ARIN 52 Public Policy and Members Meeting, Day 1 Transcript - Thursday, 19 October 2023
Opening and Announcements
Hollis Kara: Welcome to ARIN 52. I’m Hollis Kara, I’m ARIN’s Director of Communications, at least today.
And I’m here to host the event and walk you through the day. We’ve got a lot planned. So let’s go through some opening announcements. Got a lot of things to go over and then we’ve got a very full agenda. So I appreciate everybody being here today.
All right. Phew, here we go. First of all, do I have all my Board in the room? Could I get my Board members to stand up, if they’re here. They didn’t know there was going to be a drill. Yeah, if I could get a round of applause.
Nancy Carter, John Curran, Peter Harrison, Hank Kilmer, Tina Morris, Bill Sandiford, and Rob Seastrom are the esteemed members of ARIN’s Board.
They do a ton of work for us. And I’d like to thank them all for all their hard work and for all their help in getting ready for this meeting and being part of it and taking care of the community in lots of ways, which they’ll talk about later.
I’d also like to thank, yep, here’s another drill, Advisory Council. Are you here? If you’re here, stand up. Wave your hands in the air. All right.
We’ll be here for a while if I read all the names so I’m going to trust everyone to do the reading. These folks are absolutely crucial to the policy process, and we can’t thank them enough for all their hard work.
You’re going to get to hear from a lot of them today as we head into the policy segments of the agenda a little bit later on. We’ll get to that.
I’d also like to thank — where did my slides go? There we go — our NRO Number Council representatives. I think they’re all here today. Do we have Kevin, Chris, and Nick? Yep, wave. And Kevin will be on the agenda a little bit later in the program — I think actually tomorrow — and he can fill you in exactly on what the NRO NC has been doing to support the ARIN community since the last meeting.
All right. So for those of you who attended orientation last week, thank you very much. Some of this will sound familiar. So please feel free to sing along. We’re going to talk a little bit real quick, for the benefit of our remote participants, how they can best navigate the meeting over the next day and a half.
And then we’ll talk a little bit more about how you folks here in the room can do the same.
So for those who are joining us on Zoom, please be aware, chat is for chat. And we love it when you guys are chatty, but if you want to have something read into the discussion or participate in Open Microphones or policy discussion periods, we’re going to need you to either raise your hand — and we’re happy to unmute your mic so you can speak directly and the room can hear from you — love it when folks choose that option.
Your other choice is to take advantage of question and answer, the Q&A little widget at the bottom. If you need time to type, you can always just drop in your name and we will know that you’re composing a larger question. You can drop those in at any point during the discussion or presentation and we’ll queue those for the end.
We have our Help Desk open, accessible through the website, and that’s there until 9:30 this morning. It’ll be there from 8:30 to 9:30 again tomorrow. Also available on breaks and lunch if you need assistance.
So in-person, you are welcome to join our virtual participants in Zoom if you would like to take advantage of the opportunity to chat with those attendees. We do ask that you make sure that your computer is muted and disconnected from audio if you do that.
We did change up the navigation on the ARIN 52 meeting website for this meeting. So you’ll notice we have a dropdown menu for our in-person attendees and for our virtual participants with content that’s specific to each of those audiences.
Just a little tip about how things are arranged since it looks a little different than last time. We thought it made it a little bit easier to find your way around. So you can see, we’ve got a lot of things that our in-person attendees need to know and a slightly shorter list for our virtual attendees, but the Help Desk and Event Hub are there for your use.
We have, I think, pretty close to record registration for this meeting. Hopefully we will have close to record participation. As of yesterday, about midday, we had 175 folks registered to be here, in person, and 173 virtual, which puts us over 350. So big round of applause to you guys for taking the time to participate.
Love to see those numbers going up.
For folks in the room, also a reminder, and virtual as well, when we get to the discussion periods, Beverly on the riser and I from the stage will help our moderators to manage the queues so that we can have opportunities to feed in questions from both in the room and online. We do ask that everyone state their name and affiliation each time you are recognized to participate, even if you’re coming back to the mic.
We do do a live transcript and post that asm part of a meeting report. So we do need to know who said what. Makes it cleaner.
And, yep, same thing for virtual — please put them in your comments. It will just make it a little faster for us to get those shared in the room as well, if you lead with your name and affiliation.
We do have — all of the slides for the meeting are posted on our meeting materials page. If you want to access those, they can sometimes, particularly for our virtual attendees, be a little bit easier to read than what you’re going to see through the Zoom.
Same thing, the live transcript is available if you prefer to follow along in that way. And we are recording and livestreaming today’s event. And all of that information and links are available on the ARIN 52 meeting materials page.
Wi-Fi, I hope everybody found the Wi-Fi. The NANOG Wi-Fi, it’s up through our meeting. So if you’ve been using that earlier this week, please do stay on it. It’s going to be a little bit better than the hotel Wi-Fi, and if you need to get on that, the login information is out, I believe, at the registration table.
With that, I’d like to thank our sponsors, our network sponsor, AT&T, if I could get a round of applause.
Our bronze sponsor, IPv4.Global by Hilco Streambank.
And our webcast sponsor, Google.
Thank you. All right. So I’d also like to welcome, we have a big class of Fellows for this meeting. We have 15, which is amazing. Some of them are here with us in person. Some are participating virtually. If you see them, please do introduce yourself and tell them a little bit about why you choose to participate in ARIN and why you’re glad they’re here, because we certainly are. So thank you to our Fellows.
And as I mentioned we did hold a Meeting Orientation last week, and we provided our attendees with an overview of all the stuff I just walked you through. They had an opportunity to complete a survey, and we drew a winner for the $100 Visa gift card. And, Beverly, do I have a winner, please?
Beverly Hicks: I don’t know how, but I always forget that I’m going to be here for that point. Our winner is one of our Fellows. Rebecca, you are our winner today.
Hollis Kara: Great. (Applause.)
Congratulations, Rebecca. We will get that gift card to you in email.
In the event of an emergency, please either shelter in place or meet outside on the Bay Terrace, which you’ve already seen, or you can head out the front doors. It’s pretty straightforward.
I will note that for those who are residents of California and who have a particular app that I’m not going to name because someone pointed out that some of you might just go and download it because I mentioned this, there’s actually going to be a test of an alert system a little bit later this morning.
So if people’s phones start going off, that’s what that’s about. Nothing is going on. It’s cool. It’s just a system test. So be ready.
Now, I’d like to talk a moment about our standards of behavior. Standards of behavior are really important to ARIN in the context of the meeting.
They are published on our website. They are published on our meeting registration site. And as you can see I’m going to have to shift because my vision ain’t what it used to be.
It’s important that everyone treats everyone in attendance with civility and courtesy and respect. Whether you’re interacting with someone online, virtually, or here on site that the comments are pertinent to the discussion and focused on the topic, and that we are really creating an environment where everyone feels comfortable to participate and that is focused on doing the work that we are here as a community to do.
So, again, ARIN is very committed to supporting a productive and safe environment at our events, particularly at our Public Policy Meetings. And to that end we are adding a new feature to this meeting. Please come and — we have dubbed him our Omsbuddy, Wade Hinton, so I’d like to welcome Wade up to the stage to tell you a little bit about himself and his role here at ARIN.
Wade Hinton: Good morning. Have you had coffee yet? Good morning. It’s great to be here with you.
I really appreciate the “Omsbuddy,” because my role here really is to get to know you, but to make sure that we’re doing exactly what Hollis mentioned, which is creating an experience where everyone feels respected, where you can create a space that your voice can be heard. And we’re following these standards that ARIN has invested in and, again, that all of you have agreed to.
Just a little bit about my background. I’m the CEO of Hinton & Company. We’re an organization that partners with organizations like ARIN around the country to help make sure that they’re creating spaces of belonging and appreciation for their workers, for their stakeholders, for those that they serve in the communities. So let’s make sure we do that, right, while we’re here during this time together.
I know many of you have — I’ve talked to some of you, you’ve been coming here for over a decade, which is great. But we also have some newcomers like myself. I’m naturally curious, so I’ll come to you and I’ll ask questions about you and get to know you a little bit more.
But also I’m just going to encourage you to also get around and meet some first-timers as well that might be participating.
Now, let’s just talk for a moment about what happens if indeed someone feels like they have not been appreciated, that they haven’t been respected, that somehow someone’s crossed a line.
Well, we created opportunities or at least an opportunity for you to contact me. And you can do it via email, but you can also just pull me aside.
I’m here on site all the time. So just make sure you pull me aside.
And know this, that when you actually come and talk to me about whatever issue it is or you email me, that everything is confidential. We want to make sure we preserve that confidence, that you feel safe enough to discuss whatever it is that you have with me.
So with that, thank you so much. I’m wishing everyone a fantastic conference, and I’ll see all of you around.
Hollis Kara: Thanks, Wade. We’re really happy to have you here. All right. And we’ll get his name badge updated appropriately a little bit later.
All right. So we started thinking about things that could go wrong because that’s what we like to do in our free time. And I just wanted to take a quick moment to talk about what happens if for some reason Zoom decides that it’s not going to participate in the meeting.
Again, for folks who are joining us online, if Zoom goes down, try to log in. If you’re not seeing it, please do head over to the livestream. We will make an announcement there and explain kind of what our plan is going forward.
And if for some reason you can’t get to Zoom or the livestream, please send prayers and look for an email and we’ll explain what’s going on and when the meeting will be able to resume.
So hopefully none of that is going to happen. If everybody could just knock wood for me, that would be great. Thank you.
Quick run-through of the agenda. So welcome address. That’s me. I’m almost done, I promise. Then we will welcome a representative of NANOG up to the stage to give an update.
We will have our keynote on advancing RPKI adoption, our Board of Trustees Report and Financial Report. Then we’ll take a break. And then things are going to get really hectic.
We will have our introduction for our elections, and then our video presentations of our candidate speeches for the Board and Advisory Council. After that, we’re going to let you have lunch. Please do eat well, caffeinate, because the afternoon is going to be all policy.
We will have our Policy Implementation and Experience Report after lunch, our Advisory Council Report, and then we’ll go into our first block of four policies.
We’ll take a breather, get some sunshine, hopefully, if the weather cooperates, and then come back in to finish out the day with our second policy session, a report on the 2023 customer survey results, a report on our ARIN Consultation and Suggestion Process, and an update on programs before concluding the day with an Open Microphone.
So it’s going to be busy. So strap in, get ready, we’re going to get rocking and rolling.
First off, I would like to invite our President and CEO, John Curran, up to say a few words of welcome.
Welcome From ARIN’S President and CEO and Board of Trustees Chair
John Curran: Thank you, Hollis.
Good morning, everyone. And welcome to San Diego. I see bright faces out there. Some I’m familiar with, some new ones.
This is the ARIN meeting, and some of you joined us earlier in the week because we do this in cooperation with NANOG, and I saw some of you then. And NANOG spends a lot of time talking about the technology that keeps the networks, the Internet running.
We spend our time talking about what keeps the registry running. ARIN, as a registry, is an important element of keeping the Internet operational, and this is going to be, the next two days is when you get to shape the policies by which we operate the registry and the mechanisms we use to run ARIN.
Now, people think this is done by the ARIN staff. It really isn’t. I need to emphasize this: While we try to keep things running, what we do and how we do it, how we operate the registry, is up to you. And so your participation is essential.
You look around and you see all these people and you wonder, well, they have it covered, I don’t have to do anything. When you remove the staff and when you remove the Board, the people left in the room is a smaller number. It’s actually a very key element here, and all of you need to participate.
And I don’t think that anyone should feel inhibited in any way. If you see a discussion and you have a question, feel free to step up and ask.
If you want to take a break, wait until we’re at the break time, ask your Fellow person or ask an Advisory Council member, what is this policy about? I don’t quite understand what happened. Everyone is welcome. We have open participation. And so this is really an essential part of making sure that the registry is your registry.
And so I welcome everyone to San Diego. I hope you have a very productive meeting. We have a lot of great policy discussions on the agenda.
And I’d actually like to welcome someone to the stage even more important than myself, our Chair, Mr. Bill Sandiford. Come on up, Bill. Bill is one of the elected Board of Trustees, and he’s the Chair of the Board of Trustees. And he’s the one who the Board provides oversight to ARIN’s governance and operations. All yours, Bill.
Bill Sandiford: Thanks, John. Morning, everyone. I’m going to keep my remarks real short so we can get underway.
I really think it’s nice to see the numbers of our meeting attendance. I think back to when we first got into in-person meetings again with our hybrid meeting back in Minneapolis and watching the attendance numbers grow over the last couple of years, both in person and remotely.
I can’t remember a time in my history with ARIN where we’ve had upwards of 350 attendees at one of our meetings. So that’s really nice to see.
We’ve got some exciting stuff. If policy is your kind of thing for you, planned over the next day and a half, the team has done an excellent job of putting together another great meeting for you like they always do, with a nice mix of policy, other things about the organization, a great social event this evening where I look forward to seeing all of you out and spending some time.
And on that note, I will pass the floor back to Hollis so we can get the show on the road here. And, everybody, welcome, and let’s have a great meeting.
Hollis Kara: Thanks, Bill. All right.
So next up will be our first presentation of the morning. Tina Morris, if you wouldn’t mind coming on up. Tina is wearing many hats at the ARIN meeting. And for the purposes of this presentation it is her hat as a member of the NANOG Board of Trustees.
Tina Morris: Thank you. So it’s actually my last year on the NANOG Board. So I feel very privileged to be here. NANOG Board has term limits that are a max of six years for any Board member, and this is my sixth year.
I know. It’s kind of sad, but I’m not going away from the community; I’m just going away from the Board.
So today I’m just here to give the update. Many of you attended the NANOG meeting earlier this week. There’s been a lot going on with the community and we just wanted to bring you up to speed. If you weren’t able to attend, a reminder, all the October meetings are paired with NANOG. If you’re already flying out you might want to attend a NANOG as well.
NANOG governance, how is it run? Well, first of all, we have an executive director. Our now-prior executive director, Edward McNair, has just stepped down. Edward was integral to transitioning NANOG, the look, the feel of NANOG, dealing with the virtual experience, making sure we kept going through the whole virtual experience. And then we were the first meeting to return post-COVID to in-person.
Edward’s been amazing. I don’t know if he’s here for the NANOG portion. I would have him stand up if he were — for the ARIN portion — sorry, too many hats — if he were here. But I suspect he’s already gone home.
If you have any contact with Edward, please say thank you. He’s been an amazing contributor to the group.
That leaves us with an executive director search. We’ve posted it on LinkedIn. We have an email alias set up. I’m personally staying onboard to help with the hiring process. We have a three-person team to do the hiring.
But really, although we’ve already received probably 150 résumés, they’re all over the spectrum, and some of them aren’t very well thought-out. They’ve left in “insert nonprofit org here” — those kind of applications. They’re not exactly the quality we want. There might be some really amazing nuggets in there, but I haven’t personally had a chance to sift through — it’s only been live this week.
If you know somebody that would be great for the NANOG community, please reach out to somebody from the NANOG Board or to this alias and introduce them so they rise to the top of that pile.
We’d really like to lean on our community to do this. And there will be an email coming out and a post to the NANOG Mailing List next week on exactly what we’re looking for, but you can look at the job description here and we’d really love to get recommendations from the community.
Our current Board of Directors — Leslie Daigle, Vincent Celindro, David Siegel, Michael Costello, Steve Feldman, myself Tina Morris, Cat Gurinsky is ex-officio because she’s PC chair — and we have election in process right now for two seats.
We have staff, amazing staff. And how the program is built: We have a running cycle of the program and we’re always looking for — we have subcommittees looking for keynotes, tutorials and tracks, lightning talks, moderators, data analysis, hackathon. We have subcommittees for all these things.
If you’re interested in participating, NANOG is purely volunteer run — we have those very few staff members — everything that you see in the content is because volunteers have stepped up and participated.
There is room for more people, more voices, more diversity in that perspective. So if you’ve attended a NANOG virtually or in person, all the content, by the way, is on YouTube. We have a YouTube channel. You can watch it afterwards.
You can go back look at an old talk, all that. If you want to be part of creating that, there’s room for you. Please, please reach out.
The life cycle of the talk, we have a consistent rolling process now where we can book up to three meetings out.
So if you’re, like, “I have a talk I want to present, but the data, the project won’t be done in February but maybe it will be ready for June,” you can submit it now.
We have a constant rolling process. There’s somebody there to help you curate the talk, get it ready for the stage, all of that. So please reach out. But this is an example of the event calendar for us.
As I mentioned, the YouTube channel. The YouTube channel has more subscribers than our Mailing List. It’s really an incredible platform. So if you speak at a NANOG, there’s a good chance that people will see your content even after the fact. So it’s a really great platform and some of the talks, there’s some stats here about how much of it is viewed. It’s a really, really important YouTube channel.
Events Update, our next four NANOGs are booked. Important note here — NANOG 90 was originally published a different date a week later. Our hotel actually canceled two weeks ago for NANOG 90, which a little bit — Hollis knows that kind of anxiety. They decided they’d rather do renovations than host a NANOG. And they just said, “Good luck, we found a hotel down the street, we think it will help you out but good luck.”
And so the only dates we could get were February 12th through 14th, and unfortunately, as anybody that’s football-related, you might recognize that means a lot of people are going to fly in on Super Bowl Sunday.
I have faith that at least one of our vendors will throw a Super Bowl party. So don’t let that stop you. And if Valentine’s Day is important to you, you can fly home in time to spend that evening with your loved one, but please still join us in Charlotte.
A new thing for NANOG is DEI Committee. We started hosting our first events in June of this year, and we have been partnering with ombuds support group much as ARIN is here to bring that to the meeting and have consultation. Our ombuds are available year-round for NANOG.
You can reach them at firstname.lastname@example.org. Our — that slide didn’t work. Well, I have a lovely picture on my screen of our ombuds so you can recognize them. But they have both now departed from NANOG anyway and gone home.
They do amazing consultation as the ombuds here at ARIN will. It doesn’t have to be an extreme case to embrace the ombuds. It can be a miscommunication. It can be a sensitivity thing. I feel like the community doesn’t realize they’re doing this or that.
It can be whatever you need it to be and it will be anonymous and relayed up to the proper people to take action. Oh, there they are. I don’t know why it didn’t work the first time. All right.
With the ombuds, the DEI Committee has created our definition of what DEI is to the NANOG community. That’s up on our DEI website for everybody to see. And we’ve been organizing events like the Women in Tech mixer that was female-only attendees to network and relate. We’re looking at bringing other mixers for other diversity groups to NANOG.
We also hosted a DEI talk followed with a DEI lunch that was, what’s the word I’m looking for, was facilitated. And that was a really, really impactful event. I think it was actually our best DEI events we’ve ever had at NANOG at this NANOG meeting.
We also had table topics on the tables. We had both fun and technical. The idea is just to build community, to get people into small groups where they talk and find their commonality, that it’s not just like, ”Hi, I’m such and such and this is where I work.”
We want you to know each other and make friends and build communities so you feel like this is a safe space to express yourself, to bring your technical problems, your registration problems, whatever problems you have, you have friends to help sort through them. And that’s what NANOG should be.
So, we are organizing all these events to bring people together in smaller groups. We had pickleball at NANOG this week. We had three days — four days actually, Sunday it started — Sunday through Wednesday we had pickleball for three hours every morning.
One of our members coached and brought new people in. And we have some great pictures of it that will be up on our website. It just got more and more people every morning. So you’ll see more of that coming from the DEI Committee.
And we also have a community forum where there’s groups to talk about different things. You can view the Mailing List there. It’s community.nanog.org. We have affinity groups there to help build communication around people with
like-minded things that they want to talk about, if you want to schedule a run, if you want to find out what the latest Women in Tech event is, go whiskey tasting, whatever, hopefully you can find people there. We’re trying to drive conversations there. It’s a little bit of a slow start but we’re trying.
All right. Development Updates. We have been updating our appointment tool. Once again, if you’re registered at NANOG, one of the aspects of NANOG is business development. People are also there to have meetings with critical people. So making yourself available on the appointment tool has been really important to our community.
And so we’re on version one. We’re finally out of beta. We were in beta for a long time, for last year, and we’re into version one. It’s becoming a really good tool. And interactive reporting of our statistics and public profile are all complete.
We are also having an election cycle here. NANOG is trying ranked-choice voting for one year. We’re going to do it as an experiment and take a report and see how it’s done. With ranked-choice voting, voting is open for the NANOG Board. There are two seats. With ranked-choice voting, you do not have to vote for all — you don’t have to rank all candidates. You can just rank the ones you support, which is an important element.
If you have a NANOG membership, you have the right to vote. If you need any information about any of the candidates, I know them all, and I’m very happy to talk to you.
And that’s pretty much it. That’s the intro to NANOG. If you have any questions, I’m happy to answer.
Hollis Kara: Not seeing any questions, so I think you’re good. Thank you, Tina.
All right. Moving right along. Next up, I’d like to welcome our keynote speaker to the stage. Steve Wallace, from Internet2, is going to come up and talk about the challenges of RPKI diffusion within the U.S. research and education community.
The Challenges of RPKI-ROA Diffusion Within the US Research and Education Community
Steve Wallace: Thank you, good morning, everyone. My role at Internet2 is to promote routing security and improve the routing security posture of our community.
During this presentation, I’m going to assume you know something about RPKI and creating ROAs. I’ll tell you the short version that I use in my elevator pitch. It’s the routing security magic button. All you do is fill out a web form with a few fields and you’ve created a ROA which provides your network with some mitigation against outages due to misconfiguration and mitigation against certain hijack attempts.
So it’s a magic button. I think there are only three fields now on the page to create it. Everybody should be doing it.
All right. Make sure I press the right button. So here we go.
So this is an interesting graph. This is the kind of data I look at to motivate me. I also share this data with our community to motivate them.
The top line is, in the global Internet, what percentage of routes have covering ROAs protecting them. And this graph represents a pretty short period of time. It’s only five months. But, you know, it’s pretty good. I think today it’s around 46 percent of the routes in the global table have covering ROAs.
This is a bit of a remarkable success story. If you look back five years, five years ago it was about 10 percent, and there’s been a 35 percent rate of growth every year for five years for this metric.
And, given what it is and the complexities for some parts of it, I think that’s remarkable. But when you look at the US research and education community, their adoption is far less. And so I’m going to talk about what do I mean by US research and education community, what are some of the barriers to that adoption, what are the things that we’re doing.
We’re hopeful. Things are getting better. So the bottom of the graph you see, depending on how you measure it, our community is — 15 to 18 percent of the prefixes are covered by ROAs. When I first started looking at this, unfortunately I didn’t keep the data in a way I could report on a long-term trend. But when I first started looking at this data a few years ago, it was around 4 percent.
So there’s been improvements. But it’s still far less than the global Internet. And it’s important to understand why that’s happening. Otherwise there’s going to be a long tail of people who don’t have ROAs.
So a fair amount of our community are MANRS participants. So they actually have agreed to be part of MANRS formally. Their ASNs are in the MANRS participant database. These are particular networks that are interested enough in routing security to investigate and sign up for MANRS. And even within that community the percentage of routes that have covering ROAs is better, but it’s not as good as the global Internet. And you wonder why it’s not 100 percent.
So why? A little bit about what R&E networking is. Internet2 is not-for-profit. One of the things we do is we operate a national research and education backbone, so we operate an NREN in the U.S. — the NREN in the US.
We don’t actually connect individual institutions. We don’t connect colleges or K-12 schools in districts. We interconnect state and regional networks. So in the U.S. there are 40-plus state and regional networks.
In California, there is an organization called CENIC that operates a network called CalREN. And that is one of these networks that serves those communities within California.
It’s important to note that each of those state networks can serve a slightly different mix of constituents. So some — I think in California they’re pretty permissive. I think K-12, higher ed, maybe local government, I’m not sure about healthcare — but that can vary state by state.
There are roughly 330 intensive research universities in the U.S. And all of them interconnect over Internet2. And in some ways they’re sort of the anchor institutions that motivated the development of the Internet2 network 25 years ago.
Internet2 doesn’t provide full transit. So all of these networks have full transit providers.
Internet2 provides — there has to be connectivity among people who connect to it, but all of them also have full transit providers. And we try to be driven by our community.
So Internet2’s backbone — so this is our fiber footprint. We’ve got about, I think, 20,000 miles of fiber. So it’s a pretty substantial network. And it’s looked mostly this way for about 25 years. It’s been around for a while.
The state and regional networks are also fiber-based. And I know this is an eye chart and a little bit of an old map. But it gives you a sense of the proliferation of the state networks that have their own fiber that interconnect varying types of organizations. But all of them, all the higher ed institutions, the total number of institutions when you start counting like K-12 schools and libraries and stuff, I think, is tens of thousands of organizations.
So Internet2 is an NREN but we’re just the NREN in the U.S. There are NRENs that serve regions all over the world. And I guess this is a complete eye chart. This is a rough picture showing the NRENs around the world and the interconnectivity among those NRENs.
While the Internet2-connected community lags the global Internet in its adoption of RPKI ROA — remember the routing security easy button where you only need to fill out a form to get the benefits — when you look at the global NREN community, they lag as well. This is a bit of a surprise for me. I don’t normally look at this data, and I put some data together in preparation for this talk.
And so if you look at the global NREN routing table, there are about 16,000 covering prefixes. There are a lot more prefixes but there are more specifics that are used for traffic-engineering reasons. If you aggregate them up to the covering prefixes there are about 16,000.
Just over 3.4 or 3,400 of those covering routes have ROAs, so it’s about a 20 percent ROA coverage. It’s a little bit better than the U.S. R&E community on its own, but again it’s less than half the adoption of the global Internet.
And so it’s good to understand the barriers of this easy button because this should be better and we need to make it better.
A little bit more about the organizations that connect Internet2. Internet2’s AS-Cone is just over 1,100 ASNs. Shout-out to CAIDA.org. CAIDA’s AS rank for the Internet2 network is No. 58. So theoretically of all 70,000 AS’s in the Internet, we rank 58 in terms of our scope of connectivity, if I understand that ranking correctly.
80 percent of the IP addresses or at least the prefixes in the Internet2 routing table — these are the IP addresses of people connected to Internet2 — are legacy resources. So we have a big pool of early adopters. And that starts to get at one of the barriers.
On average, there are about two IP address assignments per origin ASN. That’s another metric that tracks with lagging.
As recently as 2018 we had pretty low participation in IRR records. In other words, only about 60 percent of the routes in the Internet2 routing table were correctly represented in IRRs.
And then something really interesting happened. Google said, “On your settlement-free peerings, we’re only going to accept routes where we have good IRR information on those routes.”
So Internet2 provides access to Google properties and a lot of other cloud providers to our membership over settlement-free peerings. So we said, if you want to continue to access these sites through this high-speed network and not shift that traffic to your transit provider, you have to create these records.
And the coverage now is over 95 percent. So here’s a case where creating the IRR records themselves is no more difficult than creating a ROA. So why is this different? Why were we successful here but we’re still having difficulties with ROAs?
Well, there’re several reasons. There’s no ARIN agreement required. And we’re going to get back to the ARIN agreement in a bit.
Either the IP holder or some other network, usually their state network, can create the records. So you can share the responsibility of creating and maintaining these records. And in many cases the state networks essentially stepped up and said, okay, we’ve got small organizations or organizations unfamiliar with managing these records, and we’ll just do it for them. We’ll proxy register them.
There was some clear motivation. They were going to see traffic shift from their preferred path to their unpreferred path if they didn’t do this.
And if they made a mistake, if they created bad IRR entries, the consequences weren’t that great. So probably if you created a record that wasn’t correct, the traffic would shift the way you didn’t want it to but you’d still have access.
And so this is a recipe that worked, and I think it helped inform some of the challenges with ROA adoption.
Okay, so I argue that RPKI-ROV transfers some of the technical burden for routing security from the Internet service provider towards the IP address holder. And this works well for well-resourced IP address holders. And I think that’s why we see the level of success in global adoption of ROAs.
We also see pretty good success in network backbones supporting route origin validation. So Internet2 backbone does it. Many of the transit providers do.
And based on, not this week’s NANOG meeting but the previous meeting, I heard information that people had done an analysis and determined that if you create a ROA, your protection is pretty good. There’s enough people doing route origin validation that you’re really benefitting when you create a ROA.
But this doesn’t necessarily work well, this shift in responsibility, for K-12 school districts, community colleges, and even some universities don’t have the resources. They’re struggling to have the resources to do more basic things. So this is a real challenge. Again, unlike the IRR, where it was easy for another organization to do it on their behalf.
So when you look at who is responsible for these things for routing security control. So route filtering from customers, usually the transit network or the regional network. Publishing your policy via sort of the IRRs we think about today, that can be shared. The resource holder can do it or the transit network can do it.
I see the translation from Google slides to PowerPoint has made these checkmarks hard to register. Sorry about that.
But publishing your policy in an authenticated IRR, that shifts the responsibility to the holder of the addresses.
Creating a ROA shifts the responsibility.
And if we look forward to the future of routing security, you really want to get people in the RPKI door now. You want to get them creating ROAs, because hopefully they’re going to create ASPAs, and then hopefully they’re going to participate in BGPsec. That’s, at least the way I understand it, that’s the long-term goal. That’s where we get to really good routing security.
And RPKI, and using the RPKI eyes of the RIRs, is along that path.
This is some really good research from Cecilia and Deepak at the Georgia Institute of Technology. The top graph is for the ARIN region. I’ll try to explain this straightforwardly.
The AS size — so the blue line at the top of that graph — these are large AS’s. What do I mean by large AS’s? They originate lots of IP addresses. So they’re in the top 10 percent of the number of IP addresses or /24 equivalents that they have per AS.
The bottom one is the lower 10 percent. And the overall metric is the ROA adoption. And you see, over time, that not only is there difference, the larger networks are much more likely to have covering ROAs, but this gets worse over time.
And so I think it’s a combination of things.
It’s the size of the network, which implies the resources they have to do these things, and it’s the barrier that the agreement — and I’m not knocking the agreement — but it is a barrier for these organizations that were early adopters.
