them rather than viewing them on the screens here in the room. Those are available, and the meeting materials will open in a new tab for you.
All right. And we’ve got a 50/50 split this meeting, which is pretty cool. We have 143 folks registered to participate virtually and 142 joining us here in person in Tampa. It’s nice to see that the hybrid meeting format is working and that we’re getting a lot of participation. Thank you for your support in that.
Just a few reminders, for chat and conversation in the room as well, to please keep it professional. When we are opening discussions at the microphones, to keep comments on topic and to please follow our Standards of Behavior. Those are linked throughout the meeting materials website.
You should have checked a box that you read them when you were filling out your registration. Maybe you didn’t. But anyway, they’re available on the website. And I do ask you refer to those and please behave in accordance.
And let’s see. When we open the microphones, the producers back on the riser and folks here on stage will coordinate the discussion to make sure that we’re giving ample time to both folks in the room and who are online.
We ask that you, whether you’re in the room or online, again, speak clearly, probably a little slower than I’m speaking now — more like that — and that you start with your name and affiliation, so we get that on the record.
We are recording. The livestream is available. You can view it on Zoom. It’s also available on YouTube. There’s a link on the Meeting Materials page. Slides will be available on the meeting materials page as well. And live transcript is also available if you prefer to read along.
I’d like to introduce my hybrid staff. I’ve got Beverly Hicks back on the riser working with our tech team, doing our hybrid and virtual production. We’ve got our meeting specialist, Melissa Goodwin, here, there, and everywhere making sure we’re all taken care of. I’m here on stage.
Proud for the first time to have Prabha Bhattarai joining us as a virtual host. She’s going to be in chat and there to help you. Craig Fager is at our Virtual Help Desk. And we‘ve got Ashley and John running communications here and there and everywhere.
Christina will be running around with a camera and making sure that we’re keeping our social media feeds updated. And Desmond Jackson is back in Virginia making sure our live stream stays doing what it does.
I’d like to stop for a second and, again, more audience participation, thank our sponsors. First off, Charter Communications, our network sponsor.
Thank you, Charter.
I’m going to pause here. Last time I said this name was too long and you guys added another word. I don’t know what’s going on. But thank you to IPv4.Global by Hilco Streambank, our bronze sponsor…
…and of course, Google, our webcast sponsor. Thank you.
One of the exciting things about this meeting is we’ve finally been able to bring our Fellows back with us in person. You will see they also have ribbons on their badges. If you’re a regular and you see a Fellow, please make them welcome.
Now, we did run a meeting orientation last Thursday to run through a lot of what I just walked through before. If you were on the meeting orientation, I apologize, you just sat through it twice. But thank you for that anyway. And I believe we are ready to draw our survey winner.
Beverly Hicks: We are. The winner is Lou DeVictoria.
Hollis Kara: Lou DeVictoria, okay, Lou, we will be in touch and you will be receiving a $100 Visa gift card via email. Thank you for playing.
Emergency evacuation: There are doors, and there is the outside. Follow directions once you get out there. Don’t walk out all the way into the mangroves. That would be bad. Hopefully, we won’t have any. But head toward the pool deck, I suppose.
Our agenda: I’m going to stop talking in just a moment and we’re going to have welcomes from a few other important folks before we get started and then we will head right into an update from NANOG, our Policy Implementation and Experience Report, Advisory Council docket, new Policy Development Process, AC Working Group updates.
And then after the first break this morning we will head into our first policy session. After the first policy session we will regroup and have lunch. Then we will be followed by our second policy block of the day.
We’ve got eight policies this meeting. We’re gonna get it all knocked out today. After the policy session, the second policy block, we will have a Government Affairs update, an update on ARIN’s work in the Caribbean and then one final break before we wrap up the day with an Engineering report and an Information Security report and an Open Microphone. It’s going to be a busy day. Stay frosty.
Tonight, we will be having our social at the Florida Aquarium. We’re all really excited. There are going to be some special guests for folks to meet. I encourage you to come on out. The social will be from 7:00 to 11:00 PM. Buses will depart starting at 6:45. We’ll run three buses to, and then we’ll have buses coming back starting at around 8:00 PM.
But please, we look forward to welcoming you to the social and hope that you will join us then.
All right. And with that, we’ve been through the formalities, procedurals. Whoops. There’s my microphone. I’d like to welcome our president and CEO, John Curran, up to the stage to offer a brief welcome.
Welcome From ARIN’S President and CEO and Board of Trustees Chair
John Curran: Thank you, Hollis, for opening us up. I’m John Curran. I’m the president and CEO of ARIN. I see familiar faces who already know me. I see some new faces. Welcome everyone, to ARIN 51 in Tampa.
We’re very pleased to have everyone join us. As Hollis indicated, I think we’ve done a successful balance of the hybrid format with both onsite participation and remote participation. I’m looking forward to continuing that. I think it’s the right way to do it so everyone has an option that suits what they want to do.
As you can see, we have a pretty full agenda. This is just one day. We have two more days of activity after this.
This is our spring meeting. It’s always a fairly full, packed event where we give updates on what we’re doing. We do a huge policy session. I’d like to ask everyone to participate. ARIN is guided by you.
While we do have an Advisory Council that listens and helps shape the policy and we do have the Board of Trustees that helps guide the organization in terms of strategy and direction, in order to do their job, they need to hear from you. So engage.
If you look at people’s badges, you’ll see some of the people have little stripes on them. If they have a stripe, they want to hear from you. Okay? They’re a member of the Board; they’re a member of the AC. They ran for office in order to listen to you and help guide the organization.
I look forward to this as your meeting. We’re just running it for you. I look forward to your involvement over the next two days. Feel free to find me. I will be about for the whole thing, and please enjoy ARIN 51 in Tampa. At this point, I’d like to bring up even more important person, Bill Sandiford, Chair, ARIN Board of Trustees.
Bill Sandiford: I think all of that was accurate except for the “more important” part.
Welcome, everybody. It’s nice to see everyone once again in Tampa. It’s been interesting over the last few meetings, as we’ve got back to in person again, the crowd just keeps building and building. As I try and look out into the sun of these lights that they have on stage, I see more and more faces back. So that’s good to see.
Not a lot to say here. Going to keep it relatively quick. Wanted to say on behalf of the Board of Trustees, welcome everybody. Looking forward to a few days of doing the things that we do here at ARIN, policy, keeping up to date on the other regions, that sort of stuff. And enjoy your time here.
And like John said, we welcome the participation, and we look forward to as much of that as possible. Welcome, everybody, and let’s get going.
Hollis Kara: Thank you, John and Bill. Next up I’d like to invite Daniel Schatte, our network sponsor from Charter — representative — to come up to the stage.
Those words weren’t in the right order, but I think you got what I meant. It happens. It’s early. I need more coffee.
Daniel Schatte: Good morning. Welcome to beautiful Tampa here. Just wanted to see everybody here today, both in person and virtually, and pretty much say we’re proud to sponsor the network here. We really like the new RPKI feature that just got released last week with auto-renewing ROAs.
And also looking forward to a lot of the v6 adoption that’s out there and I think a lot of us are pressing for.
Hollis Kara: Thank you, Daniel. All right. And now we get into presentations. I’d like to welcome Edward McNair, the executive director of NANOG, to the stage to tell us a little about what they’ve been up to.
Edward McNair: Good morning, everyone. For those of you who do not know me, I’m Edward McNair, and I’m the Executive Director of NANOG, as Hollis just mentioned.
I’m going to take a few minutes and give you an update on what we’re doing within our organization. Before I start just want to just emphasize how important the relationship is between NANOG and ARIN.
In a lot of the regions of the world, both the NANOG and ARIN function would be combined into a single entity. And we’re fortunate to have this tremendous partnership as we work together, us focusing on the technical side of things and — well, also ARIN on the technical side of things — but focusing on those other inner workings of how the Internet takes place. It’s a wonderful relationship, and I appreciate the opportunity to be here.
So just talk about a few things: NANOG governance; programs update; events updates; education and mentorship programs; diversity, equity, and inclusion programs; development update; and also community updates.
NANOG governance. This is our current Board structure. We’ve had some kind of shifts and minor changes. Leslie Daigle is our new Board Chair. Vincent is our Vice Chair. David Siegel is our Treasurer. And Cat is serving as our Secretary, is also the PC Chair.
And here is the NANOG staff. NANOG operates with a crew of eight individuals. The newest person to our team is Greg Newman. We’ve now brought our development process in-house. In a few minutes I’ll be talking about some of the development things that we do, but all those take place with one particular programmer making it all happen. We’re very fortunate that we have a gifted individual.
His side hobby is that he is a fine illustrator. When you can find a programmer who also has the rightside brains function, you’re kind of a lucky thing to grasp.
NANOG program. We’ve made some updates and changes to our program. Some things have taken place a couple years back, but I think it’s important to kind of reiterate.
We do rolling calls for submissions. Before we used to do — our submissions would roll at each event. Now we do them in advance. You can take and make a submission for a NANOG event a year from now.
In addition to having Shepherds, we’ve also added content reviewers to support the approval process. We have a moderator subcommittee that focuses on improving the submission process.
Scripts for our sessions. Before it was kind of free for all; now we have scripted sessions when people come up to make the whole event kind of flow smoother.
We’re doing extensive data analysis on our talks. It’s going to lay the foundation for a NANOG knowledge base. At some point in the not-too-distant future you’ll be able to go in, do a search on a particular topic related to YouTube videos and other content out there — speaker bios — It will all be connected to a centralized knowledge base. And we also just released a complete rewrite of our PC tool.
Now, in connecting with the program, an interesting thing about NANOG is that our programs have a second life. There are people who watch it in the room. And as soon as we release those videos online, people start to immediately just glob on and start to view them.
It’s kind of like we watch television content. Most of us don’t watch television in real time unless it’s sports or kind of a pertinent news story. Everyone comes in afterwards to kind of look at content.
Our YouTube channel has 21,000 subscribers. We have 2.7 million page views. We average 25,000 views per month, 3.5 hours of view time per month. We averaged 212 new subscribers each month.
The top video for 2022 was “Everything You Wanted to Know About Optical” with 15,000 views. And the top video ever, the tutorial “Everything You Always Wanted to Know About Optical Network,” with 172,000 views. A substantial kind of half-life or afterlife for our content.
Events updates. NANOG 87 was our most recent event in Atlanta. We had 710 people in physical attendance and 184 virtually. We had 45 event sponsors, 38 talks, plus six lightning talks.
Our NANOG College Immersion Program had four students that came in from CU Boulder. We are fortunate to have an all women team this time. These people are selected by an achievement venue within their own school organization. It’s a competition for them to be able to get to a NANOG event.
We introduced a new PC tool that allows participants — sorry, a new tool that will allow participants to be able to schedule tables for meeting, offsite meetings — sorry, side meetings within the NANOG conference.
For future events, we’ll be in Seattle next upcoming meeting in June; after that followed 89 in San Diego; NANOG 90 in Charlotte; and 91 in Kansas City, Missouri.
CaribNOG. We also participated in CaribNOG. We got a chance to — we sent a representative, Aaron Atac, who is part of our Outreach and Program Committee. The focus there was on enabling and collaborating to help with educational efforts within CaribNOG and our partners in the Caribbean.
Education and mentorship programs. We made a shift last year –- kind of just coming out of the pandemic actually — where we started to focus on education that is targeted and systematic. Our conferences are all educational, but it’s kind of a passive approach toward education.
We’re now looking at specific curriculum targeted in trying to help empower junior engineers and those looking to kind of bolster their careers with more information.
Our educational program focuses on vendor neutral courses. All courses are vetted by a committee of industry professionals, and the courses are designed to aid students, junior engineers, and career professionals to advance their careers.
We also put in line a mentorship program. To me, education and mentorship go hand in hand, one side to the other. And it’s key to building the Internet tomorrow and to engage those who aspire to build the Internet of tomorrow.
The mentees in our program have an opportunity to be guided by seasoned industry professionals. And mentors and mentees will be paired at NANOG conferences and also outside of those conferences as well.
Diversity, equity, and inclusion. This is a very important kind of thing within NANOG. And over the past years, we’ve worked as an organization, the Board, staff, and the community — to make NANOG itself a more inclusive environment.
It’s one thing to say we want to have more people with diverse backgrounds in NANOG, but you also have to create an environment so that when they’re there, they feel welcomed.
In part of those efforts, we have partnered with DEI specialists to have ombuds. Now at every NANOG meeting there’s an ombuds team. They’re there to make sure that NANOG is a safe and open and welcome environment.
That committee is created as part of the strategic plan with the NANOG Board and its DEI initiatives, and we also have a new committee to focus on that as well.
And, Tina, your Vice Chair, here, is also a very strong contributing member of that program.
Here are our NANOG ombuds.
Development updates. We’ve done a lot to putting some developmental change within our website. It’s now become the application that kind of runs our organization. One thing we’ve done recently is we’ve made some UI updates to our website to make things easier to follow, a little more accessible.
We’ve also expanded our top-level menu to make it easier to find things. And also, our top latest stories will appear on the righthand side of that.
We now have a focus of our featured content. As an organization, we create content. And that content is about community and community engagement. And you go to our home page, you’ll see the latest stories which appear up there. And, again, we’re releasing probably two to three pieces a month, again, which focuses on individuals in our community.
We’ve updated our meetings page, again, to give us more information, easier to access. We’re trying to keep as much information as we can above the fold without having clutter so things are easy and accessible.
Program tool updates. We did a complete rewrite of our PC tool. This is the dashboard that you land on which gives you critical information to help manage. It lets you know what talks you have to vote on, et cetera. And it’s personalized to the individual. Once you drill into the pages itself, you can sort content by color, pending, submitted, accepted, deferred.
You can easily search in and find what you’re looking for. Clicking on any item will expand it and give you more detail.
We’ve also created an agenda builder. Before, building our agenda was a day and a half process to get everything done, with spreadsheets and sitting down with paper and back and forth.
We now have a calendaring system that, on the righthand side, any talks that are scheduled will appear, and literally you just drag and drop them in place. You can move them around. You can actually even create content directly within the calendar function of our agenda builder.
Appointment Tool. As I mentioned before, we have created an appointment tool that allows people to have side meetings and to meet with one another.
When you register for a NANOG conference, you’re asked “do you want to be able to have — open yourself for meeting to others?” If you do so, a little blue icon calendar appears there. Once you see that icon, you can click on that, and it will then pop up, and you can just do a direct invite.
In your My Calendar area on the website, you can see whatever your incoming invites are. You’ll also see the sent invitations that you put out and the list of those. Once you click on the item, you’ll be able to get in and see more detail on that particular.
You can also have communication within the people that you have scheduled to meet with.
And then also you can go into your calendar view and you can click and drag and create an invite. As you start to search it, it will list anyone who has given permission to be open for an appointment and to be able to schedule them.
In addition, at this last meeting, we offered a tool where you could have a table to kind of rent for an hour. We’re making some modifications on that based upon user feedback because this was our alpha release of that.
The way with functioning is you would say “do you want a premium or do you want a standard table?” Once you’ve clicked on one, the next column will fill in, what date do you want it, then the time, and then you fill out your organizational details, and you would schedule your table.
So next development updates: completion of our UI, registration system updates, sponsor tool, badge printing on demand at the site, appointment tool 1.0 — because it’s now in beta release — virtual platform updates, interactive reporting, and exploring the possibility of enabling our software to be shared with other NOGs across the globe.
Community updates. We’re shifting to ranked choice voting. In this slide, actually, I looked at the content, it’s kind of behind a little bit. We are going to ranked choice voting. We have an Education Committee that’s focusing on delivering that system.
We even recently tested the PC when they did their elections for this year. They used our ranked choice voting system, and it worked flawlessly.
And we are going to — the final bits of it will be presented to the Board, and the Board will make sure that everything is working as it should be. And then the full community update will take place at that time.
Community. We have a community server that’s based on Discord It’s a place where we have affinity groups, which is a focus where we’re trying to again, in an effort of creating more community outside of our events. It’s broken down into various categories: network automation, women in tech, LGBTQ+, running, coffee, walking, whiskey connoisseurs, diversity in tech, and more.
The focus here is how do we keep the conversations going in between meetings and how do we keep conversations as we prep into and communication during events.
Community is very important to NANOG. It’s kind of the heart of what we are. And we’re trying to do everything we can to facilitate and make NANOG a warm and welcome place.
Any questions for me?
Hollis Kara: Did anyone have any questions for Edward? If so, feel free to approach the mics. No? Do we have anything virtual? Nope. Alright Edward, you’re free to go.
Alright. Thank you.
Next up, I’d like to welcome John Sweeting, ARIN’s Chief Customer Officer, to give the Policy Implementation and Experience Report. Come on up, John.
Policy Implementation and Experience Report
John Sweeting: Thank you, Hollis.
As Hollis said, I’m John Sweeting. I’m the Chief Customer Officer with ARIN. I’m excited about this conference. There’s going to be a lot of good things that are shared with you, the community. Please participate, as Mr. Curran asked, and pay attention.
I’m going to start off this with a Policy Implementation and Experience Report. These topics come mostly from our Registration Services Department that are gathering information from our customers. And they talk to a lot of our customers. They also do a lot of chat with our customers.
Our chat has been very successful. We implemented it during the pandemic. And it has continued to just grow. And it’s been very successful in helping with the phone calls.
Now, we still do the phone calls. A lot of times a chat will turn into a phone call because it gets a little bit too sticky for a chat.
Okay. So the policies I’m going to review, or that were reviewed, is in the NRPM, in the Number Resource Policy Manual 4.2 and 4.3, which are the allocations and assignments to ISPs and end users; 6.5.2, the initial allocations to LIRs, direct assignments from ARIN to end users.
You see a trend there, ISPs and end users, since we no longer do assignments, so there’s been some work by the Advisory Council to finesse that language out of the NRPM, the assignment language, and change everything over to allocations.
And I’m going to do a little bit on 8.3, Transfers Between Specified Recipients; and also the 8.4, Inter-RIR Transfers to Specified Recipients; and 8.5.6, Efficient Utilization of Previous Blocks.
Okay. So with the NRPM 4.2 and 4.3 — 4.2 is ISPs and 4.3 is end users — it talks about allocations and assignments. And so we have these separate policies that guide allocations and assignments, but we no longer do assignments.
So it’s been suggested by some of our community that maybe we don’t need separate policies for ISPs and end users. In other words, there’s one set of policies that govern anybody that comes to ARIN requesting IP address space.
And that those policies we just apply to both end users and ISPs. And there would be a set of criteria developed by the community that would say: Here’s what you need to show to get the number of IPs that you’re requesting.
Internet Service Providers, it says they receive space based on demonstrated customer growth. And end users get their space based on their immediate equipment numbering and employees as well.
So the similarities are they both qualify automatically for the minimum size of a /24. They both have a maximum of /22 from the Waiting List. They both require 50 percent projected utilization within 24 months. And they both require existing allocations to have 80 percent overall utilization and 50 percent of each block, each separate block, to be in use to actually receive additional addresses.
The policy differences are ISPs are required to create reassignment records for static reassignments of /29 or more to their downstream customers.
So the question for the community is, given that minor difference, does it make sense to consolidate 4.2 and 4.3 into a single IPv4 policy?
Okay. 6.5.2 and 6.5.8 out of the Number Resource Policy Manual, again, it’s ISPs and end users, the initial allocation to LIRs and the direct assignments from ARIN to end users, which establishes the requirements for IPv6.
That’s the big difference between these first two. Section 4 is for IPv4 and Section 6 is IPv6.
The similarities in the policies are they both can get initial IPv6 block by being able to qualify for IPv4. Current policy allows everyone to qualify for an initial IPv4 /24, and that means everyone qualifies for an initial IPv6 block.
So an end user qualifies for a subsequent allocation — the difference in the policy is that an end user qualifies for a subsequent allocation when their total utilization exceeds 75 percent across all their IPv6 allocations.
I’m not sure why they’d have a lot of IPv6 allocations, because we really try to work with people enough the first time they come in. But that’s the policy difference on that.
There’s also an ISP qualifies for a subsequent allocation if they meet any of the following criteria: 75 percent or more of their total IPv6 space; utilization of more than 90 percent at any serving site; and they’ve allocated more than 90 percent of their total address space to serving sites, with the block size allocated to each being justified on the criteria specified in Section 6.5.2.
And the smallest IPv6 block that can be issued to an end user is a /48 and to an ISP is a /40.
So, again, the question is, given the minor differences, does it make sense to consolidate these two policies into one policy and just say, hey, here’s the criteria for getting IPv6 from ARIN? Make it nice and simple.
All right, 8.3, Specified Recipient, and 8.4, Inter-RIR Specified Recipient. Both policies state: With the exception of Merger & Acquisition transfers under Section 8.2, the source entity must not have received a transfer, allocation, or assignment from ARIN for the past 12 months.
So some items for consideration. If an organization received an IPv4 block or Autonomous System Number via an 8.3/8.4 transfer, and then wishes to transfer those resources out, they will have qualified to receive the resource transfer; they will have paid the ARIN transfer processing fee that was newly installed this January 1st of this year; they will have paid the source organization and/or the facilitator, or at least we believe that happens most of the time; and they have agreed to pay the Source Transfer Request Fee.
So related policies to that are address space distributed from the IPv4 Waiting List will not be eligible for transfer, except 8.2 transfer policies, for a period of 60 months.
And addresses from a reserved pool, 4.4 and 4.10 space -— so IX space, critical infrastructure space, and IPv6 deployment space -— are not eligible ever for transfer under 8.3 or 8.4.
So the question for the community: Is there still rationale for a 12-month waiting period before transfer?
Basically it’s asking if somebody comes to ARIN and they get approved for a 8.3 transfer of whatever amount of space, and they deploy that and they start using it, and within six months later they decide, “Oh, we bought too much, we don’t need all this, we’d like to transfer some out,” but they can’t, they have to wait another six months, but they’ve paid all these fees, they’ve jumped all these hurdles to get this space.
So the question is why should they have to wait another six months just to put that space back out into the community for use by somebody that needs it since they no longer have a need for it.
The 8.5.6, Efficient Utilization of Previous Blocks, so this one is interesting. We have had some comments into the Registration Services Department.
So organizations with direct assignments or allocations from ARIN must have efficiently utilized at least 50 percent of their cumulative IPv4 address blocks in order to receive additional IPv4 addresses via need-based transfer. We’re talking transfers here. It’s Section 8.
The policy history is before February 2017, transfers used the existing IPv4 policy requirement, 80 percent overall and 50 percent of each block.
Policy 2016-5, which was implemented in February of 2017, deprecated the requirement for 50 percent utilization for each block and lowered the overall utilization requirement from 80 percent to 50 percent.
So, what were the issues that were created by that change? So an organization at the 4X Large level can have a /8 or more unused and still qualify for more space.
This greatly impacts the transfer market. Smaller organizations with an immediate need for IPv4 are competing with large organizations that may not have an immediate need.
So you’ve got, on one hand, people can go out and buy a lot of space, not have an immediate need for it; on the other side, you have somebody that really needs to get space but maybe they can’t find space.
So then there’s the thought that more competition equals higher prices.
So questions for the community. Is this a feature of that policy change, or is it a bug? If it’s a bug, what’s the fix? Raise the utilization percentage from 50 percent maybe to 80 percent, back to where it was? Or tier the utilization percentage to increase as an organization’s aggregate holdings increases?
So, those are the four policies that we’re going to present here in this Policy Experience Report. Do we have any questions?
Hollis Kara: Microphones are open.
John Sweeting: And, by the way, it is very sunny up here, Bill.
Hollis Kara: It is very sunny.
