ARIN 52 Public Policy and Members Meeting, Day 2 Transcript - Friday, 20 October 2023
Opening and Announcements
Hollis Kara: Are you folks ready to get this party started?
(Cheers and applause.)
I was going to say come on, don’t make me try that hard. It’s been a long week.
Welcome, everyone, to day two of ARIN 52.
We’re happy to have you back. I want to start off the day with a couple of quick reminders before we launch into our presentations.
Again, I’d like to thank all our volunteer bodies that support the ARIN community, the Board of Trustees, the Advisory Council, and NRO Number Council. If I could get you guys to stand up, and let’s give them a round of applause.
All right. Thank you so much.
Just a quick reminder, for those joining us in the hybrid space, for our virtual meeting, our virtual attendees, chat is for chat. If you wish to enter a comment or a question, when we get to any Q&A portions or the Open Microphone, please make sure to raise your hand or to enter that question in the Q&A box on your Zoom.
The Help Desk will be open for virtual attendees until 9:30 this morning, if you’re having any technical challenges, and it will be open again at the break.
In person, you are welcome to join the Zoom if you like. Please do be sure, if you do that, that your device is muted and you are disconnected from audio. But you are welcome to log in there so that you can engage in chat with the remote attendees if you so choose.
Just a reminder, the navigation on our website is a little bit compressed this time. Under the in-person navigation menu, I believe, yep, you can see where you can find our ombudsman’s information if you need to contact him at any point during the meeting.
And then for virtual attendees, the virtual event hub and Help Desk are available. And for in-person attendees that virtual event hub would be a way you could quickly access the Zoom if you wanted to join that.
For our Q&A portions of the meeting, please remember, whether you are entering a comment in person or virtually that you need to do that by starting with your name and affiliation, for the benefit of our transcriptionist. And also, if you could try to speak a teence slower than I’m talking right now.
I’d like to thank our network sponsor, AT&T, if we could give them a round of applause.
This meeting does rely very heavily on a functional network. So, the network sponsor is a critical component of the success of the meeting.
I’d like to thank our bronze sponsor, IPv4.Global by Hilco Streambank.
I didn’t even have to ask that time. You guys are getting good at this. And last, our webcast sponsor, Google.
We have a lot of really good content for you today. We’ll start off with an Engineering Update, followed by routing security, information security, an update from IANA, NRO EC update, our global RIR update, and then we’re going to take a quick break.
When we come back, we’ll have one virtual presenter of the meeting, who will be speaking on research around network and IP management obstacles. Then we’ll have our programs update and certification program update, and close out with the ASO AC update and an Open Microphone. Lots to get through. A little bit of time.
We’re going to get the party started, get rolling here. If I could invite Mark Kosters up to handle the Engineering Update, that would be awesome. Come on up, Mark.
Mark Kosters: So, welcome. I should say good morning.
From the Floor: Good morning.
Mark Kosters: For me, I’m still on Eastern time zone. I’ve been waking up at 3:00 in the morning and not falling back to sleep. I don’t know how many of the rest of you are like that, but it’s just not happening to me this week. So, I guess I’ve been up for five hours already. For you who have been up for much less than that, congratulations.
What I’m going to talk about today, this presentation is going to be a preview of other talks that are going to be following me. So, I’m going to be talking a little bit about lots of things and you’re going to hear a lot more about sort of more narrow subject matters as we go through this presentation.
Here we go. I guess that’s the Engineering Report, that’s me. Okay. What are we going to talk about today?
We’re going to talk about the services that Engineering supports. It’s really sort of a catalog, if you will, of the things that Engineering takes care of for ARIN and for the community.
Second of all, we’re going to talk about statistics on certain aspects of the services that we have, software releases that we’ve done since the last meeting, and end up with challenges and what we’re going to be doing next.
Core services, ARIN Online. What is that? Anyone here actually use ARIN Online? Okay. Let me put it the other way, who has not used ARIN Online here?
All right. We have a few people. So, that’s fine. Go ahead and log in. You can get yourself an account. Log in once and you could be part of the statistics collection that I report on every ARIN meeting.
We have email templates that someday will go away. We have reports. We have lots of reports that are put out. So WhoWas, bulk Whois, extended delegated stats, transfer stats, you name it, we have reports on it.
RPKI, we’ve had lots of enhancements to that. The Internet Routing Registry, IRR, we have some updates to that.
DNS, not really so many updates about that, but, man, we have a lot of traffic going toward that.
Directory Services, I think it was Andrew Dul that brought this up at the Open Mic — we have three services that essentially do the same thing. They’re all a little bit different.
We have Whois. And as we go through the slides you’ll see that it gets the predominant amount of traffic from the community.
We have Whois-RWS, which is sort of a predecessor to RDAP. And Whois-RWS is basically webifying Whois with essentially all the same features as Whois has but on port 80 and 443.
And of course, we have RDAP. And this is an industry standard that we’ve helped the IETF through that the community will be using, and some day we hope that will basically take over Whois.
We have email, hostmaster, and billing. Other services, ARIN Mailing Lists, the ARIN website. And ARIN website is comprised of both ARIN Online and the Vault. If you’ve gone to the Vault recently, you’ll notice that it looks a little bit different, and we’ve made some enhancements to it. And that was a long-running project between us and Communications.
We have OT&E set up for people who want to go ahead and test their code against what we have, whether it be APIs or using the user interface. We have that set up as well.
We have FTP. Yes, we still run FTP. Many of you don’t probably know what FTP is.
Okay. Most of you do know what it is.
We have the ARIN Online staff interface on the backside. We call that the Management App. We have infrastructure tools that we have on the backside as well.
Security and performance monitoring, we have weekly meetings where we talk about how things are doing. We actually go through Grafana graphs on our various services as well as the infrastructure that supports those services to make sure everything is running fine.
We have cloud-based tools that we are using as well. Email, of course, within the organization, which is really important. Various environments that are used for testing. Long-running hardened testing, daily testing, regression testing, you-name-it testing, we have that kind of testing. And, of course, analytics.
Let’s go look at statistics now. This is the number of people who have activated ARIN Online accounts since inception. One of the things that continually amazes me is we always consistently have approximately 10,000 to 12,000 new users every year that come into ARIN Online.
What’s interesting about this, even more, is the number of people that are one-and-done. So, those people who haven’t had accounts, you can actually join in and make that second column or that second part of the chart actually higher if you want.
So, if you raised your hand and have never gone to ARIN Online, now is your opportunity to do so. The last thing I’ll mention is that the number of people who have logged in 16 or more times is continually growing. Of course, that makes sense over time. And there’s one person that has logged in almost a billion times. The person has been very, very busy.
What can I say?
2FA adoption. We made 2FA, two-factor authentication mandatory for ARIN Online accounts. And one of the things that’s interesting is that there’s been over almost 21,000 — it’s over 20,000 new accounts since it was made mandatory.
And it’s basically running neck and neck between TOTP and SMS for the favored authentication method. FIDO2 is following behind, but I’m sure it will gain up steam someday.
Provisioning transactions. Okay. So, these are people that are actually going in and doing reassignments within ARIN. And what you’ll notice here is that the green line, which are templates, is slowly drifting down — slowly, slowly, still there. When will it go away?
The purple line is the RESTful transaction. That continues to grow.
Whois-RWS. So, Whois is the blue line. That is the legacy protocol that’s been around since I was a little baby. And the red line is Whois-RWS, which is a predecessor to RDAP, which is a web version of this. And you can see that they’re continuing to grow. The amazing thing is that we continue to be near record growth on Whois. People like to query us for data.
Here’s an interesting graph dealing with RDAP. You’ll notice that the numbers are a little bit different. The legends are a little bit different.
What I wanted to do through this graph is to show you, here’s a new service. This is a pretty modern service. The amount of people that are using v4, which is in red, and the people that are using v6, that’s in blue.
It would be really kind of fun to see blue overtake red, but I’m not really holding my breath too much. It’s maybe 5 to 10 percent of our traffic is essentially v6.
DNS. I’m not sure how many of you can see this. We see about 70,000 queries per second across the /8 servers that serve up our 192.in-addr.arpa. It’s a fairly busy service.
What’s interesting about that is most of the traffic is PTR records, which make sense because that’s the way that you say, hey, give me the name dealing with this IP address, which is the whole sole purpose of reverse DNS. And that is essentially 50 percent of the traffic.
“A” records, which is, hey, I have this name, give me the IP address. It’s close behind. I’m not sure why, but that is what it is. So, there you go.
Releases and improvements. Secured routing announcements. This is where I talk about sort of preview and sort of going over generally about what things are going to be talked about by Brad a little bit later.
We’ve done some preliminary work with RPKI integration with IRR. That work is ongoing. We actually need it to go to the community to do a consultation that many of you all participated in to figure out what is the best steps going forward.
We have done a notification for tech admin and routing context when a ROA is deleted. We’ve done RRDP notification file optimization. You all say, what is that?
Well, that is RPKI has this repository, and you have two ways of getting this data. One is using rsync, which is the old protocol, and RRDP, which is a new one, which actually uses the web.
What we’re learning over time is that there’s some better ways of doing impacts. And actually, we’ve actually helped with the community create best and current practices. And we’ve actually done some optimizations of our notification file, which basically says, hey, these changes have occurred since the last time you’ve checked, go ahead and pull down these changes.
We’ve had UI navigation improvements within ARIN Online. RPKI auto-renewal, which is a big hit. A number of you have talked to me about that and love it. And RPKI actions that are no longer ticketed.
When we first started this RPKI business, we thought that our HSMs were going to be overrun — which is, it’s a slow component — overrun with requests. And we’ve realized that we need to remove this gate. So, we removed the option of ticketing these things.
Now, once you go ahead and submit for your new ROA, it’s immediately created.
We have template and ARIN Online feature parity. I know someone in the audience really likes that. Thank you, Kat. So that is out there now.
Qualified Facilitator Program. This is a new program that ARIN’s put out. We made some process improvements for that.
New Fee Calculator. It reflects ASN fee harmonization changes that will start in 2024.
New Daily Resources Under Agreement Report. This is another one that the community actually likes. We may have some improvements to make to it as well. It basically denotes full versus basic registry services per Internet resource.
Ongoing. And this is another thing that I’m doing a preview for. We have a SOC2 Type 2 audit underway and a PCI audit underway. Both Christian and I are very happy about the progress. I will say no more, Christian. I’ll let you do the rest. And we also have a reduction of technical debt.
System improvements since ARIN 51. We’re continuing to get rid of end-of-life boxes. We are prepared to roll out new hardware for our PFS sites. We actually have this housed in one of our three facilities and are working on the transition now.
And we have completed our third-party security audit earlier in Q3.
What’s next and challenges? Okay, so here’s some things that are coming out.
So, I talked a little bit about templates, right? And we had, at the last meeting, we had a conversation about what should we do with templates. And Hollis brought up that there’s going to be an upcoming consultation on getting rid of templates.
To help this along, we realized that many of you don’t have the budget right now to go ahead and retool your stuff that’s been there for a long time on doing reassignments that actually sets them as templates.
So, what we did is create a tool that you can actually use as a shim that would take this template stuff and actually create RESTful API calls on the back end. And we’re going to be making this publicly available, and it will actually help – we hope it will help facilitate the transition from templates to the RESTful Reg-RWS API calls that many of you all use today.
Our hope is, one, this is more secure for you guys; two, it will help retire this legacy service more quickly.
This template processor will become available after the consultation starts, which I believe Hollis said will be sometime in November.
This is the ReadMe. You can see the graphic, how this works. Basically, it’s using Docker to actually work all this magic out. You can see the process flow.
Basically, send templates to SMTP service, which is an email system. It then sends it to a Docker image that actually translates that template into API calls that actually talks to ARIN.
Second thing that we’re talking about — and this is fairly new as well — is geolocation within RDAP. There’s been — over time, people have asked, hey, we would really like to know where this IP address really is located. And this really isn’t a part of ARIN’s core mission. But there are things that we can do to help.
And there’s an RFC that’s actually out there called the RFC9092, it’s in the lower area, that describes local management of how people can actually deal with their resources in geolocation data.
And the way of bootstrapping that is using a Directory Service Protocol to make this happen. One of the things we’ve had over time is that there’s been, within the Whois arena, there’s been various formats done by various players all entrenched, so that it’s really hard to parse this.
Whois-RWS, which is a predecessor to RDAP, really hasn’t taken off aside from — that ARIN uses. But RDAP is something that all the regional registries are consistently following. And we’re all following the same behavior.
And as we go forward with new enhancements. And maybe the best way to put this in is actually to have this sort of pointer to someone’s repository where they can say, here’s my list of IP addresses and where it’s actually geo-located.
And actually, that’s up to ISPs. They can actually do this or not do this. There’s no mandate to make this happen. But this could be a better way of actually making this go.
One of the things I’ll note — I’m kind of jumping all over the place on the background here — ICANN is in the process of sunsetting Whois. They are in the process of making all the registrars and registries on the domain side actually move from Whois, as a mandated service that they need to provide to the community, to RDAP. And this will be completed, right now, in January of 2025.
So, this work is underway. They’re in the transition period now. But they’re looking to do this within the next year or so. You’ll see a lot of work starting to happen here.
If you haven’t heard RDAP before, you’re going to be hearing RDAP a lot more going forward.
Challenges over time. We had our SOC2 Type 1 audit that we actually put into place. We passed. We’ve had a balance of urgent needs, ARIN 51, ARIN Online enhancements, internal tools for customer-facing services and teams, and technical debt.
We continue that trend, continue having technical debt, ARIN Online enhancements, customer-facing teams, as well as the SOC2 and PCI audits. So, there’s a lot of work being done as a team with Engineering and Information Security and also with the customer service teams, et cetera, to make all these things happen. And we’re working hard to help serve the community better.
Thank you. Any questions?
Hollis Kara: Anyone has questions for Mark, now would be the time to approach the microphones or start typing.
And I see we have our first person.
Kevin Blumberg: Kevin Blumberg, The Wire. Good morning. Thank you, Mark.
Mark Kosters: You’re welcome.
Kevin Blumberg: First question, the word “technical debt,” in how many presentations over how many years has that word been used?
Mark Kosters: Lots.
Kevin Blumberg: Lots. Can you re-factor that more along the lines of lifecycle management and start actually showing where — because technical debt is a negative. And really, in many cases, what you’re saying is, we’re a little bit behind on some stuff. We’re doing great on others. Here’s what’s going on. But it’s more about lifecycle management. And it’s just something that I’ve noticed.
It also sort of applies to what you just brought up with getting rid of email templates. The most important thing is that discussion of getting rid of email templates is as long as the term “technical debt” has been around. I think you’ve put it up on slides the last 10 years.
Sunset it, but, more importantly, give us a lifecycle of, in 18 months this is being deprecated; in 36 months this is being turned off. Whatever it may be. But give the community just a roadmap, a lifecycle of these, because “we’re thinking about doing it” has been at the mic for the last seven years now, I believe.
Rather, just give us a lifecycle on it. We understand that this is old. You’re going to have to work with it and get feedback on all of those things. But that makes life much easier for everybody.
Mark Kosters: Understood. Thank you, Kevin. Yes, John.