So 45 percent of the IP address allocations that we see the networks that connect to Internet2 are without an ARIN agreement. And I looked, ARIN now publishes — this is fantastic, by the way — starting this month ARIN now publishes a file that you can download that shows for every assignment, whether that assignment gets all of ARIN’s services — in other words, they have an agreement — or the basic set of ARIN services, meaning they don’t have an agreement.
So I downloaded that this morning and looked, and I believe 28 percent of all ARIN assignments don’t have agreements. So we’re not quite double that, but we’re at a higher rate. And I think it’s because this is a concentrated group of early adopters.
So ARIN has vastly improved the agreement and the process, but it still can be difficult. It still represents, in some cases, pretty significant friction. I’m going to talk more about that in a minute.
So one of the things that we did to try and provide good information to organizations that connect to Internet2 with respect to this is we published a Google spreadsheet and it listed 700 organizations that connect to Internet2 that have IP address space without an agreement.
We put some numbers in here about fees.
Many of you know there’s a sunset on the legacy fee discounts at the end of this year, and this has a pretty big impact Internet2-wide.
One way I described this is I say to an institution that doesn’t have an agreement, there are some security services that you should want now. And maybe you don’t see an urgent need for them now, but I think they will be standard of care in the not-too-distant future. And if you don’t act now and sign the agreement, then you lose out on these legacy fees.
And the difference, if you look at all these organizations, the difference between them signing the agreement this year versus waiting until after this year, is $2 million a year for all of Internet2.
And we created the spreadsheet that showed, that broke this down by state networks. So we let a state network know, your members in aggregate are looking at these two differences in these two scenarios.
And then for each institution we listed the addresses that weren’t under an agreement and what that institution’s fees, how they would change.
For some institutions, for a large university, the difference between paying 175 a year and 8,000 a year is not that big a deal. But for a number of institutions, that was actually attention-getting. So this was very helpful, has been very helpful. But it’s not been magic.
So despite our best efforts, as of three or four weeks ago, we’ve gotten 700 number down to 600.
So I want to talk more about the challenges of the agreement. Most of the institutions that Internet2 interconnects are public institutions, but there are private colleges. So when I have a conversation with a private college explaining these things — so let’s say we have a private college, they have some legacy address space without an agreement, and we’re making the case why there are benefits of having the agreement and the security services ARIN offers are really important.
And then we get to the agreement and I get to say — because I don’t speak for ARIN — I get to say, it’s my understanding ARIN won’t accept any changes to the agreement. And that is so cool that this is such a simple message to give to an organization because the other message is very complicated.
So if they’re a state institution, frequently state institutions have local law which requires them to have changes in the agreement.
And the way this used to play out — and ARIN has made so many improvements in this process — I really want to give them credit — the way this used to could play out is those state institutions would typically have an addendum they would staple to any agreement.
So they would have a purchasing department. Every time they signed a contract they would staple an addendum to the contract. And the addendum basically changed the agreement such that the agreement was consistent with their local law.
So we would see this happen. We would have an organization call us up and say, you know, we got the ARIN agreement and we stapled our addendum to this, and that’s just put this into a difficult situation.
That’s understandable why it did. ARIN was able to produce kind of step-by-step instructions for if you need changes, these are reasonable instructions. Here are things that we need from you. We need evidence that you’re a public institution, evidence that you need these changes. And then we’ll make them. And ARIN has the policy that they will accommodate those changes needed for that reason, and it’s been my experience that they do.
But that process creates quite a bit of friction. So there’s a component of the message, which is a technical component that you kind of deliver to the network engineers, here’s this security feature you can enable.
Then there’s the higher-level message that you have to convey to leadership of an organization because they’re going to have to allocate an attorney to do something.
Then when it turns into a back and forth with the attorney, that just makes it 10 times more difficult.
So I think that has been a challenge to doing this, and I think just an artifact that we’re early adopters and have a lot of legacy space and our community is full of public institutions.
I also want to share some myths about the ARIN agreement that we hear. And they are myths and they’re usually quickly dealt with.
So some think if they sign an agreement and they’re not making efficient use of their IP addresses, whatever that means, that ARIN will take them back.
Others believe that if they sign an agreement, they’ll be unable to monetize that IP address space through the transfer agreement. I think what makes this worse is I think it’s possible to sell your addresses without signing the agreement, and they know other members of the community who sold a /17 or something and still don’t have that under an agreement. So they think the agreement somehow prevents that.
The other one, which ARIN has made really easy to deal with, but it was not easy to deal with a year ago, is they say, it’s all covered; we have an ARIN agreement.
And this was pretty challenging to address. So in most cases, these schools have some addresses or AS numbers under an agreement. So they get an ARIN bill and they pay it. And through the ARIN portal they see all their resources, even the resources that aren’t covered by an agreement.
It was nearly impossible through the portal to tell whether something had an agreement or not. There was a trick you could use. You could try to create a route object, and if it wasn’t under an agreement you couldn’t.
But then ARIN added a nice feature that shows you very clearly what things are under agreement and what are not under agreement.
And then ARIN did something this week, which I think is fantastic — or this month, last week. So before this month, to find out if somebody had an agreement, they had to log in to the ARIN portal and look.
Now, ARIN has worked with Internet2 to help us understand who in our community doesn’t have the agreements. And that’s been very valuable because we can reach out to those people with a high degree of certainty and be able to tell them the status of those agreements and what that means.
Now that ARIN is publishing that information, I think there’s an opportunity for other service providers, other NRENs in the ARIN region, maybe Internet service providers to use that information to inform their outreach to their customers.
So, bravo, ARIN. That’s fantastic.
Other barriers to adoption. There’s not a natural champion for this. So routing security isn’t a component of an organization’s standard of cybersecurity care. I think it’s important to change that, and I see some of that change happening.
And I think that will be a tipping point when that happens, when there are enough people, enough CISOs get in a room and they’re talking about routing security. But that’s not happened yet.
We also see some confusion. There are a range of security stuff related to the network. And some networks within our community outsource those functions, and they assume that routing security is included in that set of things they’re outsourcing. For example, they might outsource DDoS detection and mitigation.
So when you talk to them about the subject they sort of naturally think, no, we’re good; that’s already taken care of.
There’s a lack of urgency. It was really nice with Google’s policy on settlement-free peerings. There was a little urgency. We had a deadline.
Google slid and let the deadline extend. But that was really nice. We were telling people, okay, it’s a reasonable thing for us to need to do as a community.
And if we don’t do it, you’re going to see traffic shift. Again, ARIN’s sunsetting of the legacy fees has been helpful. I’m a little concerned — ARIN has let us know that if people get the request in to cover this address space by the end of the year, because the process can take a while, they will honor that for those fees.
But we’re going to lose some momentum starting next year. It is helpful, again, some of the larger institutions, it’s not a big deal, but we have a lot of institutions where that’s a nice extra push. I’d like to say, regardless, routing security is why you should do this.
And it’s helpful to say, well, and you’re going to save some money and when you look in aggregate, it’s a pretty big number.
I think leadership is not hearing the message. I think this is getting better about routing security. Again, it’s just not the standard of care I think it should be.
What does Internet2 do? Lots of messaging.
Education. We offer webinars. We do office hours, and we try to do them a couple times a month. And that’s been pretty successful. We also offer to meet with any institution.
And, again, I’m really fortunate that Internet2 has essentially a full-time position that is 90 percent outreach to help the community improve their routing security. I think that’s somewhat unique.
I really enjoy the work, so it works well for me, too.
So there’s a message that I wish that all networks would use when talking to the customers: Is your customer network, University A, is your Internet connection critical infrastructure? And it just is.
There’s like nothing more important, maybe electricity, to the modern world and especially to higher ed, than Internet connections. If the Internet isn’t working the university is hobbled, maybe shut down for a while.
Is your Internet connection critical infrastructure? Oh, it is. That’s good to hear. You know, we have some special things in place to protect critical infrastructure. But we can’t protect your network unless you create this record. You know the easy button, the three fields on the ARIN web form? Unless you do that, we’re limited in what we can do to protect your network.
And, oh, by the way, there are things coming in the coming years that will rely on that same infrastructure where you’re probably just going to have to fill out a little bit of a form on ARIN’s website — will start enhancing what we’re able to do to help you.
I think transit providers, that’s a good message. We’re doing route origin validation, but it doesn’t help you unless you press the easy button.
I also think outsourcing routing security — so I talked about the things that worked well for IRR, and one of them was the address holder didn’t have to do it. Somebody else could do it for them. And there are weaknesses in that model, and I think authenticated IRRs are the direction to go.
And ARIN has the ability to, for an organization — this should say routing POC, not route POC — for an organization to delegate or empower another party to maintain their ROAs and IRR entries.
And we see some of that. So there are a couple of state networks where the network provider, the state network provider has said, okay, it’s diffusion. You don’t want to do your ROAs, you’re nervous about them, or it’s just not something you want to deal with, here is a handle that’s held by our organization, the state network, and if you designate that as your routing POC, we can create and maintain those records for you.
Now, I think in terms of the capabilities and functionality, that works really well. I think there is a little bit of — it’s complicated in the sense that these terms are terms of art, routing POC, that the process is not the most streamlined process, it’s not the most obvious process, especially with the organizations that could use this the most.
And I wish, maybe there’s in the future there would be some onboarding process where an Internet service provider who wanted to take this on could make that part of it easier for the customer.
And we need to think about how to reduce barriers to this, especially for organizations that aren’t well resourced to do this.
So we are seeing improvements. I talked earlier, when I first started looking at this, ROA coverage was about 4 percent. Now it’s about 15 to 18 percent. Definitely increasing routing security; you have to give hats off to MANRS. I think they’ve done an excellent job making that something people are aware of.
I’m worried about other sectors. Internet2 is kind of a unique thing. We’re not-for-profit; we’re trying to facilitate things for this constituency, helping them with their routing security posture. But I don’t see this in other sectors.
Maybe it’s there. Sometimes I think maybe the ISACs ought to take this on for different sectors. But Internet2, interconnecting these organizations that have their own resources that aren’t very big, that’s not a common problem. That’s not an unusual problem.
There are a lot of small organizations that have their own resource in other sectors. And we think that this, a centralized effort — centralized around things they already have affinity with — maybe the ISACs or other trade groups or whatever, something — would be helpful and we’re concerned that we don’t really see that.
We see this problem, and it’s a pretty big problem and we’re working on it, we see improvements. We look around and we’re not sure that’s happening elsewhere.
So thank you for your time. And if you have any questions now or let me know later.
Hollis Kara: Absolutely. Folks, microphones are open. If you would like to approach, if anyone has a question for Steve.
I’d just like to thank you, Steve, for coming up and talking about this. It has been a great experience over the last year working with you to help advance the conversation at Internet2.
But with that, I’d actually like to start with the microphone over on the side.
Mike Burns: Mike Burns, IPTrading. On the barriers to creating ROAs by third parties, one of the barriers I’ve found is that all of the address blocks owned by the ORG have to be given the capability of ROAs by a third party.
You can’t just say, I’m going to take this block and allow a third-party to do ROAs on it.
Steve Wallace: That’s a good point, and maybe if there were more sophistication in the role, that might help.
For many of our institutions, they have just a couple blocks. So I tend to think of it — I know that doesn’t represent everyone.
Mike Burns: Right. The application is people who have large blocks but are leasing some of them out. And the lessors want to automatically create the RPKI.
Steve Wallace: Yep.
Hollis Kara: Thank you. We’re going to come over to the other side.
Edward Lewis: Ed Lewis, ICANN. At NANOG earlier in the week, I don’t know if you were there, there were three talks that covered similar in numbers, and they’re all consistent, which is good news.
In looking at this, seeing the 10 percent number of adoption by the U.S. R&E environment, I’m wondering — right away I thought, there’s all the legacies that are ineligible, you covered that really well. What would the number be if you only looked at those that were eligible to get ROAs issued?
I’d be curious. You may not have the number off the top of your head, but that would be a curious measurement of adoption.
Steve Wallace: I did this a while back. And I really kicked myself for not redoing it.
Because this is the obvious question, right? It’s not as good as — it’s still behind. It’s better. But it’s still behind.
And I forget the delta. The delta may be less now because we’ve seen quite a good improvement in the last year, and it’s been a while. But that’s a good question. And it’s a big chunk. It’s not all of it.
Edward Lewis: And the other question about the numbers is, I’m doing a similar thing in the DNS area, so I want to talk to you more about it offline. But I found there’s a difference between IP address holders and the AS number holder in some cases, which may not be the same in your area, but for the DNS area it can be vastly different.
Consistency in how we’re measuring the IP ranges versus AS number would be very helpful in adoption.
Steve Wallace: Yes. Thank you.
Hollis Kara: All right. We’ll come over to this side of the room.
Owen DeLong: Owen DeLong, man of many hats. A little bit of a counterpoint. I don’t view RPKI as particularly routing security because the general advice out there is not to use the max prefix length field. And if you don’t use that, really what you’re providing is a cryptographically signed hint as to what to prepend to a forged announcement.
It’s great for preventing fat fingers, but in terms of a deliberate attack, you launch a more specific with a proper pre-penned and, voila, you pass ROV.
Steve Wallace: So I try to be careful when I talked about what it offered, certain kinds of attacks. Its greatest value is probably misconfigurations.
But I see it as an entry point into using the RPKI for other things going forward, including BGPsec. And so I’d like to get people started. But it’s a good point. If you forge the origin, you defeat a ROA.
Hollis Kara: Great. We’ll keep our in-room pickleball going and head across.
Kevin Blumberg: Kevin Blumberg, The Wire. Routing security is like backups — nobody deals with them until they get hit, and then they deal with it. It’s a scare tactic.
The reality is today we’ve moved from routing security as the key benefit of RPKI to basic connectivity. If you want to connect into a cloud provider directly, you don’t have RPKI, have a nice day, you cannot connect to us. We need that turned on or you’re not connecting.
There are transit providers who are now starting to do the same thing, DDoS mitigation providers that are doing the same thing. It is becoming a basic connectivity requirement.
That messaging is, I think — we’ve reached that point in the messaging where it’s not, this is a nice add-on for routing security. It’s a, this is what you need now to be on the Internet in 2024 and beyond.
Steve Wallace: I couldn’t agree with you more. One of the things we talk about is if you want to bring your IP address space to the cloud and have them reannounce it, you’ve got to have ROAs.
And I think if it were a reasonable thing for Internet2 to do, to say we would like everyone to have ROAs, we would like to do that. But right now that’s not a reasonable thing for us to say. But I agree.
Kevin Blumberg: If it’s purely a security issue, the hats that are wearing it aren’t seeing the value in it, where if you actually want to be on the Internet you need this. It may be that part.
The nice thing is you’ve got a lot of MANRS participants. And MANRS is the agreed norms. And maybe they can help bring up what they would consider to be a norm when it comes to this.
Steve Wallace: Yes, it would be nice if MANRS was a little stronger on RPKI, I agree.
Hollis Kara: In the interests of time, I am closing the microphones, but we’re going to finish with our gentlemen in the queue on this side.
Robert Seastrom: Rob Seastrom, I’m on the ARIN Board of Trustees. I work for Capital One and do stuff with ClueTrust, and I’m speaking strictly on my own behalf here, none of my employers or other affiliations.
I saw a lot of interesting ideas in your presentation. And so I wanted to stand up here for a few seconds and talk about something that does not get a lot of love at these meetings, which is the ACSP, the ARIN Consultation and Suggestion Process.
For many minor tweaks, that’s the proper venue to bring them forward to ARIN to make changes.
I think that Mike’s comment about, well, you should have more fine-grained, whether it’s putting a routing POC on a number resource as opposed to an Org — that might even be possible today, I don’t know. But at that level of sort of thing is rich ground for the ACSP.
Steve Wallace: So I appreciate that. And I’ve used that process and ARIN has actually done things. So, yes, ARIN has a nice, formal — that’s one of the things I really like about ARIN, and I don’t see it in other organizations in which I participate, is that these things have mechanisms to make requests. So thank you for —
Robert Seastrom: Please bring more. I see some good stuff there. Thank you.
Hollis Kara: Thank you. All right.
John Brown: Quick comment. First of all, let me introduce myself. John Brown, CISSP and working for Team Cymru. You earlier said in the slide about the CISO at an organization doesn’t necessarily see this as their purview. As a former ISC-squared CISSP instructor, I would disagree with that assert from the CISO.
I’m looking at the eight domains for the CISSP certification, and I can think of at least three domains within that certification and process that a CISSP would care about RPKI and ROAs at the administrative senior management level.
So I think personally it is within the domain of the CISO and an organization’s security posture.
Steve Wallace: That’s great to hear. And I hope that becomes a more common in practice. I mean, I’m just sharing my experience, which is not necessarily representative.
John Brown: I thought I’d throw that out, and it might be an evangelistic area to go, talk to ISC-squared, help them push that better into their curriculum as part of their continuing ed stuff for CISSP.
Steve Wallace: That’s a good idea. I will do that.
Hollis Kara: Thank you. And thank you, Steve.
All right. You guys are kicking this morning. I like it. Next up, I’d like to welcome Bill Sandiford, our chair, up to the stage, to give the Board of Trustees Report.
Board of Trustees Report
Bill Sandiford: Hello again, everyone.
We’re trying something new this meeting around. You’ll note in previous meetings, when we had sort of our Board reports and other type of stuff, we did it in the morning of the second day while everyone was recovering from the social the night before. And the room was a little bit thin and people are a little bit hiding behind their sunglasses and stuff.
We decided we’d take all this exciting stuff, or not so exciting stuff as the case might be, in my report, and as exciting as it might be in Nancy’s finance report after me, and stick it right at the front of you on the first day.
So let us know what you think of that format change when you’re giving us feedback on the meeting.
So, as Hollis mentioned, I’m Bill Sandiford.
I’m the current Chair of the Board of Trustees. The purpose of this presentation is just to give you a little bit of an idea of what we’ve been up to since our last meeting and take any questions that you might have.
One of the things that we take care of in the Board is looking after some of the financial matters. We handle some of the standard legal stuff that needs to be done, like the IRS forms and the 990s.
We handle the approval of the funding for our grant program, most recently, and we undertook a process for the over last little while to harmonize the ASN fees and that was approved and implemented by the Board.
In terms of our fiduciary responsibilities to the organization, we do the standard routine stuff every month like adopt meetings from previous Board minutes. Every year we take a look at our election processes and our various things related to the election. And we update and adopt those changes based on feedback and improvements from the community.We’ve done that.
We format a guidance letter that goes to the nominating committee, identifying skills gaps and other things that we’re looking for in candidates based on terms that are expiring or gaps that have been identified in our own skills as a Board as we reflect upon ourselves.
We put that in the guidance letter. We send that to NomCom and say, hey, while you’re out there recruiting candidates and reviewing the ones that come in, these are the kinds of things that we think we’re looking for and it would be helpful for you to find.
We take a look at things like the questions that are going to be asked for nominees when it comes, when those come in for the Board and for the Advisory Council elections.
We take a look at our ongoing training requirements. One thing that we do have in our budget is a small allocation of funds for Board and other development training in the organization so that we can ensure we’re on top of our game while representing your interests in the organization.
And then the big one for us this year, which many of you are aware of, is the team and the staff put together an excellent overhaul to the ARIN facilitators, the previous ARIN facilitators program or list. And came out with a new ARIN Qualified Facilitator program, which was successfully implemented. And happy to see that there’s a bunch of approved facilitators — what’s our current number, John, of approved Qualified Facilitators? Eight organizations which have gone through that process.
And I’m sure there’s others that are in the works. So that was another major thing that we undertook over the last year.
As most of you know, one thing that the Board does as the final step of the process of ratifying policies that have been developed by you, the community, and sending them onwards to the staff for implementation. I’m not going to go through every single one of them here. Most of you are already intimately familiar with them, seeing that they were policies that were developed by you.
But there was a bunch of them that have recently been ratified and are making their way or already have made their way into implementation.
And as far as things from the last meeting, that’s it for me in this presentation. But I’d be welcome to take any questions or comments from you with regards to this report or, quite frankly, anything else as it relates to the Board of Trustees. Thank you.
Hollis Kara: Please feel free to approach the microphones if you have questions for Bill or start typing if you are attending virtually.
Mike Burns: Mike Burns, IPTrading.
Recently in RIPE, they had a process where they were determining whether RIPE staff members could participate in the PPML and policy discussions. What’s the situation at ARIN?
Bill Sandiford: I’ll let John take that one because he can probably handle it more eloquently than me.
John Curran: ARIN has a public Policy Development Process that actually, one of the things that we did last year was update that. And the ARIN PDP contains a sentence that says that anyone is welcome to participate in the ARIN Policy Development Process, except for ARIN Board and staff who have specific roles in the process and therefore cannot participate as a general participant.
And the staff helps the community develop and facilitate the advancement of policies, work with the AC, work with the community. And the Board is involved in reviewing that the process was followed and ratifying the recommendations of the ARIN AC.
We’ve always held that the policy should be set by the community, and therefore it’s not appropriate for ARIN staff or the ARIN Board to have a general purpose role.
The AC actually runs the process, and so they also deal with that. But their role is both advocate and presenting and that’s recognized — you vote them for that role.
We can change the Policy Development Process to allow ARIN staff to participate. And if the community were to do that, as the CEO, I would allow ARIN staff to participate. But unless you change the process, I won’t.
Regarding the Board, the Board can at any time say, we are changing the rules and we wish to participate. But they have not done that yet. It’s self-imposed from the Board. And it’s the community’s control on whether the staff does it.
Right now, both have prescribed roles that mean they’re not general participants. Did that help?
Mike Burns: Yes, that helped.
Bill Sandiford: Great question, thanks, Mike.
Any other questions or comments? All right. Before I pass the magic wand here off to Nancy, just one quick announcement I wanted to make.
As most of you know, in addition to the Board and the Advisory Council, we have another body of volunteers in our organization, which is the ASO AC or the NRO NC as they’re also called. And part of the formulating of that body, there’s three individuals, two which are elected for three-year terms and then one seat which is appointed for a three-year term.
And this year, it’s the year where individuals applied to be appointed rather than elected.
And as of yesterday, that process has come to conclusion. And we would like to congratulate Kevin Blumberg. Kevin, if you could stand up. I’m sure you’re in the room somewhere.
Kevin’s at the back there. Kevin has been successfully appointed to hold another three-year term. The feedback that we get from our colleagues on the ASO AC on Kevin’s participation and his performance over the last few years and his previous appointments has been outstanding. So we’re excited to have him continue in that role.
We’d also like to take the opportunity to thank others that put their name forward for this position, namely Kate Gerry and Lou DeVictoria, thank you very much for putting your name forward. It’s much appreciated, and it’s volunteers like yourselves that step forward for our community to make our community what it is.
Thank you for that.
Congratulations, Kevin. And with that, I pass you to one of the most exciting parts of every ARIN, which is Nancy Carter and the “Funance” Committee.
Hollis Kara: Come on up, Nancy.
Nancy Carter: Those are bright lights.
Thank you. I just want to start by saying that I work for CANARIE. That’s my day job — the National Research and Education Network in Canada. And I appreciate all of the presentation, Steve, and I’ll take some great tidbits back to our team when I go back home. Thank you.
So, good morning. Great to see all of you here in sunny San Diego, and welcome to those of you online.
It’s now the moment you’ve all been waiting for, but Bill already stole my thunder, the ARIN Treasurer’s Report. It’s the highlight, as we know. And isn’t it great that they changed the schedule so that you didn’t have to wait until tomorrow for this presentation?
I think it’s fantastic.
I should have been in marketing. (Laughter.)
So it’s important for me to acknowledge — wait a minute, wait — it’s important for me to acknowledge that I could not serve as treasurer without the help of my colleagues on the Board of Trustees and the dedication of the ARIN staff. The Financial Services Department, in particular, demonstrates a continued commitment to evolving financial services at ARIN and to creating meaningful reports and presentations for me.
Thank you to Brian and the entire FSD team. They’re the team that makes my job as treasurer super easy and they make me look good.
In addition, I’m grateful for the ongoing support from Alyssa, who keeps the “Fun-ance” Committee and me on track.
Today I’m going to update you on the activities of the Finance Committee since last April. I’ll review the 2023 results, including the financial position, highlights of the investment portfolio, the operating results, and then, finally, we’ll look at the net assets.
So as you can see, the CFO and I continue to keep the Finance Committee super busy. We’ve met five times since I reported to you in April in Tampa.
We’ve provided oversight of the financial results of the organization. We’ve monitored our investment results in conjunction with our investment advisors. We met with the auditors and tax advisors. We reviewed policies and budgets. And, most recently, we’ve been working on the 2024 budget.
We continue to rely on the work and the professionalism of our investment advisors and our audit firm and we remain pleased with their performance.
Their dedication to our results and compliance requirements and their capacity to communicate effectively with the Finance Committee has been very much appreciated by the members of the FinCom.
So, as some of you know, it’s my favorite time of the year — budget time. Who doesn’t love budget time? Management presented the 2024 budget to the Finance Committee, and we recommended its approval to the Board at our meeting this week.
Finally, we reviewed and discussed the IETF endowment contribution.
I’m going to move to the financial position next. So this slide, which is a huge eye chart, shows ARIN’s financial position as of the end of August.
If we look at the August balances and compare them to the 2022 year-end balance, you can see that the largest changes to assets are in the cash and investment accounts. The decrease in cash is caused by the transfer of funds to the investment accounts.
And I’ll speak more about that as we move through the next few slides.
The significant increase in investments is caused by the transfer of funds just mentioned and earnings on the investments during the year. The increase in other assets is caused by increases in accounts receivable, prepaid assets, and deposits.
And if we look at liabilities, the largest change is an increase in deferred revenues. Deferred revenue represents billed amounts that will be recognized as revenue over the next 12 months.
So this increase is caused by an increase in billed amounts over the last 12 months. The increase in accounts payable and accrued expenses is caused by changes in accrued salaries and other amounts payable to service providers and Internet industry organizations.
The decrease in the operating lease liability was expected as we made scheduled payments on our lease agreements.
And finally, the increase in net assets is the net result of an operating surplus of $600,000 and investment earnings of $1.7 million.
So I turn your attention to the ARIN investments. This slide shares the good news about the increase in investments during 2023. The combined value of our operating reserve fund and the long-term reserve fund is $36.9 million at the end of August.
That’s an increase of almost five and a half million dollars since the end of 2022.
The operating reserve fund has seen more activity than usual in 2023. To take advantage of higher interest rates, we’ve moved a total of $3.75 million from the operating bank account to our operating reserve investment account. The funds in the operating investment account are now earning more than 4 percent while funds in the bank account continue to earn less than 1 percent.
The long-term reserve fund had a balance of $29.2 million at the end of August, and this is an increase of $1.6 million, or 5.7 percent. The chart on the right gives you an idea of how ARIN’s diversified portfolio compares against some of the major market indices.
So move on to operating results, as this slide shows, while 2023 revenues and operating expenses have increased over 2022 amounts, they are consistent with 2023 budgeted amounts. So we can take a quick look at revenues and expenses separately.
Here we see the total revenues to the end of August 2023 compared to 2022 and to the budget for this year. Total revenues are almost $18.8 million.
This is less than 1 percent under budget but represents a 17 percent increase over August 2022 revenues.
The annual fees for registration renewals are ARIN’s main source of funding. These revenues are $16.6 million, which is 88 percent of our total revenue.
The fee harmonization program that began in January of 2022 is the factor causing the difference between the August 2023 and August 2022 revenue amounts.
Another item to highlight on this slide is the year-over-year increase in network transfer revenues. This increase is caused by the new recipient transfer processing fee.
Since the annual renewal fees represent the majority of ARIN revenues, we thought we would share a comparison of annual revenue run rates for these fees as of August 2023 and August 2022.
Activities since August of 2022 has resulted in a 2.3 percent increase in total RSP customers and in a one and a half percent increase in annual RSP billings.
So we’ll continue talking about the statement of activities but switch the conversation to operating expenses.
Total operating expenses are $18.2 million through August. Like revenues, ARIN’s operating expenses are tracking close to budget but are more than the 2022 operating expenses. The increase in operating expenses is driven by the increase in personnel costs. The 2023 budget included additional head count for ARIN, which accounts for the year-over-year increase in salary and benefit expenses.
There are a couple of items driving a year-over-year increase in engineering operating expenses. So, first, we’ve seen an increase in software costs because of vendor policy changes for not-for-profit companies where we were offered discounts previously and are not anymore.
Additionally, engineering operating expenses increased due to the accounting policy change implemented in December of 2022.
A couple of other items to note. Internet industry support and outreach is under budget as of August 2023, but there are plans for additional outreach events for the fourth quarter.
Also, general office expenses are under budget due to the continuation of ARIN’s hybrid work policy, which continues to see most of the company’s employees working from home.
Because salaries and benefits drive changes in ARIN’s operating expenses, here’s the chart showing the recent changes to the ARIN employee head count, something I talked about on the last slide.
Finally, we’ll take a look at ARIN’s net assets and liquidity. The results from revenues, operating expenses and investment earnings work together to make the overall net change to the ARIN net assets amount.
Through August, net assets have increased a healthy $2.3 million and the number of months of expenses covered by these net assets remains at 11.
But net assets is different from financial liquidity. The ARIN financial liquidity position is represented by available cash and investments. The combined amount of ARIN’s cash and investments has grown to $37.7 million.
All this means that ARIN remains in a healthy financial position and has a very favorable liquidity position.
Thank you so much. I’m happy to answer any questions.
Hollis Kara: Great. Anyone has any questions for Nancy, please feel free to approach the microphones or for virtual participants to begin typing in Q&A. All right. Kevin, you made the race to the front first. It’s all you.
Kevin Blumberg: Kevin Blumberg, The Wire. Those looked unbelievably healthy, those numbers, and that’s wonderful to see. One of the things that I noticed was 17 percent growth in revenue related to registration, 17 percent growth in expenses related to employee but more head count. Sort of makes sense.
The one thing that wasn’t really here was some of the risks. You’ve had some phenomenal returns on investment in terms of your portfolio in the reserve funds, et cetera. There’s been some great growth in terms of transfer fees, things like that.
All of this is based on growth. The budget’s grown, revenue’s grown. What happens when that’s not the case? Is it we charge more to the subscribers to keep that growth continuing? Is there any sort of risk examples that you have modeled that could show the community the types of things that you could or couldn’t do depending on the budget trajectory long term?