Andrew Dul: Andrew Dul, ARIN AC. I want to talk about the difference between ISPs and end users or whatever we want to call them these days.
You had two points here, one about the v4 policies maybe should be merged because there’s not very many differences between the two. I personally would say that’s probably a benefit to merge them. However, with the v6, the policies are vastly different and were created vastly different on purpose.
And my question to you is: When you interact today with organizations who are asking for v6 or planning their v6 infrastructure, and there’s a question between whether or not they should be an end user or an ISP for IPv6, how are you walking them through that question with them?
John Sweeting: Mostly it’s if they provide Internet connectivity to anyone outside their organization, then they are an ISP.
Andrew Dul: Right. But it’s always their choice. Right? That’s the way it has been in the past because it’s kind of fee-based, right? Would you say so?
John Sweeting: I guess it is, we don’t, you know, so I guess the thing is if they want to use customers or external entities from outside their organization to justify the space, then they’re going to be reviewed as an ISP.
Andrew Dul: Okay.
John Sweeting: In other words, if you’re an end user, you’re not claiming customers; therefore, you can’t use customers as justification for why you need more space.
Andrew Dul: Right. The issue becomes with organizations that have always fallen in the middle ground, right, educational organizations, what’s an internal versus an external customer, right?
And I think we still need to preserve the idea that there are end users that have different needs than ISPs. And so I don’t believe that we can just merge them because it has fee implications for users, if everything just gets merged, because you have to have a larger allocation because the minimum is a 48 for an ISP and — sorry, for an end user, and it’s larger for an ISP.
So it’s not just a straightforward question about we could just make the text a lot easier if there was only one. There are multiple implications in the v6 world for merging those together.
Just want to highlight that in front of the audience and also thank you for the input on the current process between the two types of organizations.
John Sweeting: And thanks, Andrew. Realize, we’re presenting things that are brought to our attention or the staff sees. We’re not making any recommendations to change anything.
We’re saying, hey, does it make sense to change? And if it does, we have a great Advisory Council that will help to make those changes if it makes sense.
Andrew Dul: That’s my feedback to staff for their input.
John Sweeting: Thank you.
Hervé Clément: Good morning. Hervé Clément, Orange and from the RIPE region. Thank you for the presentation. It was very interesting.
I have a question or a remark about the 12 months you have to wait before transfer, with transfer, et cetera. So in the RIPE region, so there is something similar, but it’s 24 months before transferring after — so you had a transfer or an allocation, et cetera. And it was justified to avoid this IPv4 stockpiling or to avoid the question of new LIR because the only way to have new allocation IPv4 is to create, is to renew and to receive a /24. It’s only the /24, we saw the question of new members for that.
So my question is have you used the same reason or could be the same reason beyond the 12 months you have to wait before transfer or not?
John Sweeting: Go ahead, John. I think you heard it better than I did.
John Curran: Okay. So in the ARIN region, when they were discussing the 12 months, it was about making sure we didn’t have a situation where parties were putting in applications and they potentially knew that they were putting in an application that wasn’t completely accurate because they knew they were going to transfer it later.
In the RIPE region, your many parties get new address space when they become an LIR for the very first time.
My understanding is that in the RIPE region, without that 24-month constraint, you would have many organizations reforming as new organizations and getting address blocks. So I think it’s a different scenario.
Hervé Clément: Just to enlighten, to add an element to your community. But thank you very much.
John Sweeting: Thank you very much. And John’s right, part of this policy initially, I believe, was that it was to deter flipping : people going out and buying a bunch of space they didn’t really need and then transferring it a couple of months later to try to get some kind of profit. But now there’s a few more hurdles and it costs a little bit more to get that space.
So that’s why we’re presenting it out there.
Hollis Kara: John, we actually do have a virtual question if you would like to go to that before we go to Tina.
Beverly Hicks: Tom Bonar from TDS Telecom. When it comes to transfers or purchases of IPv4, I would think that it makes the most sense to use a tiered system than an overall utilization.
John Sweeting: Okay. Thank you. That was one of the options for the either raise the allocation up or use a tiered thing over the things. And he doesn’t believe that doing a tiered would be a good idea. That’s what I got from that. Correct?
Beverly Hicks: He said he thinks it would make the most sense to use the tiered.
John Sweeting: It would make more sense to use it or not?
Hollis Kara: Would.
John Sweeting: Would. Okay. Make more sense to use it. Thank you.
Tina Morris: Tina Morris, AWS. I wanted to talk about the 12-month hold on transferring addresses. Have you actually had the situation come to your attention, or is this just a scenario that people have asked about?
John Sweeting: No, people have requested to be able to transfer space earlier than the 12 months.
Tina Morris: I know they’ve requested it, but have you actually seen this, so where my question comes from is we put in the 12-month wait to prevent flipping. I’ve been approached by people waiting out exactly 12 months to the day for the purpose of flipping space. I think that does actually serve a purpose. It is a deterrent from that behavior.
The process of getting the budget to buy IP space is not trivial. People, in my experience, organizations do not buy more than they really need. They’re not like — it’s not an impulse purchase at the grocery store. This is something they’ve really thought about, they’re programming — and planning your network 12 months in advance is not that burdensome.
So I have only come in touch with people that want to do it for profit, is my experience. So I was curious if you’ve seen otherwise.
John Sweeting: We have a very, very wide range of customers.
Tina Morris: Of course.
John Sweeting: And there’s customers that come in and they think they’re going to grow their business very quickly. They’re small and they think they’re going to grow it quickly, and they get a little aggressive and they buy more space than they actually need to use right away. They put it out for that two years, then they run into difficulties and they need money to stay solvent.
And that’s a couple of the reasons I’ve heard from people that are trying to get the waivers. So there are real scenarios out there.
Tina Morris: I definitely don’t want to cause pain for organizations in that situation. But I’ve seen a great deal of the other, where they are able to take advantage, perhaps, of an organization that’s in distress, get space for a lower price, receive it, and they want to immediately flip it when they see prices go up to a certain level. The 12-month and the fees does deter that behavior. And I think that’s exactly what we want as a thing.
I would, of course, welcome something that would help an organization that was actually struggling.
John Sweeting: It could be a hardship policy, if they have to prove that they have a hardship and they need to transfer, something like that. Or they’re not going to use it. It’s up to the community to tell us how they want us to treat –
Tina Morris: I would prefer something that was more hardship related.
John Sweeting: Thank you, Tina.
Beverly Hicks: Nothing in the queue.
Mike Burns: Mike Burns, IPTrading. I put the 12-month Wait List into policy when I did a policy proposal, and it was implemented. It was strictly there as an anti-flip mechanism. John mentioned something about fraud. But it was only there to get my proposal passed, which it did. I’ve been against it from the outset. And I see no purpose.
John Sweeting: I remember.
Mike Burns: We wanted to stop flipping behavior and hoarding and speculation. That was ten years ago. IP address prices are dropping. Nobody is speculating in IP addresses right now. The Waiting List, the 12-month wait is a burden. It keeps addresses on the shelf that otherwise could be put to use.
It’s time for it to go, along with the justification requirement, which also has had no bad effects where it has been implemented in RIPE for many, many years.
So the question about changing the justification for larger holders, they should all go to zero. And so should the waiting period. Thanks.
John Sweeting: Thank you, Mike. Lee Howard.
Lee Howard: Lee Howard, IPv4.Global by Hilco Streambank. I wanted to add that we do indeed see people who have recently, within weeks, received allocations from the Waiting List. And not just addresses, by the way, also ASNs. There was a period where ARIN had some nice reclaimed ASNs and gave them out. We had people come and want to sell them.
And so it certainly does happen. And sometimes I think it looks like a windfall. They go, Oh, I need an ASN, but I didn’t need a three-digit ASN. I can sell this and go do something else in my network.
I do think the policy is still functioning as intended. Whether the community still wants that intention, let’s continue the conversation.
John Sweeting: So, a quick question, Lee. Is that a bad thing that somebody got lucky and won the lottery, got a three-digit AS because some happened to become available? And they didn’t care about it, and they wanted to, I guess, transfer it. Is that a bad thing?
Lee Howard: We kind of had to deal with the windfall problem when we originally created the transfer policy. It’s like, hey, here’s an asset. Here’s a set of numbers that you were given 30 years ago. All of a sudden they’re worth a million dollars. Wow, oh, Jed’s a millionaire.
So I’m willing to get over that one. What I’m really looking for is I think that I don’t really like to look at people who are simply trying to — the addresses, we want the addresses to be used. We want the Internet to work. That’s what we’re here for. That’s what we’re trying to do.
I want the addresses in the hands of somebody who is going to put them to use on a network. I’m not excited, despite my profession, I’m not excited about people trying to squeeze more money out of the trading of that asset. That’s not good for the Internet necessarily. That’s where I’m looking for the difference. Does that answer the question ?
John Sweeting: Absolutely. I just wanted to get that portion of it in case the AC has questions on why you think it’s not a good thing. Now they know.
Scott Johnson: Scott Johnson, SolarNetOne, AS 32639. The point I’d like to make here is that we can continue for a great many years to amend rules, quibble over methods and mechanisms to try to create a behavior in the user base to prevent these types of behaviors — the flipping and these types of things.
But I think the real solution is to start to look forward and say how many more years are we going to do this before we begin to more aggressively move away from a constrained resource in IPv4 to a resource which is fundamentally limitless, for our purposes, for a great many generations in IPv6. I believe that is our way forward. Thank you.
John Sweeting: Thank you, Scott. Totally agree with you. 90 percent of my time is spent on v4 issues.
Hollis Kara: John, we have one more question in virtual.
And just a reminder to our virtual participants: Please make sure you’re using the Q&A feature if you’d like a comment read into the discussion. And I’ll give you a few more moments to type if you have anything on this topic. Otherwise, after this next one, I think we’re going to close the microphones.
Beverly Hicks: John Bachtold, from CIRBN, asks: Can you explain the “more competition drives higher prices” statement.
John Sweeting: More competition. That was one of the bullets on — that was on the changing the qualifications for getting space, right?
So I guess it would be the thought there was that if there’s more people able to — if there was more people that could actually get into the marketplace to buy space that it might go up. That was kind of like a detriment to it, that it would — it could make prices rise rather than stay the same or fall.
I see Tina kind of saying that’s not the case. I kind of agree with her. But it was something we felt we should bring: Hey, if there was more competition out there, prices could go up.
Hollis Kara: Do we have anything else in the room or from the virtual audience? Not seeing anything. Bev, do you have anything?
Beverly Hicks: I have another possible typing. I’d love to give him just a few seconds.
Hollis Kara: Okay, we’ll pause just a moment.
Beverly Hicks: It actually looks like it has not come through. I think we’re clear.
Hollis Kara: I think we’re all done. Thank you, John.
John Sweeting: Thank you, everyone.
Hollis Kara: And, again, as we proceed, please, please, please, virtual attendees, we do want to hear from you. So the Q&A feature is your best way to type in a question, which Beverly, our producer, will read into the record, or to raise your hand if you would like to be unmuted and actually speak here live in the room.
Both options totally available to you. Please take advantage of them. Comments in chat will not be read into the room.
So thank you. All right. With that reminder, I’d like to invite Leif Sawyer, our Advisory Council chair, to come up and give us the Advisory Council Docket Report.
Advisory Council Docket Report
Leif Sawyer: Thanks, Hollis. Good morning, everyone. As Hollis said, I’m Leif Sawyer, GCI Communications in Alaska. Here’s our docket report: short but sweet because I see we’re pushing the schedule a little bit.
So we’ve got a quick little agenda here: Our activity since the last ARIN meeting, all of our proposals that are coming in new, existing policy statuses, and then follow up with any questions you might have.
All right. So since ARIN 50 we have sent the following policies to the Board of Trustees for review and adoption. And they’re all listed out here. Also, not a policy but it was also sent to the Board, it was our new Policy Development Process put together by our PDP Working Group over the last couple of years.
A lot of hard work went into that, and we’re really proud of that new document. So you’ll be hearing more about that later today.
I should read ahead on my slides. I know it’s coming up. The new Number Resource Policy Manual, published March 1st, contains all the adopted policies that we listed on the previous slide. That’s always online at ARIN.net/NRPM. I encourage all of you to bring that up because when we talk about the policies today, we’ll be referencing that a lot.
So new proposals since ARIN 50. We actually have a blank new slate. There’s nothing new. But if you’ve been thinking about anything, any ideas, we encourage you to submit because that’s what we are here for. We’re here to serve you and help shepherd those thoughts and policies through the process.
As far as the policy status overview, we have no current editorial policies on the docket. We do have one Draft Policy, 2022-12. That’s, as John Sweeting mentioned, the Direct Assignment Language Update.
Doug Camin will be presenting that later on this afternoon — this morning. They’re all this morning. No, that is this afternoon, after lunch.
Seven Recommended Draft Policies. A huge slate of Recommended Draft Policies. These can all go to the Board of Trustees for adoption if they pass community review and then through the process of the Advisory Council to move them forward.
And that’s really it for the docket update. If you have any questions, I’d be happy to take them on.
Hollis Kara: Microphones are open. Virtual participants are welcome to type in a question, and anybody in the room can approach the microphones, if you have questions for Leif.
Not seeing anything. We’ll give the typers a second to flex their fingers.
Leif Sawyer: Looking at Beverly.
Hollis Kara: Checking for Beverly. Beverly, do we have something?
Beverly Hicks: We do have something.
So it says from Tim Kevin, it says: We noticed that both RIPE and APNIC have policies related to members to apply for resources for clients. For example, RIPE’s sponsored resources.
Are there plans for ARIN? We have noticed that many individuals, users in North America who want to learn the Internet want to apply for resources such as an ASN but do not have a company. They are both RIPE and ARIN members and often meet individual users in North America. We have to sponsor them in RIPE.
Hollis Kara: Can I actually recommend that we save that one and come back to it later today for Open Microphone? Sounds like a great Open Mic question. Are you okay with that, Leif?
Leif Sawyer: Great.
Hollis Kara: Wonderful. With that, I think we can move on.
Leif Sawyer: Thank you.
Thanks, Leif. You know how Leif mentioned we’d be hearing about a new PDP? He was right, you would hear about it later, but not very much.
Amy Potter, from the Advisory Council, is on our Policy Development Process Working Group. And she’s going to come up and talk about the new Policy Development Process that was adopted by the Board earlier this year.
New Policy Development Process
Amy Potter: All right. Hi, all. So this is a working group which now no longer exists, but I’d like to start out by thanking the very hardworking members of our group: Andrew Dul, my co-chair; Alicia Trotman; and Kerrie Richards. Thank you, guys, very much for your hard work over the past two years.
We have been working on rewriting ARIN’s Policy Development Process, which is something I think of as the rules for making rules.
Part of what drove, I think, all of us to join this working group is that we view the PDP as a really essential aspect of ensuring that you as the community are able to participate in making policies in a meaningful way since you guys are the ones impacted by those policies. And so getting into the sort of minutia of the rules for making rules is how we go about protecting those rights.
With that in mind, when we were developing the new PDP part, what we were looking at is trying to make sure that the document was something that was really designed and structured according to the way that people actually use the PDP, which isn’t necessarily reading through it in one stint in a sort of academic process.
It’s more looking at what’s going on in a particular policy proposal at a given time and what are the criteria for moving forward, what are the actions available to you as members of the community, what’s the AC supposed to do, et cetera.
So we structured the new PDP by step in the Policy Development Process. Each step starts with a criteria required for moving forward, and then it’s broken down by different participant types, whether that’s members of the community, the Advisory Council, the Board, or ARIN staff. And it outlines the actions available to them, what’s required by them, what they can and cannot do.
And we’re really hoping that’s going to enable all of you as members of the community to participate effectively and know what your rights are at every given step in the process because your participation and feedback is how we make good policy.
So through the preface of that. So thank you to everyone that participated in the consultation process. Your feedback was very useful, and we incorporated quite a bit of that into the doc.
It went on to the Board for approval. And as is mentioned, it has been approved and will be — let’s see, approved in December, and I think it’s going to be implemented in May.
So there you go. Thank you to everyone who participated in that process.
Hollis Kara: Thanks, Amy. Are there any questions? Doesn’t look like it.
Thank you, Amy. Everybody can look forward to hearing a lot more about the new PDP following ARIN 51. We will be starting to post a lot more information as we lead up to the release of that document.
And there will be some new webinars coming in May as well to help folks learn about the differences in the new process. So we’re excited to get that out to you and also appreciative of the hard work of the AC working groups.
With that, I’d like to invite Chris Tacit to come up and tell us a little bit about what the Number Resource Policy Manual Working Group has been up to as well.
Number Resource Policy Manual Working Group
Chris Tacit: Thank you very much. Thank you. Wow, it is bright up here. So, first of all, I want to give you a little bit about — tell you a little bit about the composition.
I accidentally neglected to mention in that first bullet point that our former chair, Joe Provo, also retired from the AC. So, as a result, he’s no longer chair of this group. But we really appreciated his leadership and contributions.
And, of course, R.S. is now on the Board. So he had to leave this working group. But we’re very happy to have the addition of Brian Jones. And we’ve been busy. We’ve got Matthew Wilder and Kat Hunter, and it’s a very dynamic, vibrant group. We have some very good discussions.
We also transitioned from Sean to Eddie as the supporting staff person. We’re very grateful for Sean’s assistance throughout.
And Eddie’s jumped right in, seamlessly, and actually his experience in Registration Services has been very valuable to us. Some of the comments he’s able to make and answer questions that we have are actually very helpful to us as we try to move our work along.
Our past work focused largely on Section 2 of the NRPM. And that’s translated into a number of proposals, some of which you’ll see today discussed. And they’re winding their way through the PDP.
Matthew Wilder took a wonderful initiative and created a very handy spreadsheet tool for us to help us examine various parts of Section 4 of the NRPM. And that’s our next task. We’re trying to figure out which parts of Section 4 could be deleted without creating any harm and which can be clarified further.
So we’ve already had one meeting to start that process. And we’ll be continuing until we make our way through all the sections.
Once we’ve done that, it will be our intention to see how we can try to group some of the proposals in a way that makes some sense. We recognize some of the changes may be substantive. Some of them may be editorial.
In some cases, as I said, staff input is required and has been very helpful. We’ve had some support from John Sweeting’s group to answer some questions we had. And that’s extremely helpful.
We’re very keenly aware that we need to balance not having too many proposals going through at once and kind of exhausting the community’s attention and time they have to spend on this but at the same time not being run over by the omnibus.
So that’s going to be a big focus of our discussions once we get through analyzing the various parts of Section 4.
And that’s my report. So thank you very much. Are there any questions?
Hollis Kara: Thank you. Yes, if anyone has any questions for Chris, the microphones are open, as is the virtual queue.
I can’t tell if Bill has a question or if he’s just coming back to — no, no questions. I think you’re good, Chris. Thank you.
Try to beat the track star to the podium. Geez.
Next up, we’ve got our Policy Experience Working Group update from Alison Wood, who has persevered through a very tough travel day to join us today and we’re so glad she’s here.
Policy Experience Report Working Group
Alison Wood: Yay! Good morning, everybody. I made it here. My luggage made it just right before the start of the meeting. That’s awesome.
I am the chair of the Policy Experience Report Working Group, and I guess I should advance the slide.
I put myself through college partly as being an aerobics instructor, so I hate to do this to the rest of my working group, but if you guys could please stand up so the community can see who you are — you guys aren’t standing. Thank you very much.
If you could look around and see the other members of the working group, I’m sure that you will have input for them later today. Feel free to grab any of them.
We have a couple new members of the Advisory Council that decided to join this working group. I’m so proud of them. So super happy about that. But you can see all our names here. And you just saw them stand up.
Alright. The Policy Experience Report Working Group, you heard from Mr. Sweeting earlier on the current policy experience report, but it is our job to take that report and then devise any policy proposals out of what comes from those reports and present them to the community.
In 2022, we had seven policy proposals go through, so a huge amount of progress from this working group. I’m super proud of the work that we did last year.
Alight. What in the heck are we working on right now? Right now we are working on some IPv4 Wait List issues. This is one of them. I know this is near and dear to everyone’s heart, and I would love your input on this, on whether or not we should bring this forward as a potential policy proposal. Should IPv4 Wait List blocks be permanently — permanently ineligible for needs-based transfers ?
We are also working on whether an organization should be able to receive transfer space and still stay on the Wait List. Right? Because sometimes it takes a while to get some IP space off that Wait List. Should they be able to get a little bit of transfer space from the 8.3/8.4?
And I love this one. I’m going to talk about this one a little bit tomorrow in the virtual table topics during the lunch break, but should organizations be able to immediately lease out IPv4 space that they received from the Wait List?
You guys look so pumped to talk about this. I’m so excited. So tomorrow at lunch, we can talk about it. But feel free to come to the microphones or to grab one of those amazing people that stood up a couple minutes ago to talk about it.
It looks like, from what I heard this morning, we’re going to have a ton of work on our plates. Anything this morning that you heard from Mr. Sweeting that you want to talk about with any of us, I really encourage you to do so.
We are here for the community. We need the community input to move forward and do good things. Do you guys have any questions for me?
Hollis Kara: Microphones are open if anybody has questions for Alison.
Alison Wood: We could go through a quick step aerobics routine because I’m the last presenter before the break.
Hollis Kara: We could…?
Allison Wood: Nothing right?
Hollis Kara: Come on. Oh wait, here comes John.
Allison Wood: Woo! Thanks, Mr. Sweeting.
John Sweeting: I just have a quick comment on this one here, one of the reasons it hit there. One of the things that people came to us, at least two people came to us with…
Alison Wood: That is fantastic.
John Sweeting: They get space off the Waiting List, but they’ve waited for quite a while to get that. To meet their needs, they’ve gone out and leased space from providers that lease space. And they may have four, six months still left on that lease, and all of a sudden, they hit the bonanza, they get the Wait List space.
They can’t give that leased space back, so at least two have told us “We leased it only because we had to pay for the space, we were leasing for another six months and then we plan to give that back and use the leased space.”
That was one of the reasons why that was on our Policy Experience Report to the AC. Just wanted to share that with the community.
Alison Wood: Thank you very much, Mr. Sweeting.
Any other questions? Beverly?
Hollis Kara: Anyone else? Anything virtual? I think the queues are cleared. Thank you, Alison.
Allison Wood: Yes. Thanks.
Hollis Kara: We have reached a decision point. I’m going to down to the corner over here. We have about 15 minutes left. Break is in fact ready, but, John, would you like to pull a different presentation forward?
John Curran: We’ll break early.
Hollis Kara: We’re going to break early. Alright. Everybody needs to stretch their legs, get a little sunshine. We will be back at 11:00 AM for our first policy block. Please enjoy your break.
(Break from 10:14 AM to 11:00 AM.)
Hollis Kara: Welcome back from break. I hope everybody’s ready to get started with our first policy block of the day.
And to start , we did not get a chance to update this. Alicia, unfortunately, was not able to travel to be with us today. So, Anita Nikolich, if she’s in the room…
Anita Nikolich: Yep.
Hollis Kara: There you are, lost you in the lights — is going to come up and give our presentation on Recommended Draft Policy 2021-8.
Policy Block One
Recommended Draft Policy ARIN-2021-8
Anita Nikolich: Okay. So hopefully everybody has some coffee. And this is to refresh your memory on 2021-8. I’m going to put my glasses on since I can’t read this.
So this is a little history of the proposal. So the current text — I’ll kinda read it; I’m a fast talker, so I’ll read it quickly just to refresh your memory.
So the AC assessment. Based on community feedback, we motioned to move ARIN 2021-8: Deprecation of the ‘Autonomous System Originations’ Field to Recommended Draft, with the following change to language: Removal of ‘OriginAS’ fields from December 31st, 2024, to 24 months after Board adoption.