John Curran: So, the management of the technical debt, and it is technical debt. We have lifecycle management for all the things we’re developing, and we’re very good about making sure we’re not adding to the technical debt. But we have a large number of systems we inherited that truly is technical debt.
We report quarterly to the Board of Trustees the status of ARIN’s technical debt in detail, multiple pages with charts showing quarter-by-quarter plans on what’s getting retired. So, there is a level of oversight and review. And it does change over time. We have a sizable quantity, but it is a different and smaller amount. It’s smaller and it’s different than where it was three years ago.
I don’t know the extent to which the Board wants us to go ahead and review that with the members as well. I can certainly discuss that. But I do want to distinguish, we do lifecycle management for all the systems we’re developing, but we have things we didn’t develop, or we have things that were not maintained until we started a regime of it. That’s why the term “technical debt” is used.
Kevin Blumberg: Thank you.
Dan Alexander: Dan Alexander, Comcast.
I’ve seen these presentations a number of times, and it’s always interesting because we’re adding more and more services and we’re continuing to drag the old ones along.
And it’s one thing from an engineering perspective, but yesterday we were also talking about the same thing from a finance perspective and the ever-increasing cost to support it all.
It’s just a suggestion that staff or ARIN may want to consider, like, pick out the bottom 25 percent of legacy-services functionality, things that are consuming Engineering’s time, and let’s pick out a slot or set a slot aside on the next ARIN meeting where the community can get together and give the Board some real guidance about let’s just cut this one, let’s just cut this one, and start getting rid of some of the legacy functionality so you don’t have to constantly support it.
Mark Kosters: Agreed. Agreed. So, there’s a couple of legacy services. I’ll mention one that I personally would like to see go.
That’s FTP, File Transfer Protocol.
Vendors don’t even support that on their OSs anymore. But I know that people are still reliant on it. So, that’s something that we would have to work through to actually make the community aware, to retool their systems, et cetera, so that they can be ready for it. But your point’s very valid.
Dan Alexander: And the other reason it came to mind is there was a presentation — I think it was earlier at ARIN or maybe it was NANOG; it’s all blurring together — the ever-recurring story of how someone was talking to the presenter because they wrote the code 20 years ago that’s still running today, and they had left the company and nobody even knows where it is anymore.
So much of the stuff that’s probably still being used are those situations which are never going to go away. So, at a certain point we just have to cut the cord.
Mark Kosters: Agreed. Thank you so much.
Kat Hunter: Hi, Kat Hunter, Comcast, ARIN AC. As one of the largest, old email users of templates, the changes you made this year and the upcoming changes, once you made the changes this year, I have not touched the email templates. As far as I’m concerned you can get rid of them now. Everything works the way that it should. I’ve used it several times online and it works very well.
Mark Kosters: Thank you so much, Kat.
Hollis Kara: All right. I don’t see anything coming from online. So, I think you are all done.
Mark Kosters: Thank you.
Hollis Kara: Thank you, Mark. All right. We’re going to stick with our theme at the moment and head right into an update on routing security. Where is — there he is, Brad Gorman making his way to the stage.
You do need walk-on music. You take your time, don’t you?
Brad Gorman: Giving you more opportunities —
Hollis Kara: What more should I say, Mr. Gorman?
Brad Gorman: How wonderful and beautiful this hotel has been.
Hollis Kara: Yes, the hotel has been lovely. Yes. What else?
Brad Gorman: The fine weather in Southern California.
Hollis Kara: Yes, the fine weather in Southern California. I hope everyone has taken advantage of that. Any other notes?
Brad Gorman: The great presentations that you’ve been able to… —
Hollis Kara: Yes, you guys have had a great bunch of presentations. We’re going to have a few more here. Can we go?
Brad Gorman: Sure.
Hollis Kara: Okay. Thanks.
Routing Security Update
Brad Gorman: Thank you, Hollis. And thank you, everybody, for being here. Again, I’m Brad Gorman, the routing security product owner, responsible for all of the routing security products, like RPKI, IRR, DNSSEC. But today I’m going to focus on RPKI.
We’ll talk about very high definition and overview of RPKI and its usefulness, talk about ARIN’s RPKI services and what they do.
I’m going to look at some of the adoption numbers at RPKI of the services here at ARIN. And then we’ll talk about some new features, features that were released since ARIN 51, new features that have just been released the beginning of this month. And there you go, let’s go from there.
Let’s talk about RPKI. Thank you, RFC8620, for this fine definition. But basically, RPKI is a certificate-based cryptographic method where a resource holder can tell operators near and far across the Internet that you should be seeing traffic from these prefixes, coming from this ASN. Otherwise, don’t trust it.
It’s just a nice, simple method. As confusing and as sleep depriving these RFCs may be, it is a product that is the shining example of where routing security features are today and moving forward into the future.
What are some of the high-level benefits of RPKI? Well, it gives operators another third-party source of information to make better-informed decisions about their routing decisions.
This is a build-on to its sister routing security product, the IRR, but the great plus with RPKI is there’s continued development moving forward, and it’s going to be with us for a long, long time, and everybody should pay attention and move forward.
Another thing that RPKI offers network operators is it gives the resource holders the opportunity to make these statements about their resources and where they should come from. And it protects them from mistaken configurations or attempted nefarious activity, like hijacking your traffic.
And it also reduces the overall attack surface available to people who are trying to do bad things by making these statements and by using RPKI.
I’m going to talk about the services that ARIN offers, but I have to give you just a quick definition of a couple of terms.
In the certificate methodology that’s in RPKI, it follows the same rules and the same formatting as HTTP — or HTTPS, excuse me.
There’s a highest level certificate that is the trusted certificate for everything else down the chain. And in the example of RPKI, the Trust Anchor are all of the IRRs who are responsible for confirming resources that are in our registries to say when someone makes that statement that, yes, this is genuine, and it comes from the resource holder.
The main component that you, resource holders, are interested in RPKI is the Route Origin Authorization, or ROA. This is where you tell people “Hey, my prefix should be coming from this ASN.” And it’s your opportunity to make that statement in a place that everyone that is enabling and using RPKI can see it.
And then there’s an extremely important component in the middle of the RPKI. It’s Relying Party Software, but the more common term is validator. These validators are what search for and collect data from all of the IRRs, the RPKI repositories, and then make a determination about what information in the repository is valid. And then that data is used by operators on that back end to make those more informed routing decisions.
There’s three main — excuse me — there’s two main RPKI features that we offer and our peers, the other IRRs, offer. The first is Hosted RPKI. Hosted RPKI is kind of like the RPKI on training wheels. Let’s call it that.
The advantage to you, the resource holder, is that the RIR, ARIN in this case, does all the heavy lifting. We serve as the top certificate tree authenticator. We are the ones who maintain all of the information in the repositories for these ROAs that you’ve created.
The only responsibility that you have is creating these ROAs. But we do all the rest of making sure that Certificate Authority is there, making sure that those ROAs and that repository is available.
High availability is important. And this Hosted RPKI service is available both using the ARIN Online web interface or the API where you can make changes.
Now, it is by far the easiest one to use. It is by far the most adopted and used version of RPKI service at ARIN and in fact across the world. Upwards of 98 percent of our customers, the users of RPKI, use hosted.
Now Delegated RPKI is kind of the other end of the spectrum. All of the responsibilities, save that highest level certificate that the Trust Anchor function that ARIN performs, is now taken on by you or the operator who wants to maintain full control of their certificates and how they sign their ROAs. They maintain their repository in the publication services.
It is really for an organization who wants to maintain a lot more control over their destiny with respect to RPKI. But it does come with a number of — let’s call it responsibility associated with it. And it really isn’t — I wouldn’t really recommend it for any organization that doesn’t have a good handle, good knowledge of RPKI and its functions, as well as human and technical resources available to provide these repository services and running their certificate authority.
Now, I fumbled a little bit. There isn’t really a third flavor of RPKI, but there is an offshoot of Delegated. And the colloquial term is Hybrid RPKI. And it’s kind of the best of both worlds for an organization that wants to do it.
For the Org that wants to maintain more control over things, they run their own certificate authority. They manage where they or their customers create their ROAs.
But ARIN, in this case, will run the high-availability repositories that people out on the Internet will pull down with their validators and make these decisions.
And it’s that high-uptime availability requirement that most people want to run. This is really a good option for someone who wants more control but wants to kind of offload the hard stuff back to ARIN.
I’m going to show you a few numbers of adoption inside the ARIN region. As of today, or as of actually October 1, the number of organizations — eligible organizations — that had resources that could sign up for RPKI services, only 23.9 percent of them had adopted and turned up some sort of RPKI configuration with ARIN.
It is growing. And, again, you can tell the numbers here, the Hosted numbers are significantly larger than Delegated. And since hybrid is kind of an in-between — it’s actually a sub-service for Delegated customers. You can see there’s a few customers that have started using that.
But the graph, we just really want to represent it’s going up to the right. Selfishly we’d like to see it go to the right a whole lot more up. So, if there’s any questions, please come and find us and we’ll help you out, how to do it.
This is a representation of all of the addresses that are in — ARIN’s responsibility for in our registry and comparing it to the number of addresses that are visible and being covered by these ROAs, these statements that you’re making about your resources.
And about one-third of all of the numbers in ARIN’s repository, ARIN’s registry have been checked and are validated and are RPKI valid in the Internet today.
Here are new features in development.
Now, since ARIN 51, we had a release cycle two weeks after that. Some of these things were things being developed in the future that are now old and long in the tooth. They’ve been around for six months now.
We developed a new API. That new API, a much simpler interface. It makes it — it enabled atomic creation. You can do multiple adds and deletes inside of the same call, where everything was linear before.
And one of the biggest things that changed back in May was that we removed the signing requirement for users who are creating ROAs. And that opened up a whole lot of opportunities for us to develop new features for you, amongst them ROA auto renewal.
And Mark brought this up, but ROA auto renewal is exactly what it sounds like. Since your ROAs will no longer expire, there’s kind of a safety net out there. You can create them. And you don’t need to keep an eagle eye on it and make sure they’re there.
We’re going to take those and refresh them every 80 days for you. So, no unexpected or unintended impacts from ROAs going away.
I want to make a point, though, that any of the ROAs that were created with the API that had been released in 2014 are not auto renewing. So, you do need to make an effort to either recreate those ROAs using the UI, or with the new API to take advantage of the auto renewal feature that we enabled.
Another nice catch-up and keep-you-out-of-trouble sort of thing: we automated our certificate re-rolls. So, if resources come in or leave your organization, be it by transfers or new allocations, we will update your certificate with the new list of resources for you, so that the next time that you jump into the UI or go to use the API to make changes, those new resources are going to be available to you right away when you get in.
We also released an eligibility matrix and a kind of different representation of how you would go into your RPKI or your IRR features. And it makes it much simpler, right in front of the presentation of where my organization stands with do I have resources that can be used or not used, and quicker links to explanations of how to make it happen.
And I don’t have it on the slide here but one of the things I’ve been hearing from the community is when we got rid of this signing requirement and made it easier for you to create ROAs, you don’t have to worry about expiration dates anymore.
The form, the input form is simplified a lot. Someone told me it’s like having the “easy” button. And I was happy it wasn’t like having the “no” button. But it’s been recognized that some of the work that we’ve been doing has been well received. And we’re going to continue with development along the lines and get things going.
Now, we had a consultation that ran from a period from August into September where we were asking for your input on a feature that will pull closer together the use of two of the main routing security products, the RPKI and the IRR.
And after discussion both with the community and then internal at the conclusion of that consultation, I’m going to go over in some detail — more details available online or you can reach out to any of us — me or other people at ARIN to get even more detail.
But go down the list. Sorry. ARIN organizations will have the ability to set an organizational default that will automatically create a corresponding managed IRR route object at ROA creation.
It’s a way to make it easier on you to create objects. It gives you an “easy” button, so to speak, to create IRR objects that may have been forgotten, that you don’t know you need to make.
This is a simplification of bringing those together. And it’s also going to, over time, tighten up the IRR infrastructure that’s at ARIN and make it more useful moving forward.
The default of this feature is set to on.
But at every point during the addition or creation process you have the option to say, yes, I agree, or, no, I don’t want to create an auto-managed object.
So, at every step of the way you have a yes/no/stop where you can do it or not want to do it.
All of the auto-managed objects will be marked in the database as being such, being auto managed. And these auto-managed objects are going to be forever linked to that ROA.
Now, if you have a ROA and you go to delete it, and you agree that, hey, I created this ROA, there was a managed object, I want you to get rid of it for me, great. We’ll go ahead and do it.
If you so choose to keep that managed — or that route object that was created, it will become unmanaged and just the ROA is deleted.
There won’t be an unintended — if you don’t choose not to — removal of the auto object that may have unintended consequences.
When the ROAs are created, we’ll do a check to say, hey, do you want — there are no route objects associated with this. Do you want us to create it, yes or no? You have the option to do that.
These auto-managed objects that were created during ROA creation are not going to consider a max-length variable that’s inside of a ROA when creating a managed route object. Let me get into that.
ROAs have settings with a max-length value that could potentially open up to a very large number of route objects created. By use of that feature, you could create thousands, hundreds of thousands or even worse if you were to, say, create a ROA with a v6 and say, oh, everything from my /32 that I have create N number of ridiculously high /48 route objects.
So, in an attempt to maintain the size of the IRR database, these route objects will create a highest level, most generic intent that’s in that prefix, that’s in the ROA you created.
This also goes along with a standard in the RFC that’s suggesting a limited use. There are use cases for having a max-length value turned on. But the path and the direction that we’re taking with this, we believe, is not only in the spirit of using max-length in a way that is not — that there won’t be abuse, that can cause problems.
The deletion sequence is the same thing. If you go to delete the ROA, you have the ability to say yes or no, I want to delete the ROA. And any connected objects — those objects that don’t get deleted — are now unmanaged, allowing you to delete them.
At any point in time, you can manually create your own route objects. We’re not taking that away. But those route objects will not be managed by a ROA unless generated at ROA creation.
As a means of bringing together conformity, the API as it was released in May will also be updated to give the same features and capabilities as the users of the web UI.
We do have some interesting things in the pipeline. Mark touched on a couple of them, but I’ve got a couple different ones here too.
We have a feature we’re calling the RPKI IRR Intelligence, or BGP intelligence. What this is, a request that came in through our suggestion process to give information to the organization or the users creating a ROA to see what is the potential impact.
What could be the effect of me creating this ROA beforehand, kind of a precognition.
And that’s something that is integral in being able to understand what may or may not happen before and not having any impact.
We’re also going to give the ability to — we’re going to provide the information that says, hey, you have announcements going out that are existing on the Internet; you don’t have a ROA. Would you like to create a ROA for that?
And additionally we could say, hey, you’re creating a ROA that doesn’t match what’s out that we’re seeing in the Internet. Do you want to sync things up?
That’s something that definitely people have been looking for and asking for, and it is high on the list of future development.
And then we’re thumbing the other way now with regards to syncing capabilities that are in the API and the Web UI. We’re going to give web users the ability to download the full list of ROAs in a format file that you can pull off and do further — you can do further work on them offline.
We’re going to accept ROA changes via file, via upload. The interface right now is a create a ROA, come back, create another ROA, come in.