Nancy Carter: Kevin, great question and I’ll start with an answer, and then… I see John has his hand up. But certainly that’s something that we look at through the budgeting cycle. Very definitely looking at what kinds of things can we afford to do and can’t we afford to do, and how we would manage to pay for those things.
So definitely looking at priorities and risks. So I’ll hand it over to John now.
John Curran: So it’s actually a great question. A few things that’s happened. One is that we have sizable investment reserves. At this point more than one year operating expense in investment reserves.
And the Finance Committee actually looked at that, and we, working with the investment consultant and the managers under the consultant, have dialed back our portfolio to a more conservative mix to target a lower return, but to make sure that therefore the portfolio is much more stable in terms of economic swings because we have the ability to do that. We’re not relying on the growth in any way.
The other thing they did is the Finance Committee directed me several years ago and the Board confirmed that ARIN’s expenses and revenues ought to align independent of any gains on the investment reserve. It used to be we had a several million dollars a year that was allowing us to fill the gap between revenues and expenses. And they said, “No, no, we want to have revenues and expenses align and treat the investment separately.”
So as part of doing that, we did do some changes, some of the restructuring and fees. And we’ve added staff in order to adjust for things that people wanted, things that, like, we now have a formal information security program and a CISO. We now have a sizable investment in the RPKI and the routing tools.
We now have a substantial investment in terms of Qualified Facilitated Program, which isn’t a passive listing but it’s an active listing that involves vetting those organizations.
So we’re kind of at a stable point in terms of staff and capabilities. And one of the things we’ve put in front of the Board is a stable, no-growth scenario that doesn’t involve substantial changes.
Obviously we can update the services and update things, but doesn’t involve substantial new functionality for ARIN or new departments, that involves us operating completely within the operating budget. Doesn’t involve substantial change to fees.
And to show that we can actually run ARIN at a steady state, we’re actually on a cusp changing from the growing phase to steady. And I think we’ve put that in front of the Board and they have it. We’re going to be talking a little bit about that.
The challenge, of course, is, whether I like it or not, ARIN is about 70 percent employee expenses. And that also involves benefits and compensation to handle cost of living for everyone.
So whatever we do, we do have to see a 4 to 5 percent increase just to stay where we are. And we’ll be talking about next year, when we talk about fees and budgeting, how we handle that.
We don’t want to continually adjust the fees; we want people to be able to predict what they are. But at the same time just to maintain the current services, we’re going to need to have a structure for that.
So we’re thinking about ARIN the steady state nongrowing entity ourselves, and I think we’re actually in very good shape that way.
Kevin Blumberg: Thank you.
Hollis Kara: Thank you. All right, coming across the room to Dan.
Dan Alexander: Dan Alexander, Comcast. Hey, Nancy. I also share Kevin’s concerns for the rising expenses, and I actually was going to come up and ask about the operating deficit, but happily you have taken care of that.
And I’d just point out this is the first time in eight years that ARIN has eliminated an operating deficit. And I just say nicely done. Thank you.
Nancy Carter: Thank you, Dan.
Andrew Dul: Andrew Dul, 8 Continents Networks. Thank you, Nancy, for your report. Illuminating as always.
I wanted to ask about the IETF endowment line that was in the beginning. Is that going to be discussed elsewhere? Or would you like to comment on the number possibly being proposed for ARIN to contribute to that?
Nancy Carter: I’m happy to comment on that, but I see John has his hand up, so I’ll turn it over to John.
John Curran: So as people may know. In 2016, ARIN pledged $2 million to the IETF. At that time it was the Open Internet Fund — the Open Internet Endowment, which the IETF and ISOC formed jointly.
We pledged $2 million and gave $1 million, as did a number of the other organizations in the ecosystem, the other RIRs.
The IETF has since restructured. The IETF has evolved from being effectively operated as a department of ISOC to being a separate affiliate known as the IETF LLC.
The endowment has changed from the open Internet endowment to IETF endowment. And ISOC actually signed an agreement with IETF. People may not know it, but the IETF meeting fees don’t cover the cost of running IETF. IETF operates at a deficit because of the cost of doing the standards and the RFCs and the publication.
And so, the ISOC and IETF recently signed an agreement where ISOC pledges to cover that gap for several years, but the goal is to have an independent organization that’s financially stable.
ISOC also pledged to match two for one any contributions to the IETF endowment up to $12 million and then one-for-one for the next $6 million.
We’ve pledged $2 million. We gave $1 million in 2016. We’ve never given the second half. At the time we did our first contribution, we said we would do the second half when there was a matching program and more organizations involved.
Well, there’s now a matching program. I’ve gone to the FinCom and the Board and said it might be time for us to work with other organizations to do a contribution. And, in fact, we’ve been given the go-ahead that if we can find other organizations that are willing to stand up and help support this, that we’ll make that second half of that contribution.
That’s something we expect to see happen next year because it takes a little time. But we want to honor the pledge we made to the IETF. So it’s in the budget because the Board has said do it. The requirement of the matching program is met and now I’m just looking for other organizations to help build momentum towards contribution.
Hollis Kara: Thank you. I think we have one final question from our virtual attendees.
Beverly Hicks: Yes. And you should be able to unmute yourself now. Mr. Savoie? Okay, maybe not.
Hollis Kara: Okay. I guess it was an errant hand. With that, thank you, Nancy.
Nancy Carter: Thank you.
Hollis Kara: All right, everybody. That brings us up on our first break of the morning. We are actually running a little bit behind schedule, which is okay. We’re still good.
But I’m going to give you until 11 for the break. So you’ll have a little bit more time. I would ask, before you depart the room for the break if I could have my Fellows come up front. We wanted to get a group picture.
But otherwise we’ll see everyone back here at 11 when we will launch into ARIN elections.
Hollis Kara: All right. Get folks in the hall and we can get going with elections. Get ready. John is going to slow roll into our election introduction. And here we go.
John Sweeting: We’ll slow roll this while everybody starts to come back in. People in the room, if you could settle down a little bit? That way, the people outside will know they have to come in.
I’m John Sweeting, Chief Customer Officer. I’ll give you a little bit of information — probably more than you need, but all that we have — on the 2023 ARIN Elections.
All right. So there’s five simple steps to get you ready for the ARIN Elections. You need to get to know the candidates, join the General Members Mailing List — we’re currently up to about, I think, a little bit over 120 General Members that have joined that list and are participating.
That list is mainly there to talk about the ARIN governance issues and items, but we would like it to be used more for the candidates to introduce themselves to the General Members who are the voting members of ARIN.
You can view or make Statements of Support for all the candidates. You can watch the candidate speeches, which we’re going to play right after this. And then you can cast your vote this afternoon once the election has been opened, which I believe is soon. 12:00 PM Pacific time.
Hollis Kara: It’ll be 3:00 PM Eastern, 12:00 PM Pacific, so polls will be opening soon.
John Sweeting: Elections will be opening soon at 12:00 PM Pacific time.
For the 2023 Board of Trustees candidates, we have 11, it looks like. With their qualifications, you can look through them. Hopefully you’ve already looked through them and read their Statements of Support and everything. You’ll see their speeches here soon.
And then there’s the Advisory Council candidates, which there appears to be 14 of them. So for the Board, there’s four open seats, three that are full term and one that is a one-year term.
For the Advisory Council, there’s seven open seats, five which will be full three-year terms and two that are one-year terms.
NRO NC, it was an appointment year. As we already know, Kevin Blumberg was appointed to continue on.
So, again, get to know your candidates.
There’s a voting guide. It’s available at ARIN.net/elections. There’s also an ARIN Help Desk outside. If you have any questions, go out and see Jason. He can answer any questions that you might have.
General Members Mailing List, subscribe or view the archives at ARIN.net/MailingLists. And then those Statements of Support are available at ARIN-elections.net. You can make Statements of Support or you can just go and read them for all the candidates.
Casting your organization’s vote, who can vote. Organizations must have been a General Member in Good Standing with a designated Voting Contact as of 4 September. A little bit different from previous years.
We looked at this, and the Board looked at it, and said, hey, you know, we haven’t allowed people to change their Voting Contacts in years past. And if somebody left the organization between that 4 September date or whatever date it was — it was 45 days before the election — if they happened to lose their Voting Contact in that time, they would not be able to vote.
So this year they made a change, and Voting Contacts were allowed to be updated all the way through seven days prior to the election, which was last Thursday. Last Thursday, when that time came, we went through and we updated the Voting Contact list, validated it with the numbers, and then uploaded it to eBallot, who is our election software provider.
So accessing your ballot after 3:00 PM Eastern, noon Pacific time today, eligible Voting Contacts should log in to your ARIN Online. You’ll see a “Vote Now” link. And you click on that and you’ll be able to cast your ballots for the Board of Trustees and Advisory Council.
If you try to do that today and you have any issues, Jason is sitting outside here at the Election Help Desk, and he’ll be there through the entirety of this meeting through tomorrow.
This is a sample ballot. This is what the ballot’s going to look like. It’s going to have their pictures, their name and their qualification. The full ballot for all elections will be presented to you at one time on the same screen. You can choose up to four candidates for the Board and seven candidates for the AC.
You don’t have to choose four and seven, but you can choose up to. You can choose a candidate for each one of the open seats. Your prerogative.
Once you’ve done that, you’ll get to review your choices. If necessary, if you may happen to click on the wrong one — oh, that’s not who I wanted — you can go back, edit that selection, agree to the participant consent and submit your vote.
You will receive a confirmation that your vote was received and was cast, and you may print the receipt on that.
You’ll also receive a confirmation email at the address indicated. You don’t really need to print that receipt because you’ll have it in your email and you don’t have to kill any trees trying to keep a paper receipt.
So, again, reminders, voting opens today, 19 October 2023, 3:00 PM Eastern, noon Pacific. Voting closes 27 October 2023, 7:00 PM Eastern, or 4:00 PM Pacific. Statements of Support and candidate bios are available at ARIN-elections.net.
Election headquarters, that’s at the ARIN.net/elections. It’s got all the information you really need. You can get to all your Statements of Support. Those Statements of Support will be available until the voting closes.
Election calendar and all process documentation is also there and step-by-step instructions on voting. And, again, if you have any questions, we have Jason outside at the Election Help Desk.
And that’s what this says. So there you go.
Email to send any questions to is elections@ARIN.net or you can go see Jason outside this room at the Elections Help Desk. Thank you very much.
Questions, comments or I’m going to turn it over to Hollis to start playing your candidate speeches.
Hollis Kara: Thanks. So where do people find Jason, John?
John Sweeting: At the Help Desk outside.
Hollis Kara: He’s out there. Good, everybody clear. Jason’s out there.
We’re doing things a little different this year. In the past we had a mix of in-person and recorded presentations of speeches. Last year, I think, we brought everybody to the meeting and did everything in person. This year, we flipped the script entirely and asked all of our candidates to prerecord speeches so that it’s all on an even level.
You’ll notice many of the candidates are, in fact, here on site. So feel free to connect with them later at the social if you wish to talk to them about their candidacy. But all the speeches have been prerecorded.
So there you go. We’re going to start off with viewing the speeches for our candidates for the Board of Trustees. Are we ready?
Board of Trustees
Announcer: Our first candidate for the ARIN Board of Trustees is Dan Alexander.
Dan Alexander: Hello. I am Dan Alexander, and I’m excited to be a candidate in this year’s Board election. I stepped away from ARIN for a short time to focus on some other things. I got recharged, and I took on a new role as Director of Engineering at Comcast, and I’m very fortunate to be managing an amazing group there. I also get to add that to more than 20 years of engineering experience.
I think this experience has helped me understand many points of view, which I think is an important requirement for serving on the Board of Trustees.
In addition to the fiduciary roles and the duty of care that all Board members must focus on, need to understand that some want more services from ARIN, some want less involvement.
Operators may want more focus on the IRR and RPKI, while others just want to make transfers easier. Need to appreciate these different requirements along with the risks and implications, along with the different opinions of the Board members, in order to form a more effective strategic plan for ARIN.
Also need to understand how these implications fit into a long-term budget. And, of course, this always has to be done with a focus on transparency with the community.
I have years of network operator experience working for an ISP. I continue to work through v4 scarcity. I’ve deployed v6 and continue to deploy v6. I regularly deal with budgets, strategic plans and risk management in my day job, and I’ve been able to apply that as well in the past, having previously served on the Board of Trustees.
I’ve served several terms on the ARIN Advisory Council and worked through a number of policy topics, along with serving as the Chair of that group for a number of years. I feel my experience makes me uniquely qualified for a position on the Board. So I ask for your vote and any Statements of Support you might be able to provide so I can continue to serve the community. Thank you all and take care.
Announcer: Our next Board of Trustees candidate is Nancy Carter.
Nancy Carter: Hello, everyone. As I hope you all already know I’m Nancy Carter, and I’m happy to be running for re-election to the Board of Trustees. I want to start by thanking ARIN for the decision to prerecord these videos as a way of ensuring equity for all candidates.
During my past two terms on the Board, I’ve enjoyed working with, interacting with, and getting to know all of you. Our interactions have demonstrated a common commitment to ARIN and its success.
It’s a joy to work with such an inclusive, inspired, and informed community. As you can tell when you read my bio, I come from the research and education sector. I have both a finance and legal background, and I’m currently VP, Legal and Corporate Governance for CANARIE. I’ve been fortunate enough to have undergone governance, EDI and ESD training, which supports my work as a trustee, and I enjoy taking on new challenges and helping organizations adapt to new opportunities.
I love technology and what can be achieved by it, yet I’m quite possibly not the most technical candidate for the Board of Trustees. What I do bring to the Board is important financial, legal and governance expertise.
Having a diverse set of skills, perspectives, backgrounds, and voices on the Board is critical to ARIN in its role of supporting the operation and growth of the Internet.
For the past three years, I’ve again served as ARIN’s Treasurer; and after serving on the Governance Working Group, I now co-chair the newly formed Governance Committee.
Over that time, the Board worked with management to evolve the governance model, including the election processes for the Board and Advisory Council, driven by feedback from you, the community. To establish a Risk and Cybersecurity Committee for ARIN, to make significant accounting and financial system improvements, and to engage a new investment advisor and a new auditor, which has enhanced our ability to deliver on our fiduciary responsibilities. My six years on the Board have flown by.
I’d like to thank ARIN staff and management for continuing to undertake new initiatives that further ARIN’s mission and purpose, and strengthen the organization. In the face of significant risks to our quality of life because of growing cybersecurity threats, ARIN’s role could not be more relevant.
The same is true for the organization that I work for, where we’re working with our community to deploy ARIN-supported initiatives such as RPKI.
As a Board member, I will work to ensure that ARIN remains secure and support ARIN’s strategic evolution to further secure the Internet. I will also initiate discussions on sustainability and our social and environmental impact.
The other candidates, you and I, are all involved with ARIN to support its purpose and to ensure its continued value and relevance to society. My not-for-profit financial, governance and legal experience is directly relevant to ARIN’s mission today and into the future. I remain extremely grateful for the community’s confidence in having reelected me for a second term. I believe my first six years on the Board demonstrated my commitment to you and to ARIN, and I look forward to continuing to work with the ARIN community.
I hope that I can count on your vote when the voting period opens later today. Thank you.
Announcer: The next candidate for the ARIN Board of Trustees is Jack Cathey.
Jack Cathey: Hi. My name is Jack Cathey.
I’m the owner and President of Megawatt Communications. We’re a fiber at the home and business small ISP located here in Tennessee. My interest in being elected to the ARIN Board of Trustees is to provide representation to represent small ISPs such as ourselves and also the Rural Broadband Initiative of America.
Getting more Americans connected to the Internet is a huge passion of mine, and it’s a great focus that I think we should focus on as we move forward. I sure would appreciate your vote in the upcoming election. Thank you for your vote.
Announcer: Our next Board candidate is Philip Duclos.
Philip Duclos: Hello, my name is Philip Duclos, and I am a candidate for the position of Trustee for the ARIN in 2023.
I am a Legacy Resource holder and General Member of the ARIN and have worked on the development side of networking for many years.
I have a good understanding of Internet working and that gives me a technical understanding of the ARIN and its mission.
While I think a solid technical background is helpful, it is my volunteer work for several nonprofit organizations over more than 15 years that has given me the experience and skills to be an effective leader for the ARIN. Skills like budgeting, defining goals for the organization, assessing direction, and building consensus with others inside and outside the organization on plans to meet those goals.
As for the ARIN’s future, I think I should listen to what our members say and work with the Advisory Council and others on plans to enact those changes. I think that the ARIN will face challenges in dealing with regional governments as well as with the other Regional Internet Registries on plans for the future, and I think it is critical to preserve the community-based management of the number resources that is the ARIN’s mission.
I believe my skills will help me to provide service to ARIN’s members and the larger Internet community. I look forward to these challenges and thank you for your support.
Announcer: Next candidate for the ARIN Board is Andrew Dul.
Andrew Dul: Hello, I’m Andrew Dul, and this year I’m running for the ARIN Board of Trustees.
First off, I want to say it has been a pleasure to serve the ARIN community on the Advisory Council for the past few years.
The past years have been challenging for as we have navigated work during the pandemic and are now working to continue on with new expectations about work and collaboration.
For those of you who may not know me, let me briefly provide you an introduction. I’ve been involved in the ARIN community with various aspects for a number of years, including serving two different periods on the Advisory Council. I have broad professional and personal experiences that I believe will make me an effective member of ARIN’s Board of Trustees.
In my regular work today, I work with companies to help them manage their Internet infrastructure, including evaluating the security and risk of their products and services.
I have practical fiduciary board experience coupled with academic work in board governance and risk management that I trust will help make positive impact while serving on ARIN’s Board.
Turning to ARIN today. I believe every member of ARIN and, to a larger extent, the Internet community served by ARIN, should be heard and represented somehow in the fulfilling of ARIN’s mission.
Today, ARIN has over 17,000 members, and while ARIN has made good strides over the past few years trying to bring new voices to the active community, including Caribbean outreach, there’s more work to be done. But some of this work will mean change and sometimes change is hard.
While some of us are fond of email mailing lists, this is not necessarily how everyone in the community today feels comfortable contributing and collaborating.
Our Public Policy input needs to be easily heard from a group of individuals who separately but together represent the Internet community that ARIN serves.
We as a community have work to do here, as from my perspective our input is not as broad as it should be, and as a Board member, I would hope to continue to champion this work to increase both the number of active participants and the diversity of those participants.
The active Internet community should represent the whole regional Internet community that ARIN serves. Over the years, ARIN has grown to be the organization it is today with expenditures around 25 million. While much of this growth has been good and in line with community expectations, it is always appropriate to consider if ARIN is stewarding the fees that it receives from its members in a way that meets the member’s needs. Also just because ARIN has been doing something doesn’t mean it should continue to do it.
Sunsetting older, now duplicative services, should be a regular part of the service management process. Measuring effectiveness of our activities should also be an important part of evaluating services and activities, and something I think we could probably do a bit better.
As a member of ARIN’s Board, I hope to be a positive voice for being fiscally responsible with ARIN’s assets the members have entrusted to us. I encourage every member to vote. And if you aren’t the voting contact, talk to your voting contact about voting.
Elections are an important part of the feedback that ARIN receives every year about the direction and mission of ARIN. Finally, I thank you in advance for your vote and trust that you would put in me representing you on the ARIN Board of Trustees. Thank you and good day.
Announcer: Our next candidate for the ARIN Board of Trustees is Khaled Koubaa.
Khaled Koubaa: Greetings to the esteemed ARIN community, I am honored to address you as a candidate for the Board of Trustees of ARIN.
With a profound dedication to advancing the Internet landscape, and a wealth of experience spanning over two decades, I believe I am a strong fit for this crucial role.
ARIN’s mission to ensure a robust and sustainable Internet ecosystem resonates deeply with me. Having been deeply involved in Internet governance through various leadership positions in globally important entities such as ICANN and the Internet Society, I understand the complex challenges and opportunities that arise in the evolving digital realm.
I firmly believe that ARIN’s strategic direction must not only maintain the highest technical standards, but also actively foster inclusivity, innovation, and equitable access for all stakeholders.
What sets me apart in my belief is my unique vantage point. With a multicultural background spanning North Africa, France, and the United Arab Emirates, I bring a global perspective to the ARIN Board. Having held significant leadership roles at Meta and Google, I have had the privilege of representing some of the most influential tech companies in the world.
These experiences have provided me with a deep understanding of the challenges and aspirations of ARIN members in the technology industry.
Furthermore, my time on the board of AFRINIC, a sister organization to ARIN, as you know, has provided me with insight into the unique dynamics of regional internet governance and the vital role that ARIN plays within this context.
I am well versed in collaborating with diverse stakeholders, forging strong partnerships, and driving policies that support the growth and sustainability of the Internet. I am a bridge between the technical and policy dimensions of the Internet.
My expertise in Internet governance, public policy, and technical standards allows me to navigate complex discussions while ensuring that ARIN’s interests are well represented.
Moreover, my experience in fostering collaboration among various stakeholders positions me to actively contribute to ARIN’s multistakeholder approach.
As a resident of Virginia, not far from ARIN’s headquarters, I’m committed to supporting ARIN’s mission from the heart of its operations. Together, we can ensure that ARIN continues to thrive as a driving force in shaping the future of the Internet. I am ready and eager to bring my expertise and background, perspectives, and unwavering commitment to help guide ARIN on its path of excellence.
Thank you for considering me as a candidate.
I look forward to the opportunity to serve the ARIN community and contribute to the continued success of this vital organization. Thank you.
Announcer: The next candidate for the ARIN Board is Tina Morris.
Tina Morris: Hi. I’m Tina Morris. I’m a senior leader at AWS. I’m a current ARIN Trustee.
I’m currently serving as Vice Chair of the Board. I’m a member of the ARIN Finance Committee and the Risk and Cybersecurity Committee. I’m also wrapping up my last term on the NANOG Board of Directors. The ARIN Board of Trustees needs to be prepared to problem solve for the organization and have a global view of the RIR ecosystem.
I believe my role at AWS, leading IPv4 acquisition and our internal IP numbers registry, gives me a unique perspective that prepares me to advise on a number of issues our community faces. Like the impacts associated with leasing and how the increasing price of IPv4 attracts more fraud and bad actors.
In addition, my experience both as an ARIN volunteer and as a customer, consuming services from all RIRs, gives me a holistic view into the RIR ecosystem.
I look for issues that impact our peer RIRs and bring lessons learned back to the ARIN Board so we can prevent the same issues from impacting the ARIN community.
I want to thank you for your time to listen to all the speeches and taking your participation in the voting process seriously.
This is a very important time for ARIN and the entire RIR ecosystem. With four seats open on the Board of Trustees, we need to carefully consider who will best lead us through the many challenges ahead, as they will represent the ARIN community’s interests and wishes. I’m passionate about this community and doing the right thing for the organizations and people it impacts.
I would like the opportunity to serve another term. I’m currently attending NANOG and ARIN this week. Please find me to say hello or ask me any questions I may not have covered here. If you’re virtual, you can reach me via my email. It’s listed on the Board of Trustees page.
Thank you for your time, and please remember to vote for Tina Morris. Thank you.
Announcer: Our next Board candidate is William Sylvester.
William Sylvester: Hi, I’m William Sylvester, and I’m here to ask for your support and vote. For over 30 years, I have dedicated my career to the Internet, working in networking, DNS, and IP numbers.
Today I continue to support the Internet community working to keep the Internet secure and growing while as we build IPv6 adoption. I care about good governance, with a balanced environment for all members, where we have a community with reasonable fees and a responsible budget, while providing stable and secure services for all ARIN members.
A community that values fairness and equality. I believe in openness and transparency. These are the values I believe make an effective Board member. Together, we shall continue to build stable services like RPKI, and continue to maintain existing ARIN services for all members.
We need to be diligent as we work together sustaining the RIR system. I have the demonstrated leadership that, if elected, I will work closely with Fellow Board members to listen and collaborate while we guide ARIN today, laying the groundwork for the future. Please vote for me.
Announcer: Next we will hear from Christian Tacit, a candidate for the ARIN Board of Trustees.
Chris Tacit: My name is Chris Tacit, and I am seeking election to the ARIN Board of Trustees.
I am the founder of Tacit Law, a boutique Canadian law firm. Our practice areas include information technology, Internet and communications law, as well as corporate governance. I have been involved in ARIN since 2010, initially for a work file and then as a matter of personal interest. I have been a member of the ARIN Advisory Council since 2014 and have participated in authoring, shepherding, and contributing to the development of numerous policies. During the last few years, I have been involved in the NRPM Working Group.
During my time with ARIN, I have also served on the AUP, Nominating and Grant Selection Committees. I have also been a mentor in the Fellowship Program for many of the years that I have been involved with ARIN. Since I believe in term limits, it’s time for me to move on from the AC, but I believe that I still have lots to contribute to ARIN as a trustee. I have significant corporate and Internet governance experience. This includes serving as a director of three Canadian Internet Exchanges, two of which I have chaired, the Internet Society Canada Chapter, the Ottawa Humane Society, which I have chaired, and the Children’s Hospital of Eastern Ontario.
My education and experience in engineering, business, law, and governance provide me with a valuable multi-disciplinary perspective for discharging my duties as an ARIN Trustee. If elected, I will continue working diligently for the benefit of the ARIN community and will do so in a thoughtful and collegial manner with my Fellow Trustees.
My primary focus as a Trustee will be on ensuring that: (1) ARIN looks to the future to meet the evolving needs of its members and the broader community; (2) the governance framework of ARIN continues to be strengthened to avoid any possibility of capture by specific interest groups; and (3) ARIN continues to maintain and enhance its relevance and leadership in Internet governance both within its service region and globally.
Please help me to continue contributing to the ARIN community by voting for me in this election, but in any event, please vote to ensure that your voice is heard when it comes to the selection of those members of the community you entrust to govern the organization. Thank you.
Announcer: Our final candidate for the ARIN Board of Trustees is David Zumwalt.
David Zumwalt: Hello, ARIN community. My name is David Zumwalt, and I’m a candidate in the upcoming election to ARIN’s Board of Trustees. I presently serve as President and CEO of WISPA, Broadband Without Boundaries, the industry association for ISPs in the United States who are actively investing and working hard to bridge the digital divide in their communities.
I previously served as Chief Operating Officer for a mid-sized ISP with several thousand residential, enterprise, academic, and government subscribers.
Before that, I leveraged subsea optical fiber capacity in leading an economic development initiative, to attract network-connected businesses to a region previously dependent on a predominately tourism-based economy, which in turn drove workforce development investments and diversified the tax base.
I also founded and expanded a software and engineering services company that supported the planning, implementation, and operation of cellular and PCS networks worldwide.
I have been active in technology accelerator programs, and venture capital. I’ve also served on a variety of commercial and nonprofit boards.
My career experience might convince you that I’ve been active in and around the Internet industry, but doesn’t explain my interest in ARIN’s Board of Trustees or why I’m asking for your vote.
I’m asking for your vote because telecommunications, and particularly broadband, have been at the heart of who I am and what I’ve done throughout my professional life. I’m asking for your vote because I see ARIN as having a crucial role in facilitating everything the Internet makes possible, and especially the innovations that lie ahead.
I’m asking for your vote because I keep my commitments, take stewardship seriously, have technical curiosity, and think long term. I’d be honored to receive your vote.
But more importantly, I’d like to thank you for your consideration and everything you’re doing to create our exciting Internet-enabled future.
Hollis Kara: I’d like to thank the Board candidates for their speeches. I’d also like to give a special shout-out to my virtual guest host who has been handling the introductions and who will proceed to do so for the Advisory Council, and to the captioning team for providing the closed captioning on the videos to make them more accessible to the viewers. So thank you, everyone.
Now I think we’re probably ready to move ahead to the Advisory Council speeches.
Advisory Council Candidates
Announcer: Our first candidate speech for the ARIN Advisory Council comes from Douglas Camin.
Doug Camin: Hello, ARIN community. My name is Doug Camin, and I am asking for your support to continue service as a member of the Advisory Council in this year’s elections. For the last year, I have had the privilege of serving as a member of the ARIN Advisory Council.
My time on the council has given me the opportunity to quickly learn much about the workings of number resource policy and how the Policy Development Process works.
As a member of the Advisory Council and ARIN community, I also feel a strong responsibility to help where I can. This year, I have stepped up to help in the following ways: I volunteered to serve as a mentor for ARIN Fellows at ARIN 51 and ARIN 52, helping new people become more familiar with the work of ARIN and the community.
I’ve stepped into a role on the Policy Experience workgroup, a committee on the Advisory Council that translates your experiences into appropriate policy change.
I’ve supported ARIN staff when ARIN on the Road came to my town, helping to get the word out about what’s available.
I’ve attended NANOGs to connect with the larger community representing the Advisory Council, as well as take in the fantastic programming offered.
And I continue to work as policy shepherd for the complex 2022-12 policy, recently taking over as the lead shepherd. My professional background is varied, but focused on technology delivery. Through my roles, I have used ARIN’s services and led CIO trade organizations where ARIN services are commonly used.
Professionally, I currently serve as the Chief Information Technology Officer for a large mental and behavioral health nonprofit based in Rochester, New York.
Prior to that role I spent almost a decade as CIO of different counties in New York state. I hold the CISSP cybersecurity leadership certification, which is the top certification for IT security leaders in the industry.
In addition, I serve on the board of one of the largest credit unions in the U.S., making me intimately familiar with member-driven organizations. Collectively, I am confident this deep background gives me a unique, valuable, and helpful viewpoint, and makes me exceptionally well prepared to continue to serve the ARIN community as an impartial policy shepherd.
On a personal note, I have found the experience of participating in the ARIN community to be rewarding and professionally challenging. I came to ARIN knowing little about its community-driven Policy Development Process, but was quickly welcomed by members of the community and found people who I have built not just professional relationships but friendships with.
The ARIN community is one of the most unique and wonderful communities I have participated in, and I would be honored to have your support to continue serving another term as a member of the Advisory Council. Thank you.
Announcer: The next candidate speech for the ARIN Advisory Council comes from Anthony Delacruz.
Anthony Delacruz: I’m Anthony Delacruz and I would appreciate your support and vote this year for the ARIN Advisory Council.