So the problem statements. In the last two decades, ARIN has developed multiple services which provide mechanisms for Internet number resource holders to publish information about their routing intentions.
The optional ‘OriginAS’ field was invented before RPKI existed in practice. And at that time, ARIN’s Internet Routing Registry followed a weak authorization model compared to what’s available in use today, such as RPKI. The ‘OriginAS’ data was an improvement compared to other mechanisms that were available at that time.
However, there are issues with the consumption of the data in the OriginAS field. Consuming the OriginAS field in a high-scale, automated pipeline is challenging.
The consumer needs to enter into a ‘Bulk Whois Data’ agreement with ARIN, download a multi-gig XML file, which is only generated once a day, parse it and then extract the OriginAS field. Querying objects one by one via HTTPS does not scale well.
So, policy statement. This evolved a little bit since it was first introduced in 2021, but the policy statement is to remove Section 3.5 ‘Autonomous System Originations’ of the NRPM out of the NRPM in its entirety, remove the ‘OriginAS’ field from the database. So kind of two things.
Staff and Legal Review from last October. Staff understanding: ARIN 2021-8 would remove the entirety of ARIN policy surrounding Autonomous System Originations, including guidelines for ARIN’s OriginAS data collection and publication.
As stated in previous staff and legal, the problem statement identifies issues with efficient access to OriginAS data, but the policy statement proposes elimination of the data altogether, rather than proposing potential solutions to the identified shortcomings.
Staff recommends careful consideration of impacted customers and their ability to find alternatives to information contained in the OriginAS field within the stated implemented timeframe —- implementation timeframe.
Staff understands this Draft Policy to have two implementation milestones; one, the removal of the policy language, and one for the removal of the field and all data contained in that field from ARIN databases.
Staff recommends the second be adjusted to two years from adoption rather than a fixed date that may need to be adjusted as the Draft Policy moves through the PDP.
Implementable as written? Yes. Impact includes removal of fields and database objects of scope. And no material legal issue.
The timeframe estimate. Three months for removal of the policy language. The second timeframe will be followed according to the text, if adopted, but not within fewer than nine months from adoption.
Requirements. Some customer education outreach with appropriate sunsetting lead times, staff training, updates to public documentation, and internal procedures and guidelines.
So community feedback. Since this was posted a couple times on PPML, some of the feedback helped us craft updated language. We posted some of the current community feedback. Most of it occurred after ARIN 49.
So a couple quotes from some people. It was split. I actually wrote down the pros and cons, but these are some of the feedbacks, on both sides.
“The retirement as a trusted source of data should happen since RPKI is a superior cryptographically secure placement. That said, for legacy space not covered by an LRSA it would be good to have a cryptographically secure source of truth via the ARIN RPKI hierarchy.”
Another quote, “I don’t see anything broken here. I just see the possibility of things breaking. This is what has me concerned, the fact that we cannot know what the fallout will be until it happens. I’m willing to take the chance.”
Finally, “The field is not well-formed from a data typing perspective; it’s just a text field. Additionally, when you have multiple sources of data, it is easy for those data sources to have different and conflicting data. I believe long term the best thing to do is to eliminate the OriginAS field in favor of more well-formed and authoritative data in ARIN’s authenticated IRR and in RPKI.”
So that was a summary of kinda pros and cons of the community. And that is it.
Looks like there’s some questions, maybe.
Hollis Kara: Okay. Sorry, y’all. My mic’s not working. Bill’s gonna come and lead Q&A. The queues are open, so please approach the microphones if you have questions.
For our virtual participants, a reminder: Please use Q&A to enter in any questions that you may have for our AC shepherds and as well as to take advantage of that hand raise if you prefer to be live in the room.
And with that, I’m going to…
Bill Sandiford: All right. Opening the microphones for this Recommended Draft Policy. If those that have comments to make can approach the mics, now would be the time to do so. Also, opening up for online. Not everybody all at once. Nothing online? All right. Front microphone.
Scott Johnson: Scott Johnson, solarnetone.org, AS 32639. Not directly attending to the topic at hand, but it seems to me that if we are intending to sunset the OriginAS, we should, as aggressively as possible, encourage the use of RPKI, even to the point of considering to make it a mandatory function to participate in the global routing system.
Bill Sandiford: Thank you. Still nothing online?
Hollis Kara: Nothing online.
Bill Sandiford: Give it another 10 to 15 seconds or so.
Hollis Kara: We do have a poll because this is a Recommended Draft Policy.
Bill Sandiford: All right. Seeing no others approaching the microphones and not being advised of any online, we’ll call the question as to whether or not people are in favor or not of moving the policy forward.
So all those in favor in the room, we’d ask to raise your hand. And if you’re online, use the mechanism available online as well.
Are we good? All right, and all those who are not in favor, please raise your hand or indicate online now. All right, thank you. We’ll wait one moment while the results are tabulated.
Michael Abejuela: Michael Abejuela, ARIN general counsel. For Recommended Draft Policy ARIN-2021-8: Deprecation of the ‘Autonomous System Originations’ Field, we had 83 in the room, 46 remote. For is 42. Against is 4.
Bill Sandiford: All right. Thank you, everyone, for your feedback. That information will be given to the Advisory Council to take into consideration. Thank you.
Hollis Kara: All right. There we go. Moving right along. Next up we have Kendrick Knowles, somewhere in the room, coming up. He’s one of our new Advisory Council members, and he’s gonna present today on Recommended Draft Policy 2022-2: Remove Barrier to BGP Uptake in ASN Policy. Come on up.
Recommended Draft Policy ARIN-2022-2
Kendrick Knowles: Good morning. Thank you very much. So I’ll be presenting on the Recommended Draft Policy: Remove Barrier to BGP Uptake in ASN Policy, myself along with co-shepherd Chris Tacit.
So we have some history on this. And the current text: This Draft Policy is fair, impartial, and technically sound. ARIN-2022-2 would rewrite ARIN’s Autonomous System Numbers, ASN, policy, reducing its overall size and specifying single-ASN issuance as the default action. The Draft Policy deals with the issuance and manually vetted request documentation requirements, which have no significant registry impact as a result of implementation.
So the problem statement: The current requirements for getting an ASN have resulted in confusion particularly for new entrants, who have their hands more than full with the mechanics of getting BGP up and running. The availability of 32-bit ASNs provides an opportunity for the removal of unnecessary constraints and processes for the allocation of ASNs.
ARIN does not provide guidance to the use of RFC1918 space if possible. And likewise ARIN should not require the use of private ASNs in preference to public ASNs.
So ARIN wouldn’t tell an organization: ‘Have you tried to use 192168?’ So ARIN probably shouldn’t tell an organization to use private ASN as well.
Further technical rationale: Four-octet ASNs were defined in May 2007 in RFC 4893. It has taken several years for routing equipment in general use to catch up, but today 32-bit ASNs are generally accepted and it is rare that an organization which has been issued a 32-bit ASN comes back to ARIN and says they need a 16-bit ASN instead.
So the austerity measure of requiring extensive documentation to get an ASN is left over from the days of 16 bit. It is no longer appropriate and we should align our conservation requirements with those found in other 32-bit spaces, total space being 4 billion.
So consider a /32 of IPv6 space is the default allocation that would be assigned to any ISP that requests it. Temporary assignment of a /32 of IPv4 space can be acquired on most residential ISPs by issuing a DHCP request.
So we propose making issuance of the first 32-bit ASN from any Org ID, or each site for organizations that have number resources under Multiple Discrete Networks policy, be pro forma upon request. If an Org’s technical people think they need a public ASN, they probably do.
So the policy statement: Replace the entirety of Section 5, which currently reads: ‘There are a limited number of available Autonomous System numbers; therefore, it is important to determine which sites require unique ASNs and which do not. If a unique ASN is not required for a given network design, one or more of the ASNs reserved for private use should be utilized.’ Those numbers are as stated there.
‘In order to be assigned an ASN, each requesting organization must provide ARIN with verification that it requires a unique routing policy, such as a plan: To originate announcement of IP numbers via an accepted protocol, such as BGP, from an ASN different than its upstream provider; to multihome a site with one or more Autonomous Systems; or to use an ASN to interconnect with other Autonomous Systems. ASNs are issued based on current need as set out in Section 5.’
So the policy statement, we replaced that with the following: ‘Any organization may be issued a single ASN upon request. Organizations that have space issued under a Multiple Discrete Networks policy may be issued one ASN per discrete network upon request.
‘Additional ASN requests should include proof of the requester’s need for the unique routing policy or other technical justification for the need for more than one ASN.’
So in regards to this, there has been no community feedback on the PPML or any other feedback of which the shepherds are aware since the current version of the policy was posted.
So staff understanding. ARIN-2022-2 would rewrite ARIN’s Autonomous System Number policy, reducing its overall size and specifying single-ASN issuance as the default action. The text is clear and understandable.
Implemented as written, yes. No impact on registry operations. The Draft Policy deals with issuance and manually vetted request documentation requirements, which have no significant registry impact as a result of the implementation.
No material legal issue. Implementation timeframe estimate, three months. Implementation requirements: staff training, updates to public documentation, updates to internal procedures and guidelines.
And that’s it. Any questions? Questions or comments?
Hollis Kara: All right. Bill, did you want to come up? And then the microphones are open. I mean maybe you could save yourself a trip. I’m not quite sure. Folks, come on, let’s approach the microphones, and if you virtual attendees would like to submit any questions or comments on this policy proposal, please start typing in Q&A.
Bill Sandiford: All right, microphones are open here in the room and remote participation is encouraged.
Doug Camin: Doug Camin, CCSI. Just a comment, I think that this makes a lot of sense as a change in the modernization. Thank you.
Bill Sandiford: Thank you. This side.
Scott Johnson: Scott Johnson, solarnetone.org, AS 32639. I’m in favor of the policy, but I think perhaps we should pay some consideration to topics addressed earlier, such as if we wish to prevent number flipping and similar types of activities, does this not lower the bar for someone to acquire an ASN and then acquire 4.10 space or other various and assorted space through different means?
I understand 4.10 can’t be transferred, but what effect would this have on that function of the governance of this?
Bill Sandiford: I see John Sweeting with his hand up.
John Sweeting: John Sweeting, ARIN. So Scott, so this is only lowers the bar for the initial AS number someone is requesting. 4.10 space, they can’t get 4.10 space with just a AS number. They have to get v6 along with that. And they need to be routing that v6 and have the purpose of routing it so they can use the 4.10 space to help with that deployment of the v6.
So there’s other safeguards in place. And if they wanted more than one AS number, they have to provide all the reasons why they want that. So there is a lot of vetting still done.
This is new people, they want to build a network, they want to build it with BGP in it; they need an AS number to do that.
Bill Sandiford: Thank you. Anyone remote?
Hollis Kara: We do have a question remote.
Bill Sandiford: All right. Go ahead.
Beverly Hicks: From Alan at Citizen Support: Per this change, are you saying that a company would have one ASN per IP allocation?
Bill Sandiford: I see John approaching the microphone, but I believe the answer is no.
John Sweeting: John Sweeting, ARIN. That’s no. They can get their first AS number saying they’re going to build a network and they need an AS number to build that network, and then if they wanted any other AS numbers, there would have to be a specific purpose for having that additional AS number.
Bill Sandiford: All right. Last call in the room and online. Please approach the microphones now or get your questions in online, or your comments.
Scott Johnson: Scott Johnson, solarnetone. Based on Mr. Sweeting’s comments, I support policy as written.
Bill Sandiford: Thank you, Scott.
All right. We’ll close it off there. Recommended Draft Policy…
Hollis Kara: Oh, Bill, sorry, I just —- one last minute.
Bill Sandiford: All right, let’s take them.
Hollis Kara: It’s easy. Go ahead, Bev.
Beverly Hicks: It’s an easy one. Joe Provo, Google: Support as written.
Bill Sandiford: Thanks, Joe.
All right. We will now ask our counters to get ready. And we will ask the question of those in the room and remote, those in favor of this Recommended Draft Policy, please raise your hand or indicate online now.
And Michael, I’m just gonna ask you to verbally say when you’re done because I can’t see you. For those of you out there, you can’t tell when you’re down at the floor level and you look at the lights at the back of the room, they don’t look that bright. But when you come up this extra two feet on the stage, we can’t see the back of the room.
Michael Abejuela: All good.
Bill Sandiford: All good? Okay. And those who are against, please indicate now.
Michael Abejuela: All good, Bill.
Bill Sandiford: All right, thank you. We’ll wait for the tabulation.
Michael Abejuela: Michael Abejuela, ARIN General Counsel. Recommended Draft Policy ARIN-2022-2: Remove Barrier to BGP Uptake in ASN Policy. We had 92 participants in the room, 52 remote. We have 51 for and 3 against.
Bill Sandiford: All right. Thank you very much for your feedback. This information will be handed to the Advisory Council for their deliberations. Thank you.
Hollis Kara: Thank you, Bill. Thank you, Kendrick.
Moving right along. And next up, Matt Wilder, where are you? There you are. Hey Matt. Okay, Matt’s going to come up and he’s going to present on Recommended Draft Policy 2022-3: Remove Officer Attestation Requirement for 8.5.5.
Recommended Draft Policy ARIN-2022-3
Matthew Wilder: After all the warnings I heard about the lights, thought I’d put on some shades.
All right. Good to be in Florida.
Okay, here to talk about RDP ARIN-2022-3: Remove Officer Attestation Requirement for 8.5.5.
I’m Matthew Wilder, and my co-shepherd is Gerry George. And here we go.
The proposal was initially put forward by the Policy Experience Report Working Group back in June of last year. And this was to address one of those issues that we heard about from John as far as what customers are dealing with in their dealings with ARIN and kind of an unnecessary headache.
It reached Draft Policy status just a couple of weeks later, and it was presented at ARIN 50 and subsequently moved to Recommended Draft Policy status.
A little more on the history here. So in August 2021, ARIN initiated a Consultation 2021.04 on Retiring the Officer Attestation Requirement. At the time, here are some of the text that read in that consultation.
So, first: ‘…the Officer Attestation process is no longer necessary for achievement of its original goals and should be retired.’
‘In light of the administrative burden to customers and undefined benefit, ARIN proposes dropping the Officer Attestation requirement.’
So the problem statement is quite simple. Requiring an officer attestation requires unnecessary resources and increases the time to complete IPv4 transfers.
Okay. If you were to look at 8.5.5 today, here’s what you will see. Organizations may qualify for the transfer of a large initial block or an additional block by providing documentation to ARIN which details the use of at least 50 percent of the requested IPv4 block size within 24 months. An officer of the organization shall attest to the documentation provided to ARIN.
Okay. So it’s just that last sentence that we’re going to be dropping in this policy. So that’s the red lined version where we’re striking that final statement. Everything else would remain in 8.5.5.
So, again, the proposed text is that first bullet point. And all we’ve done is removed that final sentence.
Timetable for implementation is immediate. This is the only remaining mention outside of Section 9 which makes good use of officer attestation in that particular case. And due to the cost of IPv4 addresses at this time, it’s safe to say that someone in authority in the organization that’s acquiring space is well aware of the transaction. And there’s no value in having them attest to the documentation provided.
Here’s some of the feedback we received from PPML. There were quite a few individuals who were concerned about ARIN’s ability to prosecute fraud in the case of someone making up data and not really having that officer attestation. The concern was if you get rid of this officer attestation, will that impact ARIN’s ability to prosecute fraud?
And we do have a Staff and Legal Review which addresses this, but the key point there, I’ll point out here, is that there is no loss in ability for ARIN to pursue those cases.
Another concern that was raised is that you might lose organizational awareness, and, you know, by bringing officer — it makes them aware of what’s happening in the world of IP insofar as IPv4 and IPv6 space.
We feel, as shepherds, this falls outside of the scope of the PDP and the principles of the NRPM. And maybe this could fall within the domain of ARIN outreach. There’s a lot that ARIN does in terms of reaching out to the community and making them more aware of IPv4 scarcity, IPv6, and maybe that fits within that.
Other community feedback. So there were several comments on PPML in support of this removal because it does have low value. The officer attestation is not really creating any value for ARIN or its members. And on the contrary, there is a high cost in that bureaucracy, administrative kind of step getting that officer attestation. So, many supported that.
Also, direct conversations with organizations that are affected by this have voiced their support because it’s somewhat of a nightmare trying to get someone four, five, six layers above you to get their signature. It’s hard getting their attention.
All right. Staff and Legal Review was taken place the 15th of August 2022. So ARIN-2022-3 would remove the officer attestation requirement for organizations qualifying for initial transfers larger than a /24, ARIN’s present minimum for IPv4 transfer size, or additional transfers.
For reference, this requirement became part of NRPM Section 8 in February 2017 allocation policy. The requirement was removed from operational practice for IP addresses and ASN allocations requested via Consultation 2021.04, Retiring the Officer Attestation Requirement.
This policy text is clear and understandable.
Implementable as written? Yes.
Impact on ARIN Registry operations and services: Minor updates within ARIN Online need to be made to remove attestation language.
Legal review, and this is the key point: No material legal issues. Removal of the officer attestation would not materially impact ARIN’s ability to pursue cases of fraud.
Implementation timeframe, six months.
Implementation requirements: updates to ARIN Online, staff training, updates to public documentation, and updates to internal procedures and guidelines.
Now to you, the community, for questions and comments.
Hollis Kara: Getting ready to open the microphones. Please approach if you have questions in the room. And if you’re a virtual participant, now is a good time to start typing in Question & Answer.
We’ll give Bill a moment to join us. Welcome.
Bill Sandiford: All right, we’ll start with the front center microphone.
Lily Botsyoe: Lily Edinam Botsyoe from the University of Cincinnati and ARIN 51 Fellow. So I would have had an issue also thinking about the legalities how to pursue fraud, but against the background that you gave, I support the removal.
Louis DeVictoria: Louis DeVictoria, Perimiter81 and also a Fellow as well. I do have a curious question, may not be exactly relevant at this stage, but how come a Point of Contact was never considered as somebody to attest to certain parameters instead of an officer where there was really no leverage against? Just more of a question and a curiosity, if that was ever thought of.
Bill Sandiford: I think John’s gonnajump up, but I think the answer is legality and accountability.
John Curran: John Curran, ARIN. When a individual attests in a personal capacity, your recourse is against the individual. When an officer of an organization attests, your recourse is against the organization.
Louis DeVictoria: Even if that POC is somebody attached to the organization?
John Curran: Uh huh.
Louis DeVictoria: Doesn’t matter?
John Curran: Officer or an organ — most organizations, your association with your organization, except in some very rare cases, unless you’re an officer, your association doesn’t specifically indebt the organization.
We actually, in our Registration Services Agreement, say you’re acting on behalf of the organization. The enforceability of that is uneven. That’s probably the right way to say it.
Louis DeVictoria: Thank you for the answer.
Bill Sandiford: Great question.
Hollis Kara: Bill, we do have a question on remote.
Bill Sandiford: Let’s go to the remote.
Beverly Hicks: Robert Hoppenfeld, Up in Two, LLC. The benefit is not undefined. Ensuring accountability will decrease fraud and error. If the issue is important enough, then the requesting company can make it a priority. Just because the cost is high does not mean that someone is tracking what is actually happening, especially in a larger organization.
It is not about prosecuting fraud but preventing it from happening in the first place. Current economic environments can change, so binding policy to the current economic status is a bad idea.
Bill Sandiford: Thank you. Front center microphone.
Amy Potter: Hi, Amy Potter, AWS. We buy IPs, we buy a lot of them. We go through this process quite a lot. There’s definitely awareness all the way up the chain given how expensive these addresses are.
I think actually a larger organization, given the size of those transfers, there’s probably greater awareness there than perhaps the smaller Orgs.
I support as written. I think it doesn’t make sense to have just one section of 8 that has this requirement while the rest doesn’t. I think that it would make for a much more efficient process for everyone involved to remove it.
Bill Sandiford: Thank you. Front center microphone and his hat.
Louie Lee: Louie Lee, Google Fiber, Google, and Louie’s hat. It’s an invitation, come find me, talk to me.
I want to let you know that in the few times that we’ve transferred addresses in, very large addresses, our senior management does know about it already and they approved it due to the costs, as Amy mentioned. So I do support the policy as written.
Bill Sandiford: Great, thank you. Anything else online?
Hollis Kara: We do have one more from our virtual queue.
Bill Sandiford: Let’s go there.
Beverly Hicks: Alan Rowley, Citizen Support, LLC. Support as written. I have personally had issues with this line in the past and support the line removal. Note, a POC would also work as they are if they’re an admin or higher, as that Point of Contact permission declares they are authorized.
Bill Sandiford: Thank you. Front microphone.
Mike Burns: Mike Burns, IPTrading. I support the policy as written. We have had difficulties with transfer delays trying to get these signatures.
I just wanted to confirm that officer definition. My understanding is that it includes listed corporate officers and C-level executives. Is that the policy still?
Bill Sandiford: John?
John Sweeting: John Sweeting, ARIN. That’s part of it. It’s basically we ask them: Are you able and recognized by your company to enter into a legal contract?
Mike Burns: How do you ask them that?
John Sweeting: We ask them on the ticket.
Mike Burns: On the ticket?
John Sweeting: Yes. Most people aren’t going to lie about that.
Mike Burns: No, but the title doesn’t matter? Manager, general manager, purchasing manager?
John Sweeting: No, if they’re legally able to enter into an agreement on behalf of their company.
Mike Burns: They just have to answer yes to that. Thank you.
Bill Sandiford: Last call. In the room and remote. Give you a few more seconds.
All right, hearing and seeing none, we’ll move to Recommended Draft Policy. Those in favor please raise your hands now. Or indicate accordingly online. Thank you. Andthose against, please raise your hands or indicate online.
All right, we’ll wait for the tabulation.
Michael Abejuela: Michael Abejuela, ARIN General Counsel. Recommended Draft Policy ARIN-2022-3: Remove Officer Attestation Requirement for 8.5.5. 90 in the room, 51 remote. We have 55 for and 4 against.
Bill Sandiford: All right. Thank you. This information will be passed for the Advisory Council as feedback. Thanks.
Hollis Kara: Thank you, Bill and Matthew.
(Applause.) All right. And we’re moving on to our final policy of this block. Come on up, Alison. Alison Wood is coming on up to present on RDP 2022-4.
Recommended Draft Policy ARIN-2022-4
Alison Wood: I don’t know how I get so lucky to be the last one before lunch, too. I’m gonna try to be quick so that you guys have plenty of time to come to the microphone on this.
This is ARIN Policy 2022-4. This is a cleanup of Sections 2.1 and 2.2.
Thank you to my amazing co-chair, Amy Potter, on this one.
OK, all right, so this one came about from the NRPM Clean-up Working Group that you heard about this morning.
I have a couple of these policies. This is the first one. And so we’re focusing on consistency of the terminology in the NRPM.
All right. So this is pretty straightforward. So in Section 2.1, we want to change the text that is currently “IP address space” and define it as “Internet number resource.”
And in Section 2.2, we want to change the text that says “address space” and define it as “number resources.” All right. And so that just is inclusive of all the types of Internet number resources administered by the types of entities defined in those sections.
All right. So this is an easy one to implement. So we can do it immediately. The staff understands this. And it did not come to you just as a purely editorial change because it changes multiple definitions in nongrammatical ways. It’s a pretty cool way of saying that.
All right. So same thing I just said in legal review, that it was not purely editorial. So we have reviewed it and brought it forth to you as the community.
I only received one email on the PPML. That came back from someone that had previously worked on NRPM cleanup, and he felt that it was editorial.