The API says you can create a thousand ROAs all at once. We’re going to give people the opportunity that maybe aren’t familiar or not wanting to use an API to upload a file in a format as we explain what it needs to look like and create a whole bunch of ROAs all at once.
Another thing that’s interesting, we had another request, which was to create a way with which we can assist customers who are transferring from a Hosted to a Delegated deployment of RPKI.
A lot under the hood there, but it’s something that, not only for this feature, has a lot of applicability in other features that we’ll release in the future.
Detailed but also high level. Any questions?
Hollis Kara: Thank you, Brad. If anyone has questions, please approach the microphone. I saw we have one from a virtual attendee. So, Beverly, would you like to read that for us?
Beverly Hicks: From Kurt Torok, for the 2014 ROA, API-created ROAs, will the expiration emails be sent, reminders before they expire, right?
Brad Gorman: Absolutely. Historically there had been, and still will be, messages sent at a 30-day countdown when ROAs are going to expire.
Again, those only go to ones that are expiring, not ones that are reaching the end of the auto-renew cycle. So, it’s only for ROAs that delete. And, yes, we’ll continue to send them.
Beverly Hicks: He says thank you.
Hollis Kara: Awesome. We’ll come over to…
Edward Lewis: Ed Lewis, ICANN, speaking as someone interested in the deployment of technologies, the statistics you gave in this talk, I would like to see them online and kept track over time. I’m curious how people are adopting which version of the Hosted or Delegated.
I’m interested in seeing that split over time. If you could keep stats like that online, that would be helpful for people to look at, how this gets rolled out.
Brad Gorman: I believe that’s a great idea. We’ll look at it.
Kevin Blumberg: Kevin Blumberg, The Wire.
Brad, thank you. The improvement to the RPKI ecosystem within the ARIN region over the past three years has been extraordinary. And you can absolutely see that the uprate now is getting there.
And with your simplifications to the process, it is going to accelerate even further. So, kudos to you and the staff and everybody who has been involved in improving this.
Brad Gorman: Thank you for the kind words to me, but I just suggest and prioritize things.
Really, it’s the engineering and development teams that are the ones doing the hard work. So, thank you.
Kevin Blumberg: My one question is, how is ARIN doing from a feature parity point of view with RPKI to the other RIRs? I don’t mean it in a negative. I just want to make sure that if everybody is sort of getting towards this simplification — or can you sort of speak to how that’s going on with the RIRs?
Brad Gorman: That’s interesting that you bring that up. And thank you for doing it. The NRO and the executive committee of the NRO did recognize that there are places where we could come to a more uniform — to say exactly the same is a push because we know that all the RIRs have their own responsibilities and member community they have to talk to — but we’re coming together. And one of these groups is an RPKI Working Group. We are going to do exactly that — try to come closer together to get a simplified but more common presentation of the capabilities across all the RIR footprints.
So, that’s something that we’re working on now. We’re, in fact, hiring the cat herder that’s going to work with all of us across the RIRs moving forward in the future. And that’s high on the list of things to do next year.
Kevin Blumberg: Thank you.
Anthony Delacruz: Anthony Delacruz, Lumen. I, again, second that. You guys are doing great with this.
Some of the changes to the pages, the format, everything, it’s really easy for our customers as we walk them through to be able to use it.
When do you anticipate the organizational on/off button appearing? My concern with that is since we run the LEVEL3 Routing Registry and we’re getting ready to dump in a ton of ROAs. I don’t want to duplicate some of that information that appears inside of our Routing Registry.
Brad Gorman: I understand. And, again, thank you for your question.
The development on those features as outlined in the consultation, work is going to start on that, maybe the end of this year but likely beginning of next year. And it will be a next-year deployment.
As it gets closer, we’ll probably give a more defined timeframe of when it will come. But my crystal ball says first half of next year.
Anthony Delacruz: Keep up the good work. Appreciate it.
Brad Gorman: Thank you.
Steve Wallace: Steve Wallace, Internet2. Great work. I have one thought. When you go to the ARIN Online web page it shows your IP address. You’re coming from, I think, in the upper right- or upper left-hand corner. You should have a check if there’s a covering ROA for that.
There are, like, “is your network safe” sites, but they actually don’t do that. So, that seems like — maybe I’ll submit that. I don’t know if that’s something that would be submitted as a feature request for the user interface. But it would be nice if you just had an indication, yeah, your IP address is covered by ROA.
Brad Gorman: Okay. Interesting. We’ll talk about it.
Leif Sawyer: Leif Sawyer, GCI Communications, Alaska. Thank you absolutely for all the work you guys are doing. My company said, no, we don’t want to do ROAs, we don’t want to do RPKI because it’s too difficult, it’s too confusing and the risks are too high. What you’ve done is made it so that my architect sent me a message and said, when are you back? We want to start doing ROAs.
Brad Gorman: Awesome.
Hollis Kara: Awesome.
Brad Gorman: Leif, thank you. That makes me feel good that the message is getting out. What we’re doing, making it simpler and spreading the understanding of how it works is working. We are continuing to push training. We’re going to be producing some educational videos and possibly certification systems moving forward.
Glad it’s working, and there’s more to come.
Hollis Kara: We can take one final question.
Chris Woodfield: Admittedly this is more a statement than a question, but I’ll ask anyway. Chris Woodfield, DriveNets, ARIN AC.
Curious question for the room. How many people here have actually had a route hijack mitigated by having implemented RPKI?
(Some hands raise in room, including Chris Woodfield.)
Someone asked, how would you know. The answer is because not every carrier is doing RPKI validation. So, I can speak to an incident in general detail, but over two years, a company I worked for had two route hijacks by nation states.
The first one was before we implemented RPKI. The second one was after. And the impact of the two, while not zero, was night and day. So, I can speak off the record in more details, but just holding myself up as an example of why you should do this and why you should use RPKI.
Brad Gorman: All right, thanks, Chris.
Hollis Kara: Thanks, Chris. I think we’re all done, Brad.
We’re going to do a slight agenda pivot to keep us on schedule this morning. I’d like to invite Aaron Foley to come up and provide us an update on IANA. There he is. Snuck up on me, man.
Aaron Foley: Sneaky.
Hollis Kara: I’ve heard.
Aaron Foley: Hi, everyone. My name is Aaron Foley. I work as a Senior Cryptographic Key Manager providing IANA services.
Perhaps it was just my turn in the engagement rotation, or perhaps I was just selected by virtue of nominative determinism, but in any case I find myself at my first ARIN meeting to provide you all with an update.
Some of this information is likely a bit remedial for this audience but bear with me. Without further ado, let’s begin.
We maintain approximately 3,000 unique Internet identifier registries. Some are well known, while some are only familiar to programmers that write code for particular types of Internet software.
One subset of identifiers we manage is the Number Resource services which is no secret to this crowd. This covers IPv4 and IPv6 addresses, as well as Autonomous System Numbers.
Just briefly, here’s the status of address allocations. The vast majority of IPv4 addresses are designated for unicast use. For other uses, multicast, for example, IANA is responsible for direct registrations, but unicast addresses are allocated to the regional registries such as yourselves, who in turn service their respective communities.
The last IPv4 allocation was made in 2011, but there was a recovery pool active for a number of years based on returned allocations. But that was exhausted in 2019.
We have a very small recovery pool left, but not enough left to divide among the five Regional Internet Registries that exist today.
IPv6, as you know, is a very different story. We have a very large reserve. One-eighth of addresses are allocated for unicast use. Of that, there are 512 /12s, of which there are 504 still to be allocated.
In the work that we do, not just for RIRs, but across the spectrum of all provided services, accountability is fundamentally important to us.
We strive to be the trusted home for all of the authoritative registries we maintain. To do that, we have a variety of different forms of accountability, including performance reporting, post-transaction surveys, annual surveys, annual community reviews and third-party audits. These mechanisms are all designed to provide confidence in IANA services and allow the community to provide valuable feedback so we can continue to optimize our delivery.
I think one of my slides got hijacked, so I was a bit confused there. Sorry. Today’s presentation is relatively short and I’ll now move on to the primary theme — our maintenance of the DNSSEC Trust Anchor.
Does this red button go back? Perfect. DNS is a hierarchical system with DNSSEC following that same hierarchy. Both follow the same hierarchy as the namespace itself. At the apex of the DNS namespace is the root zone itself.
At the apex of the DNSSEC trust hierarchy is the Trust Anchor known as the Key Signing Key or the KSK. We’ve managed the KSK in a very open and transparent manner to bolster confidence in the security of the KSK, which is done in a fairly novel manner.
If you were to survey the industry to determine how their individual cryptographic assets are maintained you’d likely find the normal course of business is to operate in secrecy behind closed doors. We, on the other hand, with the assistance of the community, have designed a highly transparent system which has been operating now for 13 years.
Intrinsic to that design, we involve community members who are security experts located throughout the world when conducting key-signing ceremonies, which occur on a roughly quarterly basis.
These ceremonies follow a script containing steps to retrieve the keys from a secure enclosure, generate operational signatures used in the day-to-day administration of the root zone for the upcoming quarter. This is done to the satisfaction of the experts and participants in attendance.
There’s often media in attendance and a high focus on these operations. There are seven trusted community representatives allocated to each of the two key-management facilities we maintain. These representatives serve as ambassadors who can report to their respective communities that we are conducting these operations in a transparent and secure manner.
The hope is that this will, in turn, bolster DNSSEC adoption and provide the global Internet with a more secure user experience.
We continuously seek new volunteers who meet the right criteria to serve as trusted community representatives. Some trusted community representatives are still serving in the role since its inception in 2010. And many are looking to move on to new appointments — looking at you, R.S.
And for those in the rotation, we need to maintain a pool of qualified individuals. We strive to maintain diversity in geography, skill and gender.
This provides us with a wide range of perspective and input, and serves to improve confidence in DNSSEC operations overall. If you or an individual you know are interested, please submit a statement of interest at the URL provided on this slide. We are currently seeking more volunteers from the APAC and African regions, in particular.
While on the topic of the DNSSEC Trust Anchor, I’d like to provide you with some updates there.
Since 2010, the KSK has only undergone one key replacement, or rollover, occurring back in 2018. We are still using that second key.
Near the beginning of this year, we announced the new key rollover process would begin. Shortly after that announcement, we received a curveball from our current hardware security module provider. The hardware security module, or HSM, is the device where our keys are securely stored.
The provider stated that they would be ceasing all HSM-related manufacturing in the near term. To keep our options open while we researched our next steps, we went ahead with the generation of the third KSK with our current HSMs back in April and replicated that key to the other management facility in July, but have since decided to hold off going any further with that particular key while our research continues.
HSMs, by design, do not simply allow the transfer of cryptographic keys from one type to another without defeating the security mechanisms designed to safely store the keys during their lifecycles.
Because of the aforementioned curveball, the second key-rollover project has essentially turned into a combined HSM and key-rollover project. So in summary, when a new hardware security module is introduced, the new key will be generated on that hardware, effectively restarting the rollover process that we began at the beginning of this year.
In other news, we’re also looking at algorithm-rollover requirements. Today we use RSA SHA-256 as the algorithm for the root zone. We’re looking at alternative algorithms like elliptic curve cryptography, which has never been done in the root zone. And we have concerns that some software may not support it. So we’re working in a careful and calculated manner to make that determination.
To that end we established a community design team late last year, who have been working on a set of requirements on how to make this change.
And actually, a draft report was published just a couple of days ago on the ICANN website that’s open for comment, if anybody would like to visit it and provide any valuable feedback in that manner.
And that’s all I intended to cover today.
Hollis Kara: All right. If anybody has any questions for Aaron, please feel free to approach the mic.
And my apologies on the issues with the slides. I received a helpful suggestion from elsewhere that perhaps we ought to start signing them to avoid hijacks. It’s a groaner, sorry.
Scott Johnson: Scott Johnson, Spacely Packets. Pursuant to the algorithmic change, the threat from quantum computing is real and present.
There exists in the world today, in the hands of many positive and non-positive actors, the capability to pretty much crack a good number of the algorithms that we have in real time.
NIST has just released several suites of protocols named lattice protocols that are designed to be resilient against these types of attacks because the kind of mathematics that is done in the algorithms is well beyond the capabilities of current quantum computing architectures fundamentally and should be for another good 10 or 15 years. That’s really all I had to say. Thank you.
Aaron Foley: Thanks.
Kevin Blumberg: Kevin Blumberg, ASO AC. I’d like to thank the collaboration with IANA and the RIR community.
But I thought it would be helpful, since I know this information but I don’t know if the room does, IANA handles a number of identifiers. Everybody here is aware of the three that are part of the RIR community. You mentioned the DNS identifiers. But you are responsible for thousands of identifiers.
Aaron Foley: Approximately 3,000.
Kevin Blumberg: If you could just speak to that a little bit, I think it would give a little bit of a sense of the scope of the type of work that you’re doing for this community. I think that would be very helpful.
Aaron Foley: I would love to do that, but that’s not actually my focus of work, and I would be remiss to talk about the different registries. My focus, in particular, is on the trust anchor and DNSSEC.
Kevin Blumberg: Thank you. But you mentioned it was 3,000 different identifiers?
Aaron Foley: 3,000 unique — approximately 3,000 different, unique Internet identifier registries.
Kevin Blumberg: Wonderful, thank you.
Aaron Foley: Thanks a lot, Kevin.
Hollis Kara: Thank you, Aaron. (Applause.)
Here we go. Moving right along, I’d like to invite John Curran to the stage to give an update from the Number Resource Organization from the perspective of the Executive Council. We’ll get the ASO flip side of this from Kevin a little bit later on.
Number Resource Organization Executive Council Update
John Curran: Thank you, Hollis. Good morning, everyone.
First presentation I have the privilege of giving is the Number Resource Organization update.
This is prepared by the Number Resource Organization Executive Council. And just sort of, you’ve seen it before; hasn’t changed much.
So the NRO is also known as the ASO. It’s the coordination body by which the RIRs work together. It’s formed by an MoU signed in October 2003. There was an addendum in 2020 that talks about the Internet Number Registry System and our mutual commitments to keep it unique and effective globally, operational, and provide consistent services. So this is how the RIRs coordinate our work together.
In 2022, we reviewed our strategic plan and made sure we all understood the mission of the NRO. That’s to do the joint activities of the RIRs and promote our joint registry. As you know there’s one Internet number registry.
We talk about the ARIN registry, but we only have a subset of the overall Internet number registry. And it’s the union of the five RIRs that provides the unique registry.
And also a vision to be the single point, the flagship and global leader in terms of being able to be available as a resource for people to know that it’s a central element of an open, stable and secure Internet.
The executive committee is made up of the CEOs of the five RIRs. This has officer duties that rotate. This year I have the privilege for 2023 of being the Chair of the NRO. Paul Wilson from APNIC is the Vice Chair. Oscar from LACNIC is treasurer. Hans Petter is just a member. And we actually presently have no executive from AFRINIC on the executive committee.
We have a permanent secretary hosted by APNIC. And German is our executive secretary. And Laureana also provides support to us. They help keep projects moving and all the information flowing.