I am currently a senior lead engineer working for Lumen, which many folks know through the various names and mergers over the years as CenturyLink, Level 3, Qwest and many others.
My current role, I’m the most senior member of our IT administration team that evaluates needs requests, assigns space for customers or internal efforts and helps to chase abuse issues as well as subpoenas.
I’m a technical guy in the routers and servers daily working on BGP issues, RIR, RPKI, and DNS. I also provide support for our policy and regulatory teams and quite a bit of time with our sales engineering folks.
I like to joke that I’m more IPv6 than RPKI evangelist, being more involved in leading portions of those, as well as the rollouts. And I try to push along these efforts one customer at a time as well.
I have nearly stamped my entire ARIN bingo card for transfers and ticket types, so I’m very familiar with the services and function of ARIN. I also have accounts with the other five registries and have worked to obtain resources or interacted with them on tickets, though we’ll be reducing that number as we complete several upcoming divestitures.
Most of my career has been from the large ISP perspective, so I feel I can well represent that, as every year I help at least 40 or more customers that have had resources pulled back due to missing bills or need assistance to get started with ARIN to obtain resources. So I know what is needed from both ends of the spectrum.
The past few years I’ve worked with ARIN staff on some registry issues regarding space abuse. And the last several quarters of the Premier Support Plan meetings, I’ve been encouraged to get more involved and very much like the additional interaction with staff.
I feel that with my 29 years of network experience, I can assist the community with keeping the NRPM relevant and evolving it for future needs that serve the multistakeholder model of running the greatest invention for our humanity, the shared Internet.
Feel free to chat at the social or any time if you would like to learn more about me and my experiences, or if there is anything I can do to help you as a customer with our services.
Announcer: Our next candidate for the ARIN AC is Matthew Gamble.
Announcer: Matthew Gamble’s affiliations include being the vice chair of the Internet Society, Canada chapter and a board member of CIRA, the Canadian Internet Registration Authority. Matthew has over 25 years of professional experience in the Internet industry and a consistent dedication to the principles of openness and accessibility.
He believes he is uniquely positioned to provide significant contributions to the ARIN Advisory Council. Over the course of his career, he’s held multiple roles within the Internet industry that have cultivated a comprehensive understanding of the digital landscape. His extensive technical knowledge and practical experience in network design and administration, IP addressing and routing, DNS services, and cybersecurity, aligns well with ARIN’s role as a Regional Internet Registry.
He’s also been directly involved in policies and strategies affecting Internet governance and understands the complexities and implications of these decisions. He’s seen firsthand how ARIN’s policies affect a wide variety of stakeholders and that has given him a keen sense of the balance that must be struck to ensure the fair distribution of Internet resources.
In joining the ARIN Advisory Council, he intends to bring his multidimensional perspective to the table. He understands the critical need to ensure the Internet’s efficient and stable operation while also recognizing the importance of equitable access and openness. And he’s accustomed to collaborating with diverse stakeholders and finding common ground, a skill that will be crucial in making policy recommendations that affect a broad community. He’s confident that his years of experience, deep industry knowledge and commitment to not-for-profit governance will bring a fresh and valuable perspective to the ARIN Advisory Council.
If elected, he looks forward to the opportunity to further contribute to the stability and integrity of Internet operations in our region.
Matthew’s full biography, questionnaire responses, and Statements of Support from the community are available at ARIN-elections.net.
Announcer: Next we will hear from Advisory Council candidate Elizabeth Goodson.
Elizabeth Goodson: Hi, I’m Elizabeth Goodson, and I’m a candidate for the Advisory Council. I’ve been in the telecom industry for 17 years, starting with my first job out of college taking DSL tech support calls for a regional phone company. From there, I worked my way up to higher level operations roles, then to engineering, and finally to architecture. I’ve been with companies of various sizes, and, as is common in telecom, been through many mergers and acquisitions. Currently, I’m a principal architect at Crown Castle, focusing on our national data network architecture. My team is responsible for developing and publishing all design standards for how our network is built, from the backbone to the edge to the customer services.
We’re also responsible for all IP routing and IP allocation policies for the network and services. I work with engineering, product, sales, and other teams within the organization to ensure that designs and policies meet our business needs.
As a member of ARIN, our organization is significantly impacted by the number resource policy. I’ve navigated the processes for IPv4 address acquisition and M&A resource transfers. I also ensure that our organization’s processes comply with ARIN requirements when reassigning address resources to our customers.
I’m often asked about these processes, such as why we require customers to demonstrate need for addresses or why we must update the WHOIS for an address. I explain why these steps are both best practices for a better Internet and requirements for us as custodians of these resources.
I bring the perspective of ISPs that are smaller or midsize and growing, and dealing with the constraints of scarce IPv4 resources and the impacts on our businesses.
Additionally, from working with a large base of enterprise customers, I hear the technical concerns they have working with us to meet ARIN policy requirements, as well as issues they’re encountering while adding IPv6 to their networks and RPKI to their address space.
On the Advisory Council, I can speak to the needs of these organizations while developing policy proposals; and advocate for these policies with these audiences. I hope you’ll consider voting for me.
Announcer: We’ll now hear from Dean Hardy as a candidate for ARIN AC.
Dean Hardy: Hi. My name is Dean Hardy. I was born and raised in Calgary, Alberta, Canada and currently reside here in Winnipeg, Manitoba. I’m the President of The Anera Group, an Internet consulting company. My passion is planning, engineering and building carrier-grade IP networks delivered over wireless, DOCSIS, fiber-to-the-home — and even fiber-to-the-farm — technologies, offering Internet, video, and voice to rural and underserved communities throughout western Canada.
I’ve been in the telecom industry for over 30 years, including 15 in senior leadership roles.
I’m familiar with all sizes of ISPs and the challenges each have in deploying IP-based networks. Throughout my career, I’ve been involved with ARIN as an admin member in dealing with the transition and adoption of IPv6 both from a carrier standpoint as well as the vendor community.
As an advocate of IPv6 and the strategy to use in transitioning from v4, I am now looking to dedicate my time and experience and be a part of the ARIN Advisory Council. I would really appreciate your vote.
Outside of my work, my wife and I both have a personal passion for golf and we hit the links every chance we get. I have three amazing kids. My oldest is a nurse. My middle child is a media specialist and my youngest is completing final year of college.
Thanks for your time, and again I would really appreciate your vote for a position on the ARIN Advisory Council. Thank you.
Announcer: Our next speech comes from Advisory Council candidate Roy Hoover.
Roy Hoover: Hi, my name is Roy Hoover. I’m a candidate for an open seat on the ARIN Advisory Council. I spent the first 35 years of my career working in technology in the education space.
For a majority of that time, I managed a consortium network that connected public and private schools together for resource sharing and Internet access.
In those 20 years, that network grew from a frame relay network with four megabits of Internet service to a dark fiber network with a 200 gigabit core, 20 gigabit hand-offs to schools and 20 gigabits of dual-homed Internet. And it’s still growing.
In 2001, I applied for and received a direct assignment of IPv4 addresses for use by the consortium members. This move to provider-independent IP addresses resulted in significant financial savings for schools and a huge reduction in network disruptions during ISP transitions throughout the years.
In 2016, we received a direct assignment of v6 addresses as part of an IPv6 implementation plan.
That rollout plan included training for the technology staff at the member schools, a multi-tenant IPAM tool to allow schools to manage their own addresses, and implementation assistance to help them begin deploying IPv6 in their respective school networks.
The global transition from IPv4 to IPv6 must not be allowed to stall. We must find ways to encourage all parties to move to IPv6 and make that path as easy as possible for them. ARIN policies should encourage native IPv6 deployment whenever possible.
As a member-based organization, ARIN’s first duty is to listen to its members. Policy development should strive to meet the needs that members express. Sometimes, long-term improvements require a more visionary approach to policy development. In cases like that, selling the vision to the members may be required. Oftentimes, this is the case when short-term inconvenience and expense are required in order for long-term improvements to be realized.
I believe that my experience leading a consortium provides a great base to build upon for ARIN Advisory Council participation.
I’m experienced at listening to members and meeting their needs. I also have experience using data to develop a vision for what will be required for long-term success — sharing that vision with members, getting buy-in and successfully implementing it. That process works for consortia networks that have outgrown their current transport medium and need dark fiber to continue serving students. And it can work for a global network that has outgrown its current Layer 3 protocol and needs to replace it with a new one. Thank you for considering me for a seat on the ARIN Advisory Council.
Announcer: Rob Johnstone is our next candidate for the ARIN Advisory Council.
Rob Johnstone: Rob Johnstone’s affiliations include Stroud Media and Planet Networks. His background includes having founded a fixed wireless service provider, or WISP, that turned into a fiber ISP, and more than 20 years in network and ISP operations.
Rob has a good understanding of the ARIN process and standards and feels his management and entrepreneurial experience will be useful in the role of working on the ARIN Advisory Council, especially with his understanding of ISP operations.
Rob’s full biography, questionnaire responses, as well as Statements of Support from the community, are available at ARIN-elections.net.
Announcer: Now we will hear from ARIN AC candidate Dustin Moses.
Dustin Moses: Hi, my name is Dustin Moses and I’m pleased to be on the ballot for the ARIN AC Council this year.
I’ve been in the industry for about 11 years, and I’m currently the lead network engineer for a regional ISP based out of north Idaho. In that capacity, I’ve worked with large ISPs, small ISPs, WISPs, enterprises, collocations, and exchanges.
This background gives me a good grasp of the many uses of Internet number resources, and a general understanding of the importance of good policy. I was also lucky enough to complete a Fellowship with ARIN at ARIN 51, where I got an inside scoop on ARIN staff and processes.
This was a good foundation for me to continue to the Advisory Council, which I’m running for today.
One important thing to note is that the Internet needs to be accessible to all, and proper governance is important to keeping that accessibility. My hope, if I’m elected, is to leverage all points of view and help advise for fair and consistent Internet policy that doesn’t impact accessibility, privacy, transparency, or accountability.
For some specifics, I do believe that some clarification is required when it comes to IPv4 legacy resources and potentially regarding leased resources, as well as IPv6 stewardship in whole.
I appreciate the NomCom chapter for considering me as a qualified candidate, and I hope that the ARIN community will consider me for election. Thank you for your time.
Announcer: Next, please welcome Kaitlyn Pellak as our next Advisory Council candidate.
Kaitlyn Pellak: Hi, my name is Kaitlyn Pellak, and I’m a technical business developer who acquires IP address resources for Amazon Web Services. Managing the procurement of critical network resources for the largest cloud provider in the world gives me insight into how policies that are drafted and revised by the ARIN Advisory Council play out in the real world, especially as they pertain to IPv4 addresses and the secondary transfer market. My career in the Internet numbers world began when I led a team of Internet registry researchers at a company called Addrex. In my time at Addrex I studied both ARIN policy and the policies of RIRs all around the world, and I also devoted a large portion of my time to diving deep into the different RIR databases themselves so that I could understand their similarities and differences.
I really needed to become an expert on all things RIR-related, and this especially pertained to, at the time, legacy IPv4 addresses, not only to be successful in my role but also to be successful in educating my team, as I led a team of about 20 people.
In between my role at Addrex and my current position with Amazon, I also spent a year and a half working for a nonprofit. It was an education-focused nonprofit, and I was in their membership and engagement division.
In my role there, I was able to help write and review policy that directly impacted the nonprofit’s memberships. I was responsible for, you know, soliciting engagement with our products and services. I had to be a champion for our membership.
So I really got the feel for how important that is to a community and to a nonprofit like ARIN.
I really have a deep appreciation for how the membership can shape things and how we really need to try to take a big-picture view to make sure that everybody is getting their needs met.
And, yeah, this is just a very basic summary about who I am and what I do. I hope that you will vote for me as a candidate for the ARIN Advisory Council. And I thank you in advance for your vote.
Announcer: Our next ARIN AC candidate is Leif Sawyer.
Leif Sawyer: Hello, friends, neighbors, and far-aways. My name is Leif Sawyer. If you whip your words around that comes out as “Safe Lawyer” for you pronunciation geeks out there, but I’m not a lawyer.
I’m a born-and-bred Alaskan. I’ve been here over 50 years. I’ve spent the last 28 years with the same company, 25 years in networking and about seven years in security and architecture.
And I’m completing my third term on the AC. I spent the last three years as the chair of the Advisory Council.
Now, elections mean transitions and this is a big election year. We have six seats up — five full term and a single-year term seat. And we’re losing four non-returning AC members with nearly 40 years of combined experience this year, nearly 60 years of experience, including the last year.
And, so, as we pass the baton around, I’ve looked and laid the foundation for my successor, but I want to stick around for that transition to ensure a seamless hand-off.
What’s next? More meetings, more policies to work on, the Chair election, and the face-to-face onboarding in January, and of course keeping the momentum up as we say goodbye to long-term friends and colleagues.
So there are a lot of good candidates this cycle. We have three returning AC members, of which I am one of them; a few others from the community that I’ve gotten to know; and then a few that I’m looking forward to getting to know.
And elections aren’t about perfection; it’s about getting you closer to your — to the community’s desired goals. So come out, get to know the candidates — us.
Stop us and talk to us. That’s why we’re here. But most importantly, vote. Thank you.
Announcer: Next, we will hear from AC candidate Daniel Schatte.
Daniel Schatte: Hello, everyone. My name is Daniel Schatte. I am a Vice President of Network Operations at Charter Communications. I met some of you at the previous ARIN conferences, and I would like to share a bit of my background before going into why I would be an ideal fit for the Advisory Council. I hold both an undergraduate and master’s degree in information technology along with a master’s in business administration. I have over 16 years of networking experience, in which 10 of those years was with Time Warner Cable, which was acquired by Charter Communications. And I have been there ever since.
In my current role, I drive network and IP standards, including designs for Charter’s core and backbone operations. Importantly, and for the purposes of this community, the role includes the IP address management and policy for all business units within the company. It’s how we justify assigning out IP address space, IP deployment practices, and numbering policies for the various internal groups.
This position is exciting for me because I am passionate about the Internet being the connectivity backbone for everyone, and there is governance behind it that is needed to allow connectivity to remain in place. This governance is quite relevant with all that is happening in the world today. And I want to be a part of that governance to help mold and shape it.
You should vote for me, because, first off, my technical background in where I have been building networks for over a decade and a half, down to the addressing, protocols and other technologies that surround the ecosystem that’s the Internet today.
This includes driving the adoption of RPKI for our internal assets, as well as having RPKI set up for our external peering partners. That includes automation of ROAs and detection of anomalies that could be found with improper advertisements. Second is my ability to create and negotiate on policies that can be adopted throughout technical and non-technical teams.
The words placed within the policies can be strict or loose, depending on how the wordsmithing is done and have consequences throughout those who must abide by the policy. There is a communication aspect of the policy in which the negotiations are needed to take place between stakeholders on the meaning of the policy that is going to be enforced.
I would apply the attention to detail that I use for standards and policies in my day-to-day role to that of what is the best policies for ARIN and how it interacts with ICANN and the other RIRs across the globe.
These polices, if crafted incorrectly, could have consequences on how ARIN is able to interact across organizations to provide the seamless experience that people have come to expect.
The one thing that I will not do, is drive a personal agenda on what I would want the policy to be. What needs to be driven here is the global policy and taking the step back for understand how these policies impact the community here along with the ecosystem across the globe.
In conclusion, I ask for your vote for the ARIN Advisory Council. And I would be happy to chat with anyone after this if you have any questions.
Announcer: We will now hear from Ibrahim Seremet, a candidate for the Advisory Council.
Ibrahim Seremet: Ibrahim — or Ibro — Seremet’s affiliation is being a senior director of architecture and infrastructure at Verisign. Before that, he was the director of technology at Iron Mountain.
His background includes more than 20 years working in the industry. He believes that his experiences in being a part of the community for a long time make him well suited to be an effective Advisory Council member. This includes presenting at conferences, as well as many internal presentations and workgroups. With his current employer, his role as leading the team that is responsible for interacting with all the Regional Internet Registries.
He has experience with ARIN policy matters through his current role at Verisign, which entails reviewing all policies that are proposed and what effect they may have on the company. He’s also participated in policy discussions and looks forward to doing it again in the near future. He has experience attending ARIN meetings and looks forward to further engagement from the community.
One of his highlighted areas of interest is RPKI and the potential impacts on critical infrastructure.
He looks forward to the opportunity to bring his personality and reputation into the community in assisting the Advisory Council with carrying out its duties.
Ibro’s full biography, questionnaire responses, as well as Statements of Support from the community are available at ARIN-elections.net.
Announcer: The next speech is from Jason Weil, candidate for the ARIN Advisory Council.
Jason Weil: Thank you to the ARIN staff supporting the elections and the ARIN community for taking the time to listen to my introduction. As to my background, I have been involved in the world of IPv4, IPv6 and routing (think AS numbers), and as part of the ARIN community for over two decades starting back at my time working in network operations, engineering and architecture at Cox Communications, and then subsequently at Time Warner Cable and Charter Communications.
At Time Warner Cable, one of my roles was serving as the engineering liaison to our regulatory and legal affairs teams, including providing educational background and recommendations to the Federal Communications Commission and Congressional staffers who were proposing policies and bills that would directly impact those of us operating large networks, which I feel has direct carryover benefits to the ARIN AC.
After leaving the ISP world, I spent some time with the Oracle Cloud infrastructure team where one of my duties was creating a plan and system for the purchase of IPv4 address space to support cloud operations. This experience opened my eyes to the whole world of address transfers, brokers, etc., which has received significant policy development attention over the past five years.
I spent a significant portion of my career working on developing and deploying IPv6 in large ISPs. Part of this development and deployment was impacted by ARIN policies around IPv6 allocation, usage, and transition.
The ARIN policies that I participated in developing during this period were an important part of my career. An example of this is standards that I was working on in the IETF for how IPv6 was deployed in ISPs and their customers’ home networks. With IPv6, home networks receive a very large prefix of address space compared to the single IPv4 address space per home in v4.
It was imperative that the IPv6 allocation policies in ARIN matched what was being developed and tested at the IETF and in service providers. One aspect of the IPv4 runout was the need for IPv4 address space that was neither private (think RFC 1918) nor designed to be publicly routed. I was co-author of the RFC 6598 that provided a /10 of shared IPv4 address space that has seen wide-scale adoption worldwide. The Policy Development Process is all about building consensus for new ideas or changes to current policies. An idea may make all the sense in the world to one organization in its environment, but may not be applicable or worse, cause major issues in another organization’s environment.
Only by following the proposed changes and participating in the discussion can we reach consensus on a proposal that is useful to some or most of the community while not negatively impacting and impairing other members of the community.
If you would like more details on my background and interest in participating in the ARIN AC, please take a few moments to look at my biography posted on the ARIN Elections website and feel free to reach out to me.
Announcer: Finally we hear from ARIN Advisory Council candidate Matthew Wilder.
Matthew Wilder: Hi, my name is Matthew Wilder, and I’m an engineer with the Canadian ISP Telus where I’m responsible for IP address management and IPv6 strategy.
It has been a privilege serving the community for a full term as a member of the Advisory Council. I believe that my collaborative style has been conducive to multistakeholder Policy Development Process at work within the ARIN community. My role overseeing IP address strategy at Telus provides me a foundation to understand the array of consideration that need to be taken into account within policy development.
Moreover my experience within IPv6 and RPKI also allows me to share insights with members of the community, whether through policy meetings or panels or blogs or even the hallway conversations that occur.
It would be my pleasure to continue to serve the community as a member of the Advisory Council for a second term. The Advisory Council is going to be losing a few of our very talented members. And I want to contribute to the continuity of the Advisory Council as we prepare to welcome new members as a result of this election. My goal is to help the Advisory Council continue to effectively steward the Policy Development Process on behalf of ARIN, its members, and the community as a whole.
Please consider supporting my candidacy with your vote. I sincerely hope to serve the community as a member of the Advisory Council for a second term.
Hollis Kara: All right. That concludes our AC candidate speeches. Thank you to all the candidates.
Couple of quick things before we break for lunch. First of all, thank you all for sitting through that. I know this is a slightly different format. It was very important to us to provide this information to the community in an equitable format.
And also it is a requirement that this information be shared at the ARIN meeting. So thank you for your patience with the videos.
Also quick check-in with the candidates that are in house, are you all doing okay? I know that had to be somewhat disturbing. I saw some chaos happening in the back.
All right. Everybody’s good. We’re going to make it through. You all can commiserate at the social later this evening.
So we’re coming up on our break for lunch. Folks that are here in person, please join us on the Bay Terrace. We do have one table topic available, if you would like to sit with Chris and have a chat. He’ll be at the label table, which rhymes.
We’ll resume at 1:30. Virtual attendees, feel free to leave the Zoom open through lunch, and it will come back when we come back into the room. The room is not secured during the break, so please take your valuables with you. And thank you, again, for your participation this morning. See you back at 1:30.
(Recess taken at 12:05)
Hollis Kara: If folks would like to take their seats, we’ll be getting started here in just a moment. We’ve got lots of policy to talk about this afternoon. So come on in. Waiting for the “go live” from the production side. Are we ready to go? We are. All right everybody, welcome back. I hope you enjoyed the break.
We’re going to kick off the afternoon — well afternoon for us, whatever time it is for you, if you’re online — with our Policy Implementation Experience Report with John Sweeting.
Policy Implementation and Experience Report
John Sweeting: Thank you, Hollis. Welcome back after lunch, everybody. We’re getting ready to start our exciting policy session here at ARIN. Most of the afternoon is going to be policy, policy, policy.
And I’m going to start it off with a Policy Implementation Experience Report.
Again, I’m John Sweeting. Everybody knows that. Okay. Let’s go.
All right. So we’re going to talk about these policies listed here: NRPM, Number Resource Policy Manual, Section 4.1.8, which is the ARIN Waitlist; NRPM 4.10, Dedicated IPv4 Block to Facilitate IPv6 Deployment. And in conjunction with that, the 4.5, Multiple Discrete Networks. And then we’re going to finish up with a policy that’s been implemented, ARIN Policy 2022-2, Remove Barrier to BGP Uptake in the ASN Policy, and that’s NRPM Section 5, AS numbers.
So there’s basically three policies that cover getting direct allocations of IPv4 from ARIN. There’s 4.4, which is your critical infrastructure, Internet exchanges policy, which I’m not going to talk about today. Then there’s 4.1.8, which is the ARIN Waitlist. And there’s 4.10, which is the IPv4 /24 to help with IPv6 transition.
Right now I’m going to start off with the 4.1.8 ARIN Waitlist. Quick history of that. It was passed January 12, 2011, implemented in the initial Waitlist policy. There was no restrictions on the block size or the quantity of IPv4 addresses an organization already possessed.
Basically, it was the AC thinking, “Hey, when we run out of space but then we get space back we need to have a way to continue to give that out.” So the Waitlist policy was implemented. And it went along fine for a while.
But then when people started, actually when we started to have to issue from the Waitlist, about a year or so after that, we found out that while all these people are getting /16s, /17s, /15s, they’re waiting 12 months and they’re transferring them. It was like, “Whoa, I just walked into a million dollars just by getting — tricking into getting a /16, holding it 12 months and flipping it.”
So the Board, when notified, they suspended it immediately and sent it back to the AC to review with the community and figure out, “Hey, how do we fix this problem?”
So it went back and forth a little bit. The AC did a great job coming up with a new policy that was implemented and which said there’s a cap, the most you can get at one time off the list is a /22. And if you hold more than a /20 of space you are not eligible to get any space off the Waitlist any longer. And they instituted a 60-month holding period on transfers.
So that’s been working pretty good. We did have a lot of space that we had to clean up, and we got all that done. And we were filling a lot of Waitlists. We were keeping the Waitlist pretty much, like we were filling the whole Waitlist every quarter for a couple of years.
But then that space all dried up, and all we’re getting today is that space back, which organizations have gone away and they stopped paying, and we recover that space through revocation for nonpayment. It’s getting less and less.
And there is, every once in a while there is a return. Somebody will return, usually a /24, /23, and so that’s basically the only way we get space today.
We get about 150 requests every quarter from people to be added to the Waitlist for either a /24, /23, or /22. Typically the last Waitlist we filled was September 29, we did our issuance to the Waitlist, and there was 29 organizations that got space. So you could see that was a net of plus 121 to the list.
So as of October 11, there was 705 pending requests. I think I talked about this a little bit at NANOG. R.S. got up and asked some questions, gave some stats. And I said, “Yeah, I’m going to go deeper into that at the ARIN meeting.” So we’re going a little deeper into that now.
So a new request added today is anticipated to face an extensive waiting period of more than three years.
So the question to put to the community is, “Hey, is it time to adjust the policy or is it doing what you’re expecting it to do?”
We don’t know, but we’ve been asked to present this and let you know what is going on so you can think about that. And if there are adjustments you want to make to the policy, then we can tell you how to do that.
Okay so quick Waitlist models. So as you can see, these are the actual — the first column is the actual amounts that were filled over the last four quarters. The next column is if it had been a /23 as the maximum — it says minimum but I think it’s maximum, anyway — if you could only get a /23 — if you could only apply for /23 and not /22, then that shows you.
So over the last four quarters we filled 268 with the /22. If that had been a /23 we would have been able to have filled 405. And if it had been a /24, then it would have been 703 organizations that would have gotten space.
So the reduction in wait time at a /23 is 33 percent reduction with 51 percent more requests filled than a /24, 62 percent reduction wait time with 162 percent more requests filled.
So some options for community discussion are possibly lowering the maximum size to reduce the wait time. But you could also lower maximum holdings to further reduce wait time, and by that we’re talking, instead of saying organizations with a /20 — organizations with more than a /20 can’t get it. If you change that to a /21, then approximately 8 percent of the applicants that are on the list today would not have been eligible, and on down to, you see, down to a /24, then 25 percent of the applicants would become ineligible.
The one thing I do want to point out here is that you have to be careful with the grandfathering, whatever you want to do with this, because we had had a little bit of an issue with the implementation when we changed the policy the last time. So that would all have to be considered in that policy.
Further discussion points: What’s the purpose of the Waitlist? What does the community want to get from the Waitlist? Is it to have space for people to come in, new startups? Or is it the same as the IPv6 transition space policy? Or does it serve some other purpose?
If it’s the same as the v6 transition space policy then maybe we should consider merging those two policies together and having one policy.
Or you could align it. You could say, “Hey, you can’t get on the Waitlist if you don’t have IPv6 and you don’t have it deployed.”
Or if it’s a different purpose, such as providing IPv4 entry for new organizations, should it be limited to a maximum for that purpose, such as one
/24 per organization and a one-time opportunity, or maybe a max, you could get a /24 every six months for up to a /22 or something?
All points for community discussion on the Waitlist policy. So, basic question, should the Waitlist policy be modified to either decrease wait time or adjust the eligibility? And should the Waitlist policy be somehow merged with the IPv6 transition policy?
Next, we’re going to talk about the 4.10, Dedicated IPv4 Block to Facilitate IPv6 Deployment, and how 4.5, Multiple Discrete Networks, affects that and how it’s been used over the last couple of years with requests.
Policy clarification, a large, growing number of organizations are requesting multiple /22s from the 4.10 reserve pool to provide services in geographically distanced data centers. They’re saying, “Hey, I’ve got a server in Dallas. I’ve got a server in Los Angeles. I’ve got a server in New York. I want to have three /24s because I have multiple discrete networks.”
Right now, ARIN staff, we look at it and we say, “Well, that’s not really multiple discrete networks. You just have servers dispersed in multiple data centers that you want to give services out of. And, yeah, we’re not going to give you space to do that.”
We’ve been denying those because it’s not really compelling criteria as suggested in the 4.5. So, 4.5 actually says an organization must provide compelling criteria to justify the creation of discrete networks. Examples of such networks may be driven by: regulatory restrictions; significant geographic distance or diversity between networks; and/or the existence of autonomous, multi-homed discrete networks.
Basically we are not recognizing a server and a data center as a multiple discrete network or having two different servers in two different data centers as being two multiple discrete networks.
Right now, due to the volume and the complexity of these requests, I personally review all 4.10 requests that are asking for more than a /24 or that are asking for — we get requests in asking for they want a /21 because they got servers in eight different data centers and they want a /21 right off the bat.
Normally, unless they can show that they actually really have multiple discrete networks, that is turned down. They’re offered the one that they should be getting under the policy today.
So questions for the community is: Is a policy clarification necessary for 4.10 and 4.5? Or is ARIN making the correct decision for these types of requests? And if clarification is needed, how should the definition of multiple discrete networks in Section 4.5 be improved? And should there be a maximum number of /24s available under 4.10. And of course this also goes back to should the 4.10 space policy be merged in with the Waitlist policy.
Last, I just want to talk about the implemented policy, Removing Barrier to BGP Uptake in AS Numbers, policy Section 5, AS numbers. And basically this was just to say, this was adopted by the Board on 18 July, implemented 13 September. And it establishes that the single-ASN issue — if you come in and ask for an ASN and you don’t have an ASN and you tell us that you need an ASN for your network, you’re going to get an ASN for your network.
If you come in for a second, third, fourth, fifth, whatever, there will be justification required. But for that first initial ASN number, if you tell ARIN you have a requirement for an AS number, you put the ticket in, you will get that AS number.
Okay, then I have a voting announcement that we added to the end of this thing. Should have probably been my election speech this morning or my election presentation — I didn’t give a speech, sorry. I know you’re all looking for that, but no.
Voting announcement is we just want to advise everybody that as in the past, voting cannot be done through a v6-only connection. Our election software vendor does not support v6. No election vendors out there — no election vendors out there support v6, election software vendors support v6.
We did use BigPulse for quite a while. It did not support v6. So when we changed providers of that solution, we looked for somebody that would do that, and this was just two years ago. And there’s still nobody out there that does that.
We do have a request into our vendor to do that, however they have not developed that yet, and we have a renewal of our contract next year. And that will be one of the things high on our list of requests for them. So with that, are there any questions or comments?
Hollis Kara: All right, microphones are open. Please feel free to approach the microphones or start typing.
John Sweeting: Our good friend Mike Burns.
And right behind him Kevin Blumberg.
Mike Burns: Mike Burns, IPTrading. I have a question about the justification requirements for 4.10 blocks. They’re designated for transitional support. So must they be used in a way that directly connects IPv4? Do they have to be on a NAT-PT box? Do they have to be used in a way that’s directly facilitating the transition?