All right. So I’d love your feedback, but I’d also like to know if you support this policy as written. Man, that was so fast. Thanks.
Hollis Kara: All right. Microphones are open. And don’t worry, you guys, you’re not getting out of here early.
Alison Wood: I tried, I tried so hard. That was record speed.
Hollis Kara: Appreciate it. If folks have questions, feel free to approach the mics, and virtual attendees, if you could start typing.
Bill Sandiford: All right. Microphones are open.
Alison Wood: You guys I was so fast so you’d have all this time. Thank you, Louie’s hat.
Bill Sandiford: Front microphone.
Louie Lee: Louie Lee, Louie’s hat, Google Fiber. I don’t believe it’s a editorial only because it expands the scope of what it’s referring to; specifically, not only IP addresses but ASN and anything else in the future that we might cover. Unless those sections are specifically understood to be IPs, then it makes sense. So I support.
However, I want to make sure that there is a definition written somewhere what number resources, just for anybody that’s searching for it, what does number resources mean. Just have it included in the glossary, too, so that it includes IPs and AS numbers, for now.
Alison Wood: Got it. Thank you.
Bill Sandiford: Front microphone.
Lee Howard: Lee Howard, IPv4.Global by Hilco Streambank. I have long thought that Section 2 was kind of a superfluous section of the policy manual anyway. But when I went and read closely, I noticed that 2.1 says: ‘An Internet Registry is an organization that’s responsible for distributing IP address space to its members’ and so on.
Internet Registries, LIRs, generally don’t assign ASNs, right? I think. So we’re actually potentially changing the definition of what an LIR is. It’s sort of by heredity in the manual.
Now, an RIR does several things. And the primary role of RIRs is to manage and distribute Internet address space. Okay, I have no beef with that.
I just think we want to take — I’d like the AC to take one more look at 2.1 and look at the inheritance of the Internet Registry, see whether that’s inconsistent.
Alison Wood: Okay, thank you.
Bill Sandiford: Anything online?
Hollis Kara: I don’t have anything in the virtual queue.
Lee Howard: Andrew just suggested to me that an LIR is above an IR — well, no, it says an — it doesn’t say RIR; it says ‘an Internet Registry.’ XIR. Star IR.
Unidentified Speaker: LIR.
Bill Sandiford: Andrew, come to a mic.
Lee Howard: Maybe the AC has just done this review for me. Thanks.
Andrew Dul: Andrew Dul, ARIN AC. Section 2.1 is Internet Registry, the top level. Next level is 2.2, Regional Internet Registry. And 2.4 is Local Internet Registry.
We are not modifying 2.4, Local Internet Registry. And that one does not include Autonomous Systems in it currently.
Lee Howard: Yes, having now reread 2.4, I agree with Andrew. He’s right, and so therefore my concern is withdrawn.
Alison Wood: All right, and Lee do you support it?.
Bill Sandiford: All right, anything online?
Hollis Kara: There are no questions in the virtual queue.
Bill Sandiford: All right, last call in the room and online. I see a hand waving, I think.
Beverly Hicks: Yes. Just as we said there were no questions: Alan Rowley, Citizen Support. Support if a definition of number resources is given possible as a direct link.
Bill Sandiford: Okay.
Alison Wood: Thank you.
Bill Sandiford: All right. We’ll get our counting team ready. Those in favor of Recommended Draft Policy 2022-4, please raise your hand or indicate accordingly online.
And those who are opposed. All right. Wait for the tabulation.
Michael Abejuela: Michael Abejuela, ARIN General Counsel. Recommended Draft Policy ARIN-2022-4: Clean-up of NRPM Sections 2.1 and 2.2. In the room 92, remote 49. We have 46 for and 3 against.
Bill Sandiford: All right. I thank everybody for your participation. The results will be passed to the AC for their consideration.
Hollis Kara: All right. Thank you, Bill and Alison.
That brings us to the end of our first policy block. However, sometimes when we have— our crystal ball doesn’t allow us to predict times as accurately as we would like upon occasion.
And so we’ll bring forward a staff presentation to fill a gap before a break. And I want to thank Amanda Gauldin, our Community Programs Manager, for stepping in and jumping ahead to give an update on ARIN programs.
Community Programs Update
Amanda Gauldin: Yay, so now I get to be the one keeping you from lunch. Like Hollis said, my name is Amanda Gauldin, and I’m the Community Programs Manager at ARIN. It is a pleasure to speak with you today about the programs and outreach that we do at ARIN.
And I’ll start with the Fellowship Program. You’ve heard a little bit about it so far. And hopefully it’s familiar to you. It’s not brand new. We’ve been doing this program since 2009, took a little pause in 2020, and then a little pivot the past two years to be a fully virtual program.
There’s an application process and a committee to determine who the selected applicants will be.
Then, upon selection, these Fellows join two 90-minute sessions to learn more about ARIN, the Policy Development Process, and more about Internet number resource policy and what’s going to be discussed during the upcoming ARIN meeting, like where we’re at right now.
Additionally, Fellows are paired in groups with an ARIN Advisory Council member mentor for smaller breakout-room discussions on a variety of topics.
So the past two years, like I said, the past four meetings, we’ve had a total of 41 Fellows. And I won’t read all the names, but a huge thank you to all those names up on the screen.
This program is a team effort with help along the way from so many ARIN staff and then so many of ARIN’s leadership as well participating.
We also did last year a Virtual Fellowship Program Summit to bring the Virtual Fellows together again for some additional educational content.
And, again, I won’t read every name here, but I did want to take a moment and share our program photo for each of these cohorts.
So here’s our ARIN 47 Virtual Fellows, and then our ARIN 48 Virtual Fellows, ARIN 49 Virtual Fellows, and then ARIN 50 Virtual Fellows.
And finally, drum roll, welcome to our first hybrid class of Fellows for ARIN 51. You’ve seen this picture already. Yes, thank you.
It’s so great to have them here in person with us. Nine of the 11 Fellows are able to be here in Tampa, and then the other two watching online. And these Fellows, again, participated in these two 90-minute sessions and had an assigned mentor in those breakout rooms.
And it’s so great to be in a scenario now where we can offer the benefits of both an enhanced virtual educational platform and the in-person meeting experience.
And so if you haven’t yet, please make sure and introduce yourself to these Fellows. They’re wearing ribbons, and they’re really excited to be here and get to know you guys as a member of the Internet community.
And I need to give a special shout out to our mentors here for this program.
You’ve heard from and seen Doug and Matthew up here on stage. And then Alicia wasn’t able to join us in person, but she’s here online as well. And they have a day job, they’re on the AC, and then they’re also participating in this program helping me, helping the Fellows.
They help give context on the complexities of these policies and answer questions the Fellows have throughout the program. So it’s great to have them along the way. So thank you, guys, again.
And switching gears a little bit now, I’m going to talk about the ARIN Community Grant Program. This program began in 2019. And ARIN provides financial grants in support of initiatives that improve the overall Internet industry and Internet user environment. And so far we have funded 18 projects.
So we’re very happy tomorrow to have the opportunity during the meeting to hear from our three 2022 grant program recipients, get an update on their project accomplishments so far.
And then in September they will have a final report that’s due, and that will be posted on our blog. So you can check back to get a summary of the entirety of their project.
And then on Monday, April 24, the 2023 grant program application site will open, and we welcome your project application that fits in one of the categories that’s noted here.
The application link will be emailed out on the ARIN-announce mailing list and available on the ARIN website as well. And there’s a lot more information on the ARIN website about the grant program and the application process. So you can definitely check that out.
And then lastly I’ll touch on ARIN outreach. We had a very busy 2022 with nearly 20 events that included a speaking presentation or an ARIN help desk or both. And so I thought it would be fun to put together a compilation of the logos here to represent most of the places we were at, from the Caribbean all the way up to Canada, including Hawaii, and then from California to Miami, we were there.
Some of the goals behind all of that participation includes building awareness of ARIN and our mission, being active participants in the Internet community, and providing education on the services we provide our customers.
And Hollis will touch on this a little bit more in her Communications update, but we streamlined and focused the presentation efforts for 2022 and now into 2023 with presentations at the ready for topics like network autonomy, IPv6, RPKI, and then general organizational updates given regularly at industry meetings across the globe.
And I mentioned the ARIN help desk really at most of the events that we go to. There’s also one set up here for ARIN 51. And, again, it’s a team effort to staff these as we go all across the country. But it’s a wonderful way again to connect directly with the ARIN customer and answer their specific questions about resources, security, their ARIN Online accounts or transfers.
And 2023 is off to a great start already with 10 events completed and many more to go.
So thank you for hearing my presentation. It’s great to be a part of this community. And if you have any questions or want to hear more about those programs, too, I’m happy to talk with you out in the hall. Thank you.
Hollis Kara: Thanks, Amanda. All right. Don’t run away. Don’t run away. Amanda, come back, come back.
Does anybody have any questions, comments, feedback for Amanda before she scurries off? I guess she wants to go to lunch. I know everybody’s ready.
Do we have anything? Virtual? Anyone in person? No? Well, I’d like to thank Amanda for all that she’s taken on —- oh, come on. Yeah, yeah, yeah. Get up here.
Lily Botsyoe: Lily Edinam Botsyoe, ARIN 51 Fellow. So the quick question is about the grant. You mentioned open soon. Where would we find it if the information were to be ready?
Amanda Gauldin: Yeah, so the ARIN Grant Program website right now is up to date with a ton of information. We lay out all of the application questions for you so can you see them in advance. And then all that’s going to change on the 24th is there will be a link to apply now.
Lily Botsyoe: Right, thank you.
Hollis Kara: Good question. One more coming.
Doug Camin: Doug Camin, CCSI and ARIN Advisory Council member. I just wanted to thank you, Amanda, and all your staff for all the hard work you’ve put into the Fellows program. Ithas been great as a first-year person here just getting into it, so I just wanted to give you that shoutout.
Amanda Gauldin: Thank you.
Hollis Kara: Awesome. Anyone else?
Moira Johnson: Hi, my name is Moira Johnson. I’m with SolarNetOne. I just wanted to say thank you for making a safe space for people to learn and grow.
Amanda Gauldin: Yeah, thank you.
Hollis Kara: All right. Thanks Amanda, I think we’re done.
Amanda Gauldin: Yep? Thank you.
Hollis Kara: Awesome. Just a couple quick housekeeping details as we break for lunch. All right. The lunch is going to be served where breakfast was on the Audubon Promenade. There’s a potential that it could be a little bit drizzly, so we’ve moved a few tables inside. Feel free to take advantage of those. There are table topics marked for our in-person attendees today. We’ll be running those table topics virtually tomorrow.
So if you see a topic that you’d like to talk about, there will be a sign on the table, feel free to take a seat, and there will be either staff member or a member of the Advisory Council there to talk about that topic over lunch.
And just as a reminder, the meeting room is not secured over break. So we do suggest that you take your personal items with you.
And with that, the meeting will resume at 1:30. For those of you who are joining us virtually, you can just leave your Zoom window open right through lunch, or you can cancel out and rejoin using the link in the email you received this morning.
And we will see you back at 1:30. Thank you, everyone.
(Lunch break from 11:56 AM to 1:30 PM.)
Hollis Kara: If everybody is ready, we can get started with the second policy block of the day. Everybody ready to rock and roll? More or less?
First up, I’ve got Gus Reese to talk about Recommended Draft Policy 20225: Cleanup of NRPM Section 2.11.
Policy Block II
Recommended Draft Policy ARIN-2022-5
Gus Reese: All right. Welcome back, everybody. First day here at the ARIN 51 meeting. I’m here to present the ARIN-2022-5: Cleanup of the NRPM Section 2.11.
Thank you for Alison. I was originally the coshepherd, but I’ve been promoted for the presentation.
This proposal came to us in June of 2022. It was adopted as a Draft Policy in July of 2022 and subsequently moved to a Revised and then a Recommended Draft Policy in March of this year.
This policy continues the work that the ARIN AC Number Resource Policy Manual Working Group undertook to conduct editorial reviews of the NRPM. It relates specifically to Section 2.11 on community networks. And the focus of the proposal is to ensure that the intended meaning of the text is clear.
And here’s the policy statement: Change the text “A community network is deployed, operated and governed by its users” to “A community network is one that is deployed, operated and governed by its users” in the first line.
And: Change the text “to the user community it services” from “to the community it services” in the second line.
The timetable for implementation is immediate. This intended to replace part of Prop-305. And the proposal was drafted in the course of editorial reviews of Section 2.11.
Some of the changes proposed may not be considered purely editorial in nature. So this proposal is not being presented as strictly editorial.
It went to Staff and Legal in February of this year. And the understanding is it makes minor clarifications to the NRPM Section 2.11 Community Network. And it just offers some grammatical clarity with no substantive impact on policy.
The intent with the second proposed edit appears to have been to insert “user” in front of “community.” And the staff made this adjustment.
The staff recommended that this be confirmed with the shepherds and it was: “to the user community it services” to “to the community it services” instead of — or, in addition, changing it to “to the user community it services” from “the user community it services.”
And remaining the text is clear and understandable.
Is it implementable as written? Yes. The impact on ARIN Registry services is none. Legal impact: No material legal issues here.
Implementation timeframe estimate is three months. And the implementation requirements: staff training, updates to documentation, and updates to internal procedures and guidelines there.
This is the full new text of the 2.11 Community Networks: “A community network is one that is deployed, operated and governed by its users, for the purpose of providing free or low-cost connectivity to the user community it services. Users of the network or other volunteers must play a primary role in the governance of the organization, whereas other functions may be handled by either paid staff or volunteers.”
The PPML feedback — the one response we got, thank you — it was in support of it and it felt that the change was editorial in nature there.
And that is it for 2.11.
Hollis Kara: All right. You guys know the drill. Microphones are open. If you have questions in the room, feel free to queue up. If you are participating virtually, please start typing.
Bill Sandiford: All right. Microphones open. In the room and online participation is welcomed.
As they say, if we feed them, they won’t say much?
Hollis Kara: I think everybody is absolutely thrilled with this proposal. That’s my takeaway.
Bill Sandiford: Last call, both in the room and remotely, for any comments. I think it was just the excellence of the presentation.
Gus Reese: Thank you.
Bill Sandiford: Seeing and hearing none, we’ll move to the show of support. So we’ll ask all those in favor of 2022-5 to raise their hands and indicate accordingly online.
And those who are opposed?
All right. Waiting for the tabulation.
Michael Abejuela: Mike Abejuela, ARIN General Counsel. Recommended Draft Policy ARIN-2022-5: Cleanup of NRPM Section 2.11. In the room, 80; remote, 44. We have 42 for and zero against.
Bill Sandiford: Thank you very much, everyone. The results will be passed to the Advisory Council as feedback. Thank you.
Hollis Kara: Thank You.Let’s see where we go. Next up, Chris Tacit, coming up to present ARIN-2022-8: Streamlining Section 11 Policy Language.
Recommended Draft Policy ARIN-2022-8
Chris Tacit: Hello again, everybody. So this is a more substantial revision to a section of the NRPM, and basically the intent here is to clarify it as much as possible and reduce unnecessary wording.
I’m told by my co-shepherd, Andrew, that we managed to reduce the wording by about 40 percent.
I’d like to thank him, by the way, for all his help and collaboration with this also.
We wanted to make sure that the policy is clear and to be usable in the manner that it was intended. It’s a policy that tends to have limited use, not by the whole community but more by people engaged in academic and experimental activities.
We were actually grateful to get some good input from people in the academic sector, which was very helpful.
It’s very hard to digest, make this digestible, in a few slides because there was a wholesale change to the whole section.
I’m not going to try and read it all here. I’m hoping that all of you who are interested in this policy have done your homework and have actually read this.
In order to assist with the digestion of this proposal, a PDF markup was posted that shows the changes made to this. You’ll see though, that it is significantly streamlined.
If you look at the new section, 11.1, it’s considerably streamlined compared to the old one. And it also eliminated the need for what used to be 11.2 and 11.3.
11.4, also a little bit clearer, especially as to the timing of the duration of the allocations. Wanted to make sure that it’s clear that when the resources are no longer needed for the activity, that they would be returned, or at the latest, at the end of the one year period for when the allocation normally takes place.
Typically the allocations are single allocations, but there can be multiple number resources allocated to conduct an activity that qualifies. That’s the intent.
There were some general guidelines. We didn’t really tinker too much, I don’t think, with this, because these were just some general requirements that we wanted to preserve, although we tweaked the language a little bit.
There’s an overall prohibition on commercial use that can allow for immediate claw back by ARIN if that is discovered.
As you can see, as a result of the streamlining, we’ve managed to eliminate a number of sections within the broader Section 11.
Community feedback. We had quite a bit at the outset, and there were various suggestions for clarifications that we think we did incorporate.
We may not have incorporated all of them exactly using the words that individuals proposed because we had to come up with something that we thought would capture the ideas but accommodate multiple points of view and the need for overall clarity and cohesiveness.
Then there was a dialogue, and here I think is where some of the academic people jumped in, thankfully, with regards to how the policy is being used or should be used and so on.
After the most recent set of changes, on March 15th, there was no more feedback on PPML or to us as shepherds, I don’t think, individually either.
The staff review. Initially we went through two or three stages of this, and really staff’s comments were fairly minor. They recommended just some slight wording changes, all of which we’ve adopted. So I’m not going to dwell on those.
No legal concerns, and it’s implementable with some minor staff support required to do that.
That is the presentation. And I’ll be happy to take questions once the chair comes up to guide us through that process.
Hollis Kara: Here we go again, folks. The microphones are open. That includes the virtual ones.
Bill Sandiford: Microphones are open.
I don’t see anyone in the room. Anything remote?
Hollis Kara: Not so far.
Bill Sandiford: Last call in the room and remote. Hearing and seeing none, we’ll call all those in favor of RDP ARIN-2022-8, please raise your hand, those in favor.
And those opposed.
Wait for the tabulation.
Michael Abejuela: Michael Abejuela, ARIN General Counsel. Recommended Draft Policy ARIN-2022-8: Streamlining Section 11 Policy Language. We have 83 in the room, 47 remote. We have 43 for, zero against.
Bill Sandiford: Thank you very much, everyone, for your feedback. It will be passed along to the AC for their consideration. Thank you.
Hollis Kara: Thank you. And next up we have Alison Wood back again, this time to talk about Recommended Draft Policy 2022-11: Cleanup of NRPM Introduction of Section 2.17.
Recommended Draft Policy ARIN-2022-11
Alison Wood: Last time for me, you guys. So this policy, I just want to say before we get started, all policies that come to us have to be fair and impartial, technically sound and have community support.
This policy has had a lot of activity on the PPML lately, so my goal here is to find out whether you support this policy as written.
Thank you to my cochair, Chris Woodfield, on this one.
This is a cleanup of NRPM Section 2.17. And pretty specific. So we use the term “Internet number resources” throughout the NRPM, and it’s not really defined anywhere.
Here’s the policy statement. So this is another one that we can implement immediately based on, kind of, how our ARIN Advisory Council meeting goes here in a couple of days.
I just want you guys to read what the definition will be, so: “Internet number resources are unique identifiers within the Internet Numbers Registry System [as described in RFC 7020] and this includes ranges of contiguous IP addresses and ASNs.”
That’s our definition of Internet number resources. And that’s the whole gist of this policy proposal, is this definition right here. Okay.
Easy enough to implement. No huge issues here. However, there was a ton of feedback on PPML. It seems the community was quite concerned about this definition. So, that’s why it’s important that I know from you if you support this as written.
Some people thought it was just purely editorial, no big deal. Others were a little concerned about the technical wording of this. Others suggested we go back and revisit everything in Section 2. A potential rewrite.
That was really quick and easy. But remember we need it to be technically sound, fair and impartial, and I need to know, as a community, if you support the definition that we have for Internet number resources.
Bill Sandiford: Thanks, Alison.
Alison Wood: Look at you guys. Everybody got it out on the Mailing List?
Bill Sandiford: Microphones are open, online and remote. We welcome your comments. Front microphone.
Chris Tacit: Thank you. Chris Tacit, Tacit Law. I’m also on the AC, but I’m speaking purely in my private capacity.
I think that one of the objectives of trying to simplify things in the NRPM is to preserve the ideas and to introduce clarity.
Sometimes, because it is a technical manual, we will have to use technical references in definitions. I think that’s necessary and, in fact, it’s a good thing because, to the extent that those technical concepts and terms are already understood within the technical community, then I think it’s useful not to try and paraphrase things in a way that may introduce ambiguity.
And I think this drafting is elegant, it’s succinct, and it uses technical wording where necessary, but not more than that. So I’m in full support of the policy. Thank you.
Alison Wood: Thanks, Chris.
Bill Sandiford: Center microphone again.
Matthew Wilder: Matthew Wilder, ARIN AC, Telus. Which affiliation to use here? I guess as part of the NRPM Working Group, we brought this proposal forward initially. The text has changed since we wrote it initially.
Alison Wood: Very much.
Matthew Wilder: But I support as written. I think it adds clarity. I think it’s useful.
Alison Wood: Thank you.
Bill Sandiford: Any comments online?
Hollis Kara: Yes, we do.
Bill Sandiford: Let’s take that one.
Beverly Hicks: Joe Provo, Google, speaking for myself, support as written.
Bill Sandiford: Thank you, Joe.
Lee Howard: Lee Howard, IPv4.Global by Hilco Streambank. The text that we’re discussing today is the text that was in the slide, or is it the current version that’s online?
Alison Wood: 2.17 and… Hang on Lee. Did I go by it already?
(Alison Wood reviews slides.)
Hollis Kara: You all just got a sneak preview of the next presentation. It’s all good, Alison. Take your time. We’ve got time.
Lee Howard: Maybe I was confused when looking at it because there was the version you also showed the staff suggested version, right?
Alison Wood: I did which is what we’re going with. It’s the Staff and Legal suggestion is what we’re moving forward with for the verbiage on it.
Lee Howard: For those online who couldn’t hear Alison because she was talking, do you want to say it again?
Alison Wood: Oh, thank you, yeah. So the verbiage that we have from the Staff and Legal slide is the one we are moving forward with.
Lee Howard: Thank you.
Alison Wood: Thanks, Lee.
Hollis Kara: We do have one more question coming in from the virtual queue.
Bill Sandiford: Let’s go with that one.
Beverly Hicks: Alan Rowley, Citizen Support. Support as written.
Bill Sandiford: Thank you very much. Front microphone.
Dustin Moses: Dustin Moses, ARIN 51 Fellow. I’m from Intermax. I feel this adds a lot of clarity to the number resources that previously hasn’t been defined. It’s been stricken in a couple other places, including Section 11. And it’s now defined under the technical definitions. So, I feel it’s in the right place, and I support as written.
Alison Wood: Thank you.
Andrew Dul: Andrew Dul, ARIN AC. I’m now confused as to which text we’re using. So the slide that you showed previously did not have any parentheticals included.
And I’m looking at what’s posted on the ARIN website, “Current Text (21 March 2023).” And at the top there is a motion that was made and some text underneath that, and then below there’s also a policy statement that is different than what appears to be the text above.
Alison Wood: Okay. Andrew, I will review what’s on the website, but can you forward to the legal? The definition that we discussed in the previous ARIN meeting was the legal definition that came from the Staff and Legal Review.
Andrew Dul: Which text are we considering adopting?
Alison Wood: Which definition?
Andrew Dul: Which definition are we considering adopting? Because it was different than the slide you just showed. If I understand correctly now.
Alison Wood: Wonderful. This is the text we got back from Staff and Legal that we discussed in our previous ARIN meeting, and this is the text we’re moving forward with. And I’ll check the website and see why it wasn’t updated.