We are implementing our strategic plans. As part of the 2020 review, we realized that there’s some activities we need to work even more closely than our groups would normally do on their own. Our groups do work together, but to some extent we need some oversight and project management.
So we’re looking at actually bringing in someone to do overall project management responsibilities in these key areas — RPKI, cybersecurity, and government engagement. You’ll see job postings, for example, on all the RIR websites.
And that will help perhaps get us a more consistent set of approaches to these problems among the RIRs.
Coordination groups, we do coordinate extensively today. Each of our departments has a corresponding coordination group which meets with its partners from the other RIRs. So there’s quite a bit of activity.
But those are informal. Those are just to help keep us aligned. There’s no work, per se, done by the coordination groups that’s tasked by the NRO, but we all task our individual teams to do things and use the coordination groups to work with the other RIRs to the extent necessary.
This is different than what I showed earlier when we said, for things like RPKI, we actually believe we need a set of common objectives and common program management.
So the coordination groups are kind of the fallback on how our staff work with their counterparts in an organized manner.
Finances. The NRO has a general operations budget of $582,000. That’s the secretariat support, the meetings we conduct, the chair of the ASO AC, our Advisory Council moving to the — traveling to ICANN, and Internet governance support. We support a number of Internet governance — for example, the Internet Governance Forum.
We also provide a contribution to ICANN in two pieces. It adds up to $823,000 a year. It has been $823,000 a year since the inception of ICANN in 1999.
We predate ICANN. So we’ve been supporting it since it was formed and are still supporting it.
We’ve recently broken out into clear categories what we’re paying them for. The IANA contract, we have an IANA numbering services contract, which provides for the IANA team to manage the numbers part of the numbers registry. This includes the v4, v6, and ASN free pools.
And then we also provide a voluntary contribution of 173 above and beyond that, which is for all the ASO functions. We have an ASO that works on global policy, elects members to the ICANN Board of Directors and participates, a little more engaged with ICANN. The sum of that is 823.
We have NRO programs. You saw the program management I talked about. And we have a Stability Fund that we’ve all pledged to. So those are sort of the financial rundown.
And then just in terms of cost, the direct costs of the NRO are divided based on the size of the RIRs, based on the Registration Services revenue of each of the parties.
So ARIN is about 29 percent; RIPE, 36 percent; LACNIC; APNIC — AFRINIC is not paying at this time because it’s in an unusual status. So we’re dividing it up a little differently.
AFRINIC situation, the unusual status. I’m going to talk about this in the global RIR update and cover it in more detail.
You should know the RIRs are collectively providing on-site legal support to the extent that over the last year and a half, when AFRINIC has needed additional legal review, we’ve offered that. And we have, ARIN actually has counsel on site in Mauritius. Sometimes our advice is taken. Sometimes it’s not. But it’s available for a second look at these challenges.
We are engaging with regional stakeholders in the AFRINIC Internet community to see what can be done to help advance AFRINIC, get it back into a stable situation.
And we’re also preparing to, once AFRINIC gets to the point of having elections, preparing to engage to get the entire community involved.
And I will talk a lot more about this, so I’m not going to dwell on it in the report.
Publications. Couple of things the NRO publishes that are pretty important. The global Internet number statistics. You see it now and then. I’m not going to bring it up now. But the status of the IPv4, IPv6 and ASN free pools, allocations that have been done and run rate over time. We’ve produced those reports and they’re on NRO statistics.
We also provide a comparative policy overview, comparing the various categories and policies among the RIRs and how they differ. So registration issuance; ASNs; v4, v6 transfers — and so you can get at a glance how the policies in one region and the policies in another might be structured differently or have materially different provisions.
So there’s an IANA Review Committee. As I said, we pay for the IANA numbering services to update the registries as we ask. We put in requests, generally somewhere between two and six requests a year. And the IANA updates those. It also provides reverse DNS services.
We review the service that we get from IANA, and that’s actually done by the community to make sure that it’s clear and open. We have an IANA Review Committee made up of three members from each region, and they review the reports we get out of the IANA.
I will say the reports we get out of the IANA are always wonderful, noting exemplary performance. So the Review Committee has a very easy job confirming exemplary performance. The IANA team and the supporting team at ICANN have been wonderful.
And we publish the Review Committee report. And the Review Committee report is online.
The IANA Review Committee at this time, present members, Chris Quesada, Nick Nugent, John Sweeting are members from ARIN. You see the members from the other regions.
We also participate in the ICANN Empowered Community. And this is a very interesting function that people don’t really know about. When the IANA stewardship transition happened, and I don’t know how many people know what that is, but it was a contract between the U.S. government and ICANN for ICANN to do the IANA functions — do the names, numbers, and protocol support. It was a nominal agreement between NTIA and ICANN to do that.
When NTIA said, this is running under community supervision and doesn’t need us to have a contract for that, they agreed to transition the stewardship of the oversight of ICANN to the community. And what that meant is that each of the various organizations that were involved — so, for example, the numbers community got the IANA services agreement, the thing that provides the services and that that Review Committee handles.
The IETF has an MoU for protocol parameters. And the DNS community has constituencies within ICANN that effectively proposed the policies and ratified by the ICANN Board that are used by IANA.
But above all of that, the community said it might be necessary, in case the ICANN Board or IANA leadership does not perform, it might be necessary to have a community-control mechanism. And that’s the ICANN Empowered Community.
So, in effect, when ICANN makes a decision that does things like change its bylaws or appoint directors or adopt a substantial budget strategic plan or activity plan, those are actually ratified by the ICANN Empowered Community, which is made up of organizations such as — the ASO is a member of that, and on the DNS side, the DNS constituent organizations are there.
And it’s just to provide an absolute backstop. If the ICANN organization weren’t performing in the way expected, the Empowered Community actually has vast powers to change things.
I will say that the Empowered Community has been working very well. And nearly everything that ICANN proposes has been in keeping with its bylaws and community direction, so all of it gets ratified very smoothly.
So that’s the NRO. And I’ll take questions on this before I do the global RIR update.
Hollis Kara: Any questions for John on the NRO? Anything from remote?
John Curran: Global questions? Intergalactic?
Hollis Kara: No.
Global Regional Internet Registry Update
John Curran: Let me give the global RIR update. So this is ARIN’s update on what’s happening globally.
I don’t usually give this because usually we don’t have a lot to say. Each RIR presents its own report and you guys get to hear that. And we sometimes do that at these meetings.
But sometimes it’s necessary for me to brief the ARIN community on what’s happening globally in the RIR system. This is one of those occasions.
So there’s five RIRs, we all know that, and I’m not going to talk about most of them. I am going to talk about one of them.
So ARIN does not normally comment on disputes or litigation occurring in another RIR. In general, we don’t talk about things like that because it’s the business of that other RIR. And they’ll handle the business in due course. They’ll handle their disputes. They’ll handle their legal matters. They’ll handle their court actions. They’ll correct things and everything will be normal and it doesn’t affect the ARIN region substantially. It’s the business of another RIR.
Okay. When that doesn’t happen, I actually have to keep you informed because there could be things happening in the RIR system that affect you.
For example, we could have an RIR become not operationally stable. We could have an RIR that doesn’t provide its portion of the Internet number registry service.
So I have an obligation to apprise you of that possibility. And we’re certainly there at this point with respect to AFRINIC. So I’m going to talk about the status of AFRINIC.
Now, to do that, I have to highlight things that have happened there. And we’ve taken reasonable care in trying to reflect what these are. But I have to say something.
It might not be perfect. There could be an error or omission in the fact that while we took good due diligence and tried to confirm everything we’re conveying, it might be imperfect.
If it’s imperfect, and you’re one of the parties listening or listening to the recording of this or looking at the slides at some future time and we’ve made a mistake, let me know.
Facts matter. And we will, with diligence, update and try to correct and I’ll try to point out in the future and make sure that if we got the record wrong here somehow, we’ll try to correct it, because, as I said, facts are important.
Having said that, I have no sympathy or remorse. If there is any confusion about anything I’m about to present, it is not the responsibility of ARIN. It’s the responsibility of those who haven’t kept the community informed. And I don’t really have a lot of sympathy for them. If for some reason something’s wrong here, recognize the people who haven’t been communicating are the reason we don’t have a better status.
So take note. With that pleasantry aside, I’ll now begin.
So in 2020, AFRINIC completed a registry audit. And one of the customers was sought for more information, and AFRINIC ultimately determined that the resources weren’t being used for the purposes issued and needed to be revoked after suitable time to allow the customers to migrate.
The party, Cloud Innovation Limited, principal Mr. Lu Heng, disputed AFRINIC’s authority to enforce this provision of the agreement. And that was 2020. That’s the beginning of our story.
Mr. Lu Heng engaged in several actions to prevent having to return the address blocks. I won’t go through all the details. There was a motion at one point to freeze AFRINIC’s accounts, and thus had the ability to hamper AFRINIC’s operations. After about two and a half months, AFRINIC successfully had the freezing order modified and removed.
In 2022, an injunction entered in court prevented AFRINIC from holding its annual elections just prior to the AFRINIC AGMM. I want to point out, this was something in the past I actually communicated incorrectly because I said it happened after the meeting. No, just prior to the meeting, an injunction was entered.
And as a result they didn’t have their annual election. And thus coming out of that, they did not have enough directors to have quorum. They were what we call inquorate — unable to hold a meeting with all of the directors present, enough to conduct business.
And that prevents them from, well, appointing temporary directors, holding another meeting, holding an election. It’s a pretty debilitating situation. And it occurred in 2022, after their AGMM.
In 2023, in April, there was a filing by one of the Directors, a registered member of the organization, to seek the ability to hold elections.
In September, there was a court order, September 23, just recently, to appoint official receiver of Mauritius to oversee the affairs of AFRINIC, hold an election for the AFRINIC Board within six months, and work towards the appointment of a CEO.
This is what courts do when an organization doesn’t have a governing Board and doesn’t look like it has a way out. And it should not be a surprise that after a year without a quorate Board that someone appointed an Official Receiver.
In September, a few days later, the NRO issued a statement. And one quote from the statement: “The NRO welcomes the recent developments in the legal proceedings affecting AFRINIC. With successful execution, these developments will restore AFRINIC to a functional governance with the election of an Executive Board and appointment of a CEO.”
Because an AFRINIC that had operated for a year without a functional Board is a risk to our registry system, and there was no path to get us back to having a member-elected Board for AFRINIC.
28 September — we’re getting kind of right around the corner, just a few weeks ago, an appeal was lodged against the official receiver resulting in an automatic stay of the order and suspension of the official receiver’s authority. So AFRINIC went back to having no governing Board.
There was a filing by Cloud Innovation challenging the acceptance of the AFRINIC appeal, suspending the automatic stay and thus restoring the authority of the Official Receiver. So, the 2nd of October, just a little while ago, we again had an Official Receiver.
On October 4th there was also an order issued preventing some of the previous directors, Benjamin Eshun and Viv Padayatchy, from acting on behalf of AFRINIC because their term has expired, amongst other things.
This got us to just the other day where Benjamin Eshun had a discharge of that order and discharged the suspension of the stay against the Official Receiver, thus again the Official Receiver has been set aside. He’s operating under a stay, and his authority is suspended.
So, again, AFRINIC is without an Official Receiver to run the organization and without a governing Board.
That’s where we are right now. AFRINIC is back to where it was effectively before the OR was — order was entered. A lot of fun. Okay.
ARIN’s assessment. These are not facts. These are subjective views of the organization. I need to be very clear here.
Let’s see. There remains significant litigation for sure. All the court cases I’m not talking about. There are numerous court cases against AFRINIC. Not even going over those.
However, there are still insufficient Directors to convene a Board meeting or a members meeting as necessary to elect Directors. Petitions to the court for appointment of temporary Directors have not been granted. There’s a pending appeal, and that pending appeal was put on stay and now is refreshed. With that pending appeal, the appeal of the appointment of the OR, I will say 10 to 12 months before that appeal is heard.
So we do not know if we will have an official receiver for probably a year’s time at AFRINIC.
At this time AFRINIC continues to operate without significant impact to services. I use the word “significant” — you can’t operate an organization without a governing Board and not have some risk. You have to pay contracts and people and you don’t necessarily have a budget. You’re operating at a little bit of a risk just there alone.
Staff like to have an organization to operate in. It’s true that it’s nice to actually know that there’s a governing Board and there’s a management structure above you. There’s no CEO and there’s no governing Board.
So obviously the staff are there getting the job done. I’ll use the term “heroic.” It’s heroic what the AFRINIC staff are doing, keeping it running under these circumstances.
Next steps, to be determined. There’s no clear path at this time for AFRINIC to a member election of a Board of Directors. And that’s a problem. We’ve gone a year without one and it’s almost an assumption of a registry that will have a member-elected Board.
This is problematic. As you can see, even the NRO, we have challenges doing some things because we’d like to work with AFRINIC in doing them, and we’re kind of doing them for the system. And we don’t have a voice representing the AFRINIC region at the NRO level.
It’s also, there could be any number of events that AFRINIC would be unable to respond to because it lacks a governing Board.
There’s still a possibility, we don’t know what’s going to happen with the Official Receiver. As you saw, those legal events were all dated in the last two weeks. So to say that we know the status right now and it’s stable would be a lie. There could be other events just subsequent to what just happened.
So while I say the Official Receivers probably will or will not happen at the hearing of the appeal, which will take about a year, we don’t know. There could be other developments. We’re not a party to that at ARIN. So it’s very hard to determine what the moving pieces are.
We have offered, as I said, we’ve offered legal assistance, we’ve offered financial assistance. I know the other RIRs have offered same. ICANN has actually offered assistance in terms of a neutral party that’s a technical expert in registry operations.
But we’re all not parties to this. We’re all standing outside.
I will say that the primary interest here is protecting the registrants in the AFRINIC region.
There are people who have resources registered in the AFRINIC registry. They have rights to those resources. They need to be protected no matter what happens.
So as much as we think about possible ways of getting involved, nearly all of them have high risk, more risk than necessarily waiting out this process.
At this time, ARIN does not have a plan to directly get involved. That could change if it looks like this isn’t going to help.
I don’t know the status of the other RIRs, obviously, I don’t speak for them. But we’re all on standby looking for someone to bring a path forward that gets it to member election.
As I said, the official receiver order did get us on a path that would have an election within six months, but one of the previous directors has appealed that.
We have not seen to what end, what goal or how that serves the AFRINIC community. So we’re looking for more information here.
And with that, I will open this up to questions. Oh come forth, brave people, come on.
Hollis Kara: Please feel free to approach the mic. I see we have one question coming in from our virtual attendees, if you would like to start with that, John.
Beverly Hicks: Louie Lee, Google Fiber, past NRO Number Council member. Does ARIN need to make any changes to our structure, processes, or anything else to prevent significant pending litigation from significantly affecting our operations?
John Curran: I’m having trouble making out the words. What’s the question?
Hollis Kara: The question was — let me pull it up again.
Lee Howard: Does ARIN need to do anything different to prevent similar damages?
Hollis Kara: Yes, do we need to do anything, make any changes to our processes to protect our organization?
John Curran: Operationally AFRINIC continues to operate. That’s fine. The formation of the coordination through the NRO, the NRO structure is such that the NRO takes action on the NRO Advisory Council. And the NRO Advisory Council, while it doesn’t have a member from AFRINIC, is fully capable of executing decisions on behalf of the NRO.