John Sweeting: Yes, the policy specifically says it has to be a net translation box, 6to4, CGN, some kind of pool that allows the v4 to v6 translation.
Dual stack is only for — you can dual stack critical infrastructure, I believe the policy says, such as your DNS servers. You can use some of it for that. But other than that you can’t use it to dual stack customers.
Mike Burns: I understand …
John Sweeting: It can’t be a one-to-one connection to your customer. It has to be a pool of the v4 being used to translate.
Mike Burns: Considering that, is it really a problem that we have these multiple discrete networks getting multiple /24s if they’re all going to be used directly for transition in pools?
John Sweeting: But the compelling criteria for doing that is, why wouldn’t you just use the same provider that then would just service — put the request for the service to the right data center?
Mike Burns: Possibly, but they are actually using the blocks for the intended purpose. It’s true that they’re getting the blocks inexpensively.
John Sweeting: Most of them aren’t, really.
Most of them when they get more than a /24, we find them on leasing sites, and they’re routed or they actually admit they’re using dual — the ones that are actually really using it, they come back. They fight. They give me file configs. They let me look into their boxes that are doing the translation — and they get approved.
But for the most part when we tell them that’s not what the purpose is they say, “Okay, I didn’t realize that.”
Mike Burns: So there might be an underlying problem of abuse with people just getting these blocks and not actually using them as intended? Obviously if they’re leasing them, that’s an issue.
I would just like to state my support for a policy, a Waitlist policy, a single /24, one time to each entrant, new entrants preferred. Thanks.
John Sweeting: A quick stat on the 4.10 space. There’s a little over 14,000 /24s left in that pool, just for information, which is about 90 percent, 88 percent, 90 percent of the pool that was reserved for it.
Kevin Blumberg: Kevin Blumberg, The Wire.
4.10 was not meant to be a buffet. It was meant to help bootstrap critical infrastructure, transitional. And if the community wants to tighten that up, the MDN is completely opposite to what that intended purpose was.
It was there as a lifeline to organizations who could only get v6 and give them a little bit of v4 to help them with their critical infrastructure and transition needs.
So I think what you’re doing in terms of putting the brakes on some of the more aspirational uses of the space is appropriate.
So from a staff point of view, yes, please continue to do that. From a community point of view, tightening this up a little bit and being a little bit more restrictive probably is appropriate at this point now that we’ve heard from you.
In regards to the Waitlist, yes, /24, that makes perfect sense. That’s the only thing that you need to change. I don’t think we need to change the total allocation sizes or anything like that.
It adds a level of complexity we don’t need again after having dealt with that the last time around.
But a /24 makes perfect sense. It would have really cleared it out. And it actually addresses my bigger concern, which is toward staff. How can somebody, where there’s a three-year waiting list, say, “I have an immediate need for this space?” It is absolutely ridiculous to be able to say that with a straight face.
So if we’re now up to a three-plus-year wait, how can anybody joining the waiting list saying, “I have immediate need for the space?”
John Sweeting: I can tell you the answer we get is, “Yeah we’re leasing space until we can get this space because we can’t afford to buy it. So we’re going to lease space until we can get it. And that’s pretty legit.
That’s the main — whenever we ask them, “Well, how do you know what you’re going to need in three years?” It’s, “Well, Because I’m leasing that space now.”
Kevin Blumberg: Right, “I’m leasing a car today. In five years I’d like you to give me a free car because I don’t want to buy my next car” is probably the same explanation.
I could turn around and say I’m going to sell my space and I’d like to you give me space because I’d like to make money off of — a monetary reason is probably not the appropriate reason for a Waitlist.
But the point still holds.
It’s very tenuous when you have multiple, multiple years that a legitimate reason is able to be given. If giving out /24s once allows the pool to be utilized, the Waitlists get diminished very quickly, wonderful. Otherwise put it into 4.4, put it into 4.10 and close off the Waiting List completely would be my suggestion. Thank you.
John Sweeting: Owen.
Owen DeLong: Owen DeLong, DeLong Consulting. I will say that the staff discretion on 4.10, I think they’re doing the right thing.
I will also say that there are legitimate organizations that legitimately have MDNs that need multiple blocks, and that staff has been qualifying those organizations. I happen to work for one of them.
And so when we’re talking about tightening this up in policy, we should be careful how we approach that so that we don’t exclude legitimate needs.
John Sweeting: Correct. And there are, as I said, there are some that actually provide all the justification and proof that we require and they do get approved.
But very few out of a hundred, probably two.
You can just look at how often Multiple Discrete Network Policy was ever used prior to that, right? Maybe we’d see one request every six months. Now all of a sudden we’re seeing 10 in a week.
Chris Woodfield: Chris Woodfield, DriveNets, ARIN AC. On one of your earlier slides you mentioned the possibility of tightening up the requirement to limit allocations to organizations who have deployed v6 already.
John Sweeting: Right.
Chris Woodfield: Or were deploying v6. I’m really curious how we plan on defining ”Have you deployed IPv6?” in NRPM policy.
John Sweeting: You’re the community. Tell us what we need to check to make sure somebody — if you say that they have to have it deployed, we’ve had these policies where they just have to have IPv6 and they have IPv6 and they get it.
It’s really not up to us to make that determination. The community tells us.
Chris Woodfield: I could very much see that discussion going well into the weeds when it comes to that question of, how do you define “deployed”?
John Sweeting: I think the point there, I’ve had discussions with people at ARIN and the AC, like, hey, we’ve got this 4.10 space and we’ve got a Waitlist.
Do we need to have both of them?
Or should we have one way for people to come in and request space, what’s left of the IPv4 space from ARIN? And that also gives us the release valve for any space we recover and just have that one policy that’s all encompassing that says, here, if you want to get it from ARIN and you’re not going to pay for it, you can’t get it off the transfer market, but you need it, and here’s the justification you have to provide to get it.
And instead of having these three little pools or different ways to get it, here’s the one way we want you to give this out, ARIN.
Hollis Kara: One quick last thing and then we need to move on.
Kevin Blumberg: Kevin Blumberg, The Wire.
Quick question. Confirm, 4.4 already has a valve that takes precedent over the Waitlist in terms of getting space, correct?
John Sweeting: Correct.
Kevin Blumberg: So 4.10 could have the same thing?
John Sweeting: It does have that. But I can tell you, predictions from what we’ve given out of the 4.10 pool, it will be 30-plus years before we would give out these 14,000 /24s that are on there.
Kevin Blumberg: No what I’m saying is, in 4.4, if the pool depletes, it gets precedence over any returns.
John Sweeting: Oh, I see what you’re saying.
Kevin Blumberg: In 4.10 there is no…
John Sweeting: Yes there is. It’s both pools. I think the policy is if either one of those pools goes below 33 percent of what the original pool was, then space return goes into that pool until it’s back up over 33 percent.
Kevin Blumberg: So they will always take precedence over the general Waitlist, is what…
John Sweeting: Yeah, but I’m just saying 4.10, it’ll be 30 years before they would be even close to being depleted.
Kevin Blumberg: Unless you don’t care about MDNs getting whatever they want.
John Sweeting: That’s just not right for the people that are on the Waitlist doing it the right way, right? Somebody comes in and gets a /21 for MDN for servers at eight different data centers, and you have somebody that’s been on the Waitlist for two years looking for a /24, just to deploy their services.
Anyway, anybody else? Any other questions?
Hollis Kara: I don’t see any online.
John Sweeting: Nothing online?
Hollis Kara: Nothing online. I think you’re good.
John Sweeting: Awesome. Thank you very much. My last presentation. You won’t see me again.
Hollis Kara: All right. Now typically we make sure we start our policy blocks right on time, but because of the order of operations we’re going to fit in one last presentation before we start the policy discussions. And I’d like to invite Leif Sawyer up to give the Advisory Council Report and On-docket presentation.
Advisory Council Report and On-Docket
Leif Sawyer: Good afternoon, everybody. As they say, I’m Leif Sawyer, current chair. And this is the Advisory Council Report and Docket Report.
So, meet your AC. I hope everybody’s had a chance to introduce themselves to our Advisory Council. It’s a great team. I couldn’t be prouder to be their chair at this point.
So, y’all, you see your names on here. Stand up, let everybody say hi.
That’s 15 of us on the Advisory Council from all over the region — Canada, the continental — not continental, but contiguous United States — Alaska and the Caribbean.
My vice chair, Kat Hunter, out there, as well, making sure that all policies are assigned out and taking up slack where I am falling behind.
Our general terms are for three years. We have five, at least, elected every year, and lots of policy that we go through. So besides Advisory Council shepherding, we also have working groups and other volunteer opportunities.
In the background all of the staff members make it so we can do our jobs. So thank you, all staff.
So a quick rundown on our AC activity here.
Anyway, you saw this earlier. We’ve sent a whole bunch of policies to the Board for review and have been implemented. That’s a lot of work that we’ve been doing. And just a couple more here. New Number Resource Policy Manual, thanks to that working group. Published earlier this year.
And seven proposals received since ARIN 51.
All of these have been advanced to Draft Policy. You’ll be hearing them today, which makes for a total of eight draft policies, carrying over one from last year.
So our working groups, quick review here. The NRPM Working Group, Chris Tacit, Matt Wilder, and Brian Jones are streamlining your Number Resource Policy Manual given your feedback. So we thank you for everything that you’re giving us and allowing them to do the hard work of making the NRPM much more legible and easier to follow.
They’ve worked on four policies. They’ve got more in the queue. And you’ll hear more as we go through the policy block this afternoon.
The Policy Experience Working Group Report.
This is a big one. There’s a lot of response from the community back to how the policies are working for them as they come to ARIN staff for help.
And they are bringing forward policies as well. We had a big one come through. They’ve been feeding policies into the other working group as needed. A very productive year.
And, of course, the Policy Development Process Working Group. These four people worked really hard to get a new PDP out. It was published on May 1. I just want to give you guys another round of applause — Andrew, Amy, Kerrie, Alicia, Kat, and Eddie. You guys put out some tremendous work.
So a little AC by the numbers. Again, over the years we’ve had a lot of AC members. Fifteen members seated at any one time. Changeover, five seats per year. There are no term limits at this time. You’ll see how that follows through here in the next few slides. And this is all volunteer.
So the representation across the years has been a majority of men. If you look at it across the community we see that here in attendance. We saw that at NANOG.
But in 2020 we sort of hit a threshold. We actually had a little over 50 percent were female-identified, which was great. We had equal representation. But we’ve sort of lost some of those here over the last couple of years. And looking at our projections for next year it’s going to be, again, a little male-heavy. But not an issue. It’s just an interesting statistic. Of course, we don’t know what those future seats will bring.
What it does bring is a lot of new people and it drops off a lot of seated experience.
So over the years, each year we’ve had a different number of incumbents versus new people so that the bottom bars are the new seats. And that graph shows the number of years of experience that is lost.
So as you see in 2015 — that’s when I started, so I started graphing there — we lost about 23 years of aggregate experience over those four people — two people that were seated then.
Peaking up in over 35 years of experience in 2017. And, again, in 2023, we’re losing 23, or 33, 35 — I can’t read that slide. I should know these numbers better. We’re losing a lot of experience. That’s the takeaway.
And to break that down again, we have some aggregate numbers across the top, how many years of experience in aggregate we have seated.
So when I started, 156, and we are down to about 56 years of aggregate experience starting next year.
And the red line shows the delta in between each years. It’s an interesting statistic, right? That’s a lot of experience that we’re losing and have lost in the past.
So this graph kind of shows it in a slightly different way, right, the average number of years of experience per seat on the Advisory Council. And the top number shows the highest ranking, the person with the most years of experience.
So 2015, a person with 18 years of experience versus the average of seven.
This year, we’re at 13 years of experience, with an average of six. And next year it will be down to 10 years of experience — if I am reelected, that will be me. But the average drops down to four, which is just barely over a single term.
And for me that’s a little concerning, but it’s not critical. I think we’re well set to pass the torch if need be, and we won’t be completely in the deep water in terms of experience, but it is something to keep an eye on in the future.
And last but not least I have some so-longs and farewells to my friends and family. Andrew, Amy, Chris, and Anita, I don’t know what to say.
Thank you. Really, thank you for all your hard work. Thank you for your collegial relationships and your friendships. Two of you, you know, you’re running for the Board, so I hope we get to see you some more. Two of you are running off to different things. And I hope you keep coming back. Don’t let us scare you off.
If you have any questions or comments, I’d love to hear them now.
Hollis Kara: All right. Microphones are open. What? Who is this?
Kevin Blumberg: Yeah, no, big surprise. Kevin Blumberg, The Wire.
I will double down on the thankless job that it can be and raise support for all of the people that have put in their time and are leaving us. So once more.
It is a lot of work. Two things with your slide. The first is, I appreciate the diversity of gender as a slide. As a DMR in an election cycle, diversity of experience and expertise would be very helpful to come from the Advisory Council.
Seeing that there is a lack of X or Y or Z in terms of their technical and business backgrounds would be very helpful for future.
Secondly, while I appreciate the cumulative years of support and the decline and all those concerns, that is a perfect situation to take advantage of the community and to utilize subject matter experts in particular areas that you may feel is lacking.
Having fresh, young opinion is a very good thing. And there are easy ways of supporting a younger Advisory Council in terms of experience, in terms of getting your mandates done. Thank you.
Leif Sawyer: Absolutely. Thank you, Kevin.
And I was trying to allude to that here when I mentioned that we have enough experience to carry on a whole, almost whole fresh-faced crowd. I’m not worried about that. It’s got great hands. But, yes, absolutely. Thank you.
Any more, yes, right over here on the left.
Dustin Moses: Dustin Moses, Intermax Networks and an ARIN AC candidate. I just want to thank the ARIN AC for all the work they’ve done. It’s kind of — last year I was a — last meeting I was a Fellow and got some really grateful insights with the Mentors of the Advisory Council.
And that really inspired me to push into the direction to try to be part of that Advisory Council and kind of help bring, you know, fill in some of this gap with members leaving, and hopefully bring a little bit of new perspective.
But I have great respect for the ARIN AC that’s departing. There’s a bunch of ARIN AC members that are there now that are fantastic, and I strongly believe that it’s in great hands.
And so I just want to thank you guys very much.
Leif Sawyer: Thank you. Anything else?
Hollis Kara: I think we’re good. Thank you, Leif.
Policy Block One
Hollis Kara: All right, and now it’s the moment we’ve all been waiting for.
Policy block one.
Here we go. We’re going to start off with ARIN Policy 2022-12, Direct Assignment Language Update. And I’m looking for Doug Camin. He’s on his way. He’s waving, he’s walking. Take your time, Doug. No rush. We’re good.
Draft Policy 2022-12: Direct Assignment Language Update
Doug Camin: Good afternoon, everyone. I am Doug Camin. And along with Leif Sawyer, we are the policy shepherds for Draft Policy 2022-12 that focuses on updating the direct assignment language in the NRPM.
So this Draft Policy was submitted to address this problem statement, which, in short, is to remove deprecated references around assignment and allocation and align it with current ARIN practices.
This policy originated from the Policy Experience Report Workgroup and was most recently updated 29 September of this year.
This policy touches a wide area of the NRPM. I’ll cover the changes in sections over the next few slides, and I’ll pause on each one to allow you a chance to read through them.
So first up, Section 2.5. This section updates the definitions used in NRPM for allocation and assignment to reflect current practice.
And then Section 2.6, changing “received assignments” to “issued.”
Next, Section 2.8, changing “allocated or assigned” to “issued.”
Next, Section 3.6.3, changing the text of paragraph one as follows — I’ll just note, in this result, I have included the whole paragraph because it does provide some missing context regarding reassignments to end-user customers.
And moving on, next is Section 4.2.2, replacing the text as follows. This one’s over two slides. So this is the before. And this is the after.
Next, Section 4.3.2. Changing paragraph 1 text as follows.
And Section 6.5.8, changing the section title.
Section 8.5.4, changing the section text. And lastly, Section 8.5.6, changing section text as follows.
So, this is the update history. This policy has seen several revisions since being presented at ARIN 51 in Tampa.
And it did undergo a Staff and Legal Review that was completed on 21 September. The review includes several suggested changes for clarity, which were reviewed by the shepherds and incorporated into the most recent revision as of 29 September. So a couple slides for that.
Next is a community feedback review. This policy has been discussed on PPML at multiple different intervals. Members of the community have indicated support for the need for the policy and general support for it as written.
That feedback resulted in several of the revisions that were made. The most recent revisions included updates around allocation and assignment, which has generated specific community feedback around the best approach to take, with some community members suggesting the creation of a new definition term, which resulted in significant additional discussion.
So with that, I would like to take a moment to thank the multiple members of the community for their input on this policy. It’s a complicated proposal and it requires careful consideration.
The input from the community has been instrumental in properly shaping the policy and particularly updating the early draft text for clarity and brevity.
So again, thank you for your input. And with that, the question I have for the community today is, are there additional revisions necessary before moving this to Recommended Draft status?
Hollis Kara: All right, microphones are open. And I see our chair headed to the stage to moderate the conversation. So please approach the queues. And if you are joining us virtually, please begin typing, if you have questions or comments on this Policy Proposal.
Bill Sandiford: All right, we’ll start off over at the front microphone.
Owen DeLong: Owen DeLong, DeLong Consulting, vocal policy advocate.
There are a few places in this proposal that still appear to change from organizations without a direct assignment or direct allocation or what have you, whatever we’re going to call it this week, to organizations without any IP addresses.
That is not only a change in terminology, that is a significant shift in policy.
Several organizations, many organizations, have addresses from a source other than an RIR that may still be wanting to apply for their first assignment or allocation or whatever you want to call it from an RIR. And I don’t think they should be precluded from doing so. So I think we need to still fix that.
Doug Camin: Thank you.
Mohibul Mahmud: Hi, it’s Mohibul here. I work for Microsoft, and I’m an ARIN Fellow. So first time, ARIN meeting.
Bill Sandiford: Welcome.
Mohibul Mahmud: So I have a question. So what is the reasoning behind changing the definition of allocation and assignments in Section 2.5? And how does it affect ARIN’s operations and interactions with the organizations or the ISPs?
Doug Camin: So probably two parts. John, do you want to take one?
John Sweeting: John Curran’s pointing at me I guess I’ll take it. There’s no change in definitions of allocations. Direct allocations is how ARIN has given out space to ISPs forever.
The only thing that changed is two years ago, when we did the fee harmonization and we made end-users and ISPs totally equal on services that they are provided, we changed everything to allocations so that they were able to have the same services as ISPs.
So end-users, they can reassign their space within their organization if they wish to. The difference we use for figuring out if they qualify under ISP or end-user policy is if they have to use customers to justify their allocation, then they’re an ISP. If they only use their internal employees or assets, then they’re an end-user.
But allocation has always been the same term. We’re not changing the definition of allocation; we’re just replacing assignment with allocation because we no longer do direct assignments.
Mohibul Mahmud: I have a follow-up question. As a sister organization, will be considered as their customer?
John Sweeting: Could you repeat the question?
Bill Sandiford: The question is if they have sister organizations, is that considered a customer.
John Sweeting: A sister organization, so it’s a separate Org ID?
If it’s a subsidiary and — you can do it because you have an allocation. So you can reassign space to a subsidiary.
Mohibul Mahmud: Okay. Thank you.
Bill Sandiford: Thank you. This side.
Kevin Blumberg: Kevin Blumberg, The Wire.
I don’t support this policy. I don’t support the text. I don’t support the intent of what this is doing, and I’m going to go through this a little bit here.
Two years from now, the deharmonization comes along and we remove out 20 years of policy, great. Now we go back and have to rewrite and add in assignments.
Changing definitions for terms that have been used for 20-plus years and have specific meanings for no reason other than cleanup doesn’t help anybody.
Making changes that have impact without even realizing they have impact for the sake of cleaning up text that is not used anymore is creating more problems than it’s solving.
This is not helping. This is actually now just creating more complexity. You’ve now created “issued,” which I, quite frankly, I saw the four or five people that were in support of it on the PPML, and to me it was trolling in some respects because it is just adding more complexity to something that is a well-defined aspect.
The assignments won’t be used — we know they won’t be used. But they were used for 20 years, more than that. We’re not solving a problem by just removing text that is not there. We’re adding now complexity.
So go back to the problem statement and ask yourselves, are we actually fixing a problem? So having said all of that, I don’t support this. I don’t think it could be fixed in any way, shape or form. Thank you.
Bill Sandiford: Thank you, Kevin. We’ll back to this side over here.
Waqar Ahmad: Hi, everyone. My name is Waqar, from Rogers. I’m an ARIN Fellow. I would like to ask a question regarding Section 6.5.8.
Does the new section title, end-user allocations, clear and concise? And does it accurately represent the intent of the section? Is it possible if we can modify it to IP allocations to end-users?
Doug Camin: So the current is direct assignments from ARIN to end-user organizations, and the current policy suggestion is to change it to “end-user allocations.” And your suggestion is to make it…
Waqar Ahmad: IP allocations to end-users.
If we can modify the statement into that.
Bill Sandiford: The Advisory Council will take that as feedback.
Doug Camin: Thank you.
Bill Sandiford: This side here. No? All right.
Closing the microphones in a second. Last chance. Do we have anybody online virtually?
Hollis Kara: We do not have any virtual comments.
Bill Sandiford: All right. Going once, going twice. All right. I think we’re good for this one. Thank you.
Hollis Kara: I think we’re good. Thank you, Doug. Thank you, Bill.
If it feels like something’s missing is because it is. We’re in a weird situation where today we only have Draft Policy so there’s not going to be any of the polling dance that typically happens at the end of a policy discussion.
So it makes it a little easier for the folks that normally used to have to count polls. But it’ll make things go I think a little more quickly today.
So next up we have Brian Jones, who is going to come up and talk about Draft Policy 2023-1: Retire Slow Start.
Draft Policy 2023-1: Retire 126.96.36.199 Slow Start
Brian Jones: Okay. Did I do that already? All right, myself and Amy Potter are the shepherds of this Draft Policy. It is to Retire 188.8.131.52 Slow Start.
This policy has been around for about two decades. Successfully served to constrain the rate at which ARIN issued out the IPv4 addresses to the community.
Following the exhaustion of the free pool and the introduction and refinement of transfer policies, Slow Start has ceased to be applicable to the operations of ARIN’s services. And staff has confirmed that this policy has not been used since 2018.
So, do we want to retire Slow Start? We can do this immediately. It was introduced in April, became a Draft Policy in May, and the Staff and Legal Review will be requested at the close of ARIN 52 if there are no major objections.
Feedback from the community to this point has been in support of retiring this section of the Number Resource Policy Manual.
So we would appreciate any feedback. Do you support retiring this section or was there any objections?
Hollis Kara: All right, I think we’re ready for discussion on this one, if folks would like to approach the microphone.
Bill, are you going to come back up?
You just got settled, and we’re already — we can get a chair for you up here. There’s another one. You can hang out with me.
Bill Sandiford: Hang with you over there? Hollis Kara: Sure, why not.
Bill Sandiford: Start over here on the left side.
Doug Camin: Doug Camin, Coordinated Care Services. I support this policy as it’s drafted. It sounds — the intent seems like the right thing to do. Thank you.
Bill Sandiford: All right. Thank you. Next.
Kevin Blumberg: Kevin Blumberg, The Wire.
A little opposite here because I do believe this actually solves a problem.
Slow Start is not possible. It is an impossibility when it comes to IPv4. It can’t be used. It should be removed. As you said, it hasn’t been used in many years.
This is a very clean, simple adjustment, without any definition changes, without anything else. It’s removing something that is not possible to do in the future. So I do support this as it is written. Thank you.
Bill Sandiford: Thank you. Anyone virtually or online?
Hollis Kara: I do not have any online questions. Anything else in the room?
Bill Sandiford: Over on the my right, your left side.
Mohibul Mahmud: Mohibul from Microsoft. I have a question. How will the retirement of Slow Start affect the allocation process of IPv4 addresses to the ARIN members? And will there be any changes in the allocation rate or other operational aspects?
Brian Jones: I don’t believe there would be any effect to the operations. It hasn’t been used by the staff since 2018.
I don’t know about — I don’t think it would affect the return of any addresses.
Bill Sandiford: I see John Sweeting has stepped away for a second. Can you repeat the question one more time, just the second –part?
John Sweeting: I’m sorry, what was the question?
Mohibul Mahmud: I’m repeating the question.
How will the retirement of Slow Start affect the allocation process of IPv4 addresses to the ARIN members? And will there be any changes in the allocation rate or other operational aspects?
John Sweeting: For today, Slow Start would not affect the allocation — the allocation of IPv4 at all. We don’t use Slow Start anymore. There’s no use case at all for it.
Hollis Kara: We have a couple online comments.
Bill Sandiford: All right, let’s go to the online virtual comment.
Beverly Hicks: I have Joe Provo, Google, GweepNet, “Support as written.”
I also have Celeste Anderson from Pacific Wave. “I support 2023-1 as written.”
Bill Sandiford: Thank you. All right, last call for microphones in the room, last call for those online to please use the tools available to make some comments.
Going once, going twice. On to the next one.
Hollis Kara: Thanks, Brian and Bill. For anybody who is wondering what the heck’s going on up here, whoever designed this thing is cruel and put the blackout button exactly where your finger wants to rest between clicking slides, which is why we keep accidentally doing that.
And my efforts to inform people that that’s going to be a likely outcome simply just makes them want to do it more.
So it’s my fault. I apologize. I’ll take ownership.
On to the next one, Matthew Wilder, where are you? Here he is. On his way up to talk about Draft Policy Proposal 2023-2: /26 Initial IPv4 Allocation for IXPs.
Draft Policy 2023-2: /26 Initial IPv4 Allocation for IXPs
Matthew Wilder: I’m going to try my best to avoid a blackout situation. Thanks, Hollis.
All right, ARIN 2023-2. This is /26 initial allocation for IXPs.
And before I get started I’ll just say there’s a similar policy that has been adopted by RIPE NCC and also similar policy being considered at APNIC.
So, the idea here is that in Section 4.4, in micro-allocations, there’s a pool set aside for IXPs and other critical infrastructure, including DNS.
And the IXPs that we look at today, there’s a number of different sizes that are out there. And a /24 would be enough to give you 256 peers, peering members in those IXPs.
And some PeeringDB analysis has shown that 70 percent of global IXPs have fewer than 32 members registered with that site. And therefore those IXPs would be readily able to operate with a /26.
And this, of course, is a measure that would allow us to save and conserve that /15 pool that’s allocated for this use and extend the runway for that pool.
So unlike other types of allocations, IXPs do not require routing of that space to the global Internet.
So where typically we wouldn’t ever give anything smaller than a /24 to an Org, IXPs are kind of a special case where we can get away with a smaller assignment.
Okay, so the existing text is here, 4.4, micro-allocation. I’ll trust that you can read this and pull it up on NRPM if you would like. Here’s the text that we’re replacing with.
So just a couple of adjustments, and also adding a 4.4.1, it’s not there right now, which is going to look like that.
And this proposal came in in May and has gone to Draft Policy in June.
Here’s what we heard from the community, mostly through PPML. The adoption of this policy would impose a renumbering plan on IXPs if they expand outside the initial allocation.
So this is a concern saying if they get a /26 initially, they are successful, they grow, and all of a sudden they’ve got that 65th member who wants to join. All the 64 peers have to renumber, and that’s quite an arduous process from everything that I’ve heard.
If an allocation of /26 or smaller is made, will the IXP have the remainder of the /24 reserved for future growth?
So this is kind of a question of sparse allocation. It’s a numbering practice that has been done periodically by RIRs. So you would set aside the entire /24, but initially only assign the /26. So if they do grow they can capture the rest of that. No renumbering required.
So that’s just a question from PPML and it could be something we consider.
Okay. Then there’s also the question of replenishment, and we heard it at the mic today. NRPM
4.4 and 4.10 take precedence over Wait List. So in other words, if there’s IPv4 addresses that come back into ARIN, for whatever reason, those would first go to 4.4 and 4.10 before they go to Wait List.
So there is a mechanism for these allocations for core infrastructure, critical infrastructure, and IXPs, DNS, and IPv6. These can get additional addresses.
And then some more PPML feedback as well as other contact we’ve had. So IXPs, maybe we need to define them because we have had suggestions that maybe interconnection of three ASNs qualifies as an IXP. And I don’t think that really satisfies what most members of the community would expect an IXP.
We would expect if you’re running an IXP, it should be public. There should be a way to peer into that, become a member. So maybe we need to define that in PPML.
Okay. Another question came is, do we need to specify criteria for the return of IP space?
So if an IXP goes defunct, do they return the IP space? And maybe there’s a question we need to explore that because there may be some instances where that hasn’t been happening.
And then finally some IXP allocations are apparently advertised to the Internet today. You can see on the ARIN website the list of ranges that are assigned to IXPs. And we wouldn’t expect those to be routed via BGP just because you don’t need to. So there’s a question, maybe they’re not being used appropriately.
Just one other point to bring up. There was a question of can we really predict or can ARIN staff predict which IXPs are going to be viable.
So if someone comes along and says I think in the middle of this corn field in Oklahoma I’m going to have 300 peers connect over the next year.
Just one sort of data point for everyone here. Look at this map and make a guess as to where you think the top 10 IXPs in the US by peer count would be? So I’ll give you a second. Maybe someone can do a drum roll.
All right. So there you go. And I’ll let you draw your own inferences as far as how you might predict where these have gone, the top IXPs by peer count in the U.S.
And here are the questions to you folks.
And there’s a lot here for questions, so the plan is to also bring this to the community through PPML. But if you want to answer any of these questions at the microphone, you’d be more than welcome to. So the three questions we’re asking:
Is it worth developing the option of allowing smaller assignments for the IXPs? Number two, is there value in defining what constitutes an Internet Exchange Point or Public Exchange Point in NRPM 4.4? And finally, should the community define a policy to require the return of IP resources in the event that an IXP ceases its operations over a given time period?
Thank you very much.
Hollis Kara: Thanks, Matt. Looks like the queues are already forming, so please feel free to get in line if you would like to submit a comment and to start typing if you are joining us online.