Andrew Dul: Your slide was then incorrect as well.
Alison Wood: I’m sorry. There’s two screens in front of us that are different.
Andrew Dul: Okay. I see that one. There’s this text, and you also had a slide that had “Policy Statement” and “2.17” on it that has different text.
Alison Wood: So it is this text. This is the one we’re moving forward with. I’ll check the slides. This one has been through some — several, actually, several definitions that have been changed over the course of this policy. But this is the one that we’re moving forward with.
Andrew Dul: Okay. So now I want to know why the text was not updated on the website.
Alison Wood: I don’t know. I’ll find out, though. Thanks, Andrew.
Bill Sandiford: Any other questions? Any other comments? Online, remote, microphones closing shortly. Anything online?
Louis DeVictoria: Louis DeVictoria, Perimeter 81 and a Fellow. Is this just to support the previous revisions to 2.1 and 2.2 earlier today to those definitions to have an explicit definition of sorts?
Alison Wood: This is separate from that. We had a working group that did review and found that this definition and a few others were missing, and so this is separate from what we did discuss this morning.
Louis DeVictoria: Thank you.
Bill Sandiford: Hearing and seeing no others, we will call the question as to ARIN-2022-11. All those in favor, please indicate now by raising your hand or appropriately online.
And those opposed.
We’ll wait for the tabulation.
Michael Abejuela: Michael Abejuela, ARIN general counsel. Recommended Draft Policy ARIN-2022-11: Cleanup of NRPM, Introduction of Section 2.17. We had 85 in the room, 48 remote. We have 45 for and zero against.
Bill Sandiford: Thank you, everybody. This information will be passed to the AC for their consideration. Thank you.
Hollis Kara: Thank you, Bill and Alison.
We’re on to our last policy for the day. Gotta catch back up to where we are in the world. There we go. There we go!
Doug Camin will come up and talk about ARIN-2022-12: Direct Assignment Language Update. And this one is our only nonrecommended policy. So it could be, but it’s not yet.
Draft Policy ARIN-2022-12
Doug Camin: Hi, everybody. I’m Doug Camin, co-shepherd with Leif Sawyer on ARIN Draft Policy 2022-12, which focuses on updating “direct assignment” language.
Just a little history here. This policy was first received as a proposal from the Policy Experience work group to the Advisory Council last year at ARIN 50. The problem statement itself was presented for community input. And today I’ll share the most recent draft language suggestions.
This proposal attempts to address this problem statement. In essence, ARIN no longer makes direct assignments, and the language in the NRPM should be updated to reflect that.
Making this change touched a lot of areas in NRPM, so we’re going to show them in two different ways today. While there’s a lot of moving parts, they’re generally small changes in any one location.
To summarize those changes, they fall into three broad categories: first, ensuring organizations covered do not change as a result of the updated descriptions; second, reorganizing Section 4.2.2 for clarity; third, changing references to “direct assignment” and “direct allocation” with a suitable description while not trying to create a new term of art or change the meaning of who the language applies to.
The first part here, we’re just going to show these as like “from,” “to,” and “results.” And I’ll pause on each one to give everybody a few seconds to kind of absorb what’s there.
Section 3.6.3 changes. This is a removal of “direct assignment” and “direct allocation” language and replacing it with the term “allocation or AS number registered with ARIN” to ensure that the organization covered remains the same.
Next, Section 4.2.2 changes. This change reorganizes this section for the purposes of clarity by adding subheadings as appropriate.
This one here is over two slides. This one here is the before, and then this is the after with the subheadings.
Next, Section 4.3.2 changes. This is the first of several places where “direct allocations” or “direct assignments” changes. Removing “direct assignments” alone, it changes the meaning of the text.
So, the draft — the draft language we’ve included language referring to “IPv4 allocations registered with ARIN” to ensure that the same organizations remain covered.
This here is Section 6.5.8 on the left. This section title would change from “Direct Assignment” to “End-user Allocations.”
And then on the right, Section 8.5.4, again removing “direct assignment” language and “direct assignment” and “allocation” for the term “IPv4 allocations registered with ARIN” to ensure that the same organizations are covered.
Next, Section 8.5.6. Similar to the prior slide, this one updates “direct assignment” with the term “IPv4 allocations registered with ARIN” to ensure that the same organizations are covered.
And then now going to do the same changes again but do them as a redline format. I’ll pause on each one. I don’t need to give the second description. I’ll pause on each one for a few seconds to take in the red lines.
So this is Section 3.6.3.
Next is 4.2.2. This one is actually over a couple of slides. 4.2.2, part 2. 4.2.2, part 3.
And then 4.3.2.
6.5.8, this is the heading change.
Section 8.5.4, 8.5.6.
That’s all of them. And I’m open for questions or comments.
Hollis Kara: With that, microphones are open. Wait for Bill to get up here to do his thing.
Bill Sandiford: We’ll start with the front left.
Louis DeVictoria: Louis DeVictoria, Perimeter 81. I might be very particular here, but it’s fun. 3.6.3, maybe in light of some of the recent discussions we just had, maybe that would be changed to “Internet number resources” instead of the “direct assignment or ASN.” Maybe a little more cohesive, just a thought.
Bill Sandiford: Thank you. I thought we might get through the whole day without hearing it but let’s have it.
Kevin Blumberg: Kevin Blumberg, The Wire. For those in the room, you can have your drink now. Yes, it’s a long-running inside joke.
So I said I wasn’t going to come up here unless there was actually something that had an impact to day-to-day operations. And there is two parts to this.
The first part is you used the word “with,” “registered with ARIN.” Well, technically, if you’ve been SWIPed some space that’s registered with ARIN and is now a radical change if you want to go back to the text and look.
I think that is the key to this cleanup — is it should not be harmful. And a simple change with a simple word like “with” is now potentially, depending on staff’s interpretation of it, a radical departure from the way it was.
So I would urge you to be very, very careful with a cleanup to not introduce new issues, is the first part.
Second part. This is a meta issue, as in, for years, and go back to institutional knowledge for the people, this is their first meeting — where we have been told “Thou shall not affect the billing structure and the billing structure, thou shall not affect the policy.” They are separate beasts.
Well, now we’re going and we’re completely changing our policy because of the billing structure, where I would be very cautious because what happens in two years when the Board or the organization decides to change the billing structure again.
I don’t know how to solve that problem. I think this was a much needed thing, don’t get me wrong, but I don’t know if the impact to the way we’ve worked where there was this separation is really being taken into account.
If the organization wants to say we will not be reimplementing this particular for the next five years, ten years, or whatever, then great, we can go make these policy changes.
But if they plan to reintroduce it or they have no plan and they could reintroduce it, then why are we making these changes? There’s no point to it now, but then removing it has no point either. So something to consider.
Bill Sandiford: Okay. Thank you. Anything online?
Hollis Kara: Nothing so far.
Bill Sandiford: All right. Front center microphone.
Chris Tacit: Thank you. Chris Tacit, Tacit Law, speaking on my own behalf again. I agree with Kevin’s first point fully.
On the second point, I think the Board is going to ultimately review this policy. So if the Board finds it to be nonharmonious with its forward-looking intent on governing the organization, I will provide the appropriate feedback at that time.
But I don’t think we should not provide the policy to the Board because it is a good simplification and any further changes may not necessarily require, even if the fee structure differs for categories of delegations, it may not necessarily require a change in policy. Thank you.
Bill Sandiford: Great. Thank you. Center microphone again.
Andrew Dul: Andrew Dul, ARIN AC, 8 Continents Networks. I support this work as we’re doing it. I think we’ve made some good progress here. And it’s time to have the staff weigh in on the text proposed and then pivot and adjust as necessary.
Bill Sandiford: Right side?
Kevin Blumberg: An update to that, a little bit more nuanced. Maybe the issue is we’re being too technical and we have an opportunity to fix that. So instead of using terms like “allocations” and “assignments” that we know may change, there could be a new technical term five years, ten years from now.
Use the word “issued,” get rid of the technical jargon from it, because that is then more generic and could apply to an assignment or allocation down the road.
Maybe a fresh look at this, because this is a large change, a fresh look. Again, not introducing new issues, but maybe taking some of these technical hurdles that you have there so that there’s less of a reliance between the billings and the fee structure, the services structure and the policy. Thank you.
Bill Sandiford: Thanks, Kevin.
Just a quick check, anything online?
Hollis Kara: So far none.
Bill Sandiford: Center microphone.
Louie Lee: Louie Lee, Google Fiber. I suspected the “registered with” language came from covering addresses that were transferred into ARIN also, not just issued by ARIN.
So perhaps “issued or transferred” might be the words you need. I’m not interested in further wordsmithing here, but just something to think about.
Bill Sandiford: Thanks, Louie.
Last call for microphones in the room and online.
All right. Hearing and seeing none, thank you, everyone, for your feedback. The AC will take it under consideration. Thank you.
Hollis Kara: Thank you. All right. That brings us to the end of our second policy block. We’re going to move ahead into other presentations. Lots of interesting information coming up. So please continue to pay attention.
All right. And he’s already up here. I gave you time to walk. We’ve got Einar Bohlin. He’s our vice president of Government Affairs, and he’s going to talk about what the Government Affairs team has been doing. Take it away, Einar.
Government Affairs Update
Einar Bohlin: Thank you, Hollis. Hollis said this was going to be interesting information. And I hope to not let you down.
My name is Einar Bohlin. I’m the VP of Government Affairs at ARIN. This is a lot less intimidating than I thought it would be. Because it’s true, I can’t see you.
So this is the report of the department. These are my slides. That’s me. Here’s the agenda. We’ll take a look at the composition of the department, our areas of focus. We’ll look at what we did and where we engaged last year, and we’ll take a look at what we’ve seen this year and what’s coming up in 2023.
So I told you who I was. Also in the department is Nate Davis, Senior Government Affairs Analyst; Leslie Nobile, Senior Director, Trust and Public Safety; and Bevil Wooding, Director of Caribbean Affairs.
We’re all here. We’re sitting today back there, last row in this column here. So, please, anytime, come back. Talk to us. Seek us out if you want more information about what we’ve presented here at this meeting.
I’m presenting now. Bevil is scheduled after me. Leslie is up tomorrow. And if we have time, we might hear a talk from Nate as well.
These are our areas of focus. This text is from the strategic direction that the Board approved earlier this year. It’s very similar to the text on the screen here as to what we had last year. But this is really important. This is what the strategic direction for the department is.
The document’s a little bit bigger than this, of course, because it covers the entire ARIN organization. But these portions really speak to what we do in Internet governance. We protect the multistakeholder approach to the Internet technical coordination and Internet number registry system by seeking to improve accuracy and trust in the system and by engaging with governments to inform them of your community perspectives.
And we also do outreach and support to our members in the Caribbean to strengthen resiliency of the Internet infrastructure there, to have good government relations and engagement in all those parts of the service region, and to have our services well known in that region.
My talk today is high level for the department, focuses on the second bullet in the first page —- or the first column.
Like I said, Leslie will speak more to improving accuracy and trust, and Bevil will talk about the Caribbean in his talk.
So 2022. A year ago, we were in Nashville, and I presented on Monday or Tuesday. And because of the war in the Ukraine, I commented that this thing called the — it was then known as the Alliance for the Future of the Internet, seemed to be on hold because of the war.
But actually, they were working hard on it, and they released the document on the Friday after the ARIN meeting. And this document is something I’ll go into in a bit more detail on another slide.
The second item here is the FCC request for information on secure routing. ARIN contributed, I think, three times, in the initial contribution and two follow-ups to this. Basically the FCC wants to know what the state of secure routing is, or routing in general, is it secure, is it insecure? And it really spoke to ARIN’s activities around RPKI. So that was the focus of our contributions. The designation in parentheses is an FCC designation for the request for information that you can use to search online for all the contributions to this item.
On the ARIN website, we actually have a designated place for contributions to governments and SDOs in the Internet Governance pages.
The third line here is the Cyber Incident Reporting for Critical Infrastructure Act. You might hear somebody say CIRCIA, that seems to be being used. This was passed as law last year in 2022. It’s in the rulemaking stage right now. There’s an organization called the Cybersecurity and Infrastructure Security Agency, and they’re tasked with implementing this law. It stems from the ransomware attacks that happened in 2020 and 2021. And the Biden administration said we’ve got to do something about this. Congress took it up and actually passed a law. President Biden signed it.
And right now, CISA is figuring out how to make this work. And that’s called the rulemaking. They were given 18 months to come up with the rules on how to do this. And so for the timing, we’ll look to see a draft of CISA’s implementation this summer. There will be a comment period, and then CISA will produce final rules for how this will be implemented.
For Canada, in ‘22, last year we looked at online harms, and we also looked at cyber reporting. There was a bill, and I think it was just picked up and worked on, perhaps, last week in the House in Canada.
Fortunately, for us, we have several experts on legislation and government activities in Canada. One of them is Lynne Hamilton. She’s here today somewhere — thank you — hiding in the corner. If we have any questions specifically about Canada, Lynne is a fabulous resource.
Turning to the ITU. Last year there were several conferences, but the biggest one, at the end of the year, was the Plenipotentiary meeting, which was a treaty conference.
One of the things that happens there is they look to get rid of old resolutions, amend current ones and create new ones. And the new ones are really the focus. And there were more than two, but the ones that I wanted to make you aware of were a resolution on AI and a resolution on telecom/ICTs in mitigating pandemics.
So these end up being the strategic direction for the ITU, for the Secretariat, for the members, for the work that’s done at the ITU. We’ll have to see —- AI was very contentious —- and we’ll have to see what comes from that.
We already know that there are many ongoing work items on AI. There’s AI for health, AI for network management, AI for natural disaster management and mitigation, AI for many different things. But with this resolution, at the highest level of the ITU, the scope of AI discussions and study and standards development is bound to increase.
The other thing to point out that happened in the Plenipotentiary meeting were the elections. I have a slide on that. I also have a slide coming up on an item from 2018 to illustrate what happens when a Plenipot meeting creates a new resolution, what kinds of things can you see from that.
So back to the Declaration. As I mentioned, this was originally called the Alliance for the Future of the Internet. But the participating member states thought “Alliance” was too strong. They changed it to “Declaration.” They announced it that week on Friday, after the ARIN meeting.
And what really strikes me here is how much this two and a half page document highlighted the multistakeholder Internet governance process.
The overarching principle of the Declaration was to codify a set of principles about the Internet that democratic countries can rally behind: open, free, global, interoperable, reliable, secure, and to ensure principles of human rights and fundamental freedoms.
As you can imagine, not every country in the world has signed on to this declaration. In fact, 61 of 193 UN members have signed on to this.
Another thing that jumped out at me was this language about the multistakeholder system of Internet governance, specifically managing technical protocols and other related standards and protocols. And that just spoke to me. That, to me, felt like IETF, IANA and the RIRs.
And so with the timing of this document, last year, leading up to Plenipot, it was a real rallying document for the next slide, which was the elections.
So last year, and for two years leading up to the elections, there were two candidates for Secretary General, Ms. Doreen Bogdan-Martin, the ultimate winner; from the USA; and a gentleman from Russia named Rashid Ismailov.
The first year of campaigning, 2021, I wouldn’t have guessed who would have won. It was a pretty close race. Unfortunately, for the Russian gentleman, the war in Ukraine dashed his hopes. It obliterated it. That election was 139 in favor for Ms. Doreen Bogdan Martin and 25 for the gentleman from Russia.
But he still got 25 votes. He got Russia, Belorussia, North Korea. I’m just guessing, because the voting is anonymous, but he did get 25 votes, which is natural because the UN isn’t some unanimous organization, of course. But the Russians got so clobbered, they didn’t get any people elected at the Plenipot meeting.
The Deputy SecGen is also from Europe, in a bit of an upset, and the board of directors are from Uruguay, Japan and Zimbabwe. And even the gentleman from Japan was a bit of an upset. It was really a sweep by the Secretary General’s platform, which is connect the unconnected, versus the Russian’s platform, which was give the ITU more control of the Internet.
All right. Going back to 2018. This was the most contentious resolution at that meeting. Plenipot 2018, it was OTT. It was so contentious, they allowed OTT to be expanded to Over the Top, but the meeting refused to define what OTT was.
They wanted that to be part of the future study: We need to figure out what OTT is, what it means to us, how we can make use of it. All those different kinds of things.
And so from 2018 to today, there are two study groups that I want to point out that are working on OTT. The first one is ITU-T Study Group 3. This is a T sector group that’s focus is regulatory and policy activities of telecommunications.
And in one of their documents, they’ve defined OTT. This doesn’t mean it’s a definition for the entire ITU. The way the ITU works is that you have to get broader support for such a thing. But this is a definition for this, in this particular piece of work.
And OTT is “An application accessed and delivered over the public Internet that may be a direct technical/functional substitute for traditional international telecommunication services.”
The genesis for this is Voice over IP. That’s the first OTT that the ITU was looking at. And the purpose to study Voice over IP as an OTT is to figure out how to generate revenue. And so the ultimate goal for this study group and this OTT work is some sort of taxation, some way to make revenue from taxing OTTs.
And, of course, with this definition, I said the genesis was Voice over IP, but this could be huge. This could cover so many different things that we as Internet people just think normally are at the higher part of the OSI model.
So something to keep an eye on. We, in the Government Affairs Department, we don’t actively go to Study Group 3 meetings, but we’re very interested in this and keeping an eye on it.
Study Group 2 at the ITU is naming, numbering, addressing, and identifiers. And we do actively engage in this group. Part of its mandate is IPv6, and IPv6 does occasionally pop up. But they’re looking at OTTs in a different way, and it’s pretty interesting.
It turns out, in the US, you get a mobile phone, you get a number, and that number starts to become your identity for — of course, for phone calls, but for Voice over IP calls, for digital financial services, for authentication purposes. And so your phone number is a really important thing to you as a person.
The US has pretty good telephone number portability laws. So if you change your provider, you can hopefully keep your phone number and keep your identity.
That’s not the case in many other parts of the world, which are mostly mobile and are getting competition. So people are switching mobile providers, and they’re losing part of their identity. And not only are they losing part of their identity, they’re giving it to the recipient of their phone number.
And this is a real issue for real people. And so this group is going to do — is doing case studies. Might issue some guidelines for telecom regulatory authorities on how to deal with these problems.
- The biggest thing so far for 2023 is that the Biden administration came out with the Cybersecurity Strategy, and a part of this 30-page document is Section 4.1, Secure the Technical Foundation of the Internet. And it calls out these specific things: BGP vulnerabilities — easy for me to say — unencrypted DNS requests, and the slow adoption of IPv6.
I understand that many government agencies are working to come up with ways to not only work, well, to work on the entire cybersecurity strategy but also to look at these individual items and look for solutions.
And so we have to be very careful to see what the US government comes out with regarding these things because, of course, BGP vulnerabilities looks like RPKI, and v6 is definitely in our swim lane.
The next item here was something that happened in February. The United Nations Educational, Scientific and Cultural Organization held a conference, UNESCO. Something I thought might designate a building as historical, put a plaque on; it’s got the word “scientific” in it.
They held a conference on “Internet for Trust” to generate guidance for regulators for how to regulate digital platforms. I think this is pretty interesting. It just shows the extent to which the Internet has permeated every part of every industry everywhere. And it’s only natural for organizations to want to get a piece of the regulatory pie. But, honestly, I did not have UNESCO on my radar at the beginning of this year.
The OECD, the Organisation for Economic Cooperation and Development, is based in Paris. This organization grew out of the Marshall Project program from World War II, to rebuild Europe after World War II. It’s chockfull of economists and analysts, and their job is to study — part of their job is to study how ITC/Telecoms affects economies and provide government regulators with advice.
A couple years ago they did two really decent documents, one on routing and one on how the DNS works. They’re, I think, about 40 pages apiece, and they’re very nice, concise, clear documents on how DNS and routing work.
They’re changing their focus to cybersecurity this year at the request of the governments that are OECD members. They’re looking at cybersecurity, not to make recommendations, but to see what governments have implemented and what those implementations are doing to their economies.
So then they’ll have that information. They’ll be able to present it, give it to the governments, other members of OECD, and those governments can look and choose and pick and figure out what works for their neighbor, what doesn’t seem to work, what are unintended consequences, that type of thing. They do pretty good work.
The UN continues to work on cyberwarfare and cybercrime treaties. Those are going to take years.
Something I forgot to put on here, which is in ‘23 but it’s kicking off right now, is a thing called the Global Digital Compact. So next year, the UN is going to host the Summit for the Future of the Internet.
This is — I heard laughter. Thank you. The Summit for the Future of the Internet is like that earlier thing I talked about, the Declaration for the Future of the Internet, but the UN’s going to try to get all 193 member states to agree on principles for the Internet for the future.
I haven’t attended any of these meetings so far. But I had a thought the other day, which was… A principle? Like, what could everyone agree on? And I thought maybe —- I’m not going to submit this, but we ought to think about letting the Internet continue to exist. I think that would be one you might get 193 to agree on. But there’s no guarantee.
In any case, that work is going to continue. It just kicked off this year. As a matter of fact, on this thing called the GDC, the Global Digital Compact, the Caribbean Telecommunications Union is hosting a meeting on -— a Zoom meeting on Wednesday to discuss the GDC. That’s going to be done by Nigel Cassimire.
And speaking of CTU, I’d like to give a shoutout to Rodney Taylor attending this meeting from CTU, right up front. Thank you, Rodney.
Moving on, the ITU this year has a big conference on radio. It’s the Radiocommunication Conference, every four years. It’s a treaty conference. It’s four or five weeks. People tell me it’s grueling.
We’re not an R Sector member. We don’t ordinarily pay that much attention to the R Sector work. Their focus is on radio frequency and orbital spectrum, which is a pretty —- that’s a growing business for the ITU, the orbital spectrum management. There’s an element of radio communication we’ll look to keep an eye on; that’s Internet services provided over satellite.
And then the EU and cybersecurity. The European Union. All right, in 2016 they came out with the GDPR, the General Data Protection Regulation. The biggest part of that is, of course, protecting citizens’ privacy.
It, from its very beginning, crossed out of the EU. GDPR, if GDPR had stayed in the EU, we wouldn’t know what it was. But GDPR has tended to — because it applies to any European citizen, it applies to businesses that do business in EU, and so its reach is greater.
There’s a thing called NIS, which is the Network and Information Systems directive. NIS1 was the EU telling governments: Tell us what’s critical infrastructure and how you protect it. And we’re going to collect that information and figure out what critical infrastructure is and how it should be protected.
NIS2 is the EU turning that back around and telling the EU member states what critical infrastructure is and how to protect it.
There are 27 members of the EU. They adopted NIS2. The EU adopted NIS2. And here is Article 28 in NIS2. I’m just going to read it.
“For the purpose of contributing to the security, stability and resilience of the DNS, Member States shall require TLD name registries and entities providing domain name registration services to collect and maintain accurate and complete domain name registration data…”.
So the next step, the way the EU works is, the text of NIS2 goes to every member state, and it’s expected that they will pass that as national legislation.
And then there’s understanding what this means and implementation. So we’re a while away from understanding what this is. I will lean — I will seek to lean on our friends from RIPE NCC to help figure out which way this is going to go and what comes of this.
Finally, a couple years ago, I put some data in about the US GDP. In 2018, it was 21 trillion; 10 percent of that was accounted for by the tech sector.
Internet peak traffic growth was 30 percent per year, about every year, 2016 through 2019. And in 2020 it jumped up to 47 percent. Yeah, I gave this in 2021 at ARIN 48. I think that was on a Zoom.
So I decided to go ahead and look for some newer figures, and I couldn’t get the exact places where I got the original information. So it’s not comparing apples and oranges. It’s more like comparing apples and apples.