So we continue to operate — we’d like a member of AFRINIC, but we don’t have one with the departure of the CEO. So we’re able to function. We don’t need to change any of our processes.
It is problematic, though, because clearly any substantial change that we needed to do among the RIRs and running the registry system we would not be able to get AFRINIC’s concurrence — we would just do it. And they would have to deal with it after the fact. And that’s obviously suboptimal.
You don’t want to change a registry system that part of the globe is a member of without them having a voice in the room. Yet there’s no structure for them to have that voice.
Hollis Kara: Thank you.
Lee Howard: Lee Howard, IPv4.Global by Hilco Streambank, and also, as it happens, former NRO NC member. What was the basis of the challenge for the receivership?
John Curran: I will not go into the specifics. You could argue merits one way or the other.
The short version is that the receiver was appointed by the court under the understanding that there was not going to be any representation of AFRINIC because those people in the room and their legal representatives didn’t constitute a Board. And so a single Director cannot speak on behalf of an organization. Short summary.
Note that a Director, however, has a vested interest in an organization. And if the organization does something and the Director may have some liability, they’re still an interested party. I could argue legally both sides. That’s what courts are for.
Lee Howard: Thanks.
John Curran: Mr. Owen DeLong.
Owen DeLong: Owen DeLong, full disclosure, I do some consulting for Cloud Innovation (hissing from audience), so I’m more aware of the details than I wish to be.
Hiss all you want.
To comment on Louie Lee’s question, no, I don’t see ARIN being likely to depart from its bylaws and its Registration Services Agreements to such an extent that it would start randomly going after members that it didn’t like just to try and reclaim their resources out of malice. So I don’t think ARIN needs to change anything or is at risk.
John Curran: I know you’ve characterized AFRINIC’s behavior and there’s a dispute on that.
But — thank you.
Lee Howard: Sorry, I want to point out that hissing is actually a violation of our code of conduct.
John Curran: Right. I’m trying to point that out indirectly, but I’ll use the word “yes.” Let’s not characterize organizations’ behavior that way.
Scott Johnson: Scott Johnson, Spacely Packets. It appears that there’s a non-zero possibility of a complete operational failure of AFRINIC at some point. Can I ask you to speak to the possible ramifications of that potential event?
John Curran: Sure. I expected that to come up.
So let me talk about the DNS. Now, you may not think that’s relevant. But in the DNS system, all the DNS registries have escrow data with ICANN. There’s an Emergency Registry Operator program so that if a registry disappears, ICANN can activate the emergency Registry Operator Program and feed it data. And the DNS registrants will continue to be served even though it was their TLD that — operator that disappeared.
And that’s because the DNS is a highly structured system with many, many players, hundreds of players.
In the case of the RIRs, we’re five loosely coupled operations. While we all have our own disaster-recovery plans and contingency plans, we have not done formal recovery planning for a complete RIR failure.
And should we do that? Well, I guess now that’s a great question. And it’s one that I know people are looking at.
The RIRs get recognized through a process that ends with an RIR declaring its conformance to a document called ICP-2. Internet Consensus Policy 2 was adopted by the ICANN Board, and it was written by the RIR community. And it has some standards.
It says you have a member-elected Board, and you’ll have certain governance, and a certain region, et cetera, et cetera.
But it doesn’t call for escrow of data and commitment to such.
I know there’s some discussion among the Internet community, among folks like the ASO, the Address Supporting Organization Advisory Council, the ASO AC, that they would — to look at maybe ICP-2 should be updated. But that doesn’t exist today.
So today what we have is what we have. And what we have today is, I know a number of RIRs have taken measures to do snapshots of the AFRINIC data.
If AFRINIC were to suddenly become inoperable, I am fairly confident that if that was confirmed and everyone agreed on that and all the pointers were swung, that a frozen instance of AFRINIC would be stood up, and that it would reflect the WHOIS, RDAP, IRR, RPKI information that we know to the best of our knowledge. Not perfect. But to the best of our knowledge.
But that’s frozen. That’s literally what was last week. There’s no organization or governing body, there’s no nothing. It’s just a snapshot.
And going beyond that is very complicated because even if you could build an operating proto-AFRINIC, you don’t have contracts with the customers. You don’t know actually who the customers are. You know who they are in your database, but you don’t know who represents them or who validates them.
Imagine effectively Org recovery for an entire region and the potential hijacking and misappropriation that might occur, particularly because in some cases the record keeping is not to a conformance standard that the other RIRs are used to, depending on what country they’re in. It varies across each of the economies, and you’d need local knowledge that you don’t have.
So the possibilities of Org recovery and mistakes is very high. Plus you don’t have a contract with them. Not to mention the fact that it’s never been done. There’s not necessarily a technical or RIR system basis for doing it.
So the best you might rely on is, if AFRINIC would have a complete operational failure, is a snapshot would probably be set up by the other RIRs and ICANN to that purpose.
Going beyond that, I do not know if we can, as rapidly as we hope, establish the necessary framework that doesn’t exist today sort of after the fact. And that means anything beyond that is purely speculation. Probably more than you wanted to know, but you’re entitled to know.
Chris Tacit: Hi, Chris Tacit, Tacit Law. I think the biggest risk to any RIR is the risk of Board capture. And in that regard I want to commend ARIN for some of the measures it’s taken recently, more specifically increasing the size of the Board and imposing term limits. I think those are two very important safeguards.
And I hope that vigilance will continue at the Board level as well because that’s really critical, too, so we don’t suffer a similar fate in the future.
John Curran: Thank you. Good point.
I will note at this time that AFRINIC does not have a risk of Board capture because, well, it actually has no governing Board at the moment. So there’s nothing to capture.
We’ll see what happens if there’s ever an election. For now I will say any board might be better than no board.
Okay, if there’s no further questions, thank you for your time. I hope this has been informative.
Hollis Kara: Thank you, John. (Applause.)
With that we’re going to go to break. We are going to restart at 11 so this is going to be a quick one. We have our virtual presenter joining us from Lithuania so we need to be back and start on time for his presentation.
So I know a lot of you are going to probably have questions or things you want to discuss in the hall, but let’s try to keep it brief and come back so that we can give our guest speaker the courtesy of an audience. Thank you.
Hollis Kara: All right, folks, it’s 11:00 a.m., if I could get you to come in and take your seats please, our remote presenter is ready to come online.
I’d like to welcome Vaidotas Januska from IPXO — did I get it right? I did — to present his research around networks and IP management obstacles. With that, take it away.
Guest Speaker: Research Around Network and IP Management Obstacles
Vaidotas Januska: Hello, everyone. Welcome from Lithuania. It’s a bit cold and rainy out here.
I know for a fact in San Diego it’s much better. I checked it.
But pleasure to be here and have an opportunity to share with you some insights that we discovered. So let’s begin.
As a starting point, based on our experience, we have the hypothesis that despite the maturity of IPv4 and now with IPv6 coming, coming along the way, there are still a handful of obstacles that managing the data related to IP addresses themselves are there actually. Let’s go through the journey and dig deeper.
Next slide, please.
To develop our hypothesis and to understand these obstacles, we conducted the research. We interviewed over 100 companies that use IP actually as part of their core business enabler. Those companies were mainly based in U.S. and Europe.
I know that the term, how to say, data related to IP address is broad. So to narrow it down, we explore topics of key interest related to RPKI and ROA handling, Whois data management, like the locations, domain delegations, route objects.
We also spoke about geolocation and abuse-related data management and actual plans about IPv6 adoption.
We actually saw those topics related to Internet score building around governing elements that shape your presence on the Internet as such and being the main subject of our research. That was our interest.
Next slide, please.
So before we move on to discover obstacles, let’s start with an overview showing the distribution of business verticals, their managed IP space that participated in the research.
Worth noting that the IP address count encompasses their owned IP addresses and leased IP addresses, and the total amount of the space allocated in scope here is about 10 million. Actually, mainly that comes from ARIN and RIPE regions.
When you look at the industry distribution, we have industries like cloud providers, hosting, proxy, data mining, telco/ISPs and LIRs and others.
One thing to note, before we move on, is I would like to state a few things. The companies, as you see, are in different business verticals. They’re at various operational maturity levels.
Some have different expertise levels in the core networking from very deep knowledge to more all-hands IP guys that know just how to configure a server with the route and the default gateway and concepts. And that’s enough for them.
Some of them are running their own infrastructure and providing services to others, while some use infrastructure as a service to run their services on top.
Yet one common thing for all of them, IP is their business enabler and key component, and the data around those IPs are very important for them to run the business.
Different scenarios, of course, bring different challenges and perspectives. So apologies, as I say in advance, that some of those obstacles might sound generic or irrelevant to one or the other industry. But regardless of that fact, they’re still valid at large because they’ve been stated as such.
I really kind of believe and hope that some of those obstacles mentioned here on observations will echo to your own experiences and stories you might have heard or actually been part of.
So please move to the next slide. Now, in order to have some sort of a way to pinpoint these obstacles, we decided to take a journey from actually obtaining IPs all the way to using them.
So let’s start. The starting point is actually the first step in a simplified version. The Internet functions, bunch of routers speaking BGP and exchanging the routing information with their neighbors. Right? It’s like in a simple shape and form of it.
Key payload of that exchange actually includes IP address and AS Numbers, define networks and their origins. Both of these elements are assigned by RIRs to organizations, and they’re currently five RIRs. It’s like not the Wild Wild West. The allocation of IP addresses, the allocation of AS Numbers, they’re governed, there are special policies around that, which is good.
Yet core concepts and fundamentals in data that is being managed is more or less the same in its kind of shape and form and meaning. It’s IP address, AS Number, ownership data, contacts, et cetera.
Yet every RIR has their special twist here and there when it comes to managing the data and how it is treated, et cetera.
I personally, how to say, I appreciate that; nevertheless, we heard that this is seen as an extra complexity or obstacle managing that fundamental data from the participants that were in our research and had resources from multiple RIRs.
Now, once you get over that part, you have IP addresses. You sort of — what do you do? You want to understand and keep track of what you have in your stock, what you put in use and where, who is using it, and et cetera, et cetera.
This is usually something that — the factor to most of the network guys, smells and looks like you need an IPAM system and it should be doing that. But funny enough, most of our respondents — and I would say industry to an extent — view IPAM more as an internal network covering element and system.
Usually, part of some sort of a DDI solution, leaving, say, the external IP address management subject to the best IPAM out there, the best system, the best invention.
Excel. Excel keeps a lot of things running across the industries. That’s no secret. Jokes aside. Yes, Excel is one of the IPAMs used. Most of the companies, or simply put, some file is used to document all those allocations.
Coming back to my statement that I previously mentioned that company maturity level is different, and actually some of the companies have invested money and time building their own IPAMs. They’ve been built by some engineer or some third-party. It’s usually a combo of IPAM and some sort of CRM system to map that because usually the traditionally IPAMs have a data like VLAN allocation, row number, in the data center, et cetera, et cetera, they have a customer associated with that.
And the sad part of it that those systems were once written by someone. They run. If it runs, don’t touch it.
It to an extent sort of resembles a little bit like DDI solutions that are put in place. You put them in place and you have them for 10-plus years because it’s a foundational, how to say, element of your network.
So touching it, moving it; if there is no necessity, you usually avoid doing that.
And in my career, I’ve just seen like two cases where we sort of been on a journey changing the DDI solution underneath it but it had survived 10-plus years as such.
Now let’s move further. Next slide, please.
So once you are over with RIR and IPAM parts, you sort of can straightaway jump to configuring the routing part. You get IPs. You document their location and associated data and just start using them. Simple.
But actually when it’s done by one person that knows the drill and is responsible end to end, you sort of know your ways of doing that.
You prepare, you document, and you configure, with love and respect. But usually organizations have different people and roles to manage the IP address allocations, the IP people, as I call them. They manage their records, people who own and configure the edge routing.
What I mean by edge routing is actual Internet-facing boxes or the feeding points. The people that actually understand the BGP, they know the BGP community is what they mean. They know routing policies, et cetera. They care about IRR records. They care about ROAs and cryptic lists, et cetera.
And on top of that, if you’re a bigger enterprise, et cetera, there are teams that actually are responsible for data center networks for the campus, for the WAN part.
Where the disconnect is, people that are responsible for the edge, they think about aggregates and summaries. The people that are deeper down in the network, they think about more specific part of that and each of them are involved making sure that there is a good documentation and good housekeeping in place to make sure that every single IP is accounted for and known and all the Whois accuracies in place or the routing policies are in place. Everything is in place.
Actually, this can be a very well-orchestrated and practiced process. It’s like nothing to be invented here. It’s well known, et cetera. But there is one but. When it’s people, no automation, sometimes mistakes happen. And those mistakes can happen not in the bad will of people. It could be due to some sort of emergency, some incident.
You need to bring the business back. You need to change some routing ad hoc, documentation follows, and sometimes it’s forgotten.
Obviously like inherited risk or inherited results of such setup is most of our respondents said but they’re not 100 percent sure that their documentation is up to date.
What that means, if you are not sure about your inventory, you can’t be sure if you use it efficiently. It’s as simple as that.
Next slide, please.
Now we have IPs. We have routed and are live on the Internet. And now we need to move up the stack.
Moving up the stack, once we are on the Internet, we have apps and their payload on top. The IP addresses don’t travel themselves from one destination to another. There is some sort of an intent. Intent is being application payload.
The payload can be good. It can be bad.
It’s a kind of very simplified view of that. Internet is full of stuff, of good things and bad things.
Long story short, to tackle the bad intents, some of the bad intents leave actually a mark around IPs that limit the freedom of IP usage.
This good intention actually to identify bad and good actors based on IPs was developed in different companies like security companies have their products and have their lists of blocks and organizations in a distributed fashion. Organizations driven by community, for example.
And the result of that is multiple block lists with their own specific procedures when and how those IPs need to be reported, how to get them out of there, and last but not least, due to the lack of standards, lack of aggregation of the domain, it’s very hard to understand where one or the other IP is listed and what actions are necessary actually to take this IP out of that list once you sorted with the root cause, the bad actor.
Now, other thing that is affecting the user’s experience on the Internet is geolocation. It was actually designed and built for the great purpose so you could have like personalized experience when you are in the Internet. It is also kind of, you know, a way to protect copyright things and the content. It’s amazing.
But like IP reputation, this domain has also evolved in a distributed manner. This brought multiple geolocation providers to the market. They have their own secret recipes, how they make decisions, where the actual IP is.
Some are more robust. Some are less. Some have update period of a week, some of a day or even a month. As a result, the same IP can be seen like in different geolocation databases at the same time being in Paris or Tokyo. So where the heck is it? Right?
So when you have that many geolocation providers, one thing, as I mentioned, how to understand, that they geolocate my IPs correctly.
I want to make sure that all my IPs are seen as they are in those geolocation providers, all of them.
Well, it’s not like we are powerless here.
We have a RFC8805 standard that we can use to construct the geo feed, talk to those geolocation providers, say here’s my geo feed, treat me as a trusted source of that data. Thank you; bye.