Bill Sandiford: Yeah, I think that’s an important point to note, Hollis. It seems to me there’s about a one-minute delay between what happens up here on stage and when people on the livestream are seeing it. I know this because my 13-year-old just told me that they saw me on stage, and I happened to be back at my computer and I was still supposedly on stage.
So point of the story is, if you’re a remote user, get the questions in early because by the time I say “last call,” we’re going to be done and moved on before you even start typing when I say “last call.”
So get those questions in early, especially if you’re virtual or remote.
Let’s start over on your right, my left side this time.
Chris Woodfield: Hi, Chris Woodfield, DriveNets, ARIN Advisory Council. And I will take the credit or the blame, depending on your point of view, for authoring and submitting this policy. And I did so following observing similar policy action happening in the RIPE territory, which as I’m understanding has been adopted.
If I were to write this today, I might tweak it a bit based on the feedback that we’ve seen on PPML.
I think the biggest bits of objection would be the initial size and the transition interval. I think right now it says it starts at 26 and there is a six-month renumbering period.
I think that’s probably a bit optimistic even with a smaller exchange, so extend that period out and maybe consider /25 versus /26 as the starting block.
Something that I’ve learned about PeeringDB is that there are quite a number — there is no requirement that an IXP or an IX with a PeeringDB record have every peer listed in that exchange.
There are some networks that are on exchanges but do not put their peering addresses into PeeringDB because they don’t want to be publicly visible on the exchange at that level.
They want to be able to reach — they want to be able to select who they want to peer with as opposed to having to handle peering requests from everyone else on that exchange.
I don’t think there are many networks like that, but that possibility does exist with any exchange.
So I think this is, I still think this is a worthwhile policy.
I think a few tweaks are in order, but in favor.
Bill Sandiford: Thank you. Kevin, you switched sides on us, you’re over there this time.
Kevin Blumberg: Kevin Blumberg, Toronto Internet Exchange.
Bill Sandiford: Oh, wow, who’s the new guy in the room?
Kevin Blumberg: I do not support this policy, and I’m going to bring up a bunch of factual problems.
The first is many of our members have one, two, four IP addresses on the exchange for the purposes of redundancy, site diversity, et cetera. So just counting the number of participants is an egregious mistake.
Two, APNIC did not reach consensus.
Three, the netmask renumbering is still renumbering. This is not your own network. These are other organizations that are going to have to change their infrastructure.
Again, this is an Internet exchange point.
Making changes like this is a hostile environment, very difficult, and is probably the worst case you want to renumber, especially for a smaller organization.
Operators have told me they won’t waste their time with an exchange that is at a /26; it’s not worth their energy to go to that new exchange. You are going to actually make it more difficult for new exchanges to kickstart themselves because larger players just aren’t interested in dealing with weird, one-off situations.
Next, reverse DNS. While we do not advertise this space — in fact you should null route it with RPKI, reverse DNS is a critical diagnostic tool for participants on an Internet exchange. And today my understanding is ARIN has no support for less than a /24 for reverse DNS services.
So unless the community is looking to spend a whole lot of money to get ARIN to support less than /24, you are removing that capability.
And lastly, lastly, I do agree with one thing in this policy. Public exchange points, as defined, people need to be called out when they’re not using the space for that.
We don’t need to use a hammer to solve that problem by changing other parts of it when the reality
is the space should be properly used and staff should be going after users of the space that are not using it appropriately. Thank you.
Matthew Wilder: Can I ask one question, Kevin? Reverse DNS, do you guys use it?
Kevin Blumberg: Absolutely, 100 percent.
Bill Sandiford: Thank you, Kevin. Owen.
Owen DeLong: Owen DeLong, DeLong Consulting. I oppose this policy. I’ll answer your questions first. No. No. And, hmm, maybe, but don’t we already have that, really?
So moving on to my opinion on the policy, we really don’t need this because we really don’t even need to protect that space because it turns out IXPs are pretty much the one and only environment where going IPv6-only is entirely painless because it is nothing, no effort at all to run IPv4 NLRI across IPv6 addresses in a peering session.
Every vendor supports it. Every router supports it that’s been out there for more than 10 years. If you’re on an exchange, you’re probably running a less than 10-year-old router because you’re probably trying to take something resembling full tables.
So there’s just no pain point when we run out of these addresses to forming IPv6 exchanges that pass IPv4 NLRI across v6 addresses just fine. So this isn’t worth doing.
Bill Sandiford: Thanks, Owen. Come back over to this side.
Mohibul Mahmud: Hi, this is Mohibul, from Microsoft, and ARIN Fellow. So I have actually clarification, just clarification question. How will this implementation of this policy will impact existing IXPs that may have previously received a /24 allocations? In that case, will they need to require to migrate to /16 or like renumbering their resources?
Matthew Wilder: I would need staff to confirm, but my thought would be this would apply only to new applicants for that space. Any existing assignment is not going to be touched or impacted.
Mohibul Mahmud: So I have a follow-up question in that case. So I think you indicated that some of the existing IXPs, announcing the /24 blocks to the Internet. So as like they’re not able to announce less than a /24.
So, in that case, the /26, they’ll not have new IXPs — my understanding is they’ll not be able to advertise to the Internet, right?
Matthew Wilder: They can try, but most operators will filter that out.
Mohibul Mahmud: Usually the practice is /24, I guess.
Matthew Wilder: That’s right.
Mohibul Mahmud: Okay, thank you.
Bill Sandiford: All right, we’ll go back over to this side.
Aftab Siddiqui: Hi, I’m Aftab Siddiqui. As the author of the similar policy in APNIC region.
Just to clarify a few misconceptions which are popping up here as well because we answered most of them in the APNIC region. The reason why it did not reach consensus, because we failed to reach consensus in APIX, which is an association of all the existing IXs.
So there was a misperception of the policy chairs, and that has to be resolved internally within the APNIC which is not related to the — if you look at the number of roles, we’ve reached the maximum number of roles in the policy meeting.
So second point. What Owen was saying, that, well, there’s no reason that IX cannot be IPv6-only. And the reason — the question was asked in APNIC. And we counter-questioned the people, saying, can you name one IX that is running IPv6-only? Well, the answer is zero.
So, yes, technology supports it, but no one has ever even tried it. So no IX has done it. That is again a moot question.
Then going into — most of the concerns come from the existing IX. And use, Ken mentioned it, that it doesn’t apply to any of the existing IX.
And one point of view we presented in the APNIC with these stats, yes, you cannot base, you cannot base your decision on PeeringDB data because not every peer is there, but we counter-checked it with every IX-owned website, which usually put the right numbers in.
And the numbers were not very different.
Yes, there was a 10 to 15 percent change, but not very different.
So on the basis of that, what we predicted that there is still a requirement to have a /26 and a /25.
The last point I have, is in the APNIC region, we have 16 economies who does not even have more than 10 ASNs allocated to them. Even if you multiply them with three peers each to the route server, you’re still not going to reach a /26 limit. IXPs do renumber all the time.
I’ve been peering with multiple fabrics for the last 16 years. Have renumbered multiple times.
That is not a problem.
What the AC member was saying, that, yes, the requirement should be more than six months, that I support. But, yeah, as an author in APNIC I support this policy here as well. Thank you.
Bill Sandiford: Thanks, Aftab. All right, first of all, we’re getting tight on time for this policy so we’re going to call last call for the queues now. If you have something to say, please get in line in the queues. Same for those who are virtual or remote, with which we have somebody, so let’s go to that one now.
Beverly Hicks: I have Jonathan Stewart from Manitoba Internet Exchange. “Do not support. IXPs, even virtual ones, are not a large demand on the IPv4 pool, and the young ones should not bear the additional burden of arising from a /26.”
Bill Sandiford: Thanks, Jonathan. Closing the queues where they are now.
We’ll go to Kevin.
Kevin Blumberg: Kevin Blumberg, Toronto Internet Exchange. There isn’t an abuse that you’re trying to fix. You’re trying to do a long tail on a pool that the community agreed on already.
At the APNIC region, they were large providers that went up and said on a v6-only network I will not peer with it; it’s a waste of my time.
Creating issues for new entrant Internet exchange points, which is what this will do, is not worth the small number. We’re talking about saving it from a 10- to 15-year run rate currently on the existing pool before refreshing to a hundred-year pool.
This is not solving an immediate or even a near-immediate problem, but it is creating technical problems. It is creating imbalances in Internet exchange. As an Internet exchange operator, I’m more concerned about helping the new entrants. I don’t need new IP space. I can do it.
And all of the pain that goes into the technical side of an IXP, while it’s easy to dismiss it from a renumbering point of view, there are a number of areas where this gets very complicated. And I don’t want new entrances to be affected by that.
Bill Sandiford: Thank you. Come to this side here.
Aaron Wendel: Aaron Wendel, Kansas City Internet Exchange. I also operate St. Louis and Houston, and I also operate smaller markets like Sioux City, Iowa; Des Moines, Iowa; Springfield, Missouri.
I can tell you that an Internet exchange in Sioux City, Iowa, will never use more than a /26, whereas Kansas City, we’re currently renumbering from a /24 to a /23, which is horribly, horribly painful.
So, first of all, I would say that the six-month transition period, I think, is very aggressive and should probably be extended to at least a 12-month period.
Other than that, I support the proposal mainly because there is an immediate and a near-immediate issue. And in the exchange groups that get together, we have an issue that we tend to call the Connected Nation problem that’s coming down the pipe.
That is that with the B money coming out of the federal government here in the United States, we’ve got an issue where peering is suddenly the new buzzword and everybody wants to push peering to the edge.
And so we have a couple of groups besides the one I just named who want to put an exchange in places like Hutchison, Kansas; Lawrence, Kansas, you know, populations of 2,000 where there’s maybe one or two networks, and they’re going to come back to ARIN for IPs for all of these exchanges. I think Connected Nation’s list is 140 markets at this point.
So at this point there’s no mechanism for ARIN to even do anything less than a /24. So at the very least, there needs to be some sort of mechanism for those types of exchanges to come in and get IPs without one company coming in putting 300 exchanges out there and wiping out the entire pool in one swoop.
Bill Sandiford: Good points. Thank you.
We’ve got some online comments. We’ll go to those next.
Beverly Hicks: I have Louie Lee, Google Fiber, current IX participant, previously an IX operator with multiple IXs. “Opposed even with tweaks.”
I also have Celeste Anderson from Pacific Wave. “Do not support 2023-2 as written.”
Bill Sandiford: Chris.
Chris Woodfield: Chris Woodfield, DriveNets, ARIN AC. The previous context around Connected Nation is — with a big part of the context of this proposal as well and with the understanding that that was a potential future situation which may create greater demand for this space than we’ve had in the past.
I also wanted to make one correcting clarification around the peer analysis that was done. That was a count of peers, not necessarily a count of networks. That did take into account networks that — networks that had multiple peering addresses on a specific exchange.
Bill Sandiford: All right. Thanks, Chris. We’ll come to this side here.
Roman Tatarnikov: Roman Tatarnikov, I am with IntLos Consulting Company. I do oppose this proposal mostly because now we’re talking about – dividing the already-divided IPv4 space drastically instead of looking more into how to shift everyone to IPv6.
What made me essentially go to this conclusion was the previous answer that there’s zero number of IXPs who are IPv6-only.
The fact is there are zero right now doesn’t mean that we shouldn’t push them towards expanding this number beyond zero. This is the only way we can accelerate the IPv6 adoption.
And it’s hard for ISPs and some other ASNs to adopt IPv6. IXPs normally work with different — IXs normally work with different ISPs. So they should be the front who does IPv6 adoption. That’s it.
Bill Sandiford: Thank you. And the final comment.
Christopher Quesada: Christopher Quesada, Quantum Loophole, NRO NC, and previously running packs and switching data IXs. I oppose the current version of this. And I believe that it will need some tweaking because I do agree with some of the colleagues’ statements that, especially with B grants coming up, that there could be a run on IXs as it is a hot topic for gaining that grant money. Thank you.
Bill Sandiford: Thanks, Chris. All right. That’s it for this particular one.
We did have one more that was on the schedule prior to the break that’s going to be done by Alison, but we’re going to delay that one and do it after the break because we’re running a little bit behind.
So it’s 2:54 now. We’ll reconvene at 3:20. And we will reconvene sharp at 3:20 because we now have, I believe, five more to go.
Hollis Kara: We have five more to go.
Bill Sandiford: Five more to go in a very tight time frame to do them. So we’re going to be (clapping) for that last little bit.
So enjoy your break and we’ll see everybody at 3:20 sharp.
Policy Session 2
Hollis Kara: All right. We’re getting settled in. We’re about ready. Looking around. Okay.
So, as Bill mentioned before the break, we kind of shifted things over, and I think — it looks like we got advanced forward — I’m going to have to go back to Alison’s slides.
Beverly, can you get me back there real quick. One second, Alison. Yeah, it’s Alison coming up. I’m just looking. Come on up.
We’re going to move right along into policy discussion 2023-5.
I’d like to welcome my Fellow CSU Ram mom, Alison Wood.
Draft Policy ARIN-2023-5: Clean-up of NRPM Sections 4.3.4, 4.4., 4.10 and 6.10.1
Alison Wood: You didn’t tell me which one is the blackout.
All right. My name is Alison Wood, and Kendrick and I are bringing you Policy No. ARIN 2023-5, Cleanup of NRPM Sections 4.3.4, 4.4, 4.10 and 6.10.1.
I encourage you, as you listen to this presentation, to think about this as an editorial change. And I also encourage you to think about coming to the mic with your questions or your support or not support. This is a really good one especially for first-timers to hit the mics — and veterans, of course.
All right. So this proposal continues the work that the NRPM Cleanup Working Group has been working on. So it does focus on four different sections of the NRPM.
The intent of this policy is the clarification and removal of unnecessary wording in 4.3.4, 4.4, 4.10 and 6.10.1. You guys remember all those?
All right. So this is just kind of a slide telling you what we’re going to talk about.
Okay. So in 4.3.4, we’re going to just delete this entire text. All right.
In 4.4, we’re going to remove the text, “Organizations receiving these micro-allocations will be charged under the fee schedule.” The reason why we’re going to remove this is because the NRPM does not discuss fees. Very cool. We’re going to see this one again.
In 4.10 we’re going to change, “This block will be subject to a minimum and a maximum allocation size of /24” to “A /24 block will be allocated.”
You guys got this? Remember, we’re thinking is this an editorial change or should this not be an editorial change?
And last one, once again, in Section 6.10.1, we would like to remove the reference to a fee because there’s no fees in the NRPM.
All right. This one came in August 14th, became a Draft Policy September 26th. Super quick. All right. Staff says this one’s clear and easy to implement and can be done within about three months.
Okay. Community feedback. It’s so hard; I want to come out here and talk to you guys.
Mike and Owen gave us some feedback that they thought that these changes were editorial in nature. They also supported these changes.
But I would love to hear from others in the community on that. So remember, if you are a Fellow, if you’re a newcomer, this is a great Policy Proposal to give some feedback on. It’s safe. Nobody’s going to yell at you. I promise. So if you would like to come on up, I highly encourage you.
Hollis Kara: With that, the queues are open. Virtual attendees please feel free to start typing your questions or comments. And, Bill, please join us on stage.
Bill Sandiford: All right. Let’s start on this side, over here.
Mohibul Mahmud: Mohibul here, Microsoft, first-timer. So my question is related to the policy statement 4.10.
Next page. So we’re proposing the changes that this block will be subject to minimum and maximum size allocation of /24 to a block.
Alison Wood: Yes.
Mohibul Mahmud: I’m just curious, how this change have implication. Like, how this will affect the allocation process and organizations who are seeking IPv4? Is there any change?
Alison Wood: That’s a great question. No, there is no change really. This is just a clarification of the text.
The way it was worded before was a bit confusing. And so they just clarified it to say this is going to be a /24. There’s no variability. This is a /24.
Mohibul Mahmud: So, no change?
Alison Wood: No change technically. It’s just a clarification.
Mohibul Mahmud: Thank you.
Alison Wood: And good job coming to the mic.
Bill Sandiford: We’ll go to this side over here.
Kevin Blumberg: Kevin Blumberg, The Wire. I support this. I support it as written. I do not support it an editorial change. I don’t believe editorial should even exist.
If it’s a capital T versus a lower case T by accident, but even a comma, I think, needs to go through its due diligence. But as it is I support it.
Alison Wood: I appreciate that. Thank you. Bill Sandiford: Thanks, Kevin.
Owen DeLong: Owen DeLong, former member of this committee, I believe.
I actually would like to propose one additional change as long as we’re taking out unnecessary words.
I think “a /24 will be allocated” is sufficient. I don’t think we need “block”.
Bill Sandiford: Thanks.
Alison Wood: Okay, thanks, Owen. Bill Sandiford: Chris.
Chris Tacit: Chris Tacit, ARIN AC, co-author of this, and I support it. I also do support it as an editorial change. Based on what Kevin said, if there’s any sort of ambiguity about what should and shouldn’t be editorial, maybe that’s something that will need to be looked at conceptually as more — but right now this seems to me to fall within the current intent of editorial adjustments.
Alison Wood: So, clarify what an editorial is or maybe even a policy.
Chris Tacit: If that’s necessary because sometimes we do struggle with this on the AC, and we tend to err on the side of caution, and — until we’re told to go ahead and make it editorial.
Alison Wood: Thank you.
Bill Sandiford: Thanks, Chris. Online.
Beverly Hicks: Kerrie Richards, unaffiliated. Anything to make the NRPM easier to understand and in line with common English is great. Since this is editorial in nature, I’m in favor.
Alison Wood: Thank you, Kerrie.
Bill Sandiford: All right, Doug.
Doug Camin: Doug Camin, Coordinated Care Services. I support the policy as drafted. Owen and I are on the same wavelength because I was also up here to mention about the 4.10 /24 block language change. But thank you.
Alison Wood: Got it. Thank you.
Bill Sandiford: Over here.
Scott Johnson: Scott Johnson, Spacely Packets. As a recipient of 4.10 space, I support this policy as written. And it’s an excellent policy that should be continued until it’s no longer necessary.
Alison Wood: Thank you. Agreed.
Bill Sandiford: Going to throw last call out there for the microphones and getting your comments in online.
We’ll head over to this side over here.
Matthew Cowen: Matthew Cowen, I’m a Fellow, first time up as well. I’m an independent consultant in the Caribbean.
I had exactly the same feeling as others on 4.10. I don’t think the word “block” is necessary.
But I support the policy as written.
Alison Wood: Okay. Thank you. Excellent job coming to the mic. I appreciate it.
Bill Sandiford: Any more online?
Hollis Kara: Nothing in the virtual queue.
Bill Sandiford: Going once, going twice. Thanks, everyone. We’ll move on to the next one.
Hollis Kara: Thank you, Alison.
Alison Wood: Thanks, you guys.
Hollis Kara: All right. Getting back on track here, I’m going to click through. There you go. No, we had that break you don’t get another one.
Next up, Chris Tacit. Where are you, Chris? Here you come. Chris is coming up to present on Policy 2023-3, Amendment of the Waitlist Agreement to Include a Restriction on Leasing.
Draft Policy ARIN-2023-3: Amendment of the Waitlist Agreement to Include a Restriction on Leasing
Chris Tacit: Thank you, all. Before I get into this, I want to preface this a little bit.
Sometimes in our policy development, we run across issues because of some fundamental changes.
So we had to deal, for example, with IPv4 runout. And that led to a lot of consideration of what the rules should be for allocating the last bit of that. And we ended up with the Waitlist, but that took a long time.
From that also we ended up with transfer policies as well, and we had to refine those. We had to refine out-of-region and so on.
So this one, it looks simple, but it adds a couple of words that have all sorts of implications both grammatical, conceptual, and possibly policy-related. So I really — we, as shepherds, Gerry and I really want your input on this and really are interested in your feedback.
So as we know, right now, the Waitlist policy prohibits the transfer of Waitlist space for a period of 60 months. But there’s no restriction on leasing out the space right after it’s acquired from the Waitlist.
This is the current text. So the proposed policy is subtle. It just seems to suggest adding those two innocent-looking words.
But what it does is it forces the community to consider what is leasing, what is it as distinct from other types of delegation of resources and how do we deal with that.
So the proposal was presented on June 2nd. Quickly became a Draft Policy.
So here are the key questions that we would really appreciate some feedback on as shepherds.
First of all, is the definition of leasing clear and distinguishable from how downstream customers should legitimately receive numbering resources associated with network services from upstream providers?
Can this policy actually be enforced?
And are the current requirements and restrictions in the Waitlist policy sufficient as written, making the proposed policy unnecessary?
In sum, really what we want to do is think about should there be explicit restrictions on leasing. And, if so, is the current text clear enough or are there suggestions for improvement?
And Gerry and I would very much appreciate if you folks would like to address some of these questions. Thank you.
Hollis Kara: All right. With that, the microphones are open. Please approach if you have questions or comments and start typing.
Go ahead, Owen.
Owen DeLong: Owen DeLong. I personally am actually mostly in support of this policy if there were a clear definition of leasing.
However, my review of Section 2 of the NRPM did not find the word “lease” or any of its derivatives anywhere in Section 2 of the NRPM. So I think that would need to be added to the Policy Proposal before it’s ready for prime time.
I would propose that that definition of “lease” be specific, that it refers to leasing independent of connectivity services, so as to avoid causing problems for traditional ISP-based leasing that we all know and love and support.
I think that that would be relatively simple to define, personally.
Chris Tacit: What you’re saying, I just want to make sure I understand, is we can’t just rely on the dictionary definition, because there is one, because we want to make sure that we distinguish it from tying it to —
Owen DeLong: The dictionary definition includes me having to pay Comcast, for example, or any other dollar ISP — sorry, Steve will want to kill me later, or Michael now —
Bill Sandiford: Maybe both.
Owen DeLong: — any ISP for a certain number of static addresses, for example. That’s a form of leasing, but I don’t think it’s a form we would want to prohibit her.
Chris Tacit: Okay, thank you. That’s clear. Bill Sandiford: All right. Chris.
Chris Woodfield: Chris Woodfield, DriveNets, ARIN AC, what Owen said. There needs to be a definition of leasing in this policy or in the NRPM as part of this policy. And the most common use case for leasing, which is something we see every day, is the public address that a cloud provider is going to start charging me for independent of my virtual server, to take a recent news release into account.
And what we’re trying to get at here — and I think everyone understands what we’re trying to get at here — is leasing of address space that, as you said, is not part and parcel of a connectivity service.
I would argue that there could be ways for an organization to craft a connectivity service that may meet that criteria, but there needs to be a common sense definition of that in some way to verify, okay, this is an address block or address that is being leased as part of a bona fide connectivity service versus a FigLeaf VPN tunnel to meet the textual criteria and only that.
So that’s where I think we can wind up getting into the weeds here quite a bit, unfortunately, but let’s work on it.
Bill Sandiford: Thanks, Chris. Next.
Steve Wallace: Steve Wallace, Internet2. I don’t support this proposed change because I think regardless of your attempts at identifying the different classes of leasing, it’s not worth enforcing.
So I think if the address space is being utilized it’s receiving utility from the Internet users. I know it deviates from sort of the purest intent of the Waitlist, but I just can’t imagine this is worth enforcing.
And even though ideally I get it, it doesn’t make sense to me.
Bill Sandiford: All right. We’ll go to online now. And reminder to others online to get your comments on.
Beverly Hicks: Joe Provo from Google, support in concept. In agreement with Mr. DeLong’s suggestion of a formal definition. It will be interesting to see if this leasing-related proposal will advance.
And he also mentions that leasing is correct but therefore a string disagree — he extremely disagrees with the last comment.
Bill Sandiford: Over to this side.
Kaitlyn Pellak: Hi, Kaitlyn Pellak. Yes, I agree there should be a definition for leasing. I think that is a non-starter. I also say, just to expand on the enforceability question, I think probably the answer is, yes, in a broad sense this is probably enforceable, but I would encourage you to look beyond just whether or not it’s enforceable and look at the actual impact of how enforcing it would, like, what that would entail and how difficult it may be.
Bill Sandiford: Thanks, Kaitlyn. All right. Last call for the queues. Please join the queues now if you intend to. Back over to this side.
Scott Johnson: Scott Johnson, Spacely Packets. I support this proposal in spirit and intent. However, as written, it would fundamentally break the ability for someone to deploy DHCP, for example. And so I think we do need a clear definition of just exactly what leasing is in this context.
Further, I would like to see suggestions as to an enforcement mechanism that could be deployed functionally in order to perfect such a change.
Bill Sandiford: Thank you. Over here.
Dustin Moses: Hi, Dustin Moses, Intermax Networks. I support this policy in theory. I also agree with everyone here, if you’re going to use the word “lease” that you need a definition for what a lease is.
In terms of the enforceability, we’re asking about if the current policy on the Waitlist might be able to enforce that already, such as proper justification for IPv4 addresses, leasing may not be in that definition of a justified IPv4 for connectivity.
So maybe there needs to be some clarification in that for justifications.
Chris Tacit: Just to comment on that briefly. One of the challenges, of course, is that with the transfer policy, ARIN still acts as a gatekeeper under the transfer policies.
With leasing, it’s very difficult for ARIN to know what’s actually happening with those resources, in terms of enforcement, right?
Dustin Moses: Which, I would say, there’s still the section about the 8.2 in adherence of 8.2, right? Thanks.
Bill Sandiford: All right. Queues are now closed. Back over to this side here.
Kevin Blumberg: Kevin Blumberg, The Wire. I don’t support this particular way of addressing the problem. I think we’ll be talking about IPv6 runout probably before we reach consensus on the definition of leasing as a community.
But that being said, I think it brings up the more holistic way of looking at this, which is this is more like a 4.4 or a 4.10 space for its intended purpose.
We circled around and put a five-year transfer on it, et cetera. Maybe, Chris, a better way to look at this is we need to lock this down like 4.4 and 4.10, intended purpose only, nontransferable, dot, dot, dot, /24, and really lock it down to companies using it for their own immediate need.
Rather than trying to now carve out all these exceptions or not exceptions to the rule, let’s go that extra distance and say, hey, we’re basically giving you a free lottery ticket on this Waitlist. You can’t go off and then spend it or whatever.
Let’s rather look at this as a bigger picture and maybe clean this whole section up to what we, as a community, I think, now want it to be, which is a little help, but not a way to get on a free pass to some free v4.
Chris Tacit: To get clarification, would you then favor eliminating the ability to transfer at all? So even after 60 months?
Kevin Blumberg: Yes.
Chris Tacit: Thank you. That’s clear.
Bill Sandiford: Doug.
Doug Camin: Doug Camin, Coordinated Care Services. I support the concept of the policy in the nature of preventing abuse of the policy section here. I agree with others in the fact that there should be a definition for leasing. I also agree with Kevin that perhaps restricting the ability to transfer on a permanent basis is a reasonable consideration as well. Thank you.
Bill Sandiford: We’ll go to online now.
Beverly Hicks: Dan Hawthorne, Tenerity. Is there a history of this being a real issue? How can a lease be identified? I do not support the current version.
I also have a second comment, would you like that now?
Bill Sandiford: Go for it.
Beverly Hicks: Mike Flowers, TDS Telecom. Follow-up question, the attempt to enforce this policy, what would you do to those who have already done the leases and now have the legal contracts that they are to have to abide by?
Bill Sandiford: Good question. Something for the AC to think of. Over to this side.
Mike Burns: Mike Burns, IPTrading. I’m against the policy. I have a couple of comments. First, my question is what is the problem that this policy was designed to solve? Was there a problem statement?
Chris Tacit: Yes. I guess the problem statement referenced the fact that normally you want to provide resources in connection with connectivity services, which aligns with some of the comments about defining leasing a little more precisely, and that they shouldn’t just be provided without any strings attached.
Mike Burns: And yet people who get addresses not from the waiting policy have no such prohibition? Is that true?
Chris Tacit: You know, you could be a lawyer. I feel like I’m being cross-examined.
Mike Burns: I’m just wondering when we talked about the problem with the Waiting List when it was suspended by the Board, we were given information about the size of the blocks that were being transferred. And I haven’t seen any information here about the scale or scope of this potential problem.
And knowing as I do lease rates and knowing as I do the time it takes for a Waiting List and the maximum reception amount, which is a /22, I just don’t think that this is worth our time.
And if people check the policymaking communities around the world they’d be aware that there has been a global attempt to prevent leasing that has pretty much bogged down everywhere on the definition of leasing. And the attempt to tie it to connectivity as you know can easily be evaded with simple methods. So there’s a limited scope of the problem.
Trying to get ARIN to look at usage post-allocation and make decisions to revoke based on that, it’s not anything that ARIN has ever done. So I just don’t think the problem is worth this solution.
And what’s more, as has been stated, I have a feeling that the Waiting List policy is going to change. We talked about that earlier. And I think that it will be changed, and we should probably wait for that.
Chris Tacit: On that, maybe a follow-up question to the community is given the Policy Experience Report and the length of time it takes to get those resources, is this really still a problem? Because that’s important to note.
In other words, it’s going to take three years to get it. Are people really going to get on a three-year Waitlist just so they can lease without connectivity?
It’s an interesting question to contemplate.
Mike Burns: The community should have more information on the scope of this problem.
Chris Tacit: Thank you.
Bill Sandiford: Thanks, Mike. Over to this side.
Mohibul Mahmud: Mohibul from Microsoft. I have one observation, like others have mentioned. We need to define the leasing. And another thing is I just would like to know the clarification, like how the 60-month restriction on leasing is aligned with the existing 60-month restriction on the transfer for Org Waitlist? So like what is actually the rationale for this timeframe, like 60 months?
Chris Tacit: The 60 months was just the community consensus when the policy was put in place and adjusted.
Mohibul Mahmud: For transfers?
Chris Tacit: For transfers, yes. When the word “or lease” was added, I guess whoever the author was — I can’t remember now — didn’t think that it should be a separate period. So they adopted the same 60-month period for the restriction period as exists in the transfer.
It was just a matter of their convenience when they proposed the policy.
Bill Sandiford: All right, Aftab.
Aftab Siddiqui: Aftab Siddiqui. Quick comments, a couple of them, one which Mike referred to. In the APNIC region one of the authors is trying to come up with the definition of leasing for the last two years. And it’s still continuing. So it’s not going to solve.