But in 2021, the US GDP was 23.3 trillion, and the tech sector accounted for 1.8 trillion. Internet traffic growth last year was a return to normal.
So I did a little more research. I’m not an economist, but I did a little more research to figure why the GDP went up but the tech sector accounted for less. One seemingly telling indicator was network operators were asked what their expectations for revenue was going to be in ‘23, and about 20 percent said higher; 60 percent said the same; and 20 percent said lower. So there’s just something going on about the revenue of the industry.
And there’s many people here that might have a lot more insight into that than myself. So, happy to be educated.
Takeaway slide: We are working to strengthen relationships with governments and Internet industry organizations to make sure your interests are understood and taken into consideration.
And then my final, final takeaway is thank you all that here and remote for participating in the ARIN multistakeholder Internet governance process. The people here and remote are, honestly, more devoted to ARIN than other members. And I really appreciate, the team appreciates your participation here today and tomorrow. Thank you.
Hollis Kara: Thank you. Before Einar leaves the stage, any questions about the information in his presentation?
Beverly Hicks: While not an official question, there was a question. Einar, do you know where some of those papers that you referenced were located? If there was an easy way for people to get to them.
Hollis Kara: You referenced a lot of reports in your slide. Do we have a central location where folks could find those links, or could we create that for them?
Einar Bohlin: The question is about links to all the various things? I have them in the notes of the document. I don’t know if that goes with it when it gets published, but I’d be happy to pull them all out and add an appendix to the end of my presentation. I’ll add a slide when I publish this.
Hollis Kara: We’ll add a slide to the deck online so there’s a resources reference.
Beverly Hicks: Thank you so much.
Hollis Kara: Thank you.
All right. Go ahead, say it. You know you want to.
Kevin Blumberg: Kevin Blumberg, The Wire.
Hollis Kara: There you go.
Kevin Blumberg: I am light sensitive.
Hollis Kara: I’m not controlling that.
Kevin Blumberg: I understand. So I’ll just — yeah. Einar, for the last slide, you were asking why the numbers may look different. A couple of inputs for you that may be useful.
One, there are a number of organizations that have moved their replacement of equipment timelines from four years to five, or six years, even. They found that during COVID, things kept on running and they really could extend out those timelines. And that has a huge impact, obviously, to the costs that are involved in running large networks.
So it may be as simple as COVID showed us that we can run things longer, hotter, whatever, and they’re doing that.
The second part is, the one interesting thing about the Internet is, historically, there’s been these huge jumps when we went from 10 gig to 100 gig Internet connect ports. It was a significant cost increase. Instead of a 10X price increase, it was a 500X price increase for that 100 gig port.
With the newer technologies, it’s a much, much simpler jump. So going from 100 gig to 400 gig as an example was a slight incremental increase rather than an exponential increase.
So it may also play into the maturity of our industry as a whole where we don’t need to spend as much to do more. Just useful pieces, hopefully, for you. I don’t think the numbers are radically different beyond that.
Einar Bohlin: Thank you, Kevin. Thanks for those two data points. Appreciate it.
Hollis Kara: Center mic.
Louie Lee: Hi, Louie Lee, Google Fiber, Louie’s hat, Louie’s sunglasses.
Can we go back to the slide with the NIS, the request for NIS2, more accuracy in the database, so the domain name registration data.
Is that the parallel effort to when we saw the request to get our registry data, quote/unquote, accurate, for some version of the definition of “accurate,” meaning who it’s registered to versus who is behind the service behind the IP address? Was that related at all?
Hollis Kara: I think Mr. Curran has an answer to that one.
John Curran: Okay. So we got feedback back from ICANN.
Einar Bohlin: Mic for John Curran, please.
John Curran: There we go. Not that I really need this, but okay. So a few years ago, we got a request from ICANN, the office of the CTO. They were doing an IANA accuracy project to try to figure out the accuracy of all the registration data.
And that spread over into the number registry, and they asked us what’s our metrics, how do we have technical health indicators that the number registry is healthy? Unrelated to this.
What this is, is very interesting. Again, the EU passed something a little while ago called GDPR. You might have heard of it. Have you met my friends cookies that show up at the bottom of every website? One coincidence of that is GDPR, when it was introduced, everyone gets to accept the cookies because you were sharing information, you had to consent.
When that happened, in the domain namespace, there was a discussion of whether GDPR meant you couldn’t collect any personal information at all. Or did you collect it but not publish it in the public Whois?
And this is now coming —- NIS is coming from the —- this is about information security and public security, and this is coming from that side of the European Union and the European Council. And it’s saying no, you need to have accurate information; don’t give up collecting it. Have it, collect it, but treat it according to GDPR. And it’s explicitly saying security of cyberspace requires having this data.
Now, how this actually gets implemented is interesting. ICANN is in the process of having a whole mediated access through RDAP to the registry, and that’s how accrediting law enforcement and getting access. That’s one way of doing it.
But this is a statement that actually says in the process of keeping security, national security, public safety, things like that, you need to have this identifier information. You don’t stop collecting it; you instead must maintain accurate and complete information but still following the requirements of GDPR when it comes to distribution access. Got it?
Louie Lee: Thank you, yes.
Einar Bohlin: Thank you John.
Rodney Taylor: Rodney Taylor, Secretary General, Caribbean Telecommunications Union. Thanks for your presentation. And also I should say publicly thanks to ARIN for its outreach to the Caribbean and its support over the years in building capacity and supporting regional initiatives like CaribNOG and CTU’s ICT Week.
Specifically with respect to your comments on the GDC, the Global Digital Compact, I think what the UN is trying to do, my take, is that they’re trying to have a tangible outcome from the Internet Governance Forum that’s coming out of the World Summit on the Information Society.
And I’m just wondering, in the absence of this digital compact, which I know will be an extremely difficult thing to get all UN countries to agree, like you said, maybe we can just agree that the Internet should continue to exist.
But beyond that, what do you see as sort of the logical way forward for the UN IGF in the absence of a global compact? Thanks.
Einar Bohlin: Thank you, Rodney. Yes, there’s a connection to IGF. However, furthermore to that, the WSIS and the review of IGF is 2025. So this Global Digital Compact and the summit, the work that’s being done this year, will culminate, according to their timeline, next year, ‘24. But there is some connection, perhaps. We’ll have to keep an eye on that. Thank you.
Hollis Kara: Thank you. All right, Einar.
Einar Bohlin: Thank you.
Hollis Kara: Next up, I’ve got Bevil Wooding, Director of Caribbean Affairs, who’s going to talk a little more, specifically, about ARIN’s activities in the Caribbean.
ARIN in the Caribbean
Bevil Wooding: Good afternoon, everyone, and for those of you online, this is our Caribbean update. But by way first of a quick background: how many know that there are actually 20, two zero, countries in the Caribbean that are in the ARIN service region?
I wanted to start with that number because they’re in the ARIN service region, they’re not somewhere else. And these territories actually represent part of our ARIN community.
And for a long time, they weren’t present in these discussions. They weren’t contributing in any meaningful way to the Policy Development Process.
And when ARIN began its outreach to the Caribbean, it had to start from scratch in terms of creating awareness of the organization, creating awareness of the role of our Policy Development Process, and also linking the needs of this community stakeholder group to the wider needs of the organization.
And so, this update today is going to be a look at how we have done in terms of that, connecting the part of the ARIN service region that was disconnected to the journey that we’re taking going forward.
And I can say this, before we get into that, it’s going very well so far, but there’s still a lot to be done.
ARIN has played, as Rodney Taylor just said, from the CTU, ARIN has played a very important role in helping Caribbean territories to understand what number resources and network resilience really means and why ARIN matters.
But we’re looking at a region in which there is a lot of diversity. So, there isn’t one Caribbean strategy in terms of everyone having the same needs. We have French speaking territories in the Caribbean. We have countries with very high GDPs or very high economic or strong economic backing and those that are still coming out of the backlash of a pandemic that essentially devastated their economies.
In that context, our return to outreach activities and in-person meetings over the last 12 months has been very, very interesting.
I want to set it in the context in which the ARIN organization, not just the Government Affairs department where the Caribbean outreach is housed, has been responsible for listening to, reaching out to and servicing the needs of the Caribbean.
We facilitate, of course, the core ARIN business, which is number resource allocation, development of autonomous networks, and encouraging organizations to adopt RPKI and IPv6. That is the core of our outreach to the technical community in the Caribbean.
We also have two very important other branches that represent a lot of what Einar was referring to, and that is you’re dealing with a region in which, for many of us, it might just seem to be sun, sea and sand, and tourism and good stuff, but there are some very real social and economic issues that shape how governments look at the Internet.
And what we have found is that we can’t make the assumption that everyone or every territory or every government in the region has the same view about the need for an open and secure and resilient Internet.
We have a very, very important part to play in shaping how they see not just our role but the role of the Internet as part of development.
Our focus is in these three areas, and I want to delve into these areas in this presentation, this update presentation: outreach — which many of you may be aware of — engagement, and insights.
And for outreach, we have been strengthening our ties in the Caribbean by targeting three main groups: the technical community, through our collaboration with CaribNOG, or the Caribbean Network Operators Group; we have been strengthening our relationship with the governments through our collaboration with the Caribbean Telecommunications Union, the CTU; and we’ve also been doing direct outreach to the justice sector, and that is law enforcement, judiciary, and lawyers or legal community.
And those would be the three main streams of our Caribbean outreach. A big part of it involves helping the region to shape public policy that is beneficial to a stable and secure and robust Internet.
But another part of it is also making them more aware of how decisions that appear to be local, or even regional, connect to larger trends and patterns that are taking place on a global Internet.
And so that involves us sharing ARIN community positions at national and regional fora. I want to come again to this issue of ARIN community positions because the ARIN community is ARIN North America and ARIN in these 20 territories.
What we are effectively engaged in is pulling a wider set of our stakeholder community to get a sense of what our priorities are as the ARIN community and to get a sense of where the points of emphasis need to be.
Some of our key programs would involve the two meetings per year that we do with CaribNOG. We also add to those CaribNOG meetings a specific ARIN Technical Community Forum.
We have had, since the start of the pandemic and we’re continuing it now this year, the ARIN/CTU/LACNIC Internet Public Policy Forum, where we look specifically at some of the government issues that relate to the Internet and help provide a forum for them to discuss and share what they see as points of priority and interest.
And we also have the reactivation this year of the Justice and Public Safety Forum where we link officials from North America with their counterparts in the Caribbean to discuss security matters relative to the Internet.
We’re seeing a resumption of the in-person meetings for this. But we’re also seeing a greater — what I would say — a greater appreciation of the need to collaborate across territories to ensure that people have the best view of what’s really taking place.
I can add to the outreach, one of the interesting things that the pandemic did, of course, in shutting down in-person meetings, is we lost a lot of our human contacts in some of the governments in the region. Governments changed through elections, through reshufflings of cabinets and so on.
A big part of what the last 12 months has represented is going back out to form new connections and new ties with governments throughout the region.
That has been compounded by this simple and unfortunate reality, which is the region also lost its interregional carrier. One day trips now take one week. Low-cost trips are not so low cost anymore. Getting around the region to reconnect and to reestablish relationships and to deepen relationships is now much more challenging than it ever was.
We’ve been discussing with CaribNOG, with CTU and with the Caribbean Agency for Justice Solutions, ways of better coordinating meetings so that, instead of having a number of meetings covering individual topics, we can have one week where we spend time dealing with different groups in one place, tackling different issues.
And that’s just one of the things that had to change as a result of this still significant fallout from the pandemic.
A good example of that took place in Grenada just last month where we had the Grenada ICT Week. This was our first in person meeting for 2023, and it involved three different events, essentially, inside of one week: an event for government officials, one for the technical community, and another for the business community.
In fact, we have the executive director of the Grenada Chamber of Industry and Commerce making her first ARIN meeting. That’s Petipha Lewis, in the scarlet red scarf on my left, your right.
And the meeting was, in short, very successful in creating a new level of awareness as to what we are about and why we need to do it.
The meeting also represented the first time we ever had a prime minister speak at an ARIN event in the Caribbean. And the Prime Minister of Grenada, this is Dickon Mitchell in the center image, gave the featured address, encouraging the business community and the technical community to be more active in contributing to these regional and international organizations that are concerned about the Internet.
It was a really good time, but it was also an excellent new model for how we can proceed going forward in terms of our Caribbean outreach.
One of the comments that Rodney made coming out of that event was just a recognition that the role that ARIN is playing — and by ARIN, not just the organization, the ARIN community — in facilitating this kind of dialogue is actually critical to Internet development in the region.
I think it’s important for us to recognize that these aren’t just events taking place in some exotic time. This is actually a critical part of the necessary growth and development for ARIN itself as it seeks to more effectively service its entire region.
So let’s talk a bit now about engagement. We had, just for the start of this year, as I said, things are getting back into in person meetings, and things are cranking up in a very real way. John Curran and I were in London for the Commonwealth Telecommunications Organisation ministerial briefing.
You might say “Why is ARIN at a Commonwealth event? Isn’t Commonwealth the UK, African countries and so on?” Yes, it is, but it’s also several Caribbean territories.
We had ministerial level representation at that meeting, and we were both able to not just speak in terms of the presentations but also meet and discuss what is happening and what and how ARIN needs to position itself in terms of better supporting government ministers in the Caribbean as they wrestle with all of these things that Einar spoke about.
Lots of organizations are talking about the pending doom, the rise of AI, the fall of the multistakeholder process, the need to regulate. And in these conversations, very often the decision-makers don’t have the full picture to make an informed decision about where their government should stand one way or the other.
Our presence in these fora are key to helping them understand what some of the different angles and thoughts are around some of these big issues that are hitting their agenda.
We were present at that CTO meeting in London. We also will be participating in the upcoming CTU statutory meeting, again speaking to government officials as well as regulators. And we plan, in the coming months, to continue our country visits as best we can and continue working with the other Internet organizations in the Caribbean to ensure that things are in sync.
This is — I’m just putting some comments up here from some of the stakeholders that we have been engaging with. And this is Richard Wall from the Caribbean Agency for Justice Solutions, just affirming the role that we’re playing in facilitating a new type of discussion amongst lawyers and judiciary in the region.
And the reason this is important is when there are cases that involve the Internet, whether they are disputes over domains or number resources or just abuse online, the role that we have played as part of the public safety and law enforcement group is bringing those actors together so that there is much less hassle in dealing with the United States, in particular, where most of these Internet countries are registered.
In helping them solve these day-to-day issues, we’re helping them understand the role that the bottom-up process plays and the role that the Internet organizations play inside of the global Internet.
Our last section would be insights. And I just wanted to share some of the things that we are seeing in our outreach to the Caribbean.
There are two major themes that have emerged from the Technical Forum that we’ve had so far. As Einar said, the Government Affairs department is actually very much invested in understanding trends that are taking place.
And those trends, when we see things or patterns emerging, particularly in developed markets or developed regions, they actually can play a very disruptive role in how we structure and how we continue to operate in terms of the ARIN community but also in terms of the wider Internet.
You can get a government saying, “Well, let’s regulate or let’s impose some task or tariff.” And if there isn’t enough information provided, you can find governments basically withdrawing from the RIR process or asking to have their own national internet registry, simply because they don’t know.
The two themes that we see from our Technical Forum are, one, the outsized role that governments play in influencing the peace of Internet infrastructure relative to their counterparts in North America.
In other words, for most of the Caribbean territories, if the government doesn’t step in and say we need an Internet exchange point or we need to roll out the next generation of network connectivity or we need to move to IPv6, chances are it will not happen.
Unlike a discussion in North America concerning how do we move to IPv6 or how do we move to RPKI or some such thing, where the private sector is quite capable of taking care of it, in the region you need an informed set of public sector officials to make sure that development and growth and infrastructure strengthening takes place at a pace that’s actually beneficial to the global Internet. So, there is this outsized role of government.
The second theme is the priority of facilitating knowledge sharing and technical skill building. Again, skill building and access to technical training may be something that we take for granted in North America, but in the Caribbean, it is not as easy to come across opportunities for developing the kinds of understanding and technical competencies needed to maintain and secure networks.
Good case in point, in fact, would be what’s happening now in Guadeloupe as a result of a recent visit by Macron to support Ukraine, to support the war in Ukraine. And now the ISPs in Guadeloupe are being faced with denial-of-service attacks that they cannot respond to. And they’re calling on ARIN, because who else are they going to call upon, to see is there anyone or any person or anybody that you can put us on to.
Those are the kinds of calls that we get from our members in the region for things that in the North American context would simply be, get a CERT to do it or find an expert or peer consultant to get it done.
And so what it means for us is that, as we look at these trends, how governments are perceiving the Internet, how technical community members or network operators are trying to upskill their staff to deal with some of these new threats, we recognize that the role, not just of GAD but of ARIN itself, in supporting these members and their needs, is going to be a fundamental part of how we evolve.
These are the three trends that we’re watching. The increasing spotlight that’s coming on Internet infrastructure. The heightened government focus on the functions and operations of Internet organizations like ARIN. So, people are asking, “Why can’t we get all of this stuff done in the ITU or in the UN? Why do we need to go to another meeting to deal with these things?” And we have to have answers for those questions.
And then, of course, which I think is common across the entire ARIN service region, the growing impact of cybersecurity and cyberattacks, creating a distress not just within governments but in wider society.
We’re looking at these three areas as we continue our outreach to the Caribbean. And that focus is reflected in our upcoming meetings, which is what I want to leave you with.
We have three very important meetings coming up. The CTU Public Policy Meeting, where we’ll be holding, I think, our fifth CTU/LACNIC/ARIN Public Policy forum. This is on the 16th of May. It’s going to be an in-person meeting in Port of Spain, Trinidad, the headquarters for the CTU. We’ll also have, of course, online facilities for those who can’t make it.
And on the 6th of July, we’ll be having, in St. George’s, Grenada, our justice forum in collaboration with the CAJS, the Caribbean Agency for Justice Solutions.
And then in September we go to Castries, Saint Lucia, for the 26th CaribNOG meeting, and I think it’s the seventh ARIN Caribbean Forum Technical meeting as part of Saint Lucia Internet Week.
There you have it, your Caribbean update. This is what has been happening, and this is what we’re doing to ensure that our ARIN community remains one coherent and synchronized community in the Caribbean and in North America. Thank you.
Hollis Kara: Thank you, Bevil. Did anyone have any questions for Bevil? Microphones are open. Nothing from the remote? Okay. You covered it.
Before we head to break, I’d like to welcome John Curran back to the stage.
John Curran: (Chuckles) You get a guest speaker. No, you’re getting me actually.
I wanted to pick up a topic that came up earlier and answer it because it sort of came up again here.
Someone asked about ARIN and who we serve, that we serve organizations and not individuals. That’s caused some people — if you want to go get an AS number, for example — we tell you you have to be an organization. You have to be a business name for us to work with you. And that’s caused some people to go to another, like they’ve gone to RIPE, for example.
This isn’t a random decision on ARIN’s part. It has to do with the fact that we run a public registry. Okay? And we want to respect everyone’s privacy.
And your name and your phone number and all of that, you know, you can create an alias for your email, and you can get a different phone number, but if your name is associated with the resource block, it’s going to be showing up as an organization. And we don’t know if you want that.
We actually, we treat the registry as a public visible entity. We tell people you have to be an organization. You have to be willing to hold your name out there. And everyone should be able to see who’s got number resources. You might have a problem with an AS number and an IP address block, and so you need to be able to know who it is.
So, if it’s a public registry, we need to make sure that only entities that are holding themselves out to contact the public are listed in it.
This means if you’re an individual, yeah, you probably need to go do a DBA. Don’t need to set up a whole business, but you need to spend the 5 or 100 or 150, depending on what state you are, to register a name that you want held out for the public. Then come to us. Fine, we’ll deal with you. Okay?
You don’t need to be a company, but you do need to have a name that you’re using publicly, and that requires either an organization or a DBA. And it’s because we’re not going to use your name in the registry, otherwise, because it’s your private name, okay? And if we’re going to have respect for your privacy and it’s a public registry, well, that’s something you need to fix first.
So, people ask about that. This isn’t a random item. This is a very conscious decision on ARIN’s part that the public registry should be put in with names that are public entity names. And you need to be one to participate in the registry.
If you have any questions about that, you can find me at the break or lunch or whatever, at social. But it’s by design. I don’t actually see how we can operate the Internet number registry system without that as a baseline.
Thank you very much. Someone asked it and we deferred it. I wanted to pick it up and answer it. And now I’ll turn it back to Hollis to take us to break.
Hollis Kara: Do I have my break slide? Oh. Shoot. Jumped ahead. We are ready to go to break. We are breaking a little bit late. It is 3:10. I’d like to honor that 30 minutes, if folks don’t mind running a little bit past 4:25 this afternoon, if we stick to schedule.
So if folks could be back in the room at 3:40. Please enjoy your break. Get a little bit of sunshine. And we will be back to wrap up the day after that. Thank you.
(Break from 3:10 PM to 3:45 PM.)
Hollis Kara: (inaudible) …we start. I’ve got a weird thing happening with the confidence monitor down here. Do you think we can? I’ve just got one little slide on it.
Beverly Hicks: Working on it.
Hollis Kara: Okay.
Beverly Hicks: Can you tell me what’s weird?
Hollis Kara: Weird as in I’ve only got one small slide and then a big space that says, ‘no notes.’ It’s just sized wrong. And I don’t want Mark to have to stand on the podium to see. I mean, it would be entertaining, but…
There we go! Phew. I fixed it for you Mark.
We’re going to start off the last section of the day with Mark Kosters, our chief technology officer, who’s going to give an Engineering report. Is he here? Where’s Mark? Oh, gosh. You snuck in. Dude, don’t do that to me.
Mark Kosters: Thank you for coming back in after that wonderful snack. So, one of the things that we have within Engineering in this hybrid situation is we have weekly meetings that begin at 2:00 PM every Wednesday.
And, actually, people are really prompt to those meetings. And I’ll tell you why. We tell dad jokes if people are late.
So, I have a dad joke for y’all. Someone asked if I was moving to Florida permanently. You know what my response was? No, I’m only here “Tampararily.”
Hollis Kara: Dad joke for a dad joke, Mark. You started this. Why did the ROA cross the road?
Mark Kosters: I know the answer to this one.
Hollis Kara: Okay, but they don’t.
Mark Kosters: Why?
Hollis Kara: Because its route was authorized. Thank you.
(Groans and Laughter.)
Mark Kosters: Do we have any more from the floor?
Hollis Kara: (Jokingly) Nooo…
Mark Kosters. Anyways, this is why Engineering — because we had the same groans within Engineering. And so our meetings were always promptly started at 2:00. And we also had full attendance.
So now you see why, because otherwise you have really horrible dad jokes. And I’m actually not so good at it. This is actually — this joke actually came from Garth Dubin, who leads up development for Engineering. He came up with it this morning. I thought it was really good. And some of the other ones were not quite as nice. I figured, hey, why not, let’s go ahead and use it, see what happens.
Okay. Let’s go ahead and go on with the agenda. What we’re going to talk about today, we’re going to slightly pivot the Engineering talk. The Engineering talks have always been basically the same, but we’re going to start pivoting.
And some the pivots that we’re going to move from. There’s a lot of the services that Engineering used to talk about are going to be talked about by, like, Brad Gorman, who is going to be talking tomorrow morning at, I believe, 9:15, talking about RPKI.
And there’s going to be another talk that’s done Wednesday by Joe Westover, and he’s going to be talking about some other things that engineers are going to be doing.
We have all these things that are going to be done by others. And what we don’t want to do is bore you by saying the same things.