But the thing is that sometimes those geolocation providers slip through their radars, some nonlegitimate source of geolocation, and my feed is overwritten by others.
Of course, you know, there is kind of now an RFC9092 picking its space and having better coverage that should to an extent add extra control over legitimacy, who is actually — where is actually the, how to say, feed’s legitimacy coming from but it’s under the Whois data. It’s great, but it’s yet another data point to manage.
Funny thing is no one talked much about geoloc object in the [indistinguishable] but that’s the case.
So next slide, please. Good. So we went through the list of mentioned obstacles, and those obstacles can cause gaps in data consistency around IP data, and that actually poses risks to a few aspects. One of them is stability. How can it affect stability?
Our routing can be dropped or wrongly routed due to inconsistent or incorrect routing policies defined by ROA or IRR records. Your client emails could be dropped if you’re listed in some blacklist and you don’t have a clue if you’re listed in a blacklist. Of course, there are means to prevent that, but still it’s a possibility.
And last but not least, when it comes to your users that can’t actually access the content they paid for if the geolocation is wrong.
So planning. If you don’t trust your data — and as I mentioned, it’s very hard to understand or be actually in 100 percent control of your data where your IP is at — you can’t plan properly.
Every single time you want to kind of plan something and see where you’re at, you need to burn time and do the audit and that could be cumbersome because we’re talking about different data domains, like Whois data, routing data, routing policy-related data, geolocation data, you name it, security.
In simple terms, your IPs can be hijacked if you don’t take care of your ROA IRR records, you can have hijacks happening.
Other thing, it’s like obvious. If you don’t understand where your IPs are at, that means you are not in control of your perimeters and enterprise as a company.
When you’re not in control of your perimeter, what that means is you can have gaps in your firewalls, in your controls where some bad actors can just use that and do an attack.
And last but not least, it can actually affect your transition speed to IPv6. You just burn energy and time maintaining v4 trying to be efficient, trying to have the data consistent, et cetera, so why bother with yet another protocol if you have issues with the IPv4 domain.
Next slide, please.
Based on all that input during the interviews, we also asked the participants what they would feel, sort of a way out of this situation and have more control over the obstacles. And they mentioned things like, you know, they want to have a system or see a system that would enable them to spot data inconsistencies between different planes. What do we mean by planes?
As I mentioned before, their Routing Registry data, the routing policy data, the actual routing configuration, geolocation and other things.
To have it like a system work for you, not you working for the system, there is the view that the system should provide recommendations on what data points need to be synchronized. So the system should tell them, look, there’s an inconsistency between route and ROA; do you want to fix that? Should I fix that in the end state?
Also have an option to define status quo of your IP data. Tell that to the system that, look, this is how I want it to be in the perfect state, please monitor and ensure it.
Sounds like a [indistinguishable], but why not? Other thing is also help me understand where I have opportunities.
If I want to expand my network, if I want to bring on more customers, what can I do to better utilize my existing resources?
And last but not least, it’s the obvious one, be API-enabled. API everything nowadays. It’s not a kind of a surprise to see it here. API-enabled for the current and future tech stack integrations.
Next slide, please. There should be a next slide. Good. The future.
So, of course, all those things, imagine they’re working; the system is taking care of your worries, what to do with all your spare free time.
Of course, move to IPv6 and get more time back to deal with other challenges and maybe, among fun things, that IPv6 might bring along with wider and wider adoption.
So next slide, please. And here it is. Thank you.
I know I overran, apologies. I had lots to tell you or share with you.
Questions, please? Do we have time for that?
Hollis Kara: Thank you so much Vaidotas. I think what we’re going to do, is if folks have questions, they can email them to meetings@arin and we’ll get them forwarded on to you, okay?
Vaidotas Januska: Good.
Hollis Kara: Thank you so much for your time. We’re happy to have you here.
Vaidotas Januska: Thank you.
Hollis Kara: We’re moving along. Next up, Christian Johnson scurrying to the stage, going to give us an update on information security at ARIN. Not in general that would take a long time. Just in general?
Information Security Update
Christian Johnson: I’m looking for the button of death. I switched hands so hopefully it doesn’t naturally rest on it. Fair enough.
Good morning, everyone. It’s still technically morning. Good morning. My name is Christian Johnson, I’m the Chief Information Security Officer for ARIN, and I’m really happy to be able to be here today, not just because it’s San Diego, but because it’s a fantastic opportunity for me to be able to share with you all the fantastic news about security at ARIN.
I don’t say that sarcastically, although it probably sounds like I was saying it sarcastically.
Very briefly, I’ll provide a quick overview, a little bit of a security update, talk about the compliance initiatives that we’ve been working on.
Some of these slides, if you were at ARIN 51, they’re going to look conspicuously similar to some of the conversation that I had there. There’s a reason behind that. Might not be a super strong reason, but I think it’s important that — not everyone attends every single meeting, so there are some folks who are here who weren’t there, and so I want to briefly touch on a few things.
One of them very important to me is the ability to communicate about security. There’s a lot of nuance in words that I think was mentioned earlier, maybe yesterday.
There’s a lot of nuance in words. And I want to sort of strip out some of that nuance when we talk about security in general. It could be information security, computer security, data security, information assurance.
We love creating words in some industries. Security is not immune to that.
For the sake of conversation, unless it’s necessary, these things mean the same thing as a part of this conversation. Just to allow for inclusion for those people who are not security professionals or who haven’t done it as an add-on extra duty at some point, it allows us to have that conversation.
I could say number two every single year because it’s my priority every single year. Security, there’s been a tremendous amount of work done in security over the past year.
I could not give strong enough kudos to the engineering team, to HR, to every department within ARIN who has stepped up and contributed to the initiatives that I’m going to come up here and talk about and sort of, by proxy, take credit for, but I do want to give a round of applause up front to all the departments, all the staff within ARIN and all the hard work.
You’re doing that blindly because I haven’t actually given the presentation. So now let me give the presentation that justifies all that.
One of the things I also want to do, as a further dedication or proof of the dedication that we have towards security at ARIN, we brought on a new information security manager, Anthony Clark. Anthony, could you raise your hand or stand up, one of the two. Either one. Anthony, new to the ARIN organization.
Very happy, very lucky to have him here.
His depth of experience is a real benefit to the organization. And it’s going to play out in the years to come. Just super happy to have you here. Welcome.
I’m big on basics, focusing on the basics. It doesn’t matter if it’s sports. It doesn’t matter if it’s cybersecurity. It doesn’t matter what it is, the focus on basics and successful execution of the basics often leads to success.
And if you’re one of those people, like me, who just really loves to read about unfortunate security incidents that happen — and they get published every single day, doesn’t matter what the publication is, you can read about another unlucky organization.
More often than not, it’s because the organization failed to do the basics properly with regards to security.
And so that is one of the reasons why I try to focus on that and drill with that at the organization at any given time.
A lot of this stuff is — none of this especially exciting within the realms of what we do.
There’s not any bullet that I’m going to talk about that says that we’re integrating the newest artificial intelligence security tools here at ARIN.
No, this is the fundamentals. Information, annual information security training, that’s one of the things that they point to. As fundamental as it is — and the industry kind of shrugs that off on occasion because of the fact it seems so fundamental, and yet, when we talk about the number one risks to any organization, it comes down to education of the staff, and in this case in regards to security.
That’s one of the reasons why there’s a big focus on information security training. Phishing awareness exercises. We used to do those — at one point we did those once a year. We’re up to doing those monthly within the organization.
And we’ve seen a dramatic improvement in our reporting capabilities when staff are the targets of those phishing exercises.
We’ve seen a dramatic increase in the reporting there and that’s incredibly positive overall.
One of the things I was asked to point to, in particular — this would be one of those things I would slide right past — one of those things I don’t really care to talk about in public forums. But I was asked to sort of settle on this for a second and that was to talk about the fact that we held an incident response exercise this year.
In particular, we had the Board of Trustees in attendance on that. So, it was a higher-level incident response exercise. It wasn’t one of the more lower-level working with the specific incident response team and drilling specific response playbooks and things of that nature.
It was really working with the Board to share how we would be engaging with them in case there was an incident that we experienced at ARIN.
A lot of times that’s overlooked, engaging the Board so that they’re familiar with what they would experience in those environments. It’s not the only exercises that we’ll be committing to this year. We also do have a technical exercise that we’ll be running later on in the year for our incident response team.
But very important that we were able to engage the Board, bring them in and share that experience with them.
Some of this other stuff was actually mentioned. We talked about two-factor authentication, Mark talked about specifically a penetration test that we had earlier in the year. We have now moved to running quarterly vulnerability scans.
Some of the reasoning behind that’s going to unfold on subsequent slides, whereas we were doing it annually, previously, as part of a more broad, not just a penetration test, per se, but a broader security audit.
This will also look familiar. The specific compliance initiatives that we work on. So the first one you’ll see is the NIST, in particular, the logo there is the NIST Cybersecurity Framework, but we leverage NIST standards, special publications broadly, as I think most organizations do.
So, we’re constantly — a lot of the stuff we built our program on, the security controls, were built off of the NIST framework, but we do continue to monitor releases and updates that are provided by NIST, and so they continue to shape the way that we do things at ARIN.
We are working a SOC2 audit program as well as PCI DSS, so SOC Systems and Organization Controls, a type of security framework — if you’re not familiar with it — that allows you to look at a specific service or look at a specific product and certify the security of that product or service.
There is some, just like with PCI DSS, there are some broad organizational controls that are a part of that.
And with PCI DSS, in particular, the Payment Card Industry Data Security Standard, that applies to any organization that allows you to use a payment card, a credit card or a debit card, to make a payment.
So that applies to every organization, whether it’s the gas station with a card reader at the pump, all the way up to your very large unnamed online sales platforms. And we just happen to be included in that.
So specifically with regards to SOC2, so I provided an update at ARIN 51. There’s not a whole lot of change here. The scope of this, again, broad organizational security, and we were focusing on RPKI specifically, the security of RPKI.
We did get the complete Type 1 audit in December of 2022. And we had an audit period that we just completed at the end of September, and we’re expecting our final report by October 31.
Actually, there is something new to add to this, and that’s — as of this morning — I received the draft report from the auditor, and the draft report is a successful Type 2 audit. Obviously, I can’t say that we have definitively passed. It’s not official because we don’t have the final draft of the report, but according to the draft that I just received, we did successfully certify RPKI towards our SOC2 Type 2. That’s a tremendous amount of work we’ve put in. Kudos to the entire organization for that work.
That is the part of the explanation for why we clapped earlier.
So, PCI DSS. This is focused more — it has a piece or a component that’s focused on organizational security, but this is looking more to ARIN Online or parts of ARIN Online where the payment card information traverses the infrastructure that handles that kind of stuff.
It’s not all of ARIN Online, but it covers a lot of ARIN Online. It’s a different structure around that. It’s not the exact same kind of framework, but they look at similar items there.
And the one thing I will say is it’s sort of, for major components, that’s external and internal vulnerability testing. That’s one of the reasons why we launched off this year to doing that on a quarterly basis as opposed to annually.
There is the penetration testing that’s required on an annual basis by a third party, which we continue to do, and there’s a security questionnaire that, at our level, we self-complete, we self-attest.
It is basically all the same controls that we use for SOC2. That’s pretty much a one-for-one kind of thing. The one thing I want to communicate here, as earlier this month, we’re officially PCI DSS compliant with ARIN Online.
So October Cybersecurity Awareness Month for us should be pretty special in 2023 that we’ve been able to successfully certify both ARIN Online and RPKI. It’s a tremendous amount of work for the organization, and I’m very proud of everybody who has been involved in that.
So there was a question during ARIN 51 about a roadmap. This is all great information. Appreciate the information. But what next? I will admit this roadmap changed from the end of last year. This is not what we had anticipated. And it’s a very simplified roadmap for sharing with the organization.
What’s on the top is essentially the same information on the bottom, just visualized a little bit.
The blue items are now officially complete.
RPKI for SOC2 has been achieved.
Type 2 achieved unofficially as of today.
PCI DSS for ARIN Online was officially achieved as of the beginning of this month. We originally didn’t intend on taking on PCI DSS in 2023, to be fully compliant.
Full disclosure: What we had intended on doing was doing the RPKI for SOC2 and doing a feasibility study to determine if we could pull more products and services into the SOC2 program along with RPKI.
I think the obvious first choice for consideration would have to be ARIN Online. So we were looking at that and saying, okay, let’s continue to move towards rolling that into the program.
When we did a payment card vendor change coming into 2023, there was a different set of criteria that they expected compared to our last payment card vendor, and so we immediately changed gears and focused on PCI DSS to be compliant this calendar year.
We are, as I said, officially as of Q3 PCI DSS compliant ARIN Online. The SOC2 portion of that has been pushed — we’ll be trying — at the earliest we’ll be looking at pulling it into the SOC2 program as we start it in our 2024 to 2025 cycle, if things continue to stay favorable that we’re able to roll that in.
Then after we roll ARIN Online into the SOC2 program, then we’ll do another feasibility study to determine whether or not there are other products and services that we can pull in, whether or not the community has an appetite for it at that point.
So that, very generally, is our roadmap going forward. A little bit of agility there just to address real world concerns and changes with our payment card vendor, but otherwise we’re staying on track.
None of that is mentioned on our website yet because since it was all happening during the month of October, we were going to let everything play out and then update all the PCI and the SOC2 information on our webpage so folks would have that information available to them.
Once we get the final report from our auditor, which they have pledged to get to us no later than the end of the month, I expect that we’ll see it by the end of the month at this point.
At the point that we get that, we will make the updates to the webpage to reflect our Type 2 completion, as well as our PCI DSS compliance.
And that’s what I have for you today.
Subject to your questions.
Hollis Kara: We can take just a couple of questions. We have a few more things to get through. This is important conversation. So real quick.
Leif Sawyer: Leif Sawyer, GCI Alaska. Recovering security architect. Congratulations on the SOC1 and pending SOC2. That’s great.
We have a lot of customer data out there that we need to make sure we’re protecting and looking forward to ISO27001.
Christian Johnson: We’ll have to do a feasibility study on that to determine obviously whether or not that’s a broad community interest. 27001 was part of the discussion when we opted to go with SOC2, and part of the reason that we had opted for SOC2 was because of the fact it was a stated expectation from the broader community.
If that becomes something that the broader community has an appetite for, then we’ll have to look at that roadmap and reassess.
Leif Sawyer: Thank you.
Christian Johnson: You bet.
Kevin Blumberg: Kevin Blumberg, The Wire. This is wonderful stuff to see. There’s an ancillary benefit to all of the work that ARIN is doing, which is something that comes up in many community consultations, which is: We need to leave this deprecated service that is insecure around so that somebody on the Internet can still connect to this service.
I think it’s important that as you’re going through this process that you make it keenly aware that to be able to maintain these certifications, the what-ifs of somebody running a 25-year-old server down the road is just not going to be able to be supported.
So, as you move through the process through the next two, three years, you’re going to have to turn off stuff that people expected to just always run because you can’t maintain certification with these systems.
I think it’s important for the community to understand what may be coming down the pike in that regard.
Christian Johnson: Fair enough. Thank you for voicing that.