I totally support the problem statement.
Yes, there is a problem, but a solution doesn’t exist. And if you want to come up with a definition, I would say just every time you come up with a definition please check how do you define 184.108.40.206 /24. Is it leasing or not? Because Cloudflare does not have the custodianship of this address. It does not belong to them.
So how do you check it? I know because the agreements are publicly available. But from the routing, how are you going to tell that this is leasing or not leasing? So putting a lot of pressure on the hostmasters on the ARIN staff is, I don’t think is appropriate.
I would suggest what Kevin was saying, number one, either extend the number of years — in APNIC it’s five years, nontransfer policy — either you extend it or just put a restriction once that you get it from the Waiting List you’ll never be able to transfer it.
Chris Tacit: Thank you.
Bill Sandiford: Final comment.
Waqar Ahmad: Hi, this is Waqar from Rogers. I am an ARIN Fellow. I clearly support this policy as it stands because it clearly describes the important use of leasing IPv4 for subnet from the Waitlist.
Bill Sandiford: Thank you.
All right. Thank you, everybody, for your comment, your feedback. We’ll move on to the next one.
Hollis Kara: I think so. Thank you, Chris.
All right. Next up, we’ve got Anita Nikolich, who will come up and talk about Proposal 2023-4: Modernization of Registration Requirements.
Draft Policy ARIN-2023-4: Modernization of Registration Requirements
Anita Nikolich: I’m here on behalf of — Alicia Trotman is my co-shepherd, so please give us some feedback. There’s been a little bit on PPML, but please give us some feedback at the conclusion of this.
So I’m going to talk about Draft Policy 2023-4. There’s a lot of words on these slides, so I’m not going to read them all.
But in terms of the problem, the motivation, so this came about from the NRPM Working Group. Of course, we all know the value of registration, but if you — I’ll give you a second to read this — you’ll see about three sentences in there’s a reference to privacy laws.
Particularly in the US, since there’s so many different privacy laws now enacted at the state level, there is some kind of different, depending on the jurisdiction, there are some different opinions, I’d say, about states, about these issues.
So the problem statement is to modernize registration, and because this is important to a variety of stakeholders, of course, not just to network operators but a variety of stakeholders to get accurate information, that was the crux of the problem here.
So the proposal aims to modernize requirements by introducing language to make the requirements more adaptable to these changing privacy laws. Again, because so many of them, at least in the US, are done at the state level, this is an emerging scene. So that’s what this proposal aims to address.
I highlighted in red just to make it easier.
I’ll let you look through this, Section 220.127.116.11.1. You can see that the key points are adding “within 14 days to the extent permitted and manner provided by applicable law.” So that’s some new changes to the wording, renaming Section 18.104.22.168.
Also in this section — this is very lengthy — but you can see in red, this is replacing, essentially, “within 14 days, to the extent permitted and manner provided by applicable law,” similar to the section referencing IPv4. And finally to retire this section because it will be replaced potentially by the section mentioning 14 days.
So the proposal started in June. The revision had to do with the 14 days. This was with some feedback from PPML. So that’s how it currently sits, 14 days. Some of the feedback from PPML, suggestions on a definitive timeframe. Originally the proposal said “timely” in the Draft Policy, so it was changed to 14 days.
Some concern with stating privacy laws in the problem statement itself.
Some concern with the phrase, “To the extent permitted and manner provided by applicable law.”
So of course all these are open for more discussion.
The main question from us, is 14 days a reasonable timeframe? And I’m sure others have some questions or comments. But that’s kind of the main thing in terms of being shepherds that we kind of wondered about the community feedback.
Any questions or comments?
Hollis Kara: All right. Microphones are open. Bill, shall we start over here?
Bill Sandiford: Start with Owen.
Owen DeLong: Owen DeLong. I’d like to roll back to the slide that said “reallocations or reassignments”.
Anita Nikolich: Let me see if I can actually go back. This one or —
Owen DeLong: There was one where you were actually changing it to say “reassignment or reallocation,” I thought.
Anita Nikolich: Correct. Let me go back.
Owen DeLong: In that case —
Anita Nikolich: It’s this one, right?
Bill Sandiford: Forward one slide.
Anita Nikolich: It’s this one, right?
Owen DeLong: Yes. And in the other paragraphs that will also be affected by this, I think this is going to collide with one of the proposals we looked at earlier where we’re eliminating the term “assignment” essentially in favor of calling everything an allocation.
So perhaps we should refer to everything as a reallocation. John’s going to correct me.
John Sweeting: That is not correct. Reassignments still exist for our customers that have direct allocations. They can either reassign to their customers, which then makes those customers not able to reallocate further down, or they can reallocate.
But reassignment is still an action that can be taken in the system.
Owen DeLong: Okay. I’ll stand corrected on that. I think 14 days is perfectly reasonable. Generally in support of the policy.
Anita Nikolich: Let me go back.
Bill Sandiford: Thanks, Owen. We’ll head over to this side over here.
Roman Tatarnikov: Roman Tatarnikov, IntLos Consulting Company. I worked with some of the privacy in California with implementing it, specifically compliance with CPRA. Right now there’s only six states in the United States that have any kind of privacy laws.
Canada has PIPEDA. So the whole concept of privacy as industry is only emerging in North America.
In Europe there’s GDPR but it’s still very fluid and it’s changing a lot.
So for 14 days, considering it’s a whole new industry, I don’t think it’s enough. I think it’s going to take like 14 years to come up with what privacy is. That’s the first thing.
And the second is in regards to GDPR, CPRA, and all the other privacy laws, they always mention privacy of either the end client, customer, individuals, or employees.
What they don’t really cover are the companies. So what I think we need to focus on is do we actually expose a PII or any employee names in Whois and similar services then it might be a question — that probably is a definition that it falls into privacy laws. If it’s just a company name, it shouldn’t fall under them.
So I wish I could say the perfect solution to this. But, again, since the privacy law is changing so much it’s very hard.
I do however support this policy, that clarification — the clarification that it needs to be extent permitted and manner provided by applicable law. I think that’s a very good way to go around possible legal issues. Thank you.
Bill Sandiford: Thank you. We’ll head over to the side.
Steve Wallace: Steve Wallace, Internet2.
And this may be a little bit tangent to this, but one thing that occurred to me when I saw this policy and policy recommendation, is you list a certain allocation size that will require these. I would also — if they’re being originated from a different AS as a requirement, and because that leaves the door open for creating ROAs.
So, if there’s a reallocation of any address space that’s going to originate from a different AS, and if there’s going to be a future mechanism for people who were — the SWIP-ees, if they can create ROAs.
Anita Nikolich: That’s also good. If you have some specific language, because that sounds like that would broaden this. So if there was some specific language you could recommend or feedback, that would be very helpful for the shepherds.
Steve Wallace: I’ll do that.
Bill Sandiford: Last call for the queues.
Do we have anybody online? Last call for the queues. Get your comments in online. And we’ll hit this side over here.
Mohibul Mahmud: Hi, it’s Mohibul from Microsoft and an ARIN Fellow. My question is related to Section 22.214.171.124.1.
I would like to know what is the rationale for introducing this 14-day timeframe and referencing applicable laws. So if there is any rationale for 14 days.
Anita Nikolich: The 14 days was, so, if you look — so for the next section — sorry. The section after this would be taken out, which currently has seven days. The 14 days is just to get — doing things immediately is very difficult.
So, this is just, again, the shepherds are neutral, but based on some feedback it felt like 14 days was a reasonable timeframe for somebody, for a company to do this.
The applicable laws is what we’re talking about, with the different states having different — like, the California and Virginia and just a handful of states with varying privacy laws, pretty much how they interpret PII being an IP address.
So those laws, because they do vary, some providers are unsure without a very clear definition of what to do. This gives at least some guidance by saying “applicable law.”
It can’t be super prescriptive, but it says laws are emerging; this acknowledges that. Is kind of the rationale. But any wording would be appreciated if you had some.
Mohibul Mahmud: That’s fine. Thank you.
Bill Sandiford: Queues are now closed. And we’ll come to this side. Kevin.
Kevin Blumberg: Kevin Blumberg, The Wire.
I do like one part of this policy statement: Modernization of Registration Requirements. The rest of it I don’t agree with.
I do believe that we need to have a registration modernization, and I think it needs to be far more simple than this.
The biggest issue is a /47 or larger means that pretty much every addressable 48 that’s on the BGP routing table has no SWIPing because you don’t need to and nobody will.
The reality is /29s was an arbitrary number 25 years ago and really has no impact to anything.
What we need today — and you’re welcome to do it as your own, or I’ll submit it separately — is at the end of the day there are two kinds of reassignments or reallocations — ones where the company wants to do it.
You’re my customer, you’re doing email deliverability. I don’t want to get all this abuse email. I’m putting in a rec for it. That’s one kind.
The second is I’m giving you space. You are going to announce it separately and that should be an absolute hard requirement that if space is announced separately — and I would even wrap it into without that reassignment you cannot use any of the services like SWIP — sorry, like reverse DNS, like RPKI, like IRR.
Because that is the critical thing. If that space is being addressed, it’s being addressed outside the organization that, quote/unquote, has the title to that, the original space, has no idea how it’s being used and there’s no contact to it.
That’s really the only other situation today.
The 14 days is a red herring. The /29, all those are a red herring. The most important thing is who is ultimately responsible for handling an abuse complaint, the top owner or the one that’s SWIPed down. And we really need to think about doing a proper modernization rather than shifting words around.
To add complexity, Bill 25 in Quebec is a very very tough privacy law. There’s a lot of changes going on.
Ultimately it’s outside of policy. And it really comes down to the RSA and my company being able to do what is required. I don’t think we even need to go into applicable law because it’s not policy that’s responsible for that; it’s the contract I have with ARIN and my own regulatory requirements in my city or state or province or country. Thank you.
Anita Nikolich: Good feedback. I think there will be a lot more discussion on this line. So I appreciate that. Thanks for the feedback.
Bill Sandiford: Thanks, Kevin. And final comment, Chris.
Chris Tacit: Chris Tacit, Tacit Law, ARIN AC. I think Kevin raised some good points for consideration. But, having said that, if there’s going to be any registration policy, it’s going to have to tie in realistically to what the existing laws are wherever it’s going to be applied.
So I don’t think we can completely sever that link. It’s desirable. I’d love to see it severed, but I’m just not sure it can be achievable.
On the 14 days, I think you need to create some timeframe that’s realistic by which a party can assess whether it can or cannot and if it can, must, populate the registry or the directory.
So there has to be some timeframe there. 14 isn’t right. Maybe it needs to be a bit more. But you do need a deadline.
And people will be sensitized to their own privacy laws as they exist, as they have to apply this policy. So it shouldn’t take that long for them once they know their own laws. Thank you.
Bill Sandiford: Thanks, Chris. Thank you, everybody, for your comments and feedback. We’ll move on to the next one.
Hollis Kara: Thank you, Anita. We will.
All right. Lively discussion. I love to see it. Let’s go.
Alicia, come up. We’ll talk about Policy 2023-6: ARIN Waitlist Qualification.
Draft Policy ARIN-2023-6: ARIN Waitlist Qualification
Alicia Trotman: Hello, everyone. This is Draft Policy 2023-6: ARIN Waitlist Qualification. I’m the primary shepherd, Anita is the secondary shepherd. And this was also from the NRPM Working Group.
So the problem statement. The gist of it is the proposal aims to make explicit the relationship between the Waitlist policy and the qualifications for the Waitlist space, based on Section 4.2 for ISPs, Section 4.3 for end users, and Section 4.5 for organizations making use of multiple discrete networks.
This here is the section that’s going to be added — 126.96.36.199, Qualification. And it reads, “ARIN staff will evaluate Section 4.1.8, ARIN Waitlist requests, on the basis of relevant policies within other Section 4 subsections as applicable. For example, staff may refer to Section 4.2 for ISPs, Section 4.3 for end users, and Section 4.5 for organizations with multiple discrete networks.”
A bit of history. We received this proposal on August 16th. And it was accepted as a Draft Policy on the 26th of September, which hasn’t been too long.
Thus far on the PPML there have been no comments. I know this is not a very exciting policy like some of the others with the Waitlist, but I would love your feedback today. And the question is do you support the policy as written.
Hollis Kara: Bill. Thanks, Alicia. All right, folks, microphones are open. I think everybody got tired. Everybody run out of steam?
Alicia Trotman: Don’t all run at once.
Hollis Kara: Come on, give us something.
Bill Sandiford: Opening it up for online and remote.
Hollis Kara: Yes, remote, please start typing.
Bill Sandiford: Please make the room look bad by getting comments remotely.
I think what they’re saying is that your presentation was just so fantastic they have no questions or comments.
We have one. All right.
Mohibul Mahmud: Hi, Mohibul from Microsoft and an ARIN Fellow. My question is what specific criteria or conditions in Section 4.2, 4.3, and 4.5 are relevant for evaluating ARIN Waitlist requests, and how ARIN staff will apply them in practice?
Alicia Trotman: John, do you want to get that one.
Hollis Kara: John’s in his Cracker Jacks. Hold on. Might need to repeat that one.
Bill Sandiford: You caught him with a mouthful of Cracker Jacks.
John Sweeting: Caught with my hand in the bag. Could you repeat that?
Mohibul Mahmud: Sure. What specific criteria or conditions in Section 4.2, 4.3, and 4.5 are relevant for evaluating ARIN Waitlist requests, and how ARIN staff will apply them in practice?
John Sweeting: Is there a slide for this?
Bill Sandiford: No, there isn’t. I checked.
Hollis Kara: It’s a pop quiz.
Bill Sandiford: While we’re waiting for that, maybe we’ll just — Matthew, jump on in.
Matthew Wilder: Matthew Wilder, ARIN AC, NRPM Working Group. We sent this your way, and the rationale was actually to kind of shore up — we’re evaluating Section 4 in its entirety. We want to explain why we’re not just doing away with all that text.
There’s no free pool. So you look at 4.2, 4.3, 4.5, it looks like, why is this text still here? So this qualification text sort of says, here’s how ARIN staff uses it. And so you’ve got initial allocation. You’ve got additional. And the Waitlist requests are evaluated.
There are Waitlists comments on how much space can be assigned, but staff may refer to these sections for initial and additional IP space. Is that fair, John?
John Sweeting: That’s very fair. And it’s also there’s usage requirements as well for space you already have that you have to meet as well that are in those sections.
Bill Sandiford: Thank you. Mohibul Mahmud: Thank you.
Bill Sandiford: Andrew — last call on the queues. Get your comments in online.
Andrew Dul: Andrew Dul, with my AC hat on. I think this is probably the backward way to approach this problem. I think the best thing is to actually put the requirements in the Waitlist section and do away with the rest of them, because I think those requirements can be very simple. Probably even three or four sentences and you’re done and we can get rid of an entire section of history that is no longer relevant.
Bill Sandiford: Thank you. Going once, going twice. Thank you, everyone.
Hollis Kara: Thank you, Alicia.
All right. I jinxed it. Sorry, guys.
We’re wrapping it up. This is our last policy discussion of the day.
I’d like to welcome up Chris Woodfield. He’s going to talk us through Draft Policy 2023-7, which is a very long title that he is going to be here sooner than I can finish reading, so you can read it yourselves.
Draft Policy ARIN-2023-7: Clarification of NRPM Sections 4.5 and 6.11 Multiple Discrete Networks and the Addition of New Section 2.18 Organizational Identifier (Org ID)
Chris Woodfield: Yes, the title here, Draft Policy 2023-7: Clarification of NRPM Sections 4.5 and 6.11 Multiple Discrete Networks and the Addition of New Section 2.18 Organizational Identifier (Org ID).
So we have a fairly equally extensive problem statement. But the best way to think of this one is that it is almost editorial. Very little language is changing. This is mostly reformatting. The additional language is a definition that is currently not present in the NRPM.
So our problem statement here is that 4.5 and 6.11 do not adhere to the style guide as used in the remainder of the document. And they feature numbered lists that detract from the readability and usability.
In the process of researching the changes it was noticed that we do not currently define Organizational Identifier and that we should include a definition to add clarity to the term and unify all the references and match the use of the term for other NRPM ARIN publications. So thus we’re adding Section 2.18 to handle that.
Here is the current language. As you can see we have a mix of numbered sections that, some appear should be in a sublist after 188.8.131.52 are part of 2, so we’re making that fix here. Similarly here there’s a number of numbered blocks that really make more sense as a single paragraph.
I should note that this policy is a work product of the NRPM Working Group. So thank you to those in that working group that helped to work on this. Kudos.
As you see here, we have done away with the numbered sections and replaced them with paragraphs and bulleted points. But the text does not significantly change. The bulk of the change is the use of the word “organizational ID,” which is in service of it being defined later.
The other section is now added as a single paragraph. Granted it is a bit of a long paragraph but necessarily so in the author’s opinion.
Here is the changes that we make to section 6.11. We do have bulleted points here, unlike 4, but they can be better formatted.
And here’s our current text, and we are reformatting it as such, the changes, but we are also replacing the numbered points with bulleted points in the new text.
So this is currently a Draft Policy, a fairly recent Draft Policy. It was adopted onto the docket last month.
So far, as of the, well, two weeks ago, the date these slides were prepared, there was no PPML feedback responding to the announcement of this Policy Proposal. And I don’t think there’s — I don’t believe there’s been any since. But someone can correct me if I’m wrong on that.
So questions for the community are as follows. Do you support this rewrite? Do you believe the updated text provides additional clarity — updated text and formatting of said text? Do you believe that the term “organizational identifier” is — a definition of the term “organizational identifier” is necessary, and does that provide additional clarity?
Third question, do you believe that both issues above are best addressed in a single Policy Proposal, or would there be a preference to handle these two issues as separate proposals?
Hollis Kara: All right. With that let’s get folks in queue for questions and comments. Folks online, please start typing if you have questions or comments for Chris. And, Bill, where do we want to go?
Bill Sandiford: We’re going to start with Doug.
Hollis Kara: Okay. Doug, you’re up.
Doug Camin: Doug Camin, Coordinated Care Services. I do support the changes to match the style guidelines as you proposed. I don’t know that I have enough to comment on the Org ID at the moment. So I’ll leave my comments at that. Thank you.
Bill Sandiford: Thanks, Doug. Reminder to people online, get your comments in. Kevin.
Kevin Blumberg: Kevin Blumberg, The Wire.
We’re close to Christmas so I’m going to say this: Let’s eat kids. Let’s eat, comma, kids. Punctuation saves lives.
You’re asking for a significant amount of “no op” editorial changes that, with one comma, could have very different things. So I’m just tired of the word “editorial.”
That being said, the cleanup looks good. I don’t know why we’re doing it because it’s just a cleanup. It’s not actually changing anything. And, in fact, what you’re doing is creating a situation where people who have put in lots of policy in their own companies, you are now creating a headache for them because they cannot reference because that reference is now changed for no-op reason other than your own style guide.
You put this guide out there. Many Orgs use this guide. Internally they will have processes and procedures that reference this guide. And instead of redacting it, you’re now just wholesale changing it for your own style needs without taking into their account.
So I don’t support that part of it unless there’s a specific reason to do it. Org ID — that was maybe the specific reason to do it.
Is there an RSA definition? Is there a definition in the RSA for Org ID?
Chris Woodfield: Does anyone know the answer to that question?
Kevin Blumberg: Then why are we creating a definition for it? If there is an authoritative definition by ARIN staff for the word “Org ID,” which is their term, great, use that. If there isn’t, don’t create something that is in conflict.
John Curran: Okay. Not that I need it.
Organizations — sorry, entities that have an entry in the ARIN registry are organizations by definition. Org ID is a convenient handle for referencing the fact that an entity is a user of ARIN’s registry with entries in it.
So we don’t have a definition of “Org ID” other than one that is self-referential. Every entity that has an entry in the ARIN registry is, as far as we’re concerned, an organization ID. And it came from the convenient handle that we issue.
In truth, the handle is just the handle.
The organizations are organizations. So you can say that an organization identifier is a record that represents a business, but that’s just because we assigned handles to them. That’s it.
Bill Sandiford: Unique handles.
Kevin Blumberg: Right. So the suggestion in this policy is to create a definition, add in terms like “nonprofit organization,” “government entity,” all these things.
We don’t need this, Chris. I’ll be honest. It is creating a new definition for something that could be — an organizational ID is a term for organization as defined by ARIN, et cetera.
So I appreciate that cleanup work has been done by the Advisory Council. I do appreciate all of the work that goes in. I know it’s not easy. But please be very considerate to those who have other stuff on the other side. It’s making what you perceive to be better for the community, but it may not actually do what you intend it to do. Thank you.
Chris Woodfield: Question for you, Kevin.
Given this particular definition — you mentioned business, nonprofit, corporation, or government entity, could we simply just say, record that represents an organization in the ARIN database, regardless of what the type of organization is?
Kevin Blumberg: I would ask staff to give you a definition that — because by the sounds of what John just said, an organizational ID is a nice way to say an organization. It’s self-referencing.
Chris Woodfield: The ID that references the organization.
Kevin Blumber: Yes, thank you.
Bill Sandiford: Do we have anyone online? Nobody online. Last call for the queues. We’ll go to this side over here. Go ahead.
Mohibul Mahmud: Hi, Mohibul from Microsoft, an ARIN Fellow. I was just curious, what are the specific -– is there any specific benefit of adding a definition of organizational ID to the NRPM? Is there any —
Chris Woodfield: We do find in there, where places where if we don’t define a term various community members tend to walk away with various different definitions, which makes for some interesting data and input for the Policy Experience Report.
So a number of places — if we have a term that we use internally but don’t define that term, the use of that term can be ambiguous and could be used in conflicting ways without a definition.
That’s not just an ARIN thing, that’s just a general policy procedure/contractual law thing is that if you’re using a term that doesn’t have a very well understood definition, you need to make one.
Mohibul Mahmud: Thank you.
Bill Sandiford: Okay. Queues are now closed. And Kaitlyn.
Kaitlyn Pellak: Hi, Kaitlyn with Amazon Web Services. Actually Kevin brought up a good point that reminded me of something that I’ve encountered in the ARIN database.
I would argue that business, nonprofit corporation, or government entity is not all-encompassing. I have definitely run into Org ID organizations that are not actually businesses. I’ve seen all kinds of crazy stuff in there.
So I would definitely encourage expanding that definition at least. I would also argue that rather than breaking this out into its own section, you may want to consider just adding additional language to 2.12, which talks about organizations. Might just be easier than creating an entirely new definition.
Chris Woodfield. Great, thank you.
Bill Sandiford: Thank you. Doug.
Doug Camin: Doug Camin, Coordinated Care Services, I had some additional thought. I think that the — I mentioned before, I agree with the editorial components of the bullets and the other style guidelines point.
And I think it would probably be beneficial to split this into two policy proposals. So you have one that really addresses the style guideline component, which would really be editorial in nature, could pretty easily be classified as such. And then deal with the organizational ID and the definition that comes with that as its own separate policy with its own separate discussion, so that one doesn’t drag down the other. Thank you.
Bill Sandiford: Owen.
Owen DeLong: Owen DeLong, DeLong Consulting. Pretty much what he just said. I would also propose that a better way of expressing the definition would be, an Org ID is a unique identifier that identifies an organization record in the ARIN database. Because the Org ID is not the record; it is a handle that points to the record.
Chris Woodfield: Good point. Thank you.
Bill Sandiford: All right. This side.
Rhonda McFadden: Hey there. Rhonda McFadden, currently independent and available for hire.
I just wanted to second or third or fourth or fifth some of the things that everyone else is saying, that it seems to me that something like an organizational identifier is a record that represents an entry in the ARIN database or an entity in the ARIN database.
And let’s see if I can remember what my other point was. Oh, it’s a minor thing, but on your slide, you don’t have a dash in data transmission on the other statement, but on the website it’s there.
Bill Sandiford: Thank you.
Rhonda McFadden: Little things.
Chris Woodfield: They’re important.
Bill Sandiford: Same side.
Dustin Moses: Dustin Moses, Intermax Networks. I just want to follow up with everyone, in agreement that it should be probably two different policies in terms of the Org ID.
I feel when you’re bringing in a definition like this, you’re really putting a definition across the whole board. For example, when I look at the ARIN resources directly and I go to my organization IDs, I can see that there’s already a definition there and that needs to also be confirmed with, if it’s a NRPM definition or if it’s an ARIN definition internally.
And so we need to be careful that we’re not being too exclusive about what an Org is. And so I’ve kind of agreed that it needs to be more just a unique entity of the handle, not necessarily the specific business, nonprofit, that sort of thing.
Chris Woodfield: Where did you say the other definition exists?
Dustin Moses: There’s another definition — the definition is right in the portal.
When you just go to your Org IDs, it says this is what an Org ID is. Just making sure that’s synonymous, if we decide to make the definition. And, like I said, I feel that’s a whole separate policy.
Bill Sandiford: Beverly, we have an online?
Beverly Hicks: Yes. Joe Provo, he says, putting his legacy holder hat on, narrow definition of an Org isn’t great. As noted previously, a general definition would be better and would match with one of my Orgs.
I have a second one if you’d like.
Bill Sandiford: Go for it.
Beverly Hicks: And the second is from Dan Hawthorne from Tenerity. I have a list of Org IDs that represent the same organization. So in our case there are multiple Org IDs for a single entity.
Bill Sandiford: Fair point. Chris.
Chris Tacit: Chris Tacit, Tacit Law, ARIN AC. I agree with splitting this out to a separate policy. I think the other editorial stuff is fine. We do need to match it to the style guide.
If anyone thinks that that part is going to break anything, then I would expect to see comments on PPML about that. So far we haven’t seen those. So the hypothetical that it might break something, I don’t think should prevent editorial changes.
As far as this one is concerned, the comment I would have is if ARIN has adopted a practice of what an acceptable organization is, if staff has done that as a process matter, it would be very useful to share that with the shepherds because what this was attempting to do was to quantify an existing practice, not to make a change to the Org IDs that are acceptable within ARIN.
So if this needs to be generalized, if it needs to match process, no argument from me on that. So thank you.
Chris Woodfield: I’ll mention there are probably people —
Bill Sandiford: Go ahead, John.
John Curran: You ask if there’s a definition of what’s an acceptable Org ID. I want to point out an Org ID refers to an organization. And an organization can have multiple Org IDs. So when you’re asking the acceptable definition, you’re implying a set of constraints that probably don’t exist.
In truth, the question is, what does an entity have to do to do business with ARIN? Well they have to hold themselves out as an organization, and we assign them an Org ID. Holding themselves to an organization is to say they will enter into an RSA agreement with us.
So there’s no constraints whatsoever. And in fact some organizations have separate divisions with separate Org IDs.
Chris Tacit: I don’t mean to interrupt. But what I meant is “what an acceptable organization” is, not Org ID; I got sidetracked there. What I really meant is, what is an acceptable organization to ARIN. Does it have to be a legal entity?
John Curran: It does not have to be a legal entity.
Chris Tacit: So how do you enter into a contract with something that isn’t —
John Curran: There’s DBAs and similar people hold themselves out. You register yourself as a name for a business.
Chris Tacit: But behind that it has to be a legal entity.
John Curran: You’re a legal citizen and you can hold yourself out with a name, registered — we have many cases of people conducting business. They do not need to be incorporated, if that’s the question. We’ve been through this. But you don’t need to delineate that.
Chris Tacit: No, that’s fine. I just wanted to understand. If what you’re saying is, we’ll take almost anything that somebody gives us, then that’s the way the definition should be and that’s fine.
John Curran: That’s my point. I want to be clear. There’s nothing in Number Resource Policy that should be applying a constraint to the business practice of what organizations make use of ARIN services.
If so, then, yes, we don’t need a definition here. This is not — no one’s intending that this definition be exclusionary, who can use ARIN services. So you don’t need to elaborate it.
Chris Tacit: No, maybe not, except that everywhere else in the NRPM where we have a capitalized term or short form term is defined.
So a new person coming to ARIN wanting to understand what it means should have a guide as to what this means. And if it has to be very wide, broadly encompassing, that’s great. Again, I don’t favor constraining the current practice at all. I’m just trying to quantify it.
John Curran: Does the term “Org ID” apply elsewhere in NRPM?
Chris Tacit: Yes.
John Curran: Then you should define it as the handle that defines the organization using ARIN services.
Chris Tacit: That’s fine. That makes sense. Thank you.
John Curran: Because it is the handle of the organization using ARIN’s services.
Chris Tacit: Thanks, John.
Bill Sandiford: All right Amy, I saw you sneak into the closed queues when you thought nobody was looking. But we’ll let you go anyway.
Amy Potter: I actually think that the way organizational identifier, or Org ID, is used throughout NRPM is perfectly clear, and there’s no need to create definitions for a term that everyone understands.
Bill Sandiford: Hear, hear. All right, go.
Rhonda McFadden: Thank you. Rhonda McFadden, again.
Would it just make more sense just to say, an Org ID represents an entity that has an RSA with ARIN?
Bill Sandiford: I don’t think we can go that far because we have Org IDs in the data base that do not have RSAs.
I’m going to call a close on this one. And I think that’s the end of our policy block.
Hollis Kara: We’re done with policy.
Bill Sandiford: Thanks, everybody.
Hollis Kara: Congratulations, everybody.
I know that probably felt like a lot, but I’ve got to say, from my perspective, after a couple of meetings in a row where there wasn’t a lot of engagement around policy discussion, this was really nice to see.
You should give yourselves a round of a hand — a round of a hand? — a round of applause.
It’s been a long day, y’all. We’re in the homestretch.
All right. So we’re going to probably end up trimming at least one presentation and carrying it over to tomorrow. But because my colleague, Joe Westover, was an auctioneer in a former life, he’s going to come up and run through the 2023 Customer Satisfaction Survey results. But he is going to slow down, otherwise Denise is going to get really upset.
2023 Customer Satisfaction Survey Results
Joe Westover: I guess that ends the policy portion of this meeting. I’m sure I don’t want to stand between everybody and ending this, but I’ll do my best.
I just want to touch briefly on the 2023 Customer Satisfaction Survey.