I’m being creative in talking about new things. So, that’s what we’re going to do today. We’re going to go through the services that Engineering supports, the statistics that we have, the software releases and improvements, and challenges, and what’s next.
And so, some of these things are similar, but yet they’re different.
Core Services. Here are the things that ARIN does. ARIN Online. Who here has used ARIN Online? Okay, great, thank you. We also have a RESTful provisioning API. Who’s actually used that? Okay, fewer, but that’s good. That’s good.
We have email templates. Who is brave enough to raise their hand on that one?
Okay. Still out there. Awesome. Awesome. Maybe someday we’ll get rid of them. We’ll see.
We have RPKI that we manage. And that is one of the things that’s actually sort of predominant within the operation side, making sure that runs all the time.
We have our IRR that runs as well; that we’ve done a lot of work with it, and it’s running quite well itself.
We have our DNS system. And this is one of the things that David Huberman said back in the day when he worked at ARIN. He said this is probably the most important day-to-day thing that ARIN does.
And now it’s in third place. Maybe fourth place. We’ll see. John?
John Curran: Can we rewind back the email templates? Can I ask (inaudible).
Unidentified Speaker: Dad joke?
John Curran: Can I ask the same question? Who recently or still uses email templates? I see one. Okay. Go ahead. If you, like, signal, like scratch your ear. Okay. I just want to let you know.
Unidentified Speaker: Modify.
John Curran: We have APIs, and they’re your friend. And the email template system is not your friend and not our friend. And so, I just wanted to see how many people might be impacted if it was shut down someday.
Kevin Blumberg: I might want to ask the question also a little differently. Who here has registered any v4 SWIP space and needed to use an email template?
John Curran: Who needs to use?
Kevin Blumberg: Who just stopped registering v4 SWIP because of whatever reason and have just stopped using either system?
John Curran: That’s a different question. I’m not actually.. That question that’s an important question, but that’s not the one I’m looking for. People need to understand the email template system is a maintenance issue. Okay?
Everyone in this room is paying for your templates. Okay? Folks, when you see these guys at the break, collect your bill.
It’s not a problem, but just think about your future planning, because I’m thinking about ARIN’s future planning.
Okay. Thank you, Mark.
Mark Kosters: Thank you, John. Thank you for being more forceful than I was.
Okay. So, let’s go on. We talked about DNS and how it was important to ARIN in its day-to-day operations. And, frankly, RPKI has really overshadowed it.
And we have directory services. This is also very important to the community. And I’m going to show you slides on how important it is to the community.
We have three versions of doing really the same thing. We have Whois, which works off of Port 43. And most clients, most operating systems have clients that support Port 43.
We have Whois-RWS, which is our sort of predecessor to RDAP.
And then we have RDAP. So, RDAP is actually going to be becoming more and more predominant. And we’re going to see more about this in the near future as, I believe, that the domain registries are going to be actually mandating the use of RDAP over Whois.
This is coming to a theater near you. And there are going to be clients out there — I’m sure there’s going to be more than the current clients out there. There’s going to be more of these things made available, so that people can start using it as opposed to things off of Port 43.
We have email. We have hostmaster. Things that go to hostmaster still, there’s a few templates, obviously. And there’s also a lot of correspondence that goes on and tons of spam. Oh, my gosh. The amount of spam that we get is unbelievable.
Same thing goes for billing. There’s a lot of questions ferreted in between all the spam that we receive.
Other services. Email lists. We all use the email lists at ARIN.
There’s the ARIN website, making sure it’s up and available, which involves really two parts: ARIN Online, well, the ARIN part, the static content; as well as the vault, which is sort of the content that has been sort of ferreted away for historical reasons.
We have our OT&E, our Operational Test and Evaluation Environment. This is something that’s very important to the community. And, in fact, it’s sort of escalated our use here as we have a lot of people that actually do not only their testing, but they actually run their own internal thing. They like to see us keep the OT&E up all the time. This is something else that we’ve actually reset the expectations for.
And then our FTP services, which, frankly, a lot of the later sort of Linux distributions and so on don’t have FTP clients anymore.
But that’s still available at ARIN, and it serves a very important purpose. And that purpose is well, it’s available over web protocols as well, but it has a number of very critical reports that are done on a daily basis that the community actually uses.
For example, one of the things that we have is extended statistics. And that shows what space has been allocated by ARIN and how much is actually still in reserve.
These things are actually used as tooling by the community to see how we’re doing.
Internal support. We have our ARIN Online, our staff interface. We call it the management app. We have infrastructure tools that we have internally.
We have security and performance monitoring that we do. In fact, we have weekly meetings where we see how well the applications are doing, how well the environments are doing, and how well we’re doing from a security perspective and to see if there’s any issues.
We have cloud-based tools. Yes, ARIN does participate in the cloud. And we do have a couple of instances available.
We have email. Not only the hostmaster and billing email, but we also support corporate email for ARIN.
Various environments. One time, it’s kind of funny, one of the engineers said “Why do we need all these various environments? Why don’t we just have development and production? That’s it.”
Well, that doesn’t quite work right when you want to put out correct code. We have various environments that we have. And we have a lot of them. We have development. We have daily testing and regression. We have release branches, we have staging and all kinds of different environments that we have to support.
And of course, the last thing is analytics. We look at this stuff and we look at our trends to see whether or not we have anything that we need to look at and actually proactively fix or create new additional hardware or whatever to actually sustain additional loads.
Let’s go on and look at statistics and see how we’re doing. This is the number of ARIN Online accounts. And what’s amazing to me is not so much that, oh, wow, 205,000 accounts.
It’s pretty significant in terms of it’s fairly sort of static, right? It’s not growing, but it’s not shrinking. These are new accounts that have actually come in that have actually come out as part of ARIN Online.
It’s amazing how this sort of — its really growth that occurs, but it’s very consistent growth.
Now, here’s the slide I always like to show. And every time this comes out, and I should probably do a history on this, things keep moving to the right in terms of people that log in. And it makes sense, right? If you log in a couple times a year, you’re going to start moving into these new camps. Right?
You’ll start moving in. Well, the first time I logged in for the year, that’s it. Next year, I come in, I did a couple times, so I’m in the two-to-five camp. Next time I go in, it’s the six-to-ten camp, and so on. And, of course, the one that keeps on growing is the one that’s 16+.
And the thing that amuses me is that — we see it, we have a count, of course, of all the people that log in. The person who takes the cake is one who’s logged in 8.8 million times.
That is amazing. Did they forget that they logged in and have to log in again? It’s like that — it’s 155,000 first dates. I’m not exactly sure what it is. I thought that was interesting.
Now let’s talk about 2FA adoption. One of the things we’ve had available over a period of time is we’ve had 2FA. And you look up there and you say “Well, this is kind of interesting. I see that TOTP is pretty high up there. And FIDO2 is up there as well. SMS is about 30 percent of the total.”
And this is since the inception of 2FA that we put out. And phone call, you say, “Why do you have phone calls on there? It’s zero percent.” There’s actually 12 voice users. And we had to turn it off, sadly, because hackers found a way to abuse the system. And it was getting pretty — it was quite blatant. We tried to fix it. We did our best.
And someone got a lot of phone calls in Haiti. There was someone that was abusing the system. And as soon as we thought we fixed it, we went out and rolled out the code, within ten minutes that person was actually at work again. And this is all doing new account inception and actually trying to take advantage of this voice system.
So, we disabled it. We talked to John Sweeting and said, “Hey, what do you think we should do?” And we went ahead and disabled it.
Here’s another one that’s interesting. And since we made 2FA mandatory, you would say, well, it’s TOTP people are just going to use that, or maybe they’ll use FIDO2 because it’s really clearly more secure. But what’s interesting here is that there’s really a 50 percent — it’s 50/50 — between TOTP and SMS. Is that surprising?
To me, it’s not really too surprising. I don’t know how many of you go to banks, and you ask them about 2FA, and they say, “Oh, yeah, yeah, we have that. It’s the greatest thing. This is the latest thing ever, since we created automated banking back in the day. We allow 2FA using SMS.” And that’s the only thing they offer.
We’re actually ahead of the game using TOTP, and of course with FIDO2. But I thought it was interesting to see what the ratio is here.
Provisioning transactions. Even though there’s still people using templates out there, it’s going less and less and less. And here’s a good graph that shows it.
The green is up to the right, and that is the RESTful API. And the stuff that’s red is kind of flat and, if anything, kind of sort of staying the same. But it gives you an idea where we stand with templates.
So, like John said, it’s operational costs for us to maintain it. It would be nice to actually retire it someday.
Whois and Whois-RWS. Whois has been around forever. And what I’d like to do is show this spike in that we are seeing numbers that we haven’t seen before. And don’t know why, but the number keeps going up for people that are asking for things that were Port 43.
Same thing goes with Whois-RWS. It’s going up, too. Of course, it was conceived back in 2010 and it was — people had to write custom code to it or use the website or whatever to use that particular service. But that’s also increasing as well.
There’s various reasons. And I’ve talked about this in the past ARIN meetings about the service and about the abuse that we’ve seen.
RDAP, it’s increasing. It’s increasing as well. And what I’m doing here is showing the v4 versus v6 sort of breakout.
And you can see that v6 is really staying the same, about 4 percent. And it’s about what we’re seeing on our website as well, the ratio of v4 versus v6. It gives you an idea of what our traffic distribution is like.
DNS, this is a new slide. Wow. Here you see our daily averages. One of the things that you see on the top is sort of the distribution, where you have PTR records, which makes sense since it’s reversed. And basically, that’s a request saying, “Hey, I have this IP address; can you give me the name associated with it?” That’s called a PTR request.
You can see that’s a pretty predominant feature. And there’s daily diurnal patterns that are going on here. And pretty common. Looks pretty normal.
In the overall query rate, if you look across all the managed /8s that we have within DNS, you can see that it’s also fairly common. And what I took is a normal week here. What I haven’t shown is what happens when we’re under some sort of independent — I should say — we’re a third party to a DDoS attack.
And, yes, we see those because people query us. And since this is DNSSEC-enabled, it comes back with much larger responses, and it hits some poor third victim, third-party victim, that’s out there utilizing our services.
When that occurs, it basically goes off the charts. And occasionally we get paged, but actually the system can actually handle it.
Releases and improvements. Okay. We have a secure routing enhancements, the new ARIN Online dashboard for IRR and RPKI. Brad’s going to talk about that more tomorrow.
And we have had a new scalable method of updating our repositories so that we can do it much quicker now. We were capped at five minutes before. But we can go much faster now with a larger number of repositories if we wanted to.
2FA, added FIDO2. And of course, when 2FA became mandatory, we put that system in place.
API key security enhancements. We not only made it longer, but we handled it differently based on SOC 2 compliance, that I’m talking about next. We’ve passed our SOC 2 Type 1 audit. I’m stealing a little thunder from Christian, who is going to be talking about this more in detail after me, but that was a big initiative that we have underway since last year.
We put in a new third-party payment processor vendor, and we’re getting a lot more flexibility out of that now.
We have a new architecture coming out for our public facing services. We call it affectionately within Engineering as PFS. PFS is basically most, if not all, the services you use — Whois, RPKI, DNS — they’re all in our PFS sites. And we have three and a half of them around basically the US and one in the Caribbean — the half is in the Caribbean.
Ongoing is we have a reduction of technical debt, which is always something that Engineering is dealing with. No matter what organization you have or are a part of, technical debt is a part of the game that we have to continually be a part of solving.
We’ve had lots of end-of-life replacements that we’ve put in. We’ve been working on Kubernetes and moving to Kubernetes within Engineering and making a gradual change to that effect.
We’re rolling out new hardware for PFS sites. This could be much faster than the hardware we’re running now.
And our third-party audit was completed last year, and we’re soon going to be doing one for 2023. Again, Christian is going be talking about that some more.
Challenges and what’s next. Brute force login attacks. I talked about this at ARIN 49. Actually, ARIN 48, I talked about Whois and the abuse that we saw there.
Last meeting, at ARIN 50, I talked about SOC 2 preparation and how that was sort of changing engineering’s focus and how we did it. Now we have prioritization things that we need to look at. We have to look at, okay, we have all these things that people want us to do. We only have so many resources. What are the things we’re going to do and how are we going to make these happen?
That’s part of our job is actually dealing with prioritization. But I’m sharing with you some of these challenges and what they are.
ARIN Online enhancements, things that you’re going to find as a community. Internal tools that are used by staff and things that they need to make things more effective from their perspective, which in turn helps you, as things can get rolled around faster.
And, of course, technical debt. This is something where we’ve been dealing with and we will continue to deal with, but we have tremendous amount of technical debt within ARIN over the years that we continually work on.
What’s next? Technical debt. We’re going to try to bring it down further. We have PFS site improvements. We have a new reengineered site solution that we’re going to be putting out. It’s happening as we speak.
We have ongoing support for SOC 2 Type 2 compliance. Multisite logging and monitoring so that as we move from disaster recovery site to disaster recovery site, we can actually do this in a very fast manner, which we can’t do as well right now.
Both IRR and RPKI enhancements. And Brad will talk more about those. I don’t want to steal his thunder. And the Vault integration. There’s going to be changes going on with the Vault that’s going to happen over a period time, much the guy in the white jacket, Jesse, out there, please talk to him about that.
If you have a chance, ask him about things — that questions that he wants to bring to you to see what your responses could be and help him sort of make that, the Vault, a better place to be.
There we go. I think that was it. That was it. I think that was it. It decided to go kind of crazy on me. And that was it.
Hollis Kara: All right. Microphones are open if anyone has any questions for Mark.
Kevin Blumberg: Kevin Blumberg, The Wire. Thank you. One thing, or, I guess, two. The first is has ARIN looked at what is not secure in terms of email templates got brought up as they’re legacy and all of that, but ultimately they’re not secure.
And when you’re running an authoritative database, maybe that’s a better way to look at it, what is not secure? FTP? Sorry, it’s not secure. So, it can have man-in-the-middle attacks, et cetera, with those.
Maybe looking at what is not secure may be a way of cleaning up over time those legacy systems in terms of how you address them.
The second part was TOTP versus SMS, 50/50. Very easy. Path of least resistance. It’s way easier just to put in your phone number.
Now, as somebody who cares a little bit about security, I want that turned off on my account and never to be able to be used. I consider it to be a legacy. And you’ve heard that, I think, in the things, a legacy system. I don’t want any legacy MFA inside of my account.
And making it easy for people I get was your first step, but it’s not giving a good sense.
The second thing was RPKI, really important. Canada. 24hour telco outage. No SMS. No way for me to log in and fix an RPKI record to have a backup because that was screwed up. SMS is a problem just waiting to happen.
And, so, yes, you’ve given them an easy path. I don’t think most people are thinking of the ramifications about using those kinds of technologies.
Mark Kosters: Fair enough. Thank you for those points, Kevin.
One of the things — I’ll hit sort of the former point sort of more forcefully, and that is dealing with things like FTP. And so, one of the things that’s important to note is that things that are on a FTP site are read-only.
You can pull it down. You can use it. It’s not really something in fact, there’s very little, if anything, in there that you can maliciously change things that would affect ARIN. Now, it may change someone else, but it won’t affect ARIN in the sense that, hey, I’ve changed my — I’ve been able to affect the provisioning services and change a record.
That part is, yes, I’d love to see FTP go away, much like I’d like to see templates go away. But it’s available and actually people still use it and actually use it quite a bit.
Kevin Blumberg: Deprecation of services is a long-term track. People are aware that something is being deprecated and turned off over many years.
The part about FTP is not that someone will maliciously put something onto it. It’s that someone can maliciously act and report back information that is untrue by spoofing because you have no identity verification because it is completely unencrypted.
Mark Kosters: That’s very true. And no way of validating that, I agree.
Hollis Kara: We do have one comment from the virtual queue.
Beverly Hicks: This virtual queue comment is actually missing a name and their affiliation. Hopefully they will get it to me by the time I finished it. It says: I greatly appreciate your APIs, as I found them relatively easy to use to program with. It allowed me to build a mass SWIP program to make sure our customers are assigned and reported.
And that’s from Tom Bonar from TDS Telecom.
Mark Kosters: Great, thank you.
Kat Hunter: Hi Mark.
Mark Kosters: Hi Kat.
Kat Hunter: Kat Hunter, Comcast, ARIN AC. We could always talk afterwards if you don’t have an answer, and you probably know what I’m going to ask. Where is modify on the ARIN Online in terms of a roadmap?
It’s the only thing that’s left from the templates that I am unable to do. So, I still have to do them in the templates. But I’m doing all of the new adds and deletes on the website. I just can’t change an address.
Mark Kosters: Yes, so we have a couple things to help you out that have not been put on the roadmap yet. So, this is useful. Thank you. I appreciate that.
Roman Tatarnikov: Hello, Mark. Roman Tatarnikov with IntLos, a consulting company. I just wanted to follow up on the FTP. Yes, FTP is insecure. But it’s possible to secure it by turning on STARTTLS essentially; that’s the extension.
So, we can still provide FTP service, but making sure that everything is transmitted is getting encrypted. That’s it. Thank you.
Mark Kosters: Thank you.
Alison Wood: Alison Wood, State of Oregon. Mark, could you disclose the tool you used on page 12 to provide the DNS reports? We thought that was fantastic and would love to use it in our environment.
Mark Kosters: Sure. Jeffers, help me out here.
(Inaudible cross talk)
Hollis Kara: Find Jeffers at the social, Alison. He’ll hook you up.
Mark Kosters: I’ll sort of — it’s using Grafana as sort of the main reporting engine. And we feed it all kinds of information that sort of ingests it in Grafana. It just comes out with really pretty graphs.
And those graphs are the things we use for our weekly sort of analysis. And that’s the example of one that we look at and say, okay, how are we doing? And I look at that on a weekly basis.
Alison Wood: These are great. Thank you.
Mark Kosters: You’re welcome.
Hollis Kara: Any more questions for Mark? Virtual queue is clear. I think you’re good, sir.
Mark Kosters: Thank you.
Hollis Kara: Thank you.
We’ve talked about this one a bit over the last few meetings, but this is the first time I think you’re going to get tohear it straight from the horse’s mouth, so to speak.
I’d like to welcome Christian Johnson, our chief information security officer, to talk about what’s going on with information security at ARIN.
Information Security at ARIN
Christian Johnson: Apparently, I am the horse’s mouth. Ok. Good afternoon. I apologize for being the only thing that stands between you and the end of the day. I don’t know what’s worse, standing between you and the end of the day or the Open Mic, because I’ve been in a couple of these meetings, and I know how you love those Open Mics.
I am the chief information security officer at ARIN. Let’s see. I’m going to give you a rundown very briefly, a quick contextual piece. Sorry, I’m so used to looking over my shoulder at these things. This is too easy. You made it too easy.
I’m going to give a quick contextual overview at the very beginning. I will sort of ask for forgiveness instead of permission here. Most of the other presentations are done annually or, I should say, in some cases semiannually. You guys have never had a dedicated briefing about what we’re doing at ARIN [for Information Security].
Don’t worry, I’m still going to use my presentation. I’m not going to go completely rogue on us. But I am going to cover some things in maybe more of a broad brush, not specific numbers, but talk about the overall initiatives that we’re engaged in so you can get more of a broad picture of what we’ve been doing.
I’m going to give a security year in review, it’s a little bit more than a year; talk about some of the compliance initiatives that we’ve been involved in; and talk about our communicating with the community about what we’re doing with security at ARIN.
I’m not even going to go in the order of these. One of the things I want to do is there are people who are security people in this room. There are people who are not security people in this room.
I have watched the community grow and morph and change. One of the things that we do great in security is we just randomly change the name of things.
So, let’s just call it if I say “information security” or “data” or “cyber” or “computer,” it’s all — let’s just say it’s the same thing for the sake of this conversation.
They all have very nuanced meanings, and I’m not going to be getting into that here. If I need to, I’ll let you know.
For a security person, I will say this. There are two things that we want the most in the world. One is that we want the organization that we work for to think that security is important.
That’s the first thing. That’s — in some organizations — that’s something that we actually have to work for. And, frankly, I feel completely blessed to be brought into ARIN as an organization.
I want to talk about this. It was important enough that somebody said, hey, we actually want you to come in and work here and work on security things and be a dedicated asset towards that.
I’m, one, very thankful for that. To be able to walk in have that already existing here is really special for a security person.
But the second thing is having the resources to get the job done. Okay? And one of the things I’m going to talk about here goes to the top item, and that is security.
As with a lot of organizations, it’s shared across the organization. There’s not just one core team within ARIN who has security as a job and they just do it and they’re the only people who are doing it.
I see people in the time I’ve been here working across teams. I’ve seen people, whether it’s in Registration Services or in HR or within Engineering, I’ve seen people come together and talk bout security in constructive ways, making constructive recommendations that have positive impacts on the organizations, both today and in the past.
This isn’t new just because I’m here. Security has existed at ARIN for a long time. It’s just that you now have me here to give a separate presentation on it.
And I say that. If you look at any one of the other departmental presentations, like Mark, he was talking about what we’ve been doing for the SOC 2 compliance initiatives. You’ve got RPKI discussions and routing security. Security is sprinkled through all of the presentations.
I’ll say all of that. I’ve tried to limit some of the stuff that I’m going to talk about to things that aren’t covered elsewhere, but I may have additional plugs here and there to talk about it.
Security year in review. This is a bit of catchup, like I said, this is talking about a year and a half, almost two years of the time I’ve been here. These are some of the things we’ve been able to accomplish.
One is we went through all of the things that we do for security policies, whether implemented technically, whether it’s in a firewall or it’s the way we meter certain processes within HR or things like that. We actually documented them.
And it seems like a relatively benign process from the outside, but one of the things that that allows is for you to see it in a more subjective way.
As a part of that process, we went through and we made enhancements to a lot of the things we do in ARIN, both from the technical side as well as from the personnel side, the organizational side, business processes, et cetera.
And we’ve made a lot of improvements that might seem to be relatively small from the outside, but I think long term they’re going to have really substantial positive impacts.
We’ve been able to more formalize our InfoSec training, phishing awareness program. We’ve been fielding new phishing defense tools. The number one vector year over year for malicious activity — and we can argue about this all day long but — statistically it’s phishing attacks, whether it’s a BEC that’s happening or whether or not it’s somebody who is stealing credentials or some other malware being injected.
Phishing is the number one vector. And so, we’ve taken that to heart, and we’re looking at the number one vector and standing up and bolstering our defenses to help protect against those things.
Mark talked about the annual security audit. We’re going to be pivoting that in the years going forward. Traditionally that’s been our big milestone annual security event of the year, was to go through and do this very thorough audit of the organization.
It included phishing of the organization and testing. And we now have that phishing being done separately. What used to be done once a year is now being done on a monthly basis within ARIN testing the employees, testing the staff, providing security training annually.
The annual security audit is going to become more of a penetration test in the true sense, and that’s going to benefit both our SOC 2 that I’m going to talk about, it’s going to talk about our PCI and the requirements for PCI compliance.
I’m also going to talk about — I’m not going to get into two-factor authentication enhancements. Judging by the last conversation, I think we’re up to speed on our two-factor stuff.
Website updates. I will steal a little bit here, sorry, Hollis. We have updated our website. I will show how we’ve been trying to improve our — not improve our communications — communicate to you on the improvements that we’ve been making over the last couple of years just so everybody’s aware of that instead of having to wait six months until I get up here and say something.
We’ve also worked very closely with the Board of Trustees to stand up a Risk & Cybersecurity Committee where we’re able to have dedicated conversations to the Board about the risks that impact the organization as well as what we’re doing.