Doug Camin: Doug Camin, Coordinated Care Services. Echoing some of the other comments. Great work as a fellow individual working in the IT space and cybersecurity, it’s a lot of big lift. So congratulations to you and your team and your work.
Christian Johnson: Thank you very much.
Peter Harrison: Peter Harrison, Board member. You mentioned that security was part of the DNA of the organization. I want to let the community be aware that the Board takes this extremely seriously. The creation of the Risk and Cybersecurity Committee is a manifestation of that.
We have quarterly reviews of the strategic risks and we have monthly reviews of material operational risks. We shepherd the plans to mitigate these risks, and we have meetings about this every month, and there’s evidence of the progress that we’ve seen from the staff presentations.
Our input, along with other committees, is used in the strategic direction of the organization, and I want to say once again that the performance of the team has been exemplary. Thank you.
Christian Johnson: Thank you very much, Peter. Thank you.
Roman Tatarnikov: Roman Tatarnikov, IntLos, consulting company. Yesterday there was a question about privacy, one of the policies about privacy. And that brought up an interesting question in my mind.
How does privacy go together with security at ARIN exactly, or is it a separate topic that’s not coming from information security?
And honestly, thank you so much for doing that, especially doing all these audits ahead of time. That’s tremendous.
Christian Johnson: Sure, thank you. John Curran unplugged.
John Curran: There have been requests for that, that I be unplugged.
So short version. We have mandatory priorities that we don’t get to avoid. So those are, for example, priorities that are driven by legal requirements, regulatory requirements. Sometimes system upgrades; we’re doing a change, we’re switching vendors.
We did that with payment. We switched vendors and PCI DSS suddenly became first and foremost.
So the security requirements can be swept into those sometimes. But if it’s not mandated by what we’re doing, then the security requirements go in the same list as the tech debt relief that we’re talking about, and the engineering improvements and anything that we’ve put on the suggestion list so it ends up on the engineering roadmap for priorities.
There’s an entertaining wrestling match is probably the best way of saying it for those priorities. Christian has an equal seat at the table.
So when we did, for example, SOC2, that did mandate some changes, and because that was the driver, that mandated those changes go into a regulatory change, it has to happen.
But in general, security is going to be — unless it’s to meet one of our compliance requirements — security will be considered equal with tech debt, considered equal with engineering efficiency and similar.
It doesn’t have priority but it also doesn’t have de-priority. The moment it gets in the way of a certification, then it’s the top of the list because certifications are an organizational goal.
If we expand scope of our certification, so for example, right now our SOC2 certification is RPKI. If we expand the scope, that will drive a bunch of security priorities.
So in and of itself, it doesn’t have a push, but it can be based on the scope of our prioritization commitments for security. If we increase the scope of our security compliance commitments, that drives certain automatic priorities.
Roman Tatarnikov: Thank you so much.
Hollis Kara: Thank you. We’ll take one last question.
Scott Kim: Scott Kim, ARIN Fellow, McKesson. I have a question about the vulnerability scan, the quarterly vulnerability scan implemented by ARIN, does it include a remediation plan for identifying vulnerabilities in a timely and effective manner, or is there a separate process for remediation in place?
Christian Johnson: Yes. I’m just kidding. (Laughter.)
There absolutely is. When I say that there’s vulnerability scans, what is part and parcel with that is we have an expectation that for those items — in accordance with PCI requirements — that we address those high and critical items on an appropriate timeline to make sure they’re addressed, they’re remediated.
PCI will not allow you to move forward without certain vulnerabilities being addressed. So we do have a set of policies and expectations around addressing those as a part of that vulnerability scan.
So I’ll slide into this for a second. You run the scan. You address those concerns based on what the threshold is, and it differs between external and internal scans. And then you have to rescan and provide the clear scans to the PCI auditor so that they can clear that it’s been addressed.
So very much so, yes, we do remediate those items as part of the scanning process.
Scott Kim: Thank you.
Hollis Kara: Thank you. And thank you, Christian.
Folks, going to ask you to bear with us. We have a few more things on the agenda that we want to make sure we provide an update on.
Next up I’d like to invite — she’s already here, Amanda Gauldin. I’m getting out of the way.
Amanda Gauldin: Moving fast! Now I know how Nancy Carter feels with the Financial Report towards the end of the meeting. Whoo! We’re almost done, guys. Hang in there.
It’s great to have the opportunity to share with you all what has happened since I gave my last update at ARIN 51 related to outreach and various programs here at ARIN.
My name is Amanda Gauldin, and I’m the community programs manager at ARIN.
I’ll start with the ARIN Fellowship Program. Now that we’ve moved into this in-person but enhanced virtual meeting space, I think the program has gotten a lot more visibility recently. So, hopefully it’s already familiar to you, but if not don’t worry, I am here to tell you more.
The Fellowship Program launched in 2009 with the goal of bringing selected individuals from throughout the ARIN region together to learn more about ARIN and attend the meeting. It’s especially a great opportunity for individuals to be able to attend if it’s not in their organization’s budget.
You can see that since launch year we’ve had more than 200 Fellows join us at these meetings.
Starting in 2021, though, we began to incorporate a pretty full program.
We now have pre-recordings for Fellows to watch, two 90-minute Zoom sessions that cover the ARIN policy development, the Number Resource Policy Manual that we love to call NRPM, the Mailing Lists, policies on the docket for the upcoming meeting, and new this year we added a little bit of an intro to the Global Policy Development Process. Then Fellows attend the meeting orientation. They attend the ARIN meeting, either in-person or virtually. And then we have one last wrap-up meeting next week.
Additionally, Fellows are paired with an ARIN Advisory Council member/mentor for those virtual breakout-room sessions where they can have more specific time for Q&A and just to have conversation with each other.
It’s very much a time investment on the part of the Fellows that they’ve committed to, but it has created such an awesome way to introduce them to ARIN, our work and then members of the community as well.
Who are the fortunate Fellows for ARIN 52 that have joined us and put in all this time and hard work? Hopefully you’ve met a few of them, if you are attending NANOG as well, as they were here either in person or online.
I’ll give a quick shout-out to the Fellowship Selection Committee as well that served for 2023. They reviewed a lot of applications for our two meetings, ARIN 51 and then ARIN 52, and made a lot of hard decisions as it was really an excellent pool of applicants that we had this year.
For ARIN 52, we have 14 Fellows. 11 have attended in person and three are online virtually.
We haven’t had a crew this large for quite a while, and we’ve had a great couple of weeks learning together. Fellows who are here in person have a blue ribbon on their badge, so hopefully you’ve been able to stop and introduce yourself. And if you’re on the Zoom you can give them a little virtual wave as well.
I mentioned the Advisory Council member Mentors. So pictured here joining us for this program are Doug Camin, Chris Tacit, Alicia Trotman, and Alison Wood. And Kerrie Richards, also a former AC member, joined us to be in the virtual space this go around.
They have all helped me and helped the Fellows, overall adding so much value to the program. And hopefully you’ve been able to tell that this Fellowship program is a team effort and there are other people. I want to thank Leif Sawyer and Kat Hunter on the ARIN AC, Chair and Vice Chair, that have joined me. And Kevin Blumberg, of The Wire, joined us this year and gave that Internet policy global view that was very valuable.
And pretty much every member of the ARIN Communications team as well helps me along the way. So, thank you to all of them.
And I’ll switch gears now and tell you a little bit more about the Fellowship Program coming up for the next meeting, and then if you’re interested how to apply for that. But I’ll share with you guys now about the ARIN Community Grant Program.
By supporting initiatives that improve the overall Internet industry and user environment for the ARIN region, we have been able to see some really great projects come to fruition.
Overall, 21 projects have been funded the past few years. There is also a selection committee for the grant program. So, thanks to them for volunteering their time to go through many long and very detailed and thorough applications and make decisions along with Board approval for where this money is going to go.
Our 2022 Grant Program recipients have completed their projects. Their final reports have been submitted, and next month you’ll see a blog post from each of them where you can read about their accomplishments and how these funds help them achieve success in their endeavors.
And also exciting news, the grant recipients for 2023 were selected and have received funding to work on their projects. And we’ll get an update from them around the springtime and then a final report from them around the falltime next year.
If you would like to know more about these projects, you can check out the blog post that went out in September which goes into a little bit more detail about what each project is looking to accomplish over the next 12 months.
The grant program application cycle for 2024 will open in April. There’s a great deal of information on the ARIN website right now that outlines the criteria that must be met in order for an application to be reviewed by the selection committee.
There’s also a sneak peek at the questions on the application. So, if you are thinking about a project and interested in requesting funding, there’s no reason that you can’t take a look at all of that information now.
Lastly, I will talk about outreach to the ARIN community and what that looked like over the course of the year.
Here’s a little visual of where ARIN has been. To me the question is, where haven’t we been in 2023 as it has been a very busy year. But it’s also been great to be back at it, back in a part of it with presentations, help desks, webinars.
We’ve had a lot of interaction and engagement with you, the Internet community, in making sure that we’re providing support and assistance to you so you can maximize the value of ARIN services.
Total running count of the events so far, we’ve had 31 in-person and seven virtual for a total of nearly 40 events so far this year. And the year’s not quite over.
Also keep in mind there are many more events that ARIN attends. For example, ARIN’s Government Affairs Department does extensive international travel but this count pertains to where we’re going to give a presentation or provide a help desk, and the majority is to the community and the ARIN region.
We have been talking a lot this year about IPv6, RPKI and providing those timely updates on important changes coming to ARIN services, many of which you have heard today and yesterday as well.
The year isn’t over yet but it is winding down. So, that means just a lot to look forward to in 2024.
Applications for the ARIN 53 Fellowship Program — that meeting is in Barbados in April. So, the application site for Fellowships will open in January.
Like the Grant Program, there is a lot of information online right now. A sample of the application questions, FAQs, and we’ll update that here shortly to reflect program specifics about ARIN 53.
I do have a hunch it will be very competitive. Similarly, applications for the ARIN 54 Fellowship Program that will be happening in Toronto in October will open later this summer.
And I briefly mentioned the Grants Program.
Applications opened April 24. And there are also volunteer opportunities as well in January. We’ll be making a call for Grant Selection Committee members and Fellowship Program Selection Committee Members. If you’re interested in volunteering your time in that angle, keep an eye on ARIN Announce.
Lastly, if you’re hosting an event or webinar as well and think ARIN’s presence would align with your goals, definitely tell us about it. We’re building our 2024 calendar right now, and we’d love to help potential new or existing customers understand all of the services that ARIN provides.
Thank you for listening and engaging with us and being here. And I’m happy to answer any questions that you guys may have.
Hollis Kara: Actually, what I’d like to do in the interest of time because we’re a little bit pressed is hold questions and comments about programs until the Open Microphone if that’s okay with everyone. Okay?
Amanda Gauldin: I’m fine.
Hollis Kara: Thank you, Amanda.
We want to hear from you, and we want to give you time for that, but we also want to give our presenters time to make sure that we give you all the things you might wish to comment on, if that makes sense. We’ll go with it.
All right, next up, I’d like to invite Marty McLaughlin, he’s our Certification Program Manager, to come up and talk a little bit about what’s going on in developing certificate programs at ARIN.
Certification Programs at ARIN
Marty McLaughlin: Good morning, everyone.
My name is Marty McLaughlin. I’m the new Certification Program Manager. I work for Joe Westover in the Customer Experience and Strategy Group under John Sweeting. I’m going to cover a couple of new programs. I’m very new to ARIN. This is my first ARIN meeting in person.
I started in April, and I was immediately given a new program to launch, and that was the Qualified Facilitator Program.
There we go.
I was also hired to establish a Training Certification Program. So, what I’m going to do is cover the Qualified Facilitator Program first.
What is the Qualified Facilitator Program? It’s an optional resource for ARIN customers that helps connect organizations seeking to acquire IPv4 address space or Autonomous System Numbers with Qualified Facilitators who have been approved by ARIN to help organizations with the transfer process.
This is a new program that replaces the STLS program, which was the Specified Transfer Listing Service. This new program requires facilitators’ strict adherence to ARIN’s policies and high ethical standards. It ensures the protection of ARIN’s interests and reputation. And it streamlines the transfer process for ARIN’s registration service. It also instills greater confidence within the ARIN region.
We retired the STLS in May, and under that program there were organizations that would list unused IPv4 space. They’d list their contact information. And other organizations would list themselves as needing IPv4 space. And then there were some facilitators who would help with the transfer process.
That service kind of dwindled after a while. I think it was around for about 10 years. And the community wanted to make the qualifications for the facilitators a lot stricter. And so, with the feedback from the community and even the facilitators themselves we came up with very stringent qualification requirements. I’m going to cover those now.
All Qualified Facilitators have to be legally registered entities in the ARIN region and under an ARIN RSA, which is a Registration Services Agreement. They have to operate within ARIN’s service region and adhere to US government business regulations, maintain at least two points of contact who can pass a qualification interview, and that’s with our general counsel and CCO.
And they also have to have at least $1 million in liability insurance, naming ARIN as an additional insured, provide third-party background checks for their employees and offer indemnification for ARIN.
They also have to submit three verifiable customer references and comply with the facilitator agreement and code of conduct.
These are all new requirements that were put in place to make sure that we had a very rigorous process for qualifying them.
And some of the code of conduct: In all transactions, Qualified Facilitators should observe the duties of good faith and fair dealing. They have to have a duty of transparency, a duty of competency. You can read through the code of conduct on our website.
One of the other things they have to do is inform ARIN when they’re assisting with transfers.
And on an annual basis they’re going to have to confirm their compliance and remit their associated fees.
There were a lot of teams that were involved in launching this program. This was a good way for me to kind of learn the inner workings of ARIN, how all the different departments work together, including CXS, Comms, RSD, FSD, and Legal. I got a lot of help from them. I just brought it across the goal line.
We do have some Qualified Facilitators here, I believe. I thought we did. I can’t see. If anybody wants to stand up and acknowledge. They may have already left.
But if anyone’s interested in becoming a Qualified Facilitator, you can go to our website and look up Qualified Facilitator Program. If you’re interested in using a Qualified Facilitator, you can also find a Qualified Facilitator on that list and on the website. There’s currently eight.
I believe at one point, under the STLS program, there was about 27. So, by making these more strict requirements, we’ve definitely whittled down that list, but that’s a good thing because all of these facilitators are earnest, and they represent our community very well.
The other program that I am going to talk about today is our Training Certification Program. We’ve had training offered for a long time. But we don’t really have a certification program, per se.
Certification can mean a lot of different things to different people.
Certifications for PMP, for instance, where you have to recertify every year and then you’ve got certifications where you just take a class, you pass an exam, and you get a certificate.
Right now, we’re basically in the planning stages. And afterwards we’re going to design some courses, we’ll develop the material, and we’d like to have a test or a pilot group that would be able to work out all the kinks. And then we’ll implement the training and then maintain it.
These are basic stages. We’re very early in the stages, in the planning stage — sorry, I keep turning the page and hitting the mic; it’s probably making some noise.
What we’ve done so far is that we’ve acknowledged training interest continues in the community, and it’s reflected in the 2023 ARIN Satisfaction Survey. We’ve also known this for some time just from basic community feedback.
We’ve researched and documented the resource requirements and development time needed to successfully launch a Training Certification Program. And what I mean by that, resources being — you go into a shop and you see what are the systems and tools that they have, who are the personnel that can do the training.
Me being new, this is what I did, I’m telling Hollis and Beverly something that they already know, but some of the tools would include a learning management system, for instance — content development tools like Captivate, certification exam platforms, and assessment and grading tools.
Personnel would be program administrators, managers, instructional designers, or technical trainers, and also subject matter experts, help desk and what have you.
A lot of this we have. We do have a training developer extraordinaire in Beverly Hicks, and she gets a lot of help from other folks in Hollis’s team. We have some subject matter experts, RPKI, Brad Gorman, Jon Worley in IPv6.
Looking at development time. There have been some studies by ATD and Chapman Alliance that kind of tell you how many hours it takes to develop one hour of content. We’ve looked at some of that. Takes longer for e-learning courses, for instance, than it does for instructor-led courses.
Certification test development. It takes time to develop tests. I did this when I was in the Air Force. It could average anywhere from 30 minutes to an hour to develop a test [question].
All the things that we’ve looked at are in anticipation of how long it will take for us to launch training. And part of that was assessing our initial training objectives.
What I want to do right now — I don’t see the clock ticking — am I okay?
Hollis Kara: Yeah, you’re good.
Marty McLaughlin: Let’s take a look at the Customer Satisfaction Survey. This is something that Joe mentioned the other day, Joe Westover, that is.
These are some of the comments that came back from the community. I’ll read just a few of them:
More education and promotion of the Routing Registry and RPKI service. More educational resources for things like DNSSEC and RPKI. There’s some more aspirational partnering with NANOG and doing virtual labs and more meaningful IPv6 adoption training.
One of the questions in the survey was “Which of the following topics will you be interested in formal training provided by ARIN?” This is the survey that Joe went over – I robbed one of his slides — and the survey was done over probably about nine years, starting in 2014, every three years.
If you look at the far left, the darkest blue column, that is the 2023 survey results. There are about 317 participants.
It shows that RPKI — obviously it’s one of our newer services — has got the most interest at 51 percent. It’s up from 28 percent in 2014. And IPv6 deployment is second-most, even though it’s gone down a little. Then use of ARIN tools and services, IPv4 transfers, use of ARIN Online.
So, the recommendation was, of course, to provide more training in these areas.
Looking at what we currently have as far as resources, we have some initial training certification goals, and that’s just to get things started.
Expand our learning development resources. What does that mean? It could mean using resources from within. Maybe getting another resource, meaning another person.
We also want to update existing training videos, develop brand-new e-learning training modules that actually have knowledge checks to establish some testing criteria for these training modules. And then host them on a learning management system, provided we’re able to get one.
We’re initially going to focus on RPKI, IPv6, and ARIN Online, and then target development at an e-learning level one, level two, and these levels go all the way from level one all the way up to level five with virtual reality and that sort of thing. We’re not going there.
Level one, level two are page turners, assessments, and interactive exercises. If we were lucky enough to be able to procure a Learning Management System, we’d also have to stand it up and have resources available that can actually use the system and set it up for us.
So, that’s where we are right now. Before you can run, you’ve got to be able to walk. I think these are the building blocks that we need in order to get the certification program rolling.
In looking at some of the subjects that we would cover initially — probably looking at the eLearning modules based on these topics — so RPKI, introduction to RPKI, RPKI architecture, certificate management, Route Origin Validation, Route Origin Authorization creation and management, relying party software, RPKI deployment strategies, monitoring and troubleshooting, industry standards and best practices, case studies and real-world examples.
Some of the material we already have, so the idea would be to pull the material that we have, update it, and get it into an actual structured eLearning module that we can deliver.
The same with IPv6. Introduction to IPv6, addressing, address planning, protocols and services, routing and routing protocols, transition mechanisms, security considerations, deployment and implementation strategies, et cetera. You can read these.
ARIN Online. We do have a lot of ARIN Online videos today. We would just again update those, put them in a more structured format for eLearning with knowledge checks.
Those would be the first three courses that we would venture to create. And when we get to the point where we’re going to pilot some training, we would like to get some feedback from the community. Maybe get a focus group together and test out that training.
If we have any volunteers, you can reach out to firstname.lastname@example.org to participate. That would probably be sometime next year. That’s all I have.
Hollis Kara: Thank you, Marty.
Like we did with Amanda, if anybody has any questions or comments on what we’re doing in the certification program space, we’ll keep those for Open Microphone.
I want to allow Kevin Blumberg just a few moments to come up and share a few news items related to ASO AC.
Address Supporting Organization Address Council Update
Kevin Blumberg: Good afternoon, everybody.
I’m Kevin Blumberg from the ASO AC. I’m going to go very fast because I don’t want to keep you from your flights, your coffee or pool time.
Normally during this presentation I would do an explanation of who we are, how we operate, everything around that, but I’m just going to go into two very specific things.
This is the ASO AC. There’s 15 of us from five regions normally. In our region, we have Nick Nugent, Chris Quesada and myself, Kevin Blumberg.
We’re the ASO AC representatives for the ARIN region. Pictures. What we do. We do three things.
I’m going to talk about two of them. The first thing we do is global policy development. That is one of our main focuses; the last major global policy development was in 2012.
We also do the appointment of two ICANN Board of Directors as well as to the ICANN NomCom. We have a number of meetings. This is all online. Please, we’re very open and transparent. We’d love for you to join us.
Here’s our current appointments. This is the first thing I wanted to let everybody know. Just like we’ve talked about policy for the last couple of days, the Advisory Council did a full modernization of our procedures. Very, very in depth. An example is we went from 14 different voting mechanisms in our procedures to one.
That is currently in the voting process to be approved, to be sent to the NRO EC for them to vet, approve it, send back to us. We’ve done that project. It was a massive undertaking, and hopefully we’ll be now using that new procedures document in the next couple of months.
There is one slide that is missing. And it doesn’t matter, I’ll just tell you. I was mentioning that the ASO AC is responsible for appointing two directors to the ICANN Board. Seat nine is going through that process now. We’re in the nomination phase.
If you or anybody you know has an interest in applying to be part of that process for the ICANN board through the ASO AC, it is on our website, ASO.ICANN.org. The deadline is December the 15th for the first round of nominations.
Our final — it goes fairly fast. There’s a lot of interviews. A lot of other things that happen, but our results are usually in May. All of the timelines were emailed as well as on the website. So if there’s anybody for the ICANN Board who is interested in that seat nine, you need to be in the region other than the RIPE region to be eligible.
That’s the only key requirement: you cannot be from the RIPE region because we already have a director from that region. Otherwise, that’s it.
Hollis Kara: Thank you, Kevin.
Apparently, the slide gremlins got us today. Let’s go. Here we go. That brings us to Open Microphone.
Mr. Curran, if you would like to come on up.
John Curran: Okay, the Open Mic program.
Good afternoon. Microphones are open. I’ll be handling them. This one. Go.
Doug Camin: Doug Camin, Coordinated Care Services, ARIN AC, and mentor in the Fellowship Program. I just wanted to make a round of applause to the Fellows that were here. Great job for them. And Amanda and her team for the job they did with the Fellowship Program. It’s awesome, and I’m honored to participate in it but also the work they do is amazing. Congratulations.
John Curran: Thank you. Over here.
Roman Tatarnikov: Roman Tatarnikov, IntLos Consulting Company, also former ARIN Fellow. I just wanted to do a comment on the Fellowship Program. I remember seeing an email on NANOG saying that ARIN has a Fellowship Program, and my first response was, “Huh, the company that takes money for IP addresses actually has something more than that.” I was glad I was selected a Fellow.
I encourage everyone to go through this because that’s how you learn, not just what ARIN does but whole Internet governance.
I would like to thank not just all of the ARIN staff but also Amanda, who selected me, and my Mentors Dave Cunningham and Doug Camin.
And I would also like to remind you that we keep on talking about all these beautiful things, IPv6, RPKI, and so on.
We cannot really implement them well if the larger world doesn’t know that they need to be implemented.
So whenever you go to a meeting, whether it’s Information Security Association or some kind of meeting or something, or just go into a college, always remind people that there is a Fellowship Program, always encourage them to participate, and then you get Fellows like Dustin, who is actually now going for AC Board. Thank you.
John Curran: Great input.
Mohibul Mahmud: It’s Mohibul from Microsoft and ARIN Fellow. So, I want to extend my heartfelt gratitude to ARIN for granting us this incredible opportunity to be part of the Fellowship program. And through this experience, I have gained, we have gained a profound understanding of ARIN and how their policy meeting works.
I also actively participated in policy discussions, which was interesting, first time, better contacts with other peers. And I have every intention of remaining actively engaged in this dynamic community in the future.
Moreover, as a Fellow, I had the privilege of attending the NANOG 89 program meetings this time, which allowed me to delve into technical issues and connect with Fellow engineers, which was interesting.
This experience has been truly enriching, and I’m deeply thankful to ARIN for making it possible.
And after returning to my work, I’m planning to give a presentation of this — like in our team, we have more than 100 people. So I will try to encourage my Fellow engineers to be involved more in this community.
And last but not least, I also would like to thank Amanda and the whole ARIN team and Mentors, all the Mentors, AC members, for all of their support. Thank you. Thank you, all.
John Curran: Glad you found the mentor program useful, Fellowship Program, thank you. Over here.
Nick Nugent: Nick Nugent, University of Tennessee and NRO NC. I just continue to be skeptical or at least concerned about the labels that are attached to names for folks who are running for office, the “qualified,” “well-qualified,” “qualifications not demonstrated.”
I’m certainly open-minded and happy to be persuaded otherwise, but it did seem strange to me that in this go-around, and perhaps others, there are current members, incumbents, who have long served on a body who were receiving the second-highest rating of qualified as opposed to well-qualified.
I understand, or at least I’ve heard, that maybe this is outsourced to another organization, so I would just encourage maybe examining the current process by which these labels are attached to potentially improve them.
One possible suggestion would be for incumbents to simply attach an “incumbent” label so as to remove them from sort of the same ordinality.
Another is to remove the system altogether.
John Curran: Your suggestions will be taken. I will note that the Board of Trustees has spent quite a bit of time over the years looking at the election process, trying to balance the open nature of it, but also trying to make sure that people are informed well about the candidates.
In the past we had a NomCom doing the evaluation, and we provided the criteria. And now we’ve actually had a third-party HR firm that objectively applies criteria.
I know that we’ll be looking at refinements to the system. But I guess at a high level, the most important thing to think about is that the major change we made now is that all candidates make the ballot.
Short of a material, clear violation that prevents them from serving in the role as AC or Board, you will be on the ballot. You may have a rating attached, but at least we’ve stepped to the point where we don’t remove candidates and have people wondering why a candidate doesn’t appear at all, which was a past problem.
As for labels, we’ll take your feedback.
We’ll give it back. It will go to the Governance Committee of the Board as part of the year-end report, and they’ll take that into consideration.
Scott Johnson: Scott Johnson, Spacely Packets. I want to congratulate the Board staff and AC and Mr. Curran on your continued progress this year and a wonderful meeting. And speaking on behalf of the Interplanetary Networking Special Interest Group we all hope you continue to live long and prosper.
John Curran: Thank you. (Laughter.)
Very good. (Applause.)
Leif Sawyer: Leif Sawyer, GCI Communications, Alaska; chair, ARIN Advisory Council. I look out, we’re all getting a little older here, a little bit more gray into my beard. And I don’t know that I’m that old, but these are really hard to read, the names on the name badges. Right?
And it’s single-sided, so if it flips over I have no idea who you are. I look at the NANOG name badge and I see my name very boldly written. You can read it from here, can’t you?
And it has my pronouns on here, which makes it really nice when I’m being introduced to people or when other people are introduced to me.
So a suggestion is to follow the NANOG style so that we can all read our name badges without infringing on other people’s personal spaces.
John Curran: Got it. Your suggestion is to follow the NANOG style, not to issue readers to the older members of our community, right? I just want to be clear.
Leif Sawyer: Glasses on top of my trifocals. Thank you.
John Sweeting: Yeah, and we don’t want to have Hollis going around flipping everybody’s badge. This has actually been addressed, Leif, and Hollis has taken the initiative to reach out. And we’ve contacted the suppliers of badges for NANOG. And I believe we will most likely be using them for our meetings in the future.
Hollis Kara: We are investigating actively. Thank you, Leif.
Gerry George: Hi, Gerry George, ARIN AC, former Fellow and Caribbean member. I’m really looking forward to the e-learning option. I think that’s going to be really great.
With regard to the Fellowship Program, particularly now that there is the hybrid option, I have a suggestion to increase the number of remote participants.
And I’m thinking, maybe selfishly, particularly in the Caribbean region, that we can now have a lot more remote Fellows without necessarily increasing the cost to ARIN because one of the things I keep trying to do is to encourage persons to be part of the program.
And the mentorship is actually extremely valuable in terms of getting persons to understand what ARIN is about, to avoid getting lost in all of what’s going on.
So if, for example, the remote Fellowship Program can be increased by a significant amount, then we can have a lot more people participating, getting involved without necessarily having the —
John Curran: The travel associated with it. Excellent suggestion and we’ll make sure it gets back into the community.
Gerry George: Thanks a lot.
John Curran: Thank you very much.
Microphones remain open, open mic. Remote, mic is open. Interplanetary mic is open. SETI?
Hollis Kara: No questions in the virtual queue.
John Curran: Last chance. Closing the on-site queues. Closing the remote queues.
John Sweeting: John Sweeting, Chief Customer Officer. I just want to say, we’re having a really fantastic turnout on the election on the voting. We’re almost to quorum already.
But that doesn’t mean you don’t have to vote. Please, everyone, keep voting. If you’re eligible, cast your vote and know that there’s a lot of people out there participating this year so your vote really matters.
John Curran: That’s what we want.
And with that, I will close the queues, end the session. Thank you for a wonderful meeting. I’m going to turn it over to Hollis to close. Thank you.
Closing Announcements and Adjournment
Hollis Kara: Thank you, John, thank you everyone. It’s been a great meeting. So happy to have you here with us and for sticking through to the end. I know we ran a little bit long.
We do have our final wrap-ups, of course. Everybody get ready to applaud. Let me read off all the names first and please start.
We have our network sponsor, AT&T; our bronze sponsor, IPv4.Global by Hilco Streambank; and our livestream sponsor, Google. So let’s give them all a round of applause.
We do rely on our sponsors very heavily to make these meetings happen. So we really appreciate them.
Again, we do want to hear what your experience was like here at the meeting. It’s very important to us. It’s how we figure out how to improve. You will receive a link to the survey.
There’s also a QR code you can scan in the hall as you’re walking out if you like.
We will be giving a lucky winner an iPad in a random drawing at the end of the survey period at the end of next week.
And please do go ahead and mark your calendars. It’s going to be a hardship, but ARIN 53, we’re going back to Bridgetown. And so we hope to see you all there, either in person, hopefully, or online if you’re unable to make the trip.
But 14 to 17 April 2024. We’ll be back again with ARIN 53. And thank you and that is a wrap. Have a great time, everybody.
(Meeting adjourned at 12:30)