Just for those who have been in line with the community, you are aware these occur every three years. We have conducted it in Q2 2023. We have an independent contractor, Rockbridge Associates. They’ve been with us every year since 2014.
Objectives are obvious, right?. We wanted to really determine and lock down member expectations and needs, evaluate the satisfaction of ARIN’s services, identify unmet needs, and highlight priority areas for our enhancements and efforts within our teams.
The big one is gauging ARIN’s perception in the Internet community. I know I’m kind of newer here — newer meaning four years. When I did come on board in 2020, I was lucky enough to administer the 2020 Customer Satisfaction Survey. So it’s been a bit of an interesting survey there.
We’re looking to spot opportunities for enhanced outreach and participation. That seems to be something we have no problems doing, judging by the uptick in outreach this past year. And then obviously we’re comparing results year over year.
Methodology-wise, I’ll touch on this in a little bit, but the reality is come find me. The 56-page, full, unabridged, unabbreviated report is up on our website right now. You can go through that ad nauseam. I’m happy to talk about it after this, tomorrow, any other time.
They essentially go, from the methodology point of view, over 34 specific attribute groups. And that covers everything from policy development, Registration Services, engineering, financial services, communications and outreach, ARIN meetings such as this one, customer service, Internet governance and security. And there’s different components involved in there.
The key point here — and I’m going to show a chart over here; I’m going to jump ahead a little bit — but they’re looking for what you would want, what your perfect RIR score would be and then how you think ARIN is doing. So, there’s a bridge and a gap there.
Basically, we look at a 10-point gap, we need a concentrated effort needed to remediate it. And these are the recommendations from Rockbridge Associates. Fewer than ten points, good. Fewer than five point is obviously what we’re looking for.
Should you actually have the time, when you can’t get to sleep at night, want to go read this report ad nauseam, again, versus the output and the summary, this is what you’ll look at with a lot more rows and a lot more colors.
But essentially you kind of see points from ‘14, 2017 and 2020. And you can kind of see the gap between what we see as an ideal and where we actually measure up in terms of ARIN itself.
Overall, the feedback, we’re doing a good job meeting the needs of the community. Over 8 in 10 are satisfied that we are meeting the needs of their organization. So we’re happy about that.
Summary findings. Our alignment with community needs remains strong. Our loyalty and satisfaction indicators have been rising fairly consistently since 2014.
And three out of four respondents value ARIN’s fee structure, which as someone who was involved in the 2022 fee schedule, I’m pleased to see, and some of the other fee-schedule changes we’ve done.
Two-thirds are familiar with ARIN’s role, but only 20 percent are deeply acquainted. I’m sure that will not come as a complete surprise to other folks in the room.
Most believe in ARIN’s commitment to an open Internet, customer care. Financial management perceptions are a bit mixed. But, again, I think that goes with territory, with some concern about bureaucracy. But that’s again, I think that kind of comes with the territory there.
About 70 percent of respondents — there are about 317 completed survey responses, so those are the numbers that these percentages actually apply to — 70 percent recognize all ARIN products and services.
The top utilized services, as reported, included ARIN website and ARIN Online, maintain a high satisfaction, which is good.
Unsurprisingly also, RPKI usage, as reported, not only demonstrated by Brad Gorman and others in the reports for adoption has increased — 52 percent in 2023 versus 38 percent in the previous one.And DNSSEC shows a similar uptick.
Email, for better or worse, remains the primary communication mode as, reported by respondents, although its preference is client side lately.
Policy Development Process participation is marginally up, with time constraints being the primary deterrent. I think as someone who is newer here and has observed this, things seem to be maturing a lot.
That would be another natural component of that.
Unsurprisingly, training interest has surged, especially in RPKI. And that, again, doesn’t come as a surprise to anybody. We’re making lots of internal efforts, including plans for enhanced training next year.
Tons of outreach, 30-plus events. You’ll hear a little bit about that in the program overview for this year, and we’ll be doing a little more of enhanced programs. You’re going to hear more about that tomorrow when Marty McLaughlin talks about the certification update.
Did I go too far? I want to go by this one.
Vendor recommendations. So, ultimately these are the pieces that they’ve said, they’ve asked that we should do, is based off the respondents
Meetings, continue to simplify the election process. We do it on a regular basis. We look at the process coming out of every year.
Customer service, continue to deliver clear and accurate information, focus on improving the speed-of-request processing — again, something we’re looking at internally — enhance and continue staff training for better communication service.
I will say, having looked at the breadth from 2014 through and seeing the transition of what we’re focused, none of this is a surprise.
If anything, it actually corroborates a lot of what we’re already hearing, what we’re already listening to and actually already putting programs and resources and plans in place to address.
Communications, work on optimizing the website’s navigation. Continue to enhance transparency. Build upon existing mechanisms for gathering and responding to community feedback. Hollis and I talk about that quite frequently, how we can make improvements when we have items of note for next year and ongoing.
Registration Services, continue to speed up the process of transfer requests — that’s a biggie.
Ensure tools and resources remain user friendly. We do have a process team internal to ARIN. And a lot of that focus is going to be on transfers and other kind of billing irregularities, not irregularities, but the process itself so we can kind of streamline that.
That’s a new above and beyond. What I’m speaking about, we already have things in place. I know there was talk about the maturity of the organization and how we may be flat from a budget point of view. But we have actually taken the time and the forethought to get the resources in place to address all these things ahead of time. So we’re not going to miss out.
RPKI training, again, that’s been fairly robust, it’s going to get more robust next year, I believe with the addition of an LMS, but I’ll leave a little bit of that — I’m sorry, I didn’t say that.
And we’ll continue to offer more user-friendly documentation. That’s a huge focus on a day over day.
Innovation, again, continue to embrace new approaches and ideas for continuous improvement.
I think we’ve demonstrated that with some of the activities we’ve taken internally that hopefully will be indirect positives on the community.
Feedback methods. The Customer Satisfaction Survey is not the only method. We look at a lot — there’s feedback buttons. There’s after-ticket transaction surveys. There’s documented feedback, informally and formally from telephone calls, tickets, chats, et cetera.
We have the ARIN Consultation and Suggestion Process, the ACSP, which is, again, welcome any ideas. Come on in.
In-person feedback and events. Again, the sheer volume of outreach has given a lot of opportunity to get more feedback.
Mailing List, social media. That’s been good, and then Ask ARIN.
Then I close with this. The survey and the ongoing feedback — and in three years we’ll pitch again — has really been essential for ARIN. It’s really been essential to help us qualify what we’re doing, ensuring we’re focusing on the right things, and if there’s other things we need to discover to look at to perform improvements based off the community, it’s a huge help, along with all the other intake mechanisms.
I just want to say thank you on behalf of ARIN and the general community.
Hollis Kara: Thanks, Joe.
Does anybody have any questions of Joe about the survey? All right. Welcome to the microphone.
Lee Howard: Lee Howard, IPv4.Global by Hilco Streambank. Thank you for doing this. I always love to see reporting like this.
I did actually read the full report on the airplane here because it’s the kind of thing I do on airplanes.
Joe Westover: I downloaded a movie.
Lee Howard: It was also interesting to see that RIPE NCC also did their customer survey right in the same time frame and published their report right in the similar timeframe.
I read that one, too, because that’s the kind of glutton I am. I did not go compare the two, but it might be interesting to see what the results are.
When looking at those, as you showed the example of the individual boxes and the gap between expectations and performance, did the consultant give you a sense for, like, how significant a gap is significant? Like, some people will never ever rate you 100 percent because they just don’t believe in giving a hundred percent.
Joe Westover: They were primarily focused on that gap of 10 points or more, five points, that focus there.
A lot of it is obviously there’s a methodology among the surveyors in their professional industry, where we’re relying on their deciphering interpretation of some of the data that comes in. But in the end, they steered us towards that. That’s that gap. You want that closing, not opening.
Either if it isn’t closing or it opened widely — and there were a few of those — from that came some of the focus and recommendation areas they offered us at the end of the survey.
Lee Howard: Ten or more is exactly the answer I was looking for. As I was reading through, I kept seeing, oh, there a lot of 8s, there’s a lot of 10s. Oh, my gosh, this is terrible. I say I don’t know if that’s bad or not.
I also think that you might want to call out — there’s at least one area where ARIN outperformed the expectations. I believe that was policy. And I don’t remember off the top of my head whether it was Policy Development Process or if it was international coordination. But whichever, good job in whatever that one was.
Joe Westover: I can’t take the credit. We have a policy team.
Hollis Kara: Thank you, Joe.
All right. So now we’re definitely not going to have time for programs, but I need a little bit of audience participation real quick. How many folks have things for Open Microphone?
We’ve got one. That’s it. Sorry, guys,
you’re going to have to listen to me talk for a minute. I’m going to go ahead and talk a little bit about the ARIN Consultation and Suggestion Process and get that knocked out this afternoon instead of waiting for tomorrow. Because I’m here and I’ve got the clicker, and I can.
ARIN Consultation and Suggestion Process
Hollis Kara: All right. It got mentioned earlier this morning, and it always gives me a warm feeling when I hear somebody say that it’s a cool thing that ARIN has this program.
What I want to do is just take a moment. We haven’t really talked about it at a high level in quite a while.
I just wanted to share sort of performance over time and what’s been happening inside this year and what’s coming up, because it’s a lot. It’s actually getting exercised more and more, and we’re finding ways to be more efficient.
What I’d like to do is give you a brief overview of the history and then what performance has happened this year and what’s coming up, which I just said, again. And Jason is in the hall.
The ACSP was launched in 2006. We’ve had it for a while. The current process that it operates under was adopted by the Board in 2018. That’s important.
Over the course of time, we’ve conducted 72 consultations with the community. We have received 438 valid suggestions. We’ve closed 320. We have 67 pending in queue, which is a lot. And there were 51 that were relegated as spam; received in total.
So, a fairly robust mechanism for the community, I think we can agree.
Now, this year has been particularly busy.
Not of late, thank you. We’ve had 13 suggestions submitted so far this year. Five of them are currently open and confirmed. Two have been referred on to consultation — I’ll talk a little bit more about that in a second —One we went back to the author and went back and forth, and it’s been closed and resolved.
One was withdrawn. And one was declined. Five were spam.
So that’s what the queue looks like now.
The print’s rather small. If you go on the website, you can read through these.
We have closed 14 suggestions this year, which is, I think, a peak from the last several years. We had a period of time where we had a very dedicated focus, an entire team, focused on closing suggestions, and we were going through them at a great rate of speed.
That had to stop for a while. But because we have, I think, done a better job of matching this up with the development work and our pipeline, we’ve been able to successfully close 14 suggestions this year on a whole range of areas in our services.
We’ve also had a fairly brisk pace of consultations this year. It’s not going to let up.
We had a consultation at the beginning of the year on expanding 2FA options. We had another on offering our content in multiple languages.
We did the ASN fee harmonization, which you’ve heard mentioned a number of times already today. And then we just completed a suggestion, which Brad Gorman will speak about the results of a little bit more tomorrow on automation of creating route objects in relation to ROAs.
The first two — both of those we’ve taken that feedback and it is in consideration in our pipeline for future development with regard to additional 2FA features and offering content in translation.
The ASN fee harmonization was adopted.
We’re preparing for an implementation in January, and we are currently engaged in direct communication with impacted customers, so they know they’re going to be seeing a change in their bill in 2024.
As I mentioned, we just completed the consultation on IRR route objects, and Brad will be reporting on that in detail in his presentation tomorrow.
We, as I mentioned at the beginning, have been running off this exact documented process since 2018. Things have changed. One of the big things notable this year is the development inside of our Customer Experience and Strategy team of developing a business process, focused process — a process — yes. Reggie is in the back of the room; he’ll explain.
But developing a new way of doing that; and so what we’re trying to do is better align the ACSP with that. You’re going to see more things coming through as suggestions with a resolution of referring them to consultation, but we’re also going to be updating the suggestion process document itself to reflect that and better align it with our new business processes.
That’s probably going to be an early 2025 thing — 2025 — I don’t even know what year it is anymore. 2024. Working on it.
Did somebody say it was a long day? It’s been a long day.
We do have four consultations already queued up in the pipeline. Mark’s going to talk a little bit more tomorrow about what’s coming up in the area about our email templates, but we’ll be having a consultation on that probably launching — we’re targeting the beginning of November, depends on how wrap-up from the meeting goes. We’ll be talking about that.
Next up, after that, we’ll be looking at allowing recipients of reallocated or reassigned addresses to use RPKI. That’s something that came in via suggestion earlier this year. We’ll be scoping that out a little bit and getting some input from the community via consultation.
Then on to Resource Public Key Infrastructure, BGP route intelligence, there’s a lot of work that Brad’s been doing in that area. He’ll talk about that more in his Routing Security Update tomorrow.
And most recently, we had a fairly — in the last month and a half — suggestion come in related to our REST API and some of the functionality there, and we’ll be doing a consultation on that to determine whether or not — where that might fit in future development.
That’s kind of what’s been happening in the consultation and suggestion space, and I just wanted to give folks an update because it doesn’t tend to get a lot of attention but it’s something that’s very important to us.
It’s how we find out what you need us to be doing. So please don’t hesitate to use that as a way to make recommendations for improvements to process and services.
With that, are there any questions before we go to Open Microphone? And I’ll help myself with the queue. Go ahead.
Andrew Dul: Andrew Dul. My question is about how you think about priorities and impact of suggestions, specifically around a specific suggestion might impact one organization or it might impact every organization, and how you think about the priorities of those when you are determining which ones to push forward as opposed to which ones you say “We’re not going to do that?” What’s the process and thoughts around that these days?
John Curran: Okay. There’s two things that happen. First, the suggestion has to be prioritized to see whether or not — or not even prioritized — assessed to see whether or not it’s something that should be done. And that’s the first filter.
A lot of things we look at, we understand why, but the impact of that or the consequences aren’t valid. You’ll see us turn down, say, based on the consultation we did with the community and their feedback, this isn’t something we think we should be doing, or it’s something that we should.
That’s just a threshold of, in the perfect world, with infinite resources, would we be doing this, yes or no? And we try to do that pretty quickly.
There’s some that I can rule out immediately — legal basis, violation of mission, whatever — but a lot of them go to consultation. And then when we come back, if it’s something in a perfect world we should do, we’ll accept it. And then you’ll see a statement saying, “Be accepted for further consideration of the development timeline,” which is a whole other process.
What happens is we actually have Richard and Mark, and there’s a development backlog that they’re trying to pick up items that have been accepted as suggestions, as “Yes, we’ll do this when resources allow.”
If we’re in that section of ARIN Online doing code, we will try to bring it in because you’re already there, you’re already doing QA. I don’t weigh in too much and meddle on the development team’s desire as to what rate they get those items.
I do hear complaints when people say we’re not getting to them fast enough. And occasionally there’s times, like we do RPKI, and every other development item sort of slides while we’re doing that.
But if it’s worth doing, it makes it through the suggestion process, and then the development team will pick it up, as long as we don’t have them doing mandatory feature push-out or mandatory regulatory work or mandatory legal work.
I let the engineering people predominantly decide how they prioritize that because the last thing they need is one more set of voices in their head.
Andrew Dul: Just a real quick follow-up. I appreciate the statements we see when they come back. I think sometimes I just want to see something that is more like an impact statement: this impacts this amount of the community, or some sort of more quantifiable metric; this is in our top priorities, or this is in our super backlog or whatever, that is maybe a little bit more transparent going forward.
John Curran: Let me ask a question.
There’s: we think this is important; we think this is good; this is a nice to have. We can give you that and we can give it at the time we close.
But that’s different than this will happen soon, or this will happen later. And to see that, you have to go on… We actually put the roadmap of our features that are coming online. And you’ll see these things get slated in but they might be two quarters out.
Its importance doesn’t say how soon it’s going to happen because you don’t know what else is already committed to or what else is there.
We can try to work on doing a better idea of how important we consider it, but if you actually want to see what does that translate to when I see it, you have to keep checking the engineering roadmap, and seeing when it actually ends up on the roadmap.
John Sweeting: We’re beginning a front-end business process(Off Microphone.)
John Curran: Internally, there’s a pretty significant process. Because we make commitments to you and the Board about what we get done. And that preempts many of the development cycles in a substantial way.
Hollis Kara: Thank you.
Kevin, did you have a question?
Kevin Blumberg: Yeah. Kevin Blumberg, The Wire. First of all, I appreciate that you limiting down and keeping it relevant that we aren’t getting inundated with consultations or with over emailed things. I do appreciate that.
A couple things. The first is, email Mailing Lists are horse and buggy at this point. They can only work in a serial nature. You can’t throw up three consultations at the same time; everybody gets lost between them.
So one thing you could possibly do is look at once a month. You do a consultation for 30 days until the end of that month, it’s done. You can then do 12 of them and that’s your maximum for the year. You do 12. Or you come up with a better process of doing consultations.
Because it is very serial — you can do one at a time — otherwise people get lost in it.
The second thing is, I would really appreciate having consultations be done over ARIN conferences. They start and they stop after whatever date you want. And I think you will find that there will be far greater feedback towards a consultation if it was actually also done during an ARIN meeting. Something to consider there.
Lastly, a lot of the information that ARIN gives has been very good with these consultations.
It’s done a very good job explaining it. Keep trying to do more in that regard in terms of, I think there’s a lot of background that you are so used to knowing about, that means that the person who is completely blank to this, whether it’s 2FA, or whatever, fee harmonization, they don’t know the history, the context of it.
It would be very helpful for the average ARIN member if there was a little bit more context to some of these consultations.
Hollis Kara: Awesome. I appreciate all that feedback. Thank you.
John Sweeting: I just want to make — John Sweeting, Chief Customer Officer. I just want to make a comment to Kevin’s point.
We actually have spent a lot of time over the last year and a half building the new business processes inside ARIN, and the consultation process is one of the things that we realized that we need to really get better at.
You’re going to see a lot more in-depth consultations coming out, as Hollis alluded to in her presentation.
Hollis Kara: Yep. Awesome.
Dustin Moses: Dustin Moses, Intermax Networks. One of the things I saw on the Consultation and Suggestion Process is that you have a bunch of options for all of these suggestions that are in there. But wouldn’t it be nice if people could actually look at that and say “Actually this also is something I’m interested in,” and it’s as simple as an up-vote, saying this is going to help bubble things up that are top priorities for the community rather than just it being a ticket, which kind of just sits there as a suggestion and just says open with some feedback or some consideration?
If the community could then just a simple up-vote/down-vote, this isn’t a priority/this is a priority, that would be kind of helpful.
John Curran: To that extent, when we’re not in a surge like we’ve just kind of been doing with routing RPKI and we have a substantial amount of development resources coming up to free, you’ll see us often put a survey out saying “We have a list of items we’re thinking of for development, can you prioritize them?”
You haven’t seen one in 18 months because we’ve been in a little bit of a squeeze trying to catch up with RPKI. But when we get some more cycles, you’ll see, we’ll take the items in the queue, and rather than presuming our idea or my idea of what’s important, if we have enough cycles that we have the freedom to prioritize, we’ll go out for survey.
We have done that in the past two or three times. We just haven’t done one recently, so you may not have seen it.
Hollis Kara: All right. Seeing nothing further, could I get an assist to hop ahead to the open mic slide.
With that, I’d like to welcome John and Bill up to the stage to conduct the Open Microphone. If you have comments or questions for Open Mic, please approach.
John Curran: Thank you, Hollis.
Bill Sandiford: All right. Let’s start over here on this side.
William Sylvester: William Sylvester, Addrex. We have a Whois problem. The Whois problem is that we have Port 43. We have Port 80, otherwise known as HTTP. We have JSON. We have RDAP and a bunch of other things.
And I was thinking it would be helpful for the community to get together and ultimately probably create a task force to sort of sort through all these different versions and ultimately figure out what is really needed, not needed; there’s stuff that goes back 30 or more years, protocols that are used. But mostly it’s the inconsistencies between some of the different protocols that creates some challenges that are within that.
John Curran: This is music to my ears because we have to support all of that, and having the community use fewer items that are more robust and better supported than a wide range of things over 20 years is a great thing.
If anyone is interested in that, find Bill, and when you guys get a good idea together, we’re happy to implement it.
Quite frankly, part of the work that’s pressuring the organization and the engineering team is we have a pretty big push to take legacy — not legacy resources — but legacy as in old systems, things beyond their lifetime, and retire them.
And we have a little bit of what we call “tech debt” from old code. Some of which we might have inherited like from you, actually, now that I think about it.
Maybe not you directly, but we have some code that we’ve brought along with the formation of ARIN that’s still being updated.
To that extent, that’s why we’re looking at things like template retirement. But we’d also like to look at the wide range of systems we have and if there’s not a need for all of them, that would be great to wind down and just focus on the ones that are important.
So I think that’s great. But we need to have that come from the community. So if you want to galvanize a bunch of people and get them excited, we’re happy to support the discussion.
Bill Sandiford: Lee.
Lee Howard: Lee Howard from IPv4.Global by Hilco Streambank. Actually not an entirely unrelated comment or request.
So what I’m hearing is something like a registration database — registration database working group. That’s a clever idea. Somebody should do that at an RIR. Actually, I do think it needs to be facilitated by ARIN in order to provide the means of communication.
But what I came up to say, as we were discussing some of the policies today, I noticed that they referenced a term “SWIP.” That is not actually expanded in the Number Resource Policy Manual. There is no definition of Shared Whois Project.
We don’t even use a Shared Whois. That doesn’t have a legitimate meaning anymore. I’ve already asked one of my favorite AC members to take that back to the Advisory Council, but that seems like an important term. If we’re going to be looking at the database, the Section 3.2 that discusses distributed database might also come up for discussion again.
John Curran: If you look at the threads today, the discussion here, there is a delegation thing that happens in our registry that we don’t have well-defined, we’ve inherited because of the policies for picking up things.
To the extent that someone wants to propose a NRPM policy for the registration of delegations, okay, and say when they have to happen and what’s the circumstance and are they for certain sized blocks or tied to the abuse contact and whether you’re doing the NOC service, once we actually get a clear definition of delegation registration — and that can be someplace other — there’s a lot of NRPM that gets cleaned up.
And SWIP is an example. SWIP is now used today in SWIP entries to refer to, effectively, delegation registration.
Lee Howard: Reassignment.
John Curran: We just need to have a definition and a policy that covers that generically and not reference the Shared Whois Project.
Lee Howard: Exactly. I’m proposing we need a definition section that says whatever the word is.
John Curran: Right.
Bill Sandiford: Verb, “to SWIP.” Doug.
Doug Camin: Doug Camin, Coordinated Care Services, and wear my hat as an AC candidate. A suggestion for election process. I know we did the new video recording and the idea behind that was an equity component, which I support and agree with.
I do think that — the suggestion that I have is that we consider adding a component where, perhaps after the videos are done or something like that, all those who are up for election are asked to come up front and you can maybe introduce them, like maybe, Hollis, you be the one to introduce them, they kind of wave their hands or something like that, so they can put faces to names in the room for the people that are actually present here in the meeting. I feel like that would be beneficial.
John Curran: Can I ask a question about that? I’m going to move from the AC to the Board.
When we provide that opportunity — and remember that sometimes we have people running for the AC or the Board who aren’t necessarily otherwise attending an ARIN meeting.
We have a circumstance where either those who can afford to attend get to be seen in front of the community, or we’re subsidizing to create an equal field so everyone who is running can attend, and that ends up being a pretty — our election processes we’ve moved to more open, and we don’t eliminate someone from the slate unless it’s absolutely visibly obvious they can’t serve, which means we could have a large number of people running because the meeting is in Miami and who doesn’t want to go to a trip to Miami.
So how would you deal, if we’re going to let the people in the room have that advantage of interacting, how would you deal with the equity situation? Do we just let the ones who happen to afford to come to ARIN gain the advantage?
Doug Camin: I think that’s a great question. I don’t know that I have a direct answer for it at this moment.
I think that one of the components of running is being present here and that does speak a lot to where things are.
Your point is well made that a trip to Miami can be a challenging thing, or, sorry, could attract a lot of people to come to it.
But I also think that for the people who are present here, there is certainly a component where knowing who you are, being able to talk to people, sometimes the video, you might be washed out of the video or you look a little different or something like that.
So being able to put the name to the face for the people that are matching those to people up in the room does have value as well.
John Curran: Understood. And we thought about that. The Board has been constrained in the past worrying about the equity situation. But we’ll take it and pick it up again.
Doug Camin: Thank you.
Bill Sandiford: Kevin.
Kevin Blumberg: Just to go a little bit here. I don’t think that this is helping the process, what you’re talking about with the equity. I think it’s just making the process worse.
What I mean by that is, I take great pride in watching the candidates squirm up at the microphone and see how they perform live. Whether that’s Zoom or whether that’s in person. I see great validity to that.
You could just as easily take it as far as saying no candidate flags, so you don’t know who the candidates are, and the candidates actually can’t participate in person because that would be a disadvantage.
You can take it any step you want it to be completely. There’s an absolute benefit for the community to be able to interact and see the candidates. So I actually prefer the live, I’ve got to say, and that could be live remote or live in person.
No, it’s not a free meal ticket. I don’t believe in that. But that doesn’t mean you need to detract from giving us that.
John Curran: Okay. Good to know. Thank you.
Kevin Blumberg: That was number one. My actual item.
Bill Sandiford: One item per customer.
Kevin Blumberg: The NANOG conference just wrapped up. Tina did a description of it. In the NANOG conference, the operators were, quite frankly, very unaware of the policies that were going on with ARIN, which is not a new thing. But they are by and large a little bit more interested when there’s a policy which impacts them.
I would say the same thing about the ARIN community. I think the ARIN community needs to spend a little bit more time looking at what the operators are doing, especially with RPKI, with IRR, with many of the changes that are coming down the pipe.
There’s a huge change coming to IRR in, what, 10, 12 days with RADb, which is one of the largest IRR mirrors. Big change.
There’s lots of stuff going on, and it will have a direct impact on how we inform policy and how we make our decisions.
So it’s really important that, as policy people at this conference, we are very keenly aware of what the operators are doing three days before as well.
John Curran: All right.
Bill Sandiford: Last call for the microphones. Feel free to comment from online remotely as well.
Norman Jester: Norman Jester, Mexico Internet Exchange and Jelly Digital. My comment is this: Earlier, we were talking about Whois records and registration and all that.
I do support fully registering and having SWIPs and everything for customers, but just sitting here, I received four different complaints from my staff that we’re getting Whois spam from various carriers who are abusing the Whois database system.
As network operators, we all have a lot of time helping customers and everything. The last thing we need is people abusing the Whois system to inbox us and try to market us services, such as several carriers, some starting with the letter C and ending with T, for example.
Bill Sandiford: Let’s avoid that type of stuff, but I hear you.
Norman Jester: I’m avoiding that. But what I would like to know is, is there some kind of a plan in place to create a way to sanction those that are abusing the system and a penalty of some sort or a smack on the hand publicly or something to that effect? How is that going to be handled? Because it’s getting worse and worse and worse, as you can see in NANOG, all the threads in the various groups.
John Curran: Right. Okay. So to the extent that you have someone spamming you, okay, you send it to compliance@ARIN.net. And you say this is abuse from a Whois contact. We don’t want to hair trigger. I’ll admit, we do try to wait a little bit.
But if we see a pattern, we do reach out directly to the carrier and we say you have to stop this; you have to reeducate your salesforce, you cannot use and harvest Whois records for this.
Worst case, we drop their access to Whois. We block right across the board. You’d be amazed, because when we do that, we do all your ranges. That’s you, your customers. It’s impactful.
Bill Sandiford: It has been done.
John Curran: It’s because if you abuse the Whois database, you shouldn’t have access to the Whois database.
Please give this to compliance and we’ll revisit the carriers in question.
Norman Jester: Thank you.
Bill Sandiford: All right. Microphones are now closed. Come on up, Scott.
Scott Johnson: Just pursuant to the gentleman’s point here. I get a reasonable amount of email that is not only spam but could be considered social engineering, and the request is not to lease my address space or purchase my address space, but can you put me in contact with the person that is responsible for your subnetting.
John Curran: I agree. To this end, folks, to the extent that you’re worried about this, one thing that helps enormously is, put an email address in your Whois record for your organization, for your POCs, that are unique to what you do to ARIN, and that way when they show up, we have no argument about where this came from.
We do have Salt in the database. So occasionally we’ll pick it up, but you pick it up far more often. So good to have unique handles.
Bill Sandiford: Hollis, that’s it for Open Microphone. Go ahead and close it down. Thank you very much.
John Curran: Thank you.
Closing Announcements and Adjournment
Hollis Kara: All right. Thank you, John and Bill. And thank you everyone for joining us today and hanging in there. It’s been a lot. We’ve got a lot to think about. There’s been a lot of great conversation, and hopefully we’ll be able to continue that at the social a little bit later this evening.
First off, I’d like to thank our sponsors, AT&T, IPv4.Global by Hilco Streambank, and Google.
Can I get a round of applause?
There’s still audience participation. We’re not done yet. Thank you, sponsors.
ARIN elections, as you know, the elections opened a little bit earlier today. You can visit ARIN.net/elections for full voting instructions, if you need them, or, everybody say it, Jason’s out in the hall. Try again. Everybody. Jason’s in the hall. Y’all, come on. We’re not done. I expect more tomorrow. I’m just saying.
Thanks, guys, for playing.
I do hope we’ll see you this evening at our social event. We’ll be at Stone Brewing World Bistro and Gardens - Liberty Station. The same people who named IPv4.Global were responsible for that name.
So that would be tonight from 7 to 11 p.m. We’ll be having transportation available. Buses will leave starting at 6:15. We’ll be running them at 6:30 and 6:45 as well, with return service starting around, what, 8 p.m.? I think that’s right. There will be signage at the event.
If you go out the front doors and kind of walk a little bit down the hill, that’s where the buses need to load. They can’t bring them all the way up.
So do join us for the social this evening. My understanding is it’s a lovely venue. It will be a relaxed event, and you can continue your conversations of the day.
Tomorrow morning, we’ll resume with breakfast at 8 a.m. out on the Bay Terrace. We’ll start the meeting at 9 and we’ll run through noon.
Thank you again for being here today and we look forward to seeing you tomorrow. Thanks, everybody.
(Meeting adjourned at 5:15.)