And we’ve done quite a bit of tailoring of the reporting based on their input to help provide them the metrics that the Board feels is important for us to report back to them to make actionable decisions and recommendations.
Mark talked about technical debt. We’ve been making substantial progress there. And the compliance program, it’s a nice little hook there at the bottom that’s going to take us into the next slide.
What we’re looking at here is I have three, essentially, frameworks. So, frameworks/standards I’m not going to split hairs on this. Frameworks are for those who don’t deal in this all of the time. They’re essentially a collection of best practices that are — that have a name, they have a label, they have a standard script that you follow when you’re implementing security controls.
It’s as simple as that, if you think about it. I have these three up here for a very particular reasons. One is NIST. This is the National Institute of Standards and Technology. They fall under the US Department of Commerce. And within the United States government, NIST has for years and years been charged with developing [security] standards and special publications On how the United States government should apply security. Minus the Department of Defense; they do their own thing. But NIST, for the rest of the government, they develop the standards by which the government is expected to comply.
So historically speaking, the NIST Cybersecurity Framework — this is their newest and greatest they’re actually working on an update to that now, a 2.0. That is their official cybersecurity framework that they develop and endorse.
The cybersecurity framework was essentially used to create the security controls that ARIN has had in place and implemented over time.
It’s important. This isn’t necessarily a framework that you would go out and get a third party to come in and audit you for. One could do it, but it doesn’t necessarily mean as much [commercially] as some of the other industry standard compliance frameworks.
That leads into SOC 2. There’s a conversation globally about ISO. You’ve probably heard about the ISO Compliance Framework, perhaps. That’s a global standard.
SOC 2, which was created by the American Institute of CPAs, they have a very stringent and deliberate method they go through. They created a SOC 1 that was all about financial controls. And they made a lot of money doing those audits, and they thought, you know what, we could probably do one for computer security too. And they did. It’s SOC 2. It’s one of their compliance models.
So, effectively, SOC 2 is displacing ISO within the North American region. And I know historically I’ve seen some of the input that’s come from the user community about improvements that we’ve wanted to see within ARIN, and one of them was we wanted to see SOC 2 compliance of ARIN products and services. And so that was the official framework that we went after.
I’m going to talk about what exactly we’re doing there. I want you to be aware up front that that focuses on North America, which is our region, of course, and allows us to focus more than some other compliance models like ISO. It allows us to focus on the specific product or specific service.
Now, PCI DSS is a little bit different. It’s a different animal altogether. For those of you who aren’t aware, PCI, Payment Card Industry. I have to put it in there or I always forget what all the letters mean. Payment Card Industry Data Security Standard. It is a framework, even though it’s called a standard. It is a security compliance framework. It applies to any company that accepts payment card transactions. And obviously we do that as well.
With the transfer that we had, Mark mentioned it earlier with the transfer over to the new payment card vendor, we have been working with them to get our PCI DSS compliance.
And I will talk a little bit about that here in a second as well, because while these frameworks are very interesting, they’re not all exactly the same.
There is no one framework to rule them all. You can’t do this one big one, and it covers all the smaller ones. You have to do these individually. You have to have — to be able to claim that you’re SOC 2 compliant, you have to do a SOC 2 audit.
Mark was saying Type 1 and Type 2. For those who don’t know, the Type 1 is where you start. The Type 1 is sort of a snapshot. It’s a picture in time. It says that you have all of these controls, that they exist within your organization.
And very simply a Type 2 is they monitor you for some period of time, and they say yay, verily, all of those controls work the way they’re designed to, the security works the way it’s supposed to.
So we completed our Type 1. So, yay, ARIN. We completed our Type 1 SOC 2 as of this last fall. And we’re working on Type 2. I’ll talk more about that.
We’re also working on the PCI.
This is our SOC 2 roadmap. And I apologize in advance to the Board because you’ve seen several different SOC 2 roadmaps. I tried to visualize this a little bit differently for all the folks who weren’t getting monthly and quarterly briefings on this.
We started off by scoping and planning for this. This started a year and a half ago when I first came on board. It was one of the first things that we started to talk about, was how would we do this and what would be included in the scope of the audit.
We went through this last year, our readiness assessment. We brought in an auditor, a certified auditor who came in and did our audit process. They were fantastic. We have a great relationship with them now. Very happy to be working with them. And we were provided our Type 1 report, which we received in December of this last year.
Now, next steps for that, as I said, is the sort of continuous monitoring that we are doing towards Type 2, which is ongoing this year. We will complete our Type 2 period at the end of month, September 2023.
Our first audit period is ten months. It’s a little unique because we were trying to align to the end of the third calendar quarter just to make it easier, to avoid ARIN meetings during the month of October and all the end of year stuff.
And so, in future years what we’ll have is a 12-month process, and we’ll recertify every year on that same schedule.
With the SOC 2 roadmap, that looks at organizational security and RPKI. And what I mean by that, organizational security, it might be looking at our HR processes for how we onboard and offboard staff.
Do we have physical security controls at the data centers? Are our data centers SOC 2 certified, for example?
So, that’s organizational security. The RPKI part of that is very specific to the RPKI delivery service, if you will. And I’m using those words to sort of be descriptive, not necessarily to be very deliberate about how I’m describing it.
It’s about RPKI. It’s not, maybe I should say, about ARIN Online. It’s not about the database behind it.So, We’re certifying RPKI’s delivery system.
Separately from that, though, when we talk about PCI, the process itself, one, is different. If you’re not familiar with PCI, one, you can be thankful that you’re not familiar with all these frameworks as much as I am.
PCI is different in that there are multiple levels of PCI that you can be aligned to, depending on what type of vendor you are. It’s as simple as that. They measure it by how many transactions you have or total dollar value of your transactions.
So compared to, like, Amazon, right, who does a couple more dollar transactions than us per year — couple more — they have this very stringent requirement, and they have just a laundry list of things that they have to do to be able to achieve their compliance.
For us, we’re on the lower end of the spectrum. So, what we’re required to do, per our vendor is, we do an annual security questionnaire. And, frankly, I would say 95 percent of the questions that show up on our security questionnaire are things that were identical or comparable to what we were doing for our SOC 2 work. It made it very easy to go through and verify what we were doing for the PCI work.
Separate from that, we have to do quarterly scanning under PCI, both internal scanning but more importantly external scanning which requires, under PCI, that you use a PCI-certified vendor.
So that’s a little unique, that you can’t just use what we were already using and saying that, yes, here are the results. You actually have to use a PCI scanner, which we did on the external side. Found no issues. It was fantastic. We flew right through it.
The penetration testing is a separate requirement. And that’s why we’re sort of pivoting that annual audit to focus on that because of the other pieces sort of being subsumed by other activities. That’s still a requirement that we need for PCI, and we continue to work on that.
In the case of PCI, the scope of that, again, is a lot of organizational security things that are required, but that is going to actually certify ARIN Online.
And while it’s, again, not a one for one in terms of security, you will at least be able to look at our products. You’ll be able to look at our website and see that we are at least certified. We’ve been able to prove that we’re certified for both RPKI and for ARIN Online.
As we continue to implement enhancements both to things, services, products within ARIN we’re going to continue updating the ARIN security page as we’ve been doing.
We have made a couple of changes because we wanted to start bringing in the security compliance work that we’ve been doing. So, you can see this is effectively a snapshot of what you would see today. You can see we have our SOC 2 compliance badge on there. Once we are compliant with PCI, we’ll be able to put that on there.
We do have some language on there that describes our SOC 2 certification. So, you can see that. Obviously, we have more detailed information. There’s only a little bit there.
When we’re doing these things, we will continue to publish blog posts. We’ll put out releases to the community so that you’re aware of what we’re doing with regards to security because it is important.
I know that it’s important to the rest of the community and want to make sure you know what’s going on, as users, so that you can feel confident in the security of the products and the services.
So, with that, I will stop. It’s the end of the day. But I’m going to open it up to questions. If you have any questions boy, I love to talk about security.
I’m here. I will certainly answer questions now, but I certainly want to say I want to invite you to, if you have anything that you can think of, if you don’t want to go to an open mic, you can always track me down and ask me. I’m available. Love to talk about security.
I may not always have the answer that you want to hear, but I try to not make security as we were joking about having walk-on theme songs as we did this, and we kind of thought that there might be a conflict between who will get “The Imperial March.” I personally think I should have “The Imperial March,” as security. I think that I should.
I try to sort of stay away from that within security. I want to be approachable and I want security to be approachable because I feel like it is to the benefit of the organization that everyone within ARIN, everyone within the community is invested in our secure operation. Thanks.
Hollis Kara: Thank you, Christian.
Do we have questions?
Kevin Blumberg: Question and a statement. Kevin Blumberg, The Wire. Statement: Thank you, thank you, thank you. We’ve been asking for security for years. And having something dedicated now, more than just dedicated, actually showing movement in this area is really appreciated. So, thank you.
I don’t need to know how all the sausage — when it comes to things are done. That level of specificity really isn’t important. What’s important is that you are actually doing things.
So, two questions related to that. First is I think you were very specific in how you limited where you were doing it, mentioned RPKI. You excluded ARIN Online.
Do you have a roadmap for where you’re going to have sort of an all-encompassing… don’t need it now, but I’d love to see sort of that roadmap on that.
And the second part is in the operations from Mark Kosters they talked about technical debt. Historically we have seen technical debt include systems that were unsupported, unpatchable, unmaintainable. That obviously doesn’t equate to security.
So, at some point I’m hoping that there’s a convergence of those two where I guess the technical debt is dealt with so security isn’t an issue.
So, looking forward to seeing where technical debt isn’t listed as a, at least, security consideration.
Christian Johnson: Absolutely. Thank you. Thank you for both of those questions. I’ll answer the second one first and say that Mark and I have pretty regular conversations about technical debt. And it’s a regular conversation that we have internally, also with the Risk & Cybersecurity Committee as well.
And we’re absolutely moving in that direction. We definitely want to see the systems that are unsupportable be replaced, phased out, moved out of the system so that we can eliminate those gaps. And we’re moving in that direction for sure.
And to the first… let me back up even a little more. Thank you for your comments. I love being able to be here. And I will make sure that I try not to describe too much sausage making in the future. Hopefully, I didn’t do too much of that today. I did want to give a bit of an overview for sure.
And to the first question that you had, which was relative to the specificity of the compliance, which, yes, absolutely we do have a plan going forward — in short — for what we intend to do, which products and services and how we are going to apply those.
What we didn’t want to do up front is we didn’t want to try to tackle a bear. And we could very easily have done that by saying we’re going to try and take on some process that we had not done before, and do it for the biggest product that we have, and that ARIN Online, trying to do a SOC 2 certification of ARIN Online out of the gate. That, after not a whole lot of conversations, that didn’t seem like a prudent course to take.
So RPKI was definitely the first step that we wanted to take. ARIN Online is definitely something that we’re talking about very actively for the SOC 2 certification.
But obviously the fact that we were able to turn around and align another framework to that in the short term — and that being PCI — to be able to certify ARIN Online itself separately seemed like an immeasurable value to at least say that that is certified by one framework even though it may not be the same one in the short term that RPKI is certified with.
Hopefully, I answered your question there.
Any other questions?
John Curran: No, but I’d like to add, so something you need to know is the Board has a huge focus on our technical debt. And we have a Risk & Cybersecurity Committee of the Board which we meet with, I’d say quarterly, but it’s actually monthly now. Quarterly we provide a report.
Peter Harrison runs the committee, and Christian and I are the two staff support for that. We provide a report quarterly of the tech debt to the Board, showing the retirement of systems. So, they can see a waterfall of systems that are yellow and red, moving slowly to green.
And that’s actually what led — those initiatives led to things like the retirement of the unauthenticated IRR was part of reducing that. We’re trying to get more green and less yellow and red.
Our payment cart processing change is another one. But it’s a huge focus for risk management for the organization.
And so, we don’t spend a lot of time talking about what still is on that chart because I don’t feel like giving a target to people of where to aim. But it’s a major attention for us. That’s all I’ll say.
Gustavo Ortega: Just brief a comment. Gustavo Ortega with Georgia [Tech], also a fellow. So I just wanted to say, in your introductions, you mentioned that information security and other concepts you’re putting all of them under the same basket.
So as a cybersecurity advocate in my company also we have a large base, customer base. It’s understandable, and I do agree with that position. We have millions of clients and we cannot adopt a position that basically looks at each individual, so we have to look at it at holistically and not a specific use case.
So, I do agree with that posture, but sometimes we do need to look at certain specifics and make priorities, and I think you are doing it for the sake of the whole community.
Christian Johnson: Thank you very much. Yeah, I said it really in the context of for today and talking through security, but those are very good points to make.
There are obvious nuances between those specific areas within security. And, yeah, we try to address it holistically as we’re going through systems and looking at these frameworks, for sure.
Any other questions?
Hollis Kara: Alright. Thank you very much, Christian.
Christian Johnson: Thank you very much. Thanks.
Hollis Kara: I would like to welcome Bill and John back to the stage to wrap up our day with an Open Microphone.
Bill Sandiford: All right. Open Microphone. Come ask any questions. It’s almost like an ask me anything — anything relevant, Kevin.
Kevin Blumberg: Tough one. So, I love getting ARIN emails. And thankfully they have diminished over time. I don’t get any more of the “We’re closed because of inclement weather” or “Our phone is down for 15 minutes” emails. Thank you for stopping those.
But I still get a lot of email from ARIN. And for me, who is very involved in the community, that’s great. For many of the people that I help and work with, it’s really annoying. I almost need an opt-out button of some kind because, quite frankly, it has nothing to do with the services that I or my customers need.
I need a bill. I need to know if the service is changing. The rest of it is really marketing fluff at that point, disguised as updates to the community or whatever the case may be.
I’m not saying that everybody doesn’t want to get it. But many of the requests that come out are not part of the — either it’s not part of the specific service I need or you’re going to drown out people because they just don’t know what all of the stuff is and it’s not relevant to them for getting the basic services of what they do.
John Curran: Can you tell me which Mailing Lists you think are the problem?
Bill Sandiford: I was going to say the same thing. Can you give an example?
Kevin Blumberg: I was looking at Announce, as an example. I can unsubscribe from Announce, but then some of the important things I do miss out on.
I think that there is… I got the impression that some of the emails that were going out were being sent to all members. No?
John Curran: No. Literally, there are a few things that we do send more widespread, but we’ve dramatically like, for example, I found myself, like, what do you mean we didn’t post information about the upcoming ARIN meeting to PPML?
We have people on PPML who aren’t on our other Mailing Lists who didn’t know there was a meeting this week. I guess that’s okay because they weren’t subject to, but then we’re talking about policies, so we better at least tell them that.
So we’ve begun to sort the mail, and it doesn’t go to multiple mailing addresses. I sometimes cross post it out of fear that someone is missing an important announcement. But if you’ve got a list you think there’s a message that shouldn’t have gone, Kevin, send me a copy of it.
Kevin Blumberg: My question is what would somebody who is not subscribed to anything get?
John Curran: Who doesn’t subscribe to anything at all?
Kevin Blumberg: Nothing, they’ve signed up, they’re a customer,they have their space, all of that. They want to get their bill.
John Curran: They get ARIN Announce. But there’s not much on ARIN Announce. We do tell people about the meetings because here’s the problem. People who subscribe to ARIN and say, oh, all I got was an AS number or an address block.
That’s great, you think you have commercial service, you’ve subscribed, you’re paying your bill, everything’s great. Except you don’t.
You’re a member of a community whether you like it or not. And when you say, well, I don’t want to be, I just want to get the service, well, presently, in some of those services, we may be your only choice.
So you can say you want a relationship, okay, but, in fact, because there’s no alternative, these people need to know they’re part of a community. And if they want a voice in the change, they need to know it up front. We can’t react to them afterwards.
Kevin Blumberg: So the point that I’m making still holds true, what gets sent to ARIN Announce? 10 to 15 emails a month is more than what many companies send from a services point of view. You’re going to lose people in the volume. Be very careful. You’ve lowered it a lot. Very thankful. Please continue to lower it to the essentials.
John Curran: We’re trying to minimize the cross posting. John, do you want to say more?
John Sweeting: John Sweeting, ARIN. I think Hollis is checking. I don’t believe we send ARIN Announce to everybody unless they’ve subscribed to ARIN Announce.
Hollis Kara: We no longer have any list that — we used to have some automatic subscriptions that have been where people registered. We stopped doing that because it was privacy and all of that.
So really ARIN Announce is by subscription only. We encourage folks to subscribe, but it’s not an automatic thing.
John Sweeting: So, they will get their bill. They will get their POC validations. Other than that, they may get things when we target certain organizations that need to know some of –
John Curran: Right, if we target a particular subset of the community for service change announcements, which we’ve done on occasion. But if we’re not auto-subscribing people to ARIN Announce anymore, it’s possible these people have no, very little, information from us, Kevin.
John Sweeting: And there’s the General Member Mailing List we have. We have only, like, 150 people that have signed up. But we try to send everything that’s important to that. So if you’re a General Member, you can unsubscribe from just about everything else except for PPML.
Kevin Blumberg: Hollis, question. Approximately when did you stop auto-s ubscribing people, give or take? Because that may answer my -—
John Sweeting: Approximately two and a half years ago.
Hollis Kara: Honestly, everything since COVID is a little bit of a blur. I think it was before the pandemic started.
Kevin Blumberg: Understood. The simple answer, if you’re unhappy with this because they were created years ago, unsubscribe from Announce. You’ll get your normal stuff.
John Curran: You’ll get the billing if there’s a service-targeted announcement, like, if you’re using a service we’re phasing out, we will send you a targeted message for it.
Kevin Blumberg: Thank you.
Gordon Swaby: Good afternoon. I’m Gordon Swaby, a Fellow here from Jamaica. So I’m very happy to have been a part of this meeting. I was also very encouraged to see some of the policy changes, especially I think that first one with the ASNs, making it a default.
I remember when we were beginning our own journey in Jamaica at an IXP, that was an interesting back and forth. I think it was Leslie Nobile at the time when we were trying to sort those things out.
So I think it would be good for us. It would be encouraged, help to build greater resilience across the Caribbean. So we’re looking to further engagement in that regard.
And also, I liked the presentation and the focus that ARIN has given to the Caribbean, even with Bevil being director and also the platforms he spoke about — policy, technical and even that justice component.
One of the things that I think would be good for us, especially for our region, is to see if ARIN could have even more outreach to some of the law schools so we can start to get some of those young people engaged early to understand how things really function in the real world.
These are a few pieces. Thanks much.
John Curran: That’s a good idea.
Hollis Kara: John and Bill, we do have a remote contribution.
Bill Sandiford: Let’s go ahead, do that one.
Beverly Hicks: Joe Provo from Google, speaking for myself. Mr. Curran had a short comment before the break regarding individuals versus organizations.
The last I reviewed, ARIN is a sole RIR that does not directly service individuals. I actually was going to file an ACSP to examine this stance. Given JC’s comments, while a conscious decision, is it one that is reconsidered with any frequency? And is there any point in filing that ACSP?
John Curran: That’s an excellent question. I think the other RIRs are free to reconsider their decision whenever they want. Does that answer your question? No.
To be clear. Look, it’s a public registry. We actually have an MoU with the other RIRs that says it’s a public registry. The NRO MoU has an addendum called the Internet Number Registry System Addendum Joint Project Agreement. It says it’s a public registry.
It’s fairly challenging to have a public registry that we’re all replicating and sharing and referencing and have personal information in it unless it’s very explicit.
Now, in most places, the way you do that is you hold yourself out for business.
So it’s unclear how that gets done in most places except by doing an LLC or a DBA. There’s a number of ways of doing it.
You put an admin or tech contact in that database, you have to get that person’s consent before you do it. Now, this is just respect for privacy. It’s also compliant with a number of policies both inside and outside the US.
But if you want to have the ability to look up who has a resource, you’re going to have to make sure that information is public.
So, we can review it. But I first need to see a model that works someplace else before I can replicate it and we haven’t seen that yet.
Bill Sandiford: Over to this side here.
Gerry George: Gerry George, DigiSolv and ARIN AC. I want to sort of highlight and compliment ARIN on the Caribbean outreach, the increase in outreach we’re seeing in the Caribbean. And I think Bevil made some comments on that way. We’re coming from the Dark Ages where there was very little Caribbean participation, representation and so on, to now we’re seeing quite a bit of movement, which is very encouraging.
Something I would like to see continue is engagement with decisionmakers, government personnel, business owners and so on, because, for the most part, a lot of the Caribbean IP resources are issued by the Internet Service Providers and not companies themselves applying for that. And to a large part, it is based on a lack of knowledge.
Now, a lot of that education will depend on us, the community, as the members. But it would also need to have a lot of support coming from ARIN so that we can have those types of engagements with the relevant resources.
I remember back in, I think about 2017, 2018, we had the ARIN in the Caribbean events, and they were very nice because they were short, focused, and relatively easy to host.
I remember I spoke to Bevil one time. I was actually sitting at the airport on my way back home. Had a call from him. And within the space of a day or two, I said, yes, we’re going to host ARIN in the Caribbean. And we pulled it together very, very easily.
I don’t know if COVID killed that, but it would be good to see a return to those types of events throughout the region, because there’s a lot of need to focus events on the non-technical, on the non-technical community, even though we still do have a significant dearth of engagement and involvement within our own technical community.
So, once again, kudos to ARIN for the increased Caribbean participation. Kudos to some of the activities that we’ve been having. Bevil and Rodney, CTU has really hyped up whatever is happening. And thanks again.
Bill Sandiford: Thank you.
John Curran: We actually planned on expanding our outreach. And in 2020, we began looking at a targeted program to look at key staff, government officials, bringing them together in various parts of the region because they need to know.
We got underway in the planning, and this virus thing came and we set it on hold. But actually, very recently, we’re looking at picking that back up and resuming. So very much thinking the same lines. Thank you.
Bill Sandiford: All right. Last call for the queues for the Open Mic. Is there anything more online?
Hollis Kara: Nothing online.
Bill Sandiford: Going once. Going twice. All right. I’m going to wrap that up, then. Thank you.
John Curran: Back to Hollis.
Closing Announcements and Adjournment
Hollis Kara: All right, just a few last things. First of all, thank you to everyone for joining us today. Really happy to have you here. It’s been a great day.
I’d like to thank our sponsors, if I could get a round of applause — wait till then — Charter Communications, IPv4.Global by Hilco Streambank — yeah, I did say that right — and Google. Okay, now.
Really briefly, because I neglected to do it this morning, if I could get my Board and AC to stand up. I’d like to get a round of applause for them for all their hard work to make ARIN a success. Seek them out at the social tonight. Tell them thank you.
All right. We’ll have our social event at 7:00 PM this evening at the Florida Aquarium. There will be transportation, buses from here starting at 6:45. Three buses out. We’ll have return buses starting at 8:00.
Let me explain for a second, because we didn’t know until we got here exactly how this was going to work. And if you came in the driveway, which I think you had to, you know it’s a pretty tight turnaround so they can’t fit the big buses in there.
So when you go out the front doors this evening, we will try to have staff there to assist you. Past the groovy plant wall there’s a sidewalk that turns down between the garage and the hotel. There’s a pathway, some funky plants. Just past that is kind of a back parking lot and a big, scary-looking, white tent. Don’t go in the tent, but that’s where the buses go. That’s where you go.
We look forward to a great evening at the aquarium. And again, thank you for all your participation today. We’ll be back here tomorrow. Breakfast at 8:00. Meeting starts at 9:00. And we’ll have our virtual table topics at lunch for our participants.
And with that, Day 1 is a wrap. Thank you for your time. Get some sunshine.
(Meeting adjourned at 4:57 PM